Category: Privacy (Page 1 of 6)

Digital Omnibus Article 88b needs to be about contract, not just consent

With gratitude to the famous Peanuts cartoon. (And art help from ChatGPT.)

The EU’s new Digital Omnibus proposal aims to update and expand the GDPR, notably with Article 88b, which includes this. (I’ve boldfaced the phrases that matter):

A new Article 88b Regulation (EU) 2016/679 (General Data Protection Regulation), for automated and machine-readable indications of individual choices and respect of those indications by website providers once standards are available.

That was written in June 2025. We now have a standard for exactly that: IEEE 7012-2025—Standard for Machine-Readable Personal Privacy Terms. It is nicknamed MyTerms (much as IEEE 802.11 is nicknamed Wi-Fi) and was published by the IEEE in January 2026 after nine years in the making. Here’s the PDF.

Article 6 of the GDPR lists six bases for the  Lawfulness of Processing:

  1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  3. processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

I’ve boldfaced the three that matter, and italicised their core distinctions.

The entire adtech business relies on the first and last of these, consent and legitimate interests, as their excuses for tracking people, allowing them to obey the letter of the GDPR while screwing its spirit.

We see consent at work with every cookie notice we click on or click past. And we have no faith that clicks on consent “choices” provide any privacy protection at all. Reasons:

  1. Most sites ignore cookie choices.
  2. Many sites set cookies even before a cookie choice is made.
  3. It’s obvious that adtech is a personalised guesswork business that relies on surveillance, so most of these “choices” are misdirections away from corporate hunger for personal data.
  4. We have no record of the “choices” we make (and in many cases, no choice is offered), or any way to audit or dispute compliance.
  5. Uninvited and unwanted surveillance is by now so far out of control that cars, TVs, and AI chatbots are all in on the game (and hardly bother with consent notices).

To adtech, personal privacy is a bug, not a feature. It is incentivised to violate privacy. No amount of regulatory oversight will fix that. To adtech, paying fines for privacy violations is just a cost of doing business.

The only fix that will work is what people—customers and citizens—bring to the market’s table. With MyTerms, they can do that.

MyTerms addresses the second of the GDPR’s six legal bases: contract. Put simply, here is what  the MyTerms standard says:

  • The person (not a mere data subject) is the first party, and the site or service is the second party.
  • The person proffers a contractual agreement chosen from a limited roster posted on the public website of a disinterested nonprofit, such as Customer Commons (which was created to do for personal contracts what Creative Commons does for personal copyrights—and which the IEEE approached with the idea for making MyTerms a standard).
  • When the second party agrees, both parties keep an identical record, which supports compliance auditing and dispute resolution. (By preserving evidence, this also creates an infrastructure for dispute avoidance as well.)

The GDPR succeeded by recognising natural persons as holders of rights, but it left intact the industrial age convention in which organisations are the exclusive originators of terms at scale. That’s one reason why persons have remained mere data subjects rather than contractual parties.

Fortunately, the Internet’s base protocols are peer-to-peer. Treating people on the Net as mere “users” and “data subjects” limits their agency. With MyTerms, people acquire a status they yielded when industry won the industrial revolution. (Before the industrial age, surnames—Baker, Müller, Weaver,  Lefebvre, Smith, Marchand, Farmer—signified agency: what people did in the world. That’s just one thing we lost when we became workers, executives, consumers, and users.)

In the natural world, privacy is maintained mostly by tacit agreements. In the digital world there is no tacit, so agreements must become explicit and programmable. This is why contracts are the only way we’ll get real personal privacy in the digital world.

It should also be clear by now that polite requests also don’t work. We tried that with Do Not Track, and by the time it finished failing, the adtech lobby had turned it into Tracking Preference Expression—as if we wanted to be tracked all along.

That main pro-consent lobby is the Interactive Advertising Bureau, or IAB. Among its recommendations for the Digital Omnibus are deleting 88b and  improving consent in various ways, such as  “Revise the proposed stricter consent rules.”

The IAB is blind to the simple fact that people hate being spied on and do what they can to stop it—mainly by turning off ads. By 2015, ad blocking was already the biggest boycott in human history. That boycott rose in direct response to obvious tracking, especially with retargeting. (That’s how one ad or advertiser keeps following you from site to site and app to app.)  And the boycott is much bigger now:

The IAB earned all of that. Yet they still see ad blocking and tracking protection as problems to solve rather than clear and constructive signals from the marketplace.

So it should be clear by now that the old brownfield of consent has become a toxic wasteland of surveillance, lost privacy, and minimised human agency—led by an industry that has been hostile to privacy from the start.

In fact, consent is required for what Shoshana Zuboff calls Surveillance Capitalism. That form of capitalism is based on inferred or extracted consent. The only way we can defeat that regime is by re-basing e-commerce on contractual agreements in which customers take the lead. After all, it’s their privacy that needs protection.

The surveillance economy is limited entirely by its methods, which are built around grabbing attention, harvesting data, and guessing at people.

We can replace it with an intention economy that’s based on what customers actually want. The range of those wants far exceeds what companies and their systems can guess at. Far more business, and business improvement, opens up when market intelligence can flow both ways. In the consent/surveillance regime, it can’t, because all relationships are silo’d in sellers’ separate systems, all built to minimize customer interactions, by design. But relationships built on respectful contractual agreements can be far more capacious when those relationships start with forms of mutual trust that whole markets share. That’s what MyTerms makes possible.

Here is a quick outline of some additional benefits.

For customers, the most obvious one is getting rid of cookie notices, which are annoying and not worth the pixels they are printed on.  If a company really does care about personal privacy, it’ll respect personal privacy requirements. This is how things work in the natural world, where tracking people like marked animals has been morally wrong for millennia. In the digital world, however, agreements need to be explicit, so programming and services can be based on them. MyTerms does that.

For business, MyTerms has lots of advantages:

  • Reduced or eliminated compliance risk
  • Competitive differentiation
  • Lower customer churn
  • A basis for real rather than coerced relationships
  • A basis for better signalling in both directions
  • Reduced or eliminated guesswork about what customers want, how they use products and services, and  how both might be improved

Lawyers get a new market for services on both the buy and sell sides of the marketplace. Companies in the CMP (consent management platform) business (e.g. Admiral and OneTrust) have something new and better to sell to enterprises (and perhaps to people as well).

Lawmakers and Regulators can start looking at the Internet and the Web as places where freedom of contract prevails, and contracts of adhesion (such as what you “agree” to with cookie notices) are obsolete.

Developers can have a field day (or decade). Look for these categories to emerge

In the marketplace, we can start to see all these things:

  • VRM + CRM will flourish, as described by Iain Henderson (one of MyTerms’ authors) in Towards Network-Based Ecosystems.
  • We should expect improvements to digital public infrastructure, as relationships move out of Big Tech’s silos and into distributed relationship frameworks based on the Internet’s base peer-to-peer protocols.
  • Predictions I made in The Intention Economy: When Customers Take Charge (Harvard Business Review Press, 2012) and Tim Berners-Lee made in the Attention vs. Intention chapter of This Is for Everyone: The Unfinished Story of the World Wide Web (Farrar, Straus and Giroux, 2025) will finally come true.
  • There will be new dances between customers and companies. (“The Dance” is a closing chapter of The Intention Economy.)
  • New commercial ecosystems can grow around a richer flow of useful information in both directions, based on shared interest and trust between customers and companies.
  • Surveillance capitalism will be obsolesced — and replaced by an economy aligned with personal agency and mutual respect from contractual partners.

And much more.

So it would be helpful for the European Commission to expand its scope from protecting data subjects to empowering first parties. They can do that by welcoming MyTerms in the Omnibus Directive, expanding human agency into a new greenfield where boundless positive outcomes can flourish.


Drafts of myterms agreements are currently posted at MyTerms.info, which is a project of Customer Commons and MyData Global. You can also read more about MyTerms in writings by Iain Henderson, Nitin Badjatia, and me.

We also invite you to join the ProjectVRM list, where we can converse and collaborate on moving MyTerms forward.

Shooting for the World

There is no organisation on Earth with a more audacious purpose than this one:

From Customer Commons’ current index page.

This isn’t shooting for the Moon. It’s shooting for the whole world of business.

What Customer Commons wants to restore isn’t just what was lost when the Internet got real. (For example, privacy.) Customer Commons also wants to restore personal agency that was lost when Industry won the Industrial Revolution. That’s when jobs replaced work, labour replaced teams, and customers became consumers.

That last shift, Jerry Michalski explains, was from human beings to “gullets with wallets and eyeballs.” After that shift, freedom of contract in marketplaces was enjoyed only by businesses. Not by gullets.

Customer Commons was created to change that. It was spun out of ProjectVRM as a 501(c)3 nonprofit in 2013, shortly after Harvard Business Review Press published  The Intention Economy: When Customers Take Charge. That book specifically gave Customer Commons the job of doing for personal privacy terms what Creative Commons did for personal copyright.  And to do it by making privacy a contract between customers and businesses, rather than a “consent” to whatever the hell businesses wanted to shove down our gullets. (For example, with interruptive cookie “choices” that really aren’t and leave no audit trail.)

Work on that began in 2017, when the IEEE approached Customer Commons with an offer to host development of a standard for machine-readable personal privacy terms. That standard, officially called IEEE 7012-2025, and nicknamed MyTerms, was published this past January, concluding nine years of work.

Now what?

MyTerms is a great start toward completing Customer Commons’ audacious mission. Here are some goals we will achieve when that mission is accomplished:

  1. VRM will be a business category, welcomed and engaged by CRM and CX functions on the sell sides of markets.
  2. We will have proof that free customers are worth more than captive ones—to companies they engage, to whole markets, and to themselves. This was ProjectVRM’s original mission in 2006.
  3. The intention economy will materialize when voluntary signaling from customers to companies outperforms and obsolesces surveillance as the primary means for companies to obtain data about customers.

MyTerms is required for all three, because a contract is the only way for companies to commit to respecting personal privacy, and MyTerms is the standard for doing that.

So the first challenge is to make Customer Commons viable as the first mover in establishing MyTerms in the world.

The second challenge is to make Customer Commons substantial enough to lead work toward all three of the challenges listed above. Customer Commons won’t be the only entity working on those. In the U.S., Consumer Reports has already stepped forward as a natural ally.  MyData Global is partnering with Customer Commons in standing up the MyTerms Alliance, which is HQ’d in Europe. There are many other potential partners, such as Mozilla and the EFF.

There is development work on MyTerms already. You can learn more about those at VRM Day, IIW, and AIW, which run M-F through the last week of this month (April 27 to May 1) at the Computer History Museum in Silicon Valley.

Here are other ideas that have been floated in the past for Customer Commons:

  1. Customers Union. Being for customers what the AARP is for retired people. Only bigger, because it would include everybody who is a customer of anything. This isn’t far from Consumers Union, which begat Consumer Reports, and is now its advocacy group.
  2. CustomerCon. A trade show with company booths run by customers, to which companies are invited as guests. Key feature: no complaining. Guest companies are treated only to positive and constructive ideas. HT to Tim Hwang for helping come up with that one.
  3. Omie. A tablet with apps free of Google and Apple. HT to Iain Henderson.
  4. The ByWay, a new path for local e-commerce.
  5. The Free Customer Award. This would be given to companies that value free customers and do nothing to entrap them. The canonical example described in The Intention Economy is Trader Joe’s. But there are others. In-N-Out Burger, for example.

I share those only to give you an idea of how big and influential Customer Commons might be, and how it’s possible to have fun making a new and better economy happen.

We’re not at Square One. Customer Commons is an extant nonprofit, has an energetic board, and a huge accomplishment by getting MyTerms finished. What it needs now is to build out a working organisation. How can we do that?

Let’s look at how Creative Commons got rolling in 2002 and kept moving after that. Here is what I’ve found in diggings so far—

  • The History of Creative Commons in Wired (December 2011) says, “An hour after the court’s decision was announced, the William and Flora Hewlett Foundation presented Creative Commons with $1,000,000 to launch the movement.” The case was Eldred v. Ashcroft.
  • In 2008, there was a successful funding challenge from Hewlett: “The 5×5 challenge, issued in honor of Creative Commons’ fifth birthday, called for the organization to find five funders to each promise five years of support at $500,000 per year. In addition to the Hewlett Foundation, Creative Commons received pledges of $500,000 in yearly support for five years from Omidyar Network, as well as from an anonymous European trust. Google has pledged $300,000 in support renewable for five years, while Mozilla and Red Hat have each pledged to contribute $100,000 annually for five years. The final block of support comes from the board of Creative Commons, which has promised to personally raise or contribute $500,000 to the organization annually for five years.”(Source: Creative Commons Newsletter No.5, February 2008)
  • A Creative Commons  announcement in April 2008 said, “We’re thrilled about a major new grant of $4 million from the William and Flora Hewlett Foundation, consisting of $2.5 million to provide general support to Creative Commons over five years, as well as $1.5 million to support ccLearn.”
  • A MacArthur grant search reports a total of $3,225,000 provided between 2002 and 2022:
    • $750,000 in 2005 to support general operations for three years
    • $500,000 in 2007 to support Science Commons for two years
    • $700,000 in2008 to support general operations and an endowment campaign for three years
    • $25,000 in 2015 to provide travel and other support for attendees of the Creative Commons Global Summit in South Korea, for two months. The meeting was also funded in part by the Institute for Museu m and Library Services and th e Gates Foundation, and by the Korean Ministry of Culture, Sports and Tourism ($25,000), Mozilla ($10,000), and the Wikimedia Foundation ($10,000).
    • $50,000 in 2022 to support dedicated programming on open journalism issues at the 2023 Global Summit, “which is an annual event that brings together educators, artists, technologists, legal experts, and activists to promote the power of open licensing and global access.”

So, by inference, the phases were roughly this:

  • Launch (2001–2002) $1M of initial funding
  • Early build-out (2002–2004) +$1–3M with  additional foundation support
  • Continuous operations (2005 onward) at ~$1–3M/year

That gives us an idea of what we need to raise. (Given inflation, multiply those numbers by 1.5x.)

I’ll tell you more when I find out more. Meanwhile, watch this space. Better yet, jump in and help out.

 

 

 

Without Privacy, VRM Can’t Happen

Nor can CRM. Not really. The middle name of both is Relationship, and those require respect for each other’s boundaries. We don’t have that yet online, and can’t without working standards (hello MyTerms), tech, and norms. In fact, the opposite prevails: extreme exploitation of absent personal privacy.

Helen Nissenbaum has been teaching us that for decades, and working on solutions. One is Adnauseum, which may be on your browser already.  It works (says that last link) “by automating ad clicks universally and blindly on behalf of its users. Built atop uBlock Origin, AdNauseam quietly clicks on every blocked ad, registering a visit on ad networks’ databases. As the collected data gathered shows an omnivorous click-stream, user tracking, targeting and surveillance become futile.” In another word, obfuscation.

And that’s what Helen will unpack when she speaks in our salon series here at Indiana University next Tuesday at 4 pm Eastern, and on Zoom. Her title is Why Obfuscation is (still) Needed (more than ever). Here’s the flyer, with the registration and Zoom links:

And in case you don’t click on that, here it is again.

See you there.

Writings on the Failings of Notice & Consent

This notice actually appeared on the front door of my house for a while.

As with the notice above, notice & consent online is worse than a fail. It’s absurd.  But it helps to have sources that explain how ceremonies promising privacy online will always fail when those running the ceremonies are also incentivised to violate their privacy commitments (or not to make them in the first place). I’m including coverage of adjacent and dependent topics (e.g. adtech and CRM/CX).  Of course, this is all toward setting the stage for MyTerms. Feel free to add your own.

A list of scholarly (or simply serious) sources:

Don Marti’s writings:

Iain Henderson’s writings:

My own writings:

Also Terms and Conditions May Apply, a 2013 documentary by Cullen Hobeck.

Protocols for MyTerms

MyTerms (IEEE P7012 Draft Standard for Machine Readable Personal Privacy Terms, unpacked here) has a simple conceptual structure that is open to many different protocols and roles for them. Note the arrows in this graphic:

MyTerms flow

Protocols are required for those.

Here is an alphabetized list of some protocols that I know so far, and what I think they might do (given my incomplete knowledge across all of them.). Note that the standard never says “user,” which has subordinate and dependent implications. It calls the first party a “person” or an “individual,” and the second party an “entity.”

  • A2A Protocol — “An open protocol enabling communication and interoperability between AI agents, giving them a common language – irrespective of the framework or vendor they are built on.” More here.
  • ActivityPub — Can publish or reference a MyTerms URI in actor metadata or message extensions so follows/interactions and happen under the person’s terms.
  • AT Protocol — Can include a MyTerms pointer in profile schemas or event metadata so interactions can be logged under the proffered terms.
  • Beckn Protocol — Can carry a MyTerms URI (or the terms JSON) in discovery/order messages and bind acceptance in the async ACK/NACK flow.
  • DIDComm v2 — Can attach MyTerms as a claim/document in DID-to-DID messages; the counterparty signs/acks to bind the contract.
  • GNAP — Can pass a MyTerms URI/hash in the grant/interaction; record acceptance alongside the grant.
  • HCP (Human/Hyper-Capability Protocol) — Called (at that link) “a user-owned, secure, and interoperable preference layer that grants individuals granular, revocable control over how their data steers AI systems,” it can store a MyTerms reference in the person’s preference set, gate releases on acceptance, and optionally include the URI/hash in OAuth flows to enable audit.
  • HTTP Message Signatures (RFC 9421) — Can bind MyTerms to specific HTTP exchanges by signing requests/responses that include a terms reference.
  • HTTPS — This is generic transport. It can attach or link MyTerms in headers/body and have the counterparty echo/ack to the transaction log.
  • JLINC — Designed for MyTerms-like ceremonies, it can carry a MyTerms ID/hash for “data shared under an agreement.”
  • Matrix — Can include a MyTerms pointer in a profile state or an event content so rooms/interactions are conducted under the person’s terms.
  • Model Context Protocol (MCP) — Can send a MyTerms URI/hash in a tool/agent handshake or call metadata, so tools operate under those terms and log acceptance.
  • NANDA (Internet of AI Agents) — Can expose MyTerms during agent discovery/handshake and metadata in registry so agents negotiate under the person’s terms.
  • Nostr — Can include a MyTerms reference in profile/event tags so relays and clients can honor and log acceptance.
  • OAuth 2.0 — Can carry MyTerms as a parameter or in a request object, recording consent/acceptance with the access transaction.
  • OpenID Connect — Can include a MyTerms URI/hash as a claim (e.g., in the ID token) or request object with RP/OP log acceptance.
  • Solid — Can host the person’s MyTerms in their wallet (formerly called a pod) and require apps or services to transact under those terms for resource access.
  • UMA 2.0 — Can treat MyTerms as a policy at the resource server and share only with parties that have accepted the person’s terms.
  • Web Linking (RFC 8288) — Can advertise a MyTerms URI via Link: headers or a /.well-known/ location for discovery and binding.

Please give me additions, corrections, and improvements.  And forgive the need for all of those changes. I think it’s important at this stage to get a list of possible protocols out there, and to get the discussion rolling. Thanks!

Shall we commit advercide?

On our mailing list, there is a suggestion that we need a browser that kills all the advertising it sees on the Web. Not just the rude kind, or the tracking-based kind. The idea is to waste it all. The business model is, “$10 a month for a browser which guarantees no adverts, ever. If you see an advert, you file a bug report.”

I dismissed the idea a few years ago, when it first came up, for what seemed good and obvious reasons: that lots of advertising is informative and useful, that good and honest (e.g. non-tracking-based) advertising supports most of the world’s journalism, and so on.

But now most advertising on the Web is tracking-based (“programmatic” mostly means tracking-based), and most of the businesses involved seem hellbent on keeping it that way.

As for regulations, the GDPR and CCPA mean well, but they’ve done little to stop tracking, and much to make it worse.  Search for gdpr+compliance on Google and right now and see how many results you get. (I get way over a billion.) Nearly all of the finds you’ll see are pitches for ways sites and services can obey the letter of the GDPR while screwing its spirit. In other words, the GDPR and the CCPA have created a giant market for working around them.

Clearly the final market for goods and services on the Net—that’s you and me, ordinary human beings—don’t like being tracked like marked animals, and all the lost privacy that tracking involves. And hell, ad blocking alone was the biggest boycott in world history, way back in 2015. That says plenty.

So why not give our market a way to speak? Why not incentivize publishers to start making money in ways that respect everyone’s privacy?

Also, we’re not alone. Dig CheckMyAds.org and their efforts, such as this one.

Comments work on this blog again, so feel free to weigh in.

 

How the Web sucks

This spectrum of emojis is a map of the Web’s main occupants (the middle three) and outliers (the two on the flanks). It provides a way of examining who is involved, where regulation fits, and where money gets invested and made. Yes, it’s overly broad, but I think it’s helpful in understanding where things went wrong and why. So let’s start.

Wizards are tech experts who likely run their own servers and keep private by isolating themselves and communicating with crypto. They enjoy the highest degrees of privacy possible on and around the Web, and their approach to evangelizing their methods is to say “do as I do” (which most of us, being Muggles, don’t). Relatively speaking, not much money gets made by or invested in Wizards, but much money gets made because of Wizards’ inventions. Those inventions include the Internet, the Web, free and open source software, and much more. Without Wizards, little of what we enjoy in the digital world today would be possible. However, it’s hard to migrate their methods into the muggle population.

‍Muggles are the non-Wizards who surf the Web and live much of their digital lives there, using Web-based services on mobile apps and browsers on computers. Most of the money flowing into the webbed economy comes from Muggles. Still, there is little investment in providing Muggles with tools for operating or engaging independently and at scale across the websites and services of the world. Browsers and email clients are about it, and the most popular of those (Chrome, Safari, Edge) are by the grace of corporate giants. Almost everything Muggles do on the Web and mobile devices is on apps and tools that are what the trade calls silos or walled gardens: private spaces run by the websites and services of the world.

Sites. This category also includes clouds and the machinery of e-commerce. These are at the heart of the Web: a client-server (aka calf-cow) top-down, master-slave environment where servers rule and clients obey. It is in this category that most of the money on the Web (and e-commerce in general) gets made, and into which most investment money flows. It is also here that nearly all development n the connected world today happens.

 Ad-tech, aka adtech, is the home of surveillance capitalism, which relies on advertisers and their agents knowing all that can be known about every Muggle. This business also relies on absent Muggle agency, and uses that absence as an excuse for abusing the privilege of committing privacy violations that would be rude or criminal in the natural world. Also involved in this systematic compromise are adtech’s dependents in the websites and Web services of the world, which are typically employed by adtech to inject tracking beacons in Muggles’ browsers and apps. It is to the overlap between adtech and sites that all privacy regulation is addressed. This is why, the GDPR sees Muggles as mere “data subjects,” and assigns responsibility for Muggle’s privacy to websites and services the regulation calls “data controllers” and “data processors.” The regulation barely imagines that Muggles could perform either of those roles, even though personal computing was invented so every person can do both. (By the way, the adtech business and many of its dependents in publishing like to say the Web is free because advertising pays for it. But the Web is as free by nature as are air and sunlight. And most of the money Google makes, for example, comes from plain old search advertising, which can get along fine without tracking. There is also nothing about advertising itself that requires tracking.)

 Crime happens on the Web, but its center of gravity is outside, on the dark web. This is home to botnets, illegal porn, terrorist activity, ransom attacks, cyber espionage, and so on. There is a lot of overlap between crime and adtech, however, given the moral compromises required for adtech to function, plus the countless ways that bots, malware and other types of fraud are endemic to the adtech business. (Of course, to be an expert criminal on the dark web requires a high degree of wizardry. So I one could arrange these categories in a circle, with an overlap between wizards and criminals.)

I offer this set of distinctions for several reasons. One is to invite conversation about how we have failed the Web and the Web has failed us—the Muggles of the world—even though we enjoy apparently infinite goodness from the Web and handy services there. Another is to explain why ProjectVRM has been more aspirational than productive in the fifteen years it has been working toward empowering people on the commercial Net. (Though there has been ample productivity.) But mostly it is to explain why I believe we will be far more productive if we start working outside the Web itself. This is why our spinoff, Customer Commons, is pushing forward with the Byway toward i-commerce. Check it out.

Finally, I owe the idea for this visualization to Iain Henderson, who has been with ProjectVRM since before it started. (His other current involvements are with JLINC and Customer Commons.) Hope it proves useful.

Toward e-commerce 2.0

Phil Windley explains e-commerce 1.0  in a single slide that says this:

One reason this happened is that client-server, aka calf-cow  (illustrated in Thinking outside the browser) has been the default format for all relationships on the Web, and cookies are required to maintain those relationships.  The result is a highly lopsided power asymmetry in which the calves have no more power than the cows give them. As a result,

  1. The calves have no easy way even to find  (much less to understand or create) the cookies in their browsers’ jars.
  2. The calves have no identity of their own, but instead have as many different identities as there are websites that know (via cookies) their visiting browsers. This gives them no independence, much less a place to stand like Archimedes, with a lever on the world. The browser may be a great tool, but it’s neither that place to stand, nor a sufficient lever. (Yes, it should have been, and maybe still could be; but meanwhile, it isn’t.)
  3. All the “agreements” the calves have with the websites’ cows leave no readable record on the calves’ side. This severely limits their capacity for dispute, which is required for a true relationship.
  4. There exists no independent way the calves to signal their intentions—such as interests in purchase, conditions for engagement, or the need to be left alone (which is how Brandeis and Warren define privacy).

In other words, the best we can do in e-commerce 1.0 is what the calf-cow system provides: ways for calves to depend utterly on means the cows provide. And some of those cows are mighty huge.

Nearly all of signaling between demand and supply remains trapped inside these silos and walled gardens. We search inside their systems, we are notified of product and service availability inside their systems, we make agreements inside their systems (to terms and conditions they provide and require), or privacy is dependent on their systems, and product and service delivery is handled either inside their systems or through allied and dependent systems.

Credit where due: an enormous amount of good has come out of these systems. But a far larger amount of good is MLOTT—money left on the table—because there is a boundless sum and variety of demand and supply that still cannot easily signal their interest, intentions of presence to each other in the digital world.

Putting that money on the table is our job in e-commerce 2.0.

So here is a challenge: tell us how we can do that without using browsers.

Some of us here do have ideas. But we’d like to hear from you first.


Cross-posted at the ProjectVRM blog, here.

Is being less tasty vegetables our best strategy?

We are now being farmed by business. The pretense of the “customer is king” is now more like “the customer is a vegetable” — Adrian Gropper

That’s a vivid way to put the problem.

There are many approaches to solutions as well. One is suggested today in the latest by @_KarenHao in MIT Technology Review, titled

How to poison the data that Big Tech uses to surveil you:
Algorithms are meaningless without good data. The public can exploit that to demand change.

An  excerpt:

In a new paper being presented at the Association for Computing Machinery’s Fairness, Accountability, and Transparency conference next week, researchers including PhD students Nicholas Vincent and Hanlin Li propose three ways the public can exploit this to their advantage:
Data strikes, inspired by the idea of labor strikes, which involve withholding or deleting your data so a tech firm cannot use it—leaving a platform or installing privacy tools, for instance.
Data poisoning, which involves contributing meaningless or harmful data. AdNauseam, for example, is a browser extension that clicks on every single ad served to you, thus confusing Google’s ad-targeting algorithms.
Conscious data contribution, which involves giving meaningful data to the competitor of a platform you want to protest, such as by uploading your Facebook photos to Tumblr instead.
People already use many of these tactics to protect their own privacy. If you’ve ever used an ad blocker or another browser extension that modifies your search results to exclude certain websites, you’ve engaged in data striking and reclaimed some agency over the use of your data. But as Hill found, sporadic individual actions like these don’t do much to get tech giants to change their behaviors.
What if millions of people were to coordinate to poison a tech giant’s data well, though? That might just give them some leverage to assert their demands.

The sourced paper* is titled Data Leverage: A Framework for Empowering the Public in its Relationship with Technology Companies, and concludes,

In this paper, we presented a framework for using “data leverage” to give the public more influence over technology company behavior. Drawing on a variety of research areas, we described and assessed the “data levers” available to the public. We highlighted key areas where researchers and policymakers can amplify data leverage and work to ensure data leverage distributes power more broadly than is the case in the status quo.

I am all for screwing with overlords, and the authors suggest some fun approaches. Hell, we should all be doing whatever it takes, lawfully (and there is a lot of easement around that) to stop rampant violation of our privacy—and not just by technology companies. The customers of those companies, which include every website that puts up a cookie notice that nudges visitors into agreeing to be tracked all over the Web (in observance of the letter of the GDPR, while screwing its spirit), are also deserving of corrective measures. Same goes for governments who harvest private data themselves, or gather it from others without our knowledge or permission.

My problem with the framing of the paper and the story is that both start with the assumption that we are all so weak and disadvantaged that our only choices are: 1) to screw with the status quo to reduce its harms; and 2) to seek relief from policymakers.  While those choices are good, they are hardly the only ones.

Some context: wanton privacy violations in our digital world has only been going on for a little more than a decade, and that world is itself barely more than  a couple dozen years old (dating from the appearance of e-commerce in 1995). We will also remain digital as well as physical beings for the next few decades or centuries.

So we need more than these kinds of prescriptive solutions. For example, real privacy tech of our own, that starts with giving us the digital versions of the privacy protections we have enjoyed in the physical world for millennia: clothing, shelter, doors with locks, and windows with curtains or shutters.

We have been on that case with ProjectVRM since 2006, and there are many developments in progress. Some even comport with our Privacy Manifesto (a work in progress that welcomes improvement).

As we work on those, and think about throwing spanners into the works of overlords, it may also help to bear in mind one of Craig Burton‘s aphorisms: “Resistance creates existence.” What he means is that you can give strength to an opponent by fighting it directly. He applied that advice in the ’80s at Novell by embracing 3Com, Microsoft and other market opponents, inventing approaches that marginalized or obsolesced their businesses.

I doubt that will happen in this case. Resisting privacy violations has already had lots of positive results. But we do have a looong way to go.

Personally, I welcome throwing a Theia.


* The full list of authors is Nicholas Vincent, Hanlin Li (@hanlinliii), Nicole Tilly and Brent Hecht (@bhecht) of Northwestern University, and Stevie Chancellor (@snchencellor) of the University of Minnesota,

Let’s zero-base zero-party data

Forrester Research has gifted marketing with a hot buzzphrase: zero-party data, which they define as “data that a customer intentionally and proactively shares with a brand, which can include preference center data, purchase intentions, personal context, and how the individual wants the brand to recognize her.”

Salesforce, the CRM giant (that’s now famously buying Slack), is ambitious about the topic, and how it can “fuel your personalized marketing efforts.” The second person you is Salesforce’s corporate customer.

It’s important to unpack what Salesforce says about that fuel, because Salesforce is a tech giant that fully matters. So here’s text from that last link. I’ll respond to it in chunks. (Note that zero, first and third party data is about you, no matter who it’s from.)

What is zero-party data?

Before we define zero-party data, let’s back up a little and look at some of the other types of data that drive personalized experiences.

First-party data: In the context of personalization, we’re often talking about first-party behavioral data, which encompasses an individual’s site-wide, app-wide, and on-page behaviors. This also includes the person’s clicks and in-depth behavior (such as hovering, scrolling, and active time spent), session context, and how that person engages with personalized experiences. With first-party data, you glean valuable indicators into an individual’s interests and intent. Transactional data, such as purchases and downloads, is considered first-party data, too.

Third-party data: Obtained or purchased from sites and sources that aren’t your own, third-party data used in personalization typically includes demographic information, firmographic data, buying signals (e.g., in the market for a new home or new software), and additional information from CRM, POS, and call center systems.

Zero-party data, a term coined by Forrester Research, is also referred to as explicit data.

They then go on to quote Forrester’s definition, substituting “[them]” for “her.”

The first party in that definition the site harvesting “behavioral” data about the individual. (It doesn’t square with the legal profession’s understanding of the term, so if you know that one, try not to be confused.)

It continues,

why-is-zero-party-data-important

Forrester’s Fatemeh Khatibloo, VP principal analyst, notes in a video interview with Wayin (now Cheetah Digital) that zero-party data “is gold. … When a customer trusts a brand enough to provide this really meaningful data, it means that the brand doesn’t have to go off and infer what the customer wants or what [their] intentions are.”

Sure. But what if the customer has her own way to be a precious commodity to a brand—one she can use at scale with all the brands she deals with? I’ll unpack that question shortly.

There’s the privacy factor to keep in mind too, another reason why zero-party data – in enabling and encouraging individuals to willingly provide information and validate their intent – is becoming a more important part of the personalization data mix.

Two things here.

First, again, individuals need their own ways to protect their privacy and project their intentions about it.

Second, having as many ways for brands to “enable and encourage” disclosure of private information as there are brands to provide them is hugely inefficient and annoying. But that is what Salesforce is selling here.

As industry regulations such as GDPR and the CCPA put a heightened focus on safeguarding consumer privacy, and as more browsers move to phase out third-party cookies and allow users to easily opt out of being tracked, marketers are placing a greater premium and reliance on data that their audiences knowingly and voluntarily give them.

Not if the way they “knowingly and voluntarily” agree to be tracked is by clicking “AGREE” on website home page popovers. Those only give those sites ways to adhere to the letter of the GDPR and the CCPA while also violating those laws’ spirit.

Experts also agree that zero-party data is more definitive and trustworthy than other forms of data since it’s coming straight from the source. And while that’s not to say all people self-report accurately (web forms often show a large number of visitors are accountants, by profession, which is the first field in the drop-down menu), zero-party data is still considered a very timely and reliable basis for personalization.

Self-reporting will be a lot more accurate if people have real relationships with brands, rather (again) than ones that are “enabled and encouraged” in each brand’s own separate way.

Here is a framework by which that can be done. Phil Windley provides some cool detail for operationalizing the whole thing here, here, here and here.

Even if the countless separate ways are provided by one company (e.g. Salesforce),  every brand will use those ways differently, giving each brand scale across many customers, but giving those customers no scale across many companies. If we want that kind of scale, dig into the links in the paragraph above.

With great data comes great responsibility.

You’re not getting something for nothing with zero-party data. When customers and prospects give and entrust you with their data, you need to provide value right away in return. This could take the form of: “We’d love you to take this quick survey, so we can serve you with the right products and offers.”

But don’t let the data fall into the void. If you don’t listen and respond, it can be detrimental to your cause. It’s important to honor the implied promise to follow up. As a basic example, if you ask a site visitor: “Which color do you prefer – red or blue?” and they choose red, you don’t want to then say, “Ok, here’s a blue website.” Today, two weeks from now, and until they tell or show you differently, the website’s color scheme should be red for that person.

While this example is simplistic, the concept can be applied to personalizing content, product recommendations, and other aspects of digital experiences to map to individuals’ stated preferences.

This, and what follows in that Salesforce post, is a pitch for brands to play nice and use surveys and stuff like that to coax private information out of customers. It’s nice as far as it can go, but it gives no agency to customers—you and me—beyond what we can do inside each company’s CRM silo.

So here are some questions that might be helpful:

  • What if the customer shows up as somebody who already likes red and is ready to say so to trusted brands? Or, better yet, if the customer arrives with a verifiable claim that she is already a customer, or that she has good credit, or that she is ready to buy something?
  • What if she has her own way of expressing loyalty, and that way is far more genuine, interesting and valuable to the brand than the company’s current loyalty system, which is full of gimmicks, forms of coercion, and operational overhead?
  • What if the customer carries her own privacy policy and terms of engagement (ones that actually protect the privacy of both the customer and the brand, if the brand agrees to them)?

All those scenarios yield highly valuable zero-party data. Better yet, they yield real relationships with values far above zero.

Those questions suggest just a few of the places we can go if we zero-base customer relationships outside standing CRM systems: out in the open market where customers want to be free, independent, and able to deal with many brands with tools and services of their own, through their own CRM-friendly VRM—Vendor Relationship Management—tools.

VRM reaching out to CRM implies (and will create)  a much larger middle market space than the closed and private markets isolated inside every brand’s separate CRM system.

We’re working toward that. See here.

 

« Older posts

© 2026 ProjectVRM

Theme by Anders NorenUp ↑