ProjectVRM

Digital Omnibus Article 88b needs to be about contract, not just consent

June 5, 2026 / / 0 Comments

With gratitude to the famous Peanuts cartoon. (And art help from ChatGPT.)

The EU’s new Digital Omnibus proposal aims to update and expand the GDPR, notably with Article 88b, which includes this. (I’ve boldfaced the phrases that matter):

A new Article 88b Regulation (EU) 2016/679 (General Data Protection Regulation), for automated and machine-readable indications of individual choices and respect of those indications by website providers once standards are available.

That was written in June 2025. We now have a standard for exactly that: IEEE 7012-2025—Standard for Machine-Readable Personal Privacy Terms. It is nicknamed MyTerms (much as IEEE 802.11 is nicknamed Wi-Fi) and was published by the IEEE in January 2026 after nine years in the making. Here’s the PDF.

Article 6 of the GDPR lists six bases for the  Lawfulness of Processing:

  1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  3. processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

I’ve boldfaced the three that matter, and italicised their core distinctions.

The entire adtech business relies on the first and last of these, consent and legitimate interests, as their excuses for tracking people, allowing them to obey the letter of the GDPR while screwing its spirit.

We see consent at work with every cookie notice we click on or click past. And we have no faith that clicks on consent “choices” provide any privacy protection at all. Reasons:

  1. Most sites ignore cookie choices.
  2. Many sites set cookies even before a cookie choice is made.
  3. It’s obvious that adtech is a personalised guesswork business that relies on surveillance, so most of these “choices” are misdirections away from corporate hunger for personal data.
  4. We have no record of the “choices” we make (and in many cases, no choice is offered), or any way to audit or dispute compliance.
  5. Uninvited and unwanted surveillance is by now so far out of control that cars, TVs, and AI chatbots are all in on the game (and hardly bother with consent notices).

To adtech, personal privacy is a bug, not a feature. It is incentivised to violate privacy. No amount of regulatory oversight will fix that. To adtech, paying fines for privacy violations is just a cost of doing business.

The only fix that will work is what people—customers and citizens—bring to the market’s table. With MyTerms, they can do that.

MyTerms addresses the second of the GDPR’s six legal bases: contract. Put simply, here is what  the MyTerms standard says:

  • The person (not a mere data subject) is the first party, and the site or service is the second party.
  • The person proffers a contractual agreement chosen from a limited roster posted on the public website of a disinterested nonprofit, such as Customer Commons (which was created to do for personal contracts what Creative Commons does for personal copyrights—and which the IEEE approached with the idea for making MyTerms a standard).
  • When the second party agrees, both parties keep an identical record, which supports compliance auditing and dispute resolution. (By preserving evidence, this also creates an infrastructure for dispute avoidance as well.)

The GDPR succeeded by recognising natural persons as holders of rights, but it left intact the industrial age convention in which organisations are the exclusive originators of terms at scale. That’s one reason why persons have remained mere data subjects rather than contractual parties.

Fortunately, the Internet’s base protocols are peer-to-peer. Treating people on the Net as mere “users” and “data subjects” limits their agency. With MyTerms, people acquire a status they yielded when industry won the industrial revolution. (Before the industrial age, surnames—Baker, Müller, Weaver,  Lefebvre, Smith, Marchand, Farmer—signified agency: what people did in the world. That’s just one thing we lost when we became workers, executives, consumers, and users.)

In the natural world, privacy is maintained mostly by tacit agreements. In the digital world there is no tacit, so agreements must become explicit and programmable. This is why contracts are the only way we’ll get real personal privacy in the digital world.

It should also be clear by now that polite requests also don’t work. We tried that with Do Not Track, and by the time it finished failing, the adtech lobby had turned it into Tracking Preference Expression—as if we wanted to be tracked all along.

That main pro-consent lobby is the Interactive Advertising Bureau, or IAB. Among its recommendations for the Digital Omnibus are deleting 88b and  improving consent in various ways, such as  “Revise the proposed stricter consent rules.”

The IAB is blind to the simple fact that people hate being spied on and do what they can to stop it—mainly by turning off ads. By 2015, ad blocking was already the biggest boycott in human history. That boycott rose in direct response to obvious tracking, especially with retargeting. (That’s how one ad or advertiser keeps following you from site to site and app to app.)  And the boycott is much bigger now:

The IAB earned all that rebuke. And they continue to see ad blocking and tracking protection as problems to solve rather than clear and constructive signals from the marketplace.

So it should be clear by now that the old brownfield of consent has become a toxic wasteland of surveillance, lost privacy, and minimised human agency—led by an industry that has been hostile to privacy from the start.

And it would be helpful for the European Commission to expand its scope from protecting data subjects to empowering first parties. They can do that by welcoming MyTerms in the Omnibus Directive, expanding human agency into a new greenfield where boundless positive outcomes can flourish.

Drafts of myterms agreements are currently posted at MyTerms.info, which is a project of Customer Commons and MyData Global. You can also read more about MyTerms in writings by Iain Henderson, Nitin Badjatia, and me.

We also invite you to join the ProjectVRM list, where we can converse and collaborate on moving MyTerms forward.

Other Looks

May 8, 2026 / / 0 Comments

One possible header.

Last month, Devon Loffreto shared some takes on how this website might look with some big tweaks. Check ’em out:

One post.

On MyTerms.

I think they’re brilliant.

We do need a refresh, and I’ve been working with our friends at WordPress on that. The main constraint is that we need to base the site on a WordPress theme of some kind. I invite suggestions.

The Original and the Eventual Intention Economy

April 18, 2026 / / 2 Comments

The Intention Economy subtitle. It’s the whole thing, right there.

A recent post by Simon Taylor on X expresses something important about AI agents and markets: if an AI agent arrives in a market with a clear mandate—

Get me X. Budget Y. Constraints Z.

—it obsolesces business-as-usual for digital marketing.

See, all of martech and adtech starts with the assumption that human intent is fuzzy and manipulable—and that the best customers are captive and manipulated. Let’s look at this from three angles, which are also the three things that happen in markets:

  • transactions
  • conversations
  • relationships.

On the transaction side, companies invest heavily in tracking people, analyzing their behavior, targeting ads at them, and then (in many cases) rationalizing extremely wasteful results. Plus, of course, discounting or ignoring boundless negative externalities, such as the annoying people to new extremes and massively abusing personal privacy. (In fact, the system treats absent personal privacy as a base feature.) Anyway, the entire surveillance-based advertising fecosystem exists to guess what people want, or to influence what they might want.

On the relationship side, all we have so far is on the sell side: CRM, for Customer Relationship Management, and CX, for Customer Experience. We’ve been trying here to build (or to encourage building) systems for VRM, for Vendor Relationship Management, to give CRM customer hands to shake. But, in VRM’s absence, CRM is all we’ve got. One hand clapping. Or slapping. Or pushing prospects into a funnel.

What many of us, including Simon Taylor, suggest is facilitating conversation through AI agents. Simon’s case, specifically, is that an agent representing a person doesn’t need to be guessed at. It already knows the user’s intent. So there is no attention to capture and no desire to manufacture or manipulate. The demand signal is clear from the start. That’s why he says agents can collapse the attention economy.

The underlying shift in this direction has been visible for a long time. In The Intention Economy: When Customers Take Charge (Harvard Business Review Press, 2012), I argued that markets work best when customers drive them with clear signals of demand, rather than when sellers try to infer demand through surveillance and unwelcome persuasion. I also said markets can be far richer and more vital when customers and companies operate as equals, with relationships based on mutual interest rather than forms of coercion (such as “loyalty” programs that aren’t).

The work of Vendor Relationship Management (VRM) has been about correcting that imbalance.

Instead of companies managing relationships with customers through CRM (Customer Relationship Management) systems, we need customers able to manage relationships with vendors through VRM (Vendor Relationship Management) tools.

Note that relationship is the middle name of both CRM and VRM. Markets are not just about transactions. They are about relationships that continue over time.

That’s why a working intention economy will involve far more than simple buying transactions.

As Esteban Kolsky once put it, companies often focus almost entirely on the “buy cycle.” But customers live mostly in the “own cycle”—the long period of using, maintaining, fixing, improving, and learning from the products and services they already have:

In an intention economy, intelligence about that experience flows both ways between customers and companies. I wrote about this recently here:

Market intelligence that flows both ways.

VRM has long described one key mechanism for this: intentcasting, where customers signal their needs directly to the market rather than being targeted by guesses and ads.

Agents may make this far more feasible than it was when we first started talking about VRM nearly two decades ago.

But there’s an important point that often gets missed in current AI discussions.

The agency that matters most is the person’s, not the agent’s.

A personal AI agent is an instrument—like a phone, a computer, or a car. It acts on behalf of the individual, but the intention behind it must be the person’s own.

And that leads to another requirement:

The only truly personal agents will be owned and operated by individuals.

We don’t have that yet.

What we have instead are assistants that live inside corporate systems—helpful, sometimes impressive, but ultimately operating within feudal structures run by very large companies.

They are, at best, friendly suction cups on the tentacles of giants.

Individuals may well rent or borrow AI models from those giants. But the agents that represent us should operate inside our own environments, in our exclusive interest, rather than inside corporate systems whose interests may diverge from ours.

In other words, our agents should live in our own castles, not inside someone else’s kingdom.

When that happens—when individuals can show up in markets through tools they control—then the deeper shift becomes possible: from guesswork based on surveillance of captive customers to servicing self-qualified leads from free customers in the open marketplace.

Markets then begin to work the way markets are supposed to work: with demand and supply meeting in the open, in relationships that can last far beyond a single transaction.

This is also where work like MyTerms and the emerging ecosystem around personal AI becomes important. If individuals are to operate in markets through their own agents, those agents need ways to assert the person’s terms, preferences, and boundaries in forms that other systems can recognize and respect.

That is the direction VRM has been pointing for nearly twenty years: toward a world where individuals can arrive in markets with their own tools, their own data, and their own terms—and where markets can finally listen.

When that happens, markets will stop guessing what customers want—and start hearing them.

[Later… I actually wrote this post about a month ago, and put off publishing it while I worked on other things. Meanwhile, Adrian Gropper posted A Fork in the Road, which is required reading. I thank him for reminding me in the comments below, and for being a founding participant in ProjectVRM—going back to our earliest meetings almost 20 years ago.]

Finally Fixing Health Care

April 14, 2026 / / 1 Comment

Source: ChatGPT

Interesting how old posts get new traffic. The heaviest traffic this morning is to Health Care Relationship Management, which ran almost nineteen years ago. That post concerned a Steve Lohr story in the NY Times titled Google and Microsoft Look to Change Health Care.  The gist:

The Google and Microsoft initiatives would give much more control to individuals, a trend many health experts see as inevitable. “Patients will ultimately be the stewards of their own information,” said John D. Halamka, a doctor and the chief information officer of the Harvard Medical School.

The initiatives were Google Health  and Microsoft Healthvault. Never mind why they died. Those links will tell you. What matters more is what I said way back then: The key, as with all VRM projects, is that the solution needs to be anchored on the customer side — in this case the patient side — of the relationship.

As it happens, Adrian Gropper, techie and MD, was on this case long before Google and Microsoft showed up to waste $billions failing to solve a problem they could only compound. And he’s still at it, with HIE of One and related efforts. Here is his Substack. These subjects will be on the floor at VRM Day and IIW later this month. VRM for healthcare will save the world $billions, in addition to countless lives.

Here’s Adrian’s latest.

Shooting for the World

April 7, 2026 / / 1 Comment

There is no organisation on Earth with a more audacious purpose than this one:

From Customer Commons’ current index page.

This isn’t shooting for the Moon. It’s shooting for the whole world of business.

What Customer Commons wants to restore isn’t just what was lost when the Internet got real. (For example, privacy.) Customer Commons also wants to restore personal agency that was lost when Industry won the Industrial Revolution. That’s when jobs replaced work, labour replaced teams, and customers became consumers.

That last shift, Jerry Michalski explains, was from human beings to “gullets with wallets and eyeballs.” After that shift, freedom of contract in marketplaces was enjoyed only by businesses. Not by gullets.

Customer Commons was created to change that. It was spun out of ProjectVRM as a 501(c)3 nonprofit in 2013, shortly after Harvard Business Review Press published  The Intention Economy: When Customers Take Charge. That book specifically gave Customer Commons the job of doing for personal privacy terms what Creative Commons did for personal copyright.  And to do it by making privacy a contract between customers and businesses, rather than a “consent” to whatever the hell businesses wanted to shove down our gullets. (For example, with interruptive cookie “choices” that really aren’t and leave no audit trail.)

Work on that began in 2017, when the IEEE approached Customer Commons with an offer to host development of a standard for machine-readable personal privacy terms. That standard, officially called IEEE 7012-2025, and nicknamed MyTerms, was published this past January, concluding nine years of work.

Now what?

MyTerms is a great start toward completing Customer Commons’ audacious mission. Here are some goals we will achieve when that mission is accomplished:

  1. VRM will be a business category, welcomed and engaged by CRM and CX functions on the sell sides of markets.
  2. We will have proof that free customers are worth more than captive ones—to companies they engage, to whole markets, and to themselves. This was ProjectVRM’s original mission in 2006.
  3. The intention economy will materialize when voluntary signaling from customers to companies outperforms and obsolesces surveillance as the primary means for companies to obtain data about customers.

MyTerms is required for all three, because a contract is the only way for companies to commit to respecting personal privacy, and MyTerms is the standard for doing that.

So the first challenge is to make Customer Commons viable as the first mover in establishing MyTerms in the world.

The second challenge is to make Customer Commons substantial enough to lead work toward all three of the challenges listed above. Customer Commons won’t be the only entity working on those. In the U.S., Consumer Reports has already stepped forward as a natural ally.  MyData Global is partnering with Customer Commons in standing up the MyTerms Alliance, which is HQ’d in Europe. There are many other potential partners, such as Mozilla and the EFF.

There is development work on MyTerms already. You can learn more about those at VRM Day, IIW, and AIW, which run M-F through the last week of this month (April 27 to May 1) at the Computer History Museum in Silicon Valley.

Here are other ideas that have been floated in the past for Customer Commons:

  1. Customers Union. Being for customers what the AARP is for retired people. Only bigger, because it would include everybody who is a customer of anything. This isn’t far from Consumers Union, which begat Consumer Reports, and is now its advocacy group.
  2. CustomerCon. A trade show with company booths run by customers, to which companies are invited as guests. Key feature: no complaining. Guest companies are treated only to positive and constructive ideas. HT to Tim Hwang for helping come up with that one.
  3. Omie. A tablet with apps free of Google and Apple. HT to Iain Henderson.
  4. The ByWay, a new path for local e-commerce.
  5. The Free Customer Award. This would be given to companies that value free customers and do nothing to entrap them. The canonical example described in The Intention Economy is Trader Joe’s. But there are others. In-N-Out Burger, for example.

I share those only to give you an idea of how big and influential Customer Commons might be, and how it’s possible to have fun making a new and better economy happen.

We’re not at Square One. Customer Commons is an extant nonprofit, has an energetic board, and a huge accomplishment by getting MyTerms finished. What it needs now is to build out a working organisation. How can we do that?

Let’s look at how Creative Commons got rolling in 2002 and kept moving after that. Here is what I’ve found in diggings so far—

  • The History of Creative Commons in Wired (December 2011) says, “An hour after the court’s decision was announced, the William and Flora Hewlett Foundation presented Creative Commons with $1,000,000 to launch the movement.” The case was Eldred v. Ashcroft.
  • In 2008, there was a successful funding challenge from Hewlett: “The 5×5 challenge, issued in honor of Creative Commons’ fifth birthday, called for the organization to find five funders to each promise five years of support at $500,000 per year. In addition to the Hewlett Foundation, Creative Commons received pledges of $500,000 in yearly support for five years from Omidyar Network, as well as from an anonymous European trust. Google has pledged $300,000 in support renewable for five years, while Mozilla and Red Hat have each pledged to contribute $100,000 annually for five years. The final block of support comes from the board of Creative Commons, which has promised to personally raise or contribute $500,000 to the organization annually for five years.”(Source: Creative Commons Newsletter No.5, February 2008)
  • A Creative Commons  announcement in April 2008 said, “We’re thrilled about a major new grant of $4 million from the William and Flora Hewlett Foundation, consisting of $2.5 million to provide general support to Creative Commons over five years, as well as $1.5 million to support ccLearn.”
  • A MacArthur grant search reports a total of $3,225,000 provided between 2002 and 2022:
    • $750,000 in 2005 to support general operations for three years
    • $500,000 in 2007 to support Science Commons for two years
    • $700,000 in2008 to support general operations and an endowment campaign for three years
    • $25,000 in 2015 to provide travel and other support for attendees of the Creative Commons Global Summit in South Korea, for two months. The meeting was also funded in part by the Institute for Museu m and Library Services and th e Gates Foundation, and by the Korean Ministry of Culture, Sports and Tourism ($25,000), Mozilla ($10,000), and the Wikimedia Foundation ($10,000).
    • $50,000 in 2022 to support dedicated programming on open journalism issues at the 2023 Global Summit, “which is an annual event that brings together educators, artists, technologists, legal experts, and activists to promote the power of open licensing and global access.”

So, by inference, the phases were roughly this:

  • Launch (2001–2002) $1M of initial funding
  • Early build-out (2002–2004) +$1–3M with  additional foundation support
  • Continuous operations (2005 onward) at ~$1–3M/year

That gives us an idea of what we need to raise. (Given inflation, multiply those numbers by 1.5x.)

I’ll tell you more when I find out more. Meanwhile, watch this space. Better yet, jump in and help out.

 

 

 

Without Privacy, VRM Can’t Happen

March 27, 2026 / / 0 Comments

Nor can CRM. Not really. The middle name of both is Relationship, and those require respect for each other’s boundaries. We don’t have that yet online, and can’t without working standards (hello MyTerms), tech, and norms. In fact, the opposite prevails: extreme exploitation of absent personal privacy.

Helen Nissenbaum has been teaching us that for decades, and working on solutions. One is Adnauseum, which may be on your browser already.  It works (says that last link) “by automating ad clicks universally and blindly on behalf of its users. Built atop uBlock Origin, AdNauseam quietly clicks on every blocked ad, registering a visit on ad networks’ databases. As the collected data gathered shows an omnivorous click-stream, user tracking, targeting and surveillance become futile.” In another word, obfuscation.

And that’s what Helen will unpack when she speaks in our salon series here at Indiana University next Tuesday at 4 pm Eastern, and on Zoom. Her title is Why Obfuscation is (still) Needed (more than ever). Here’s the flyer, with the registration and Zoom links:

And in case you don’t click on that, here it is again.

See you there.

Making a New News Business

March 23, 2026 / / 2 Comments

Watching the old galaxy fade away.

In the dawning decades of our new Digital Age, the news business has shrunk from a galaxy of bright stars to a loose collection of white dwarfs glowing in otherwise dark empty spaces. The empty spaces are called  “news deserts.”

In the meantime (at least in the US), the redstream is the new mainstream, while more and more people get news (or what passes for it) from social media and each other. Countless sources are also faked up by AI.

Less metaphorically, the news business has de-institutionalized. How can we re-institutionalize it in digital ways that can also be trusted?

I suggest we start by spinning up News Commons that work with the fewest possible intermediaries between people and sources, and value exchanges that reward everyone.

Some background:::

1) The Dying Galaxy

Here’s how bright stars have turned into white dwarfs:

  1. Stopped Presses: There are now fewer than 1,000 daily newspapers left in the U.S. Over 50 million Americans now live in news deserts.
  2. Radio Silence: CBS News Radio—the oldest and most august of all the syndcated broadcast news sources— will be gone in May 2026 after a 99-year run. Meanwhile, Public Radio (NPR et al.) faces a “shrinking pie” problem: ratings (dig around here) remain steady or are growing only because stations hold larger shares of a rapidly dwindling over-the-air audience.
  3. Cut Cables: Cord-cutting continues, as viewing moves from cable to Internet, and from live to on-demand streamed entertainment. In the midst of this shift, cable news is morphing from mainstream to redstream. Specifically, CNN is moving rightward under the Ellisons, while Fox News stays as right as they were, and MSNBC under its new MS NOW brand continues to glow dimly at the left end of the ratings. None come close in popularity to any of the top news commentary podcasts. Anyway, cable news is transitioning from a collection of leanings (center, left, and right) to highly partisan amen corners with shrinking audiences.
  4. Thinning Air: Over-the-air TV (what we still call stations, with channel numbers) is now called “linear,” whether it’s from a connected antenna or from a cable screwed into the same jack on the back of a TV. That category is also in decline, a victim of the same viewing shift to streaming services (now less often called over-the-top, or OTT, now that the bottom—linear TV—is fading away).
  5. Babes in New Woods: News is still being consumed, though it’s hardly hard  news or from the media we knew when all the stars were bright and mostly trusted. Especially for young people. Lots of stats at both those links. The bottom line is that none of that flow is from the old stars. At least not directly.

Nearly all coverage of changes in the dimming news galaxy concerns one or more of the five factors listed above. Some of that coverage (most notably from the Nieman Journalism Lab) is about innovations. To mix metaphors a bit, while some of these innovations look like greenfields, none of them look very large. (More credit where due: At least these efforts, as the Quakers say, improve on the silence.)

2) MyTerms (IEEE 7012) and the Agentic Shift

Today, the news world is mostly hidden behind permission walls. Inside those walls, absent personal privacy is exploited to extremes almost nobody will contemplate or admit to.  (Here’s a PageXray of Wired.com—one of the “good” guys.) For a fig leaf over the hard-ons walled garden barons have for personal data, visitors knocking on front doors must yield to demands in the form of misleading cookie notices and in crap like this:

Go to www.cnn.com/privacy, as the notice suggests (or just click on that image), and you will find your privacy well and truly fucked.

The ProjectVRM community has written a lot about this over many years. But now, thanks to our work with Customer Commons since 2012 and the IEEE since 2017, we have IEEE 7012 (MyTerms): a standard that flips the script on privacy-as-bullshit by giving individuals a way to proffer their own damn privacy terms as binding contracts, with agents working for both parties. Specifics:

  • Personal AI Agents: Under MyTerms, individuals operate through agents that can range in complexity from browser plug-ins to private AI agents. These agents have a sole responsibility to the person, proffering and signing agreements, and keeping auditable records of them.
  • Reciprocal Agency: On the other side, news providers use their own agents tto choose from the person’s roster of privacy agreement choices (on the Creative Commons model). This machine-to-machine handshake replaces the deceptive, unfair, and un-auditable non-agreements we get with cookie notices and shit such as we see in the image above.
  • Unlocked Possibilities: Unlike corporate AI agents designed to keep people inside a walled garden (one cause of the zero-click problem), a personal AI agent can get the requested news item after a MyTerms agreement is signed, and then participate in a whole new value exchange system that works for everyone. For example, should a further agreement be reached (such as one for a micropayment or an acceptable subscription (also built atop MyTerms) the personal AI agent can both obtain the requested news and work out forms of compensation. In this new system, personal data will be shared on an as-needed and trusted basis that continues to assure personal privacy. This can be done in ways that preserve the open Web and create settlement systems that work for all involved (and not just for sellers and the platforms that trapped them in the past).
  • Downstream Economic Benefits: When use-value and sale-value are both exchanged on terms that work for all involved, a news ecosystem can be built that rivals the old news galaxy, but with many more bright stars and fewer dark spaces. It will also obsolesce the current all-dwarf system, which is based on customr capture, constant surveillance, and algorithmic guesswork that annoys or offends everyone involved.

3. The New News Commons

To maximize both use-value and sale-value, our goal here is an ecosystem with maximized agency on both sides, and the fewest and simplest intermediaries.

  • From redstreams and bluestreams to wide open mystreams: Partisan news at the personal level (look at all those podcasts and blogs) has proven that decentralized, on-demand media are highly resilient. The task now is to multiply and disintermediate both consumption and production. This is required especially at the local level, where realities on the ground (e.g., weather and potholes) tend not to be partisan. What we want here is a common space governed by shared standards (and Ostrom’s principles) rather than algorithmic guesswork by unaccountable giants and their grudging dependents.
  • The Nonprofit Pivot: Local digital-first nonprofits now represent over 50% of the Institute for Nonprofit News (INN), providing a model for news as a public good.
  • The New Frontier: When you zero-base service and business models on agreed-upon privacy that starts with personal agency and respect for it, anything is possible. (By the way, this is what we’ve had in the natural world since we traded stones for fish. Just because we are still as naked on the Net as we were in Eden doesn’t mean we can’t clothe ourselves and get on with business.)
Feature Dying Star News System Bright Star News Commons
Privacy Corporate “consent” (tracking) MyTerms (User-Proffered Contract)
Agency Dependent “users” Independent readers, listeners, and viewers with loyal agents
Distribution Centralized walled gardens with paywalls and coerced subscriptions Open and independent consumers and producers creating use-value and sale-value exchanges that reward both sides

I could go on, but I want to get this up before I get on another airplane. Meanwhile, contact me by email (first name at last name dot com) or in the comments with ways to improve this. Thanks!

The Only Way to Get Privacy Online

January 13, 2026 / / 2 Comments

No regulation to make organizations respect personal privacy will work.

We’ve had cookie laws since the ’00s, the GDPR since the ’10s, and the CCPA since 2020. None of them has worked.

All those regulations are aimed at reducing the power of organizations to violate personal privacy. None is to empower people. That’s why, under those regulations, all we can do is agree to the terms organizations provide. We have no independent agency.  All we have is what they promise, and their promises aren’t worth the pixels they’re printed on.

The only way we will get privacy is with contracts, which are laws that two parties make for themselves.

And the only way to make contracts work, at scale, is if we are the ones proffering those terms as first parties, and organizations agree to them as second parties. This flips the script on business-as-usual online.

By the old script, privacy is a grace of corporate obedience to selections in cookie notices, many of which provide no choice at all. There is “Accept,” and that’s it. In that case, all you’re accepting is a corporate privacy policy, which is typically just a fig leaf over the company’s hard-on for personal data.

Regardless of what you do with a cookie notice, chances are the company still tracks you like a marked animal.  See here and here. You also have no easy of auditing compliance, because you keep no record of your “choices.” And we have that system because the incentives are worse than misaligned: they are completely broken.

See, if you are a typical website, you get paid for allowing third parties to harvest visitors’ personal data and use it to aim personalized advertising at their eyeballs. This is morally wrong on its face, but easily rationalized because it pays.

In the natural world, a store would never plant tracking beacons on every shopper, or require those shoppers to “choose” privacy protections by stripping naked and then selecting the purposes to which their personal tracking beacons will be put. Shoppers would avoid that store like the plague,

However, on the Net and the Web, we haven’t yet invented privacy, just as we hadn’t in the natural world before we invented clothing and shelter. So, on the Net and the Web, we are still naked as fish. As a result, a plague of near-ubiquitous surveillance has been raging online for decades. It is nearly impossible to avoid getting infected.

Most of that surveillance is for the $742 Billion surveillance-fed fecosystem* called adtech. And the only way we can obsolesce it is with a business ecosystem that works for everyone: customers and companies alike, and together.

We can do that now, with MyTerms.

MyTerms is the nickname for IEEE P7012 Standard for Machine Readable Personal Privacy Terms, which will be published next week after eight years in the works. (I chair the working group.)

It describes a protocol in the diplomatic sense: a way to reach and record agreements. Here is a diagram that shows how it works:

It is also the ultimate product of ProjectVRM, which began in 2006 with a mission: to prove that free customers are more valuable than captive ones—to companies, to markets, and to themselves. It was to ProjectVRM’s nonprofit spinoff, Customer Commons, that the IEEE came in 2017 with the challenge to create the MyTerms standard.

Of course, every agreement needs to be good for both sides. Right now we have five draft agreements for that. SD-BASE says “Service Delivery only.” This one requires that the site or service provide the visitor only what the visitor came for, and not to share personal data with third parties. This will make the site or service more inviting. (Customer Commons also plans to offer a trustmark to sites and services that sign MyTerms Agreements.) Lots of other mutually respectful agreements can also be built on top of SD-BASE: agreements that respect personal agency as well as privacy.

Other initial MyTerms agreements cover data portability, intentcasting, data-for-good, and AI training.

MyTerms will foster businesses and business methods that the surveillance fecosystem prevents. We describe how that will work, and some of the businesses MyTerms will create and improve, in The Cluetrain Will Run from Customers to Companies.

Of course, we need to develop tools and services for making that cluetrain run.  Please tell us what you’ve got or plan.

The place to list those is in a new section of our Developments page. We also need to re-write and condense our privacy manifesto, and welcome help with both.

We also need to thank our many teams over the past two decades for jobs well done, even if many of those jobs didn’t go anywhere, mostly because they were too early.

Now is the time, because the world is fed up with surveillance—and it is easier than ever to develop tools and services using AI.

MyTerms will be announced on 28 January at this event in the Imperial Business School and online. Please come.

*The word fecosystem is apropos, kinda like Cory Doctorow’s ensittification. Spread both words.

Writings on the Failings of Notice & Consent

December 27, 2025 / / 0 Comments

This notice actually appeared on the front door of my house for a while.

As with the notice above, notice & consent online is worse than a fail. It’s absurd.  But it helps to have sources that explain how ceremonies promising privacy online will always fail when those running the ceremonies are also incentivised to violate their privacy commitments (or not to make them in the first place). I’m including coverage of adjacent and dependent topics (e.g. adtech and CRM/CX).  Of course, this is all toward setting the stage for MyTerms. Feel free to add your own.

A list of scholarly (or simply serious) sources:

Don Marti’s writings:

Iain Henderson’s writings:

My own writings:

Also Terms and Conditions May Apply, a 2013 documentary by Cullen Hobeck.

When Branding Means Relating

December 22, 2025 / / 5 Comments

What is your best friend’s personal brand? How about your spouse’s?

Those questions came to mind as I read through The Death of Merchandising in an Online World, by  Dana Blankenhorn, who is reliably wise. In that post, Dana correctly observes that brand value is declining as merchandising shifts from stores to online services, and to influencers who are also stores.

I think there’s also something else going on at the same time: the shift in media from real advertising to the online equivalent of junk mail, which is what you see with nearly every ad you encounter on your browsers and apps. To marketers, browsers and apps are boxes for junk mail, which at its most ideal is personalized by surveillance.  As I put it in Separating Advertising’s Wheat and Chaff, ” Madison Avenue fell asleep, direct response marketing ate its brain, and it woke up as an alien replica of itself.”

I wrote that a decade ago. With AI today, that alien replica is the real thing. Madison Avenue is now AM radio, with a whip antenna and tail fins.

Brand advertising worked best when “the media” were mostly print and broadcast. Sources of both were so few that they all fit on a newsstand and the dials of radios and TVs. To operate a source of either, you needed a printing plant or transmitting towers. Publishers and broadcasters are still around, but now their goods are mostly distributed over the Internet and consumed through glowing rectangles. And they’re competing in a world where the abundance of other sources of content is incalculably vast. In that world, the only places you can still reliably create and maintain brands is by sponsoring live events. Especially sports. That’s why I know fifteen minutes will save me fifteen percent with Geico, even though Geico stopped saying that years ago. I also know that you only pay for what you need with Liberty Mutual. And I’ll never get the Shaefer Beer jingle out of my mind.

On the whole, however, branding has finished running the same course as the broadcasting it paid for.

It helps to remember that the words brand and branding were borrowed from ranching. They applied especially well when people had few choices of media, and few if any ways to avoid ads meant to burn the names of companies and products onto mental hides.

What we really (or at least should) mean by brand today is reputation. How a business obtains that in our still-new Digital Age (now with AI!) is an open question.

I believe the answer will come from the natural world, where markets have been working far longer than we’ve had digital media, broadcasting, or print. It was in the natural world that two very different people—one an athiest and the other a pastor—separately explained to me, not long after The Cluetrain Manifesto came out, that markets are not just about transactions and (as Cluetrain insisted) conversations. They are about relationships.

Marketing prevents those. Or shortcuts them. Especially as it continues to devolve into funnels at the bottom end of which are transactions alone, or entrapment in a company’s “loyalty” system.

The Internet and the Web were both designed to support maximum agency and independence for every entity using them. We can have far better markets and marketing if demand and supply both work with maximized agency, and scale in ways that are good for both. That’s the idea behind market intelligence that flows both ways.

Making and maintaining those kinds of relationships will be VRM+CRM, What those together will make are wholes that exceed the sum of either part.

« Older posts

© 2026 ProjectVRM

Theme by Anders NorenUp ↑