Undoubtedly, users are increasingly aware of data protection risks.  73% of US consumers surveyed by SAS reported increasing concerns about personal data privacy, with 67% feeling that the US government should be doing more; while in the UK research by Janrain suggests that, if given the choice, 32.3% of respondents would not let any company use any of their personal data.

Giving data subjects control

Enabling that choice may seem like a simple answer.  Consent-based regimes are intended to empower data subjects to access and control their own data and to consent where sharing personal data is useful, for example in banking and healthcare. 

The UK Information Commissioner's Office suggested that "it may be possible to have a process of graduated consent, in which people can give consent or not to different uses of their data throughout their relationship with a service provider."  Some recent proposals go further, allowing data subjects to monetise their own data, selecting which offerors are able to purchase, for example, their DNA profile, and for what purpose.

Surely this is a fair trade - a win-win situation?  Over 52% of Janrain's respondents would willingly allow a company to use their data if they had something to gain from it.

Is consent enough?

However, consent-based regimes rely on the user's priorities and their perception of choice.  Tellingly, 19.5% of UK respondents were apathetic, feeling that no company protects personal data, with as few as 18% likely to walk away from a business that requested personal data.  Where the immediate benefits outweigh the perceived risks (or where those risks are already seen as inevitabilities), users are disincentivised from exercising the right to refuse consent. 

It can also be difficult to curtail the scope of consent: only 42.3% of respondents were concerned with protecting friends' and family's personal data, a real risk in a growing data marketplace, even setting aside on-selling by intermediaries.  Ethical and civil rights concerns have also been raised about data, such as video footage, that can be collected in public places and combined with facial recognition technology.

Where there is a marketplace for personal data - and a whole range of benefits to sharing that data - there will inevitably be an incentive for users to provide consent.  However, the sheer volume of data created each day poses a real challenge to users understanding what data they are selling, how it could be used, by whom and for how long.  For most if not all users, this is simply too much to monitor.  While trust and transparency will always be essential, is self-regulation enough, or is external regulation a necessity for consumers to be able to give meaningful informed consent?