Category: Signaling

Digital Omnibus Article 88b needs to be about contract, not just consent

With gratitude to the famous Peanuts cartoon. (And art help from ChatGPT.)

The EU’s new Digital Omnibus proposal aims to update and expand the GDPR, notably with Article 88b, which includes this (I’ve boldfaced the phrases that matter):

A new Article 88b Regulation (EU) 2016/679 (General Data Protection Regulation), for automated and machine-readable indications of individual choices and respect of those indications by website providers once standards are available.

That was written in June 2025. We now have a standard for exactly that: IEEE 7012-2025—Standard for Machine-Readable Personal Privacy Terms. It is nicknamed MyTerms (much as IEEE 802.11 is nicknamed Wi-Fi) and was published by the IEEE in January 2026 after nine years in the making. Here’s the PDF.

Article 6 of the GDPR lists six bases for the Lawfulness of Processing:

  1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  3. processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

I’ve boldfaced the three that matter, and italicised their core distinctions.

The entire adtech business relies on the first and last of these, consent and legitimate interests, as their excuses for tracking people, allowing them to obey the letter of the GDPR while screwing its spirit.

We see consent at work with every cookie notice we click on or click past. And we have no faith that clicks on consent “choices” provide any privacy protection at all. Reasons:

  1. Most sites ignore cookie choices.
  2. Many sites set cookies even before a cookie choice is made.
  3. It’s obvious that adtech is a personalised guesswork business that relies on surveillance, so most of these “choices” are misdirections away from corporate hunger for personal data.
  4. We have no record of the “choices” we make (and in many cases, no choice is offered), or any way to audit or dispute compliance.
  5. Uninvited and unwanted surveillance is by now so far out of control that cars, TVs, and AI chatbots are all in on the game (and hardly bother with consent notices).

To adtech, personal privacy is a bug, not a feature. It is incentivised to violate privacy. No amount of regulatory oversight will fix that. To adtech, paying fines for privacy violations is just a cost of doing business.

The only fix that will work is what people—customers and citizens—bring to the market’s table. With MyTerms, they can do that.

MyTerms addresses the second of the GDPR’s six legal bases: contract. Put simply, here is what the MyTerms standard says:

  • The person (not a mere data subject) is the first party, and the site or service is the second party.
  • The person proffers a contractual agreement chosen from a limited roster posted on the public website of a disinterested nonprofit, such as Customer Commons (which was created to do for personal contracts what Creative Commons does for personal copyrights—and which the IEEE approached with the idea for making MyTerms a standard).
  • When the second party agrees, both parties keep an identical record, which supports compliance auditing and dispute resolution. (By preserving evidence, this also creates an infrastructure for dispute avoidance as well.)
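
One way an identical record held by both parties can support auditing, as an added example that is not part of the original post and is not the record format defined by IEEE 7012. The roster identifiers, field names, party names, and the SHA-256 comparison are all assumptions made for illustration.

```python
import hashlib
import json

# Hypothetical roster of agreement identifiers published by the disinterested
# nonprofit. These are placeholders, not identifiers taken from IEEE 7012.
ROSTER = {"EXAMPLE-AGREEMENT-A", "EXAMPLE-AGREEMENT-B"}

# Hypothetical minimum contents of an agreement record.
REQUIRED_FIELDS = ("agreement_id", "first_party", "second_party", "agreed_at")


def canonical_bytes(record):
    """Serialize deterministically so equal records always yield equal bytes."""
    return json.dumps(
        record, sort_keys=True, separators=(",", ":"), ensure_ascii=True
    ).encode("utf-8")


def record_digest(record):
    """SHA-256 over the canonical form; either party can recompute it."""
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def make_record(agreement_id, first_party, second_party, agreed_at):
    """Build the record the person proffers; only rostered terms are allowed."""
    if agreement_id not in ROSTER:
        raise ValueError(f"{agreement_id!r} is not on the published roster")
    return {
        "agreement_id": agreement_id,
        "first_party": first_party,    # the person
        "second_party": second_party,  # the site or service
        "agreed_at": agreed_at,
    }


def audit(person_copy, site_copy):
    """Compare both parties' stored copies and return a list of findings.

    An empty list means the copies are complete, name a rostered agreement,
    and are identical, which is the state an auditor expects to see.
    """
    findings = []
    for name, copy in (("person", person_copy), ("site", site_copy)):
        missing = [f for f in REQUIRED_FIELDS if f not in copy]
        if missing:
            findings.append(f"{name} copy is missing fields: {missing}")
        if copy.get("agreement_id") not in ROSTER:
            findings.append(f"{name} copy names an agreement not on the roster")
    if record_digest(person_copy) != record_digest(site_copy):
        keys = set(person_copy) | set(site_copy)
        differing = sorted(
            k for k in keys if person_copy.get(k) != site_copy.get(k)
        )
        findings.append(f"copies differ in: {differing}")
    return findings


# Constructed sample data: the person's copy, the site's copy of the same
# record stored with a different key order, and a copy altered after the fact.
PERSON_COPY = make_record(
    "EXAMPLE-AGREEMENT-A", "person.example", "shop.example",
    "2026-02-01T10:00:00Z",
)
SITE_COPY = {k: PERSON_COPY[k] for k in reversed(list(PERSON_COPY))}
ALTERED_SITE_COPY = dict(SITE_COPY, agreement_id="EXAMPLE-AGREEMENT-B")

if __name__ == "__main__":
    print("matching copies:", audit(PERSON_COPY, SITE_COPY))
    print("altered copy:   ", audit(PERSON_COPY, ALTERED_SITE_COPY))
```

Because the digest is computed over a canonical serialization, a difference in storage order does not register as a dispute, while any change to the agreed terms does.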

The GDPR succeeded by recognising natural persons as holders of rights, but it left intact the industrial age convention in which organisations are the exclusive originators of terms at scale. That’s one reason why persons have remained mere data subjects rather than contractual parties.

Fortunately, the Internet’s base protocols are peer-to-peer. Treating people on the Net as mere “users” and “data subjects” limits their agency. With MyTerms, people acquire a status they yielded when industry won the industrial revolution. (Before the industrial age, surnames—Baker, Müller, Weaver, Lefebvre, Smith, Marchand, Farmer—signified agency: what people did in the world. That’s just one thing we lost when we became workers, executives, consumers, and users.)

In the natural world, privacy is maintained mostly by tacit agreements. In the digital world there is no tacit, so agreements must become explicit and programmable. This is why contracts are the only way we’ll get real personal privacy in the digital world.

It should also be clear by now that polite requests also don’t work. We tried that with Do Not Track, and by the time it finished failing, the adtech lobby had turned it into Tracking Preference Expression—as if we wanted to be tracked all along.

That main pro-consent lobby is the Interactive Advertising Bureau, or IAB. Among its recommendations for the Digital Omnibus are deleting 88b and improving consent in various ways, such as “Revise the proposed stricter consent rules.”

The IAB is blind to the simple fact that people hate being spied on and do what they can to stop it—mainly by turning off ads. By 2015, ad blocking was already the biggest boycott in human history. That boycott rose in direct response to obvious tracking, especially with retargeting. (That’s how one ad or advertiser keeps following you from site to site and app to app.) And the boycott is much bigger now:

The IAB earned all of that. Yet they still see ad blocking and tracking protection as problems to solve rather than clear and constructive signals from the marketplace.

So it should be clear by now that the old brownfield of consent has become a toxic wasteland of surveillance, lost privacy, and minimised human agency—led by an industry that has been hostile to privacy from the start.

In fact, consent is required for what Shoshana Zuboff calls Surveillance Capitalism. That form of capitalism is based on inferred or extracted consent. The only way we can defeat that regime is by re-basing e-commerce on contractual agreements in which customers take the lead. After all, it’s their privacy that needs protection.

The surveillance economy is limited entirely by its methods, which are built around grabbing attention, harvesting data, and guessing at people.

We can replace it with an intention economy that’s based on what customers actually want. The range of those wants far exceeds what companies and their systems can guess at. Far more business, and business improvement, opens up when market intelligence can flow both ways. In the consent/surveillance regime, it can’t, because all relationships are silo’d in sellers’ separate systems, all built to minimize customer interactions, by design. But relationships built on respectful contractual agreements can be far more capacious when those relationships start with forms of mutual trust that whole markets share. That’s what MyTerms makes possible.

Here is a quick outline of some additional benefits.

For customers, the most obvious one is getting rid of cookie notices, which are annoying and not worth the pixels they are printed on. If a company really does care about personal privacy, it’ll respect personal privacy requirements. This is how things work in the natural world, where tracking people like marked animals has been morally wrong for millennia. In the digital world, however, agreements need to be explicit, so programming and services can be based on them. MyTerms does that.

For business, MyTerms has lots of advantages:

  • Reduced or eliminated compliance risk
  • Competitive differentiation
  • Lower customer churn
  • A basis for real rather than coerced relationships
  • A basis for better signalling in both directions
  • Reduced or eliminated guesswork about what customers want, how they use products and services, and how both might be improved

Lawyers get a new market for services on both the buy and sell sides of the marketplace. Companies in the CMP (consent management platform) business (e.g. Admiral and OneTrust) have something new and better to sell to enterprises (and perhaps to people as well).

Lawmakers and Regulators can start looking at the Internet and the Web as places where freedom of contract prevails, and contracts of adhesion (such as what you “agree” to with cookie notices) are obsolete.

Developers can have a field day (or decade). Look for these categories to emerge

In the marketplace, we can start to see all these things:

  • VRM + CRM will flourish, as described by Iain Henderson (one of MyTerms’ authors) in Towards Network-Based Ecosystems.
  • We should expect improvements to digital public infrastructure, as relationships move out of Big Tech’s silos and into distributed relationship frameworks based on the Internet’s base peer-to-peer protocols.
  • Predictions I made in The Intention Economy: When Customers Take Charge (Harvard Business Review Press, 2012) and Tim Berners-Lee made in the Attention vs. Intention chapter of This Is for Everyone: The Unfinished Story of the World Wide Web (Farrar, Straus and Giroux, 2025) will finally come true.
  • There will be new dances between customers and companies. (“The Dance” is a closing chapter of The Intention Economy.)
  • New commercial ecosystems can grow around a richer flow of useful information in both directions, based on shared interest and trust between customers and companies.
  • Surveillance capitalism will be obsolesced — and replaced by an economy aligned with personal agency and mutual respect from contractual partners.

And much more.

So it would be helpful for the European Commission to expand its scope from protecting data subjects to empowering first parties. They can do that by welcoming MyTerms in the Omnibus Directive, expanding human agency into a new greenfield where boundless positive outcomes can flourish.


Drafts of MyTerms agreements are currently posted at MyTerms.info, which is a project of Customer Commons and MyData Global. You can also read more about MyTerms in writings by Iain Henderson, Nitin Badjatia, and me.

We also invite you to join the ProjectVRM list, where we can converse and collaborate on moving MyTerms forward.

A New Way

Cross-posted from Customer Commons

Some questions:

  1. Why do you always have to accept websites’ terms? And why do you have no record of your own of what you accepted, or when, or anything?
  2. Why do you have no way to proffer your own terms, to which websites can agree?
  3. Why did Do Not Track, which was never more than a polite request not to be tracked off a website, get no respect from 99.x% of the world’s websites? And how the hell did Do Not Track turn into the Tracking Preference Expression at the W3C, where the standard never did get fully baked?
  4. Why, after Do Not Track failed, did hundreds of millions—or perhaps billions—of people start blocking ads, tracking or both, on the Web, amounting to the biggest boycott in world history? And then why did the advertising world, including nearly all advertisers, their agents, and their dependents in publishing, treat this as a problem rather than a clear and gigantic message from the marketplace?
  5. Why are the choices presented to you by websites called your choices, when all those choices are provided by them? And why don’t you give them choices?
  6. Why does the GDPR call people mere “data subjects,” and assign the roles “data controller” and “data processor” only to other parties?* And why are nearly all the 200+million results in a search for GDPR+compliance about how companies can obey the letter of the law while violating its spirit (by continuing to track people)?
  7. Why does the CCPA give you the right to ask to have back personal data others have gathered about you on the Web, rather than forbid its collection in the first place? (Imagine a law that assumes that all farmers’ horses are gone from their barns, but gives those farmers a right to demand horses back from those who took them. It’s kinda like that.)
  8. Why, 22 years after The Cluetrain Manifesto said, “we are not seats or eyeballs or end users or consumers. we are human beings and our reach exceeds your grasp. deal with it.”—is that statement still not true?
  9. Why, 9 years after Harvard Business Review Press published The Intention Economy: When Customers Take Charge, has that not happened? (Really, what are you in charge of in the marketplace that isn’t inside companies’ silos and platforms?)

The easiest answer to all of those is the cookie. Partly because without it none of those questions would be asked, and partly because it’s at the center of attention for everyone who cares today about the issues involved in those questions.

The idea behind the cookie (way back in 1994, when Lou Montulli thought it up) was for a site to remember its visitors by planting reminder files—cookies—in visitors’ browsers. That would make it easy for site visitors to pick up where they left off when they arrived back. It was an innocent idea at the time; but it reified a construct: one that has permanently subordinated visitors to websites.

And it has thus far proven impossible to change that construct. It is, alas, the way the Web works.

Hey, maybe we can still change it. But why bother when there should be any number of other ways for demand and supply to signal each other in a networked marketplace? Better ways: ones that don’t depend on sites, search engines, social media and other parties inferring, mostly through surveillance, what might be “relevant” or “interest-based” for the individual? Ones that give individuals full agency and signaling power?

So we’d like to introduce one. It’s called the Intention Byway. It’s the brain-baby of our CTO, Hadrian Zbarcea, and it is informed by his ample experience with the Apache Software Foundation, SWIFT, the FAA and other enterprises large and small.

In this model, the byway is the path along which messages signaling intent travel between individuals and companies (or anyone), each of which has a simple computer called an intentron, which sends and receives those messages, and also executes code for the owner’s purposes as a participant in the open marketplace the Internet was designed to support.

As computers (which can be physical or virtual), intentrons run apps that can come from any source in the free and open marketplace, and not just from app stores of controlling giants such as Apple and Google. These apps can run algorithms that belong to you, and can make useful sense of your own data. (For example, data about finances, health, fitness, property, purchase history, subscriptions, contacts, calendar entries—all those things that are currently silo’d or ignored by silo builders that want to trap you inside their proprietary systems.) The same apps also don’t need to be large. Early prototypes have less than 100 lines of code.

Messages called intentcasts can be sent from intentrons to markets on the pub-sub model, through the byway, which is asynchronous, similar to email in the online world and package or mail forwarding in the offline world. Subscribers on the sell side will be listening for signals from markets for anything. Name a topic, and there’s something to subscribe to. Intentcasts on the customers’ side are addressed to markets by topical name. Responsibilities along the way are handled by messaging and addressing authorities. Addresses themselves are URNs, or Uniform Resource Names.

These are some businesses that can thrive along the Intention Byway:

  • Intentron makers
  • Intentron sellers
  • App makers
  • App sellers (or stores)
  • Addressing authorities
  • Messaging authorities
  • Message routers (operating like CDNs, or content distribution networks)

—in addition to sellers looking for better signals from the demand side of the market than surveillance-based guesswork can begin to equal.

We are not looking to boil an ocean here (though we do see our strategy as a blue one). The markets first energized by the promise of this model are local and vertical. Real estate in Boston and farm-to-table in Michigan are the two we featured on VRM/CuCo Day and in all three days of the Internet Identity Workshop, which all took place last week. Over the coming days and weeks, we will post details on how the Intention Byway works, starting with those two markets.

We also see the Intention Byway as complementary to, rather than competitive with, developments with similar ambitions, such as SSI, DIDcomm, picos, and JLINC. Once we take off our browser blinders, a gigantic space for new e-commerce development appears. All of those, and many more, will have work to do in it.

So stay tuned for more about life after cookies—and outside the same old bakery.


*Specifically, a “data controller” is “a legal or natural person, an agency, a public authority, or any other body who, alone or when joined with others, determines the purposes of any personal data and the means of processing it.”

While this seems to say that any one of us can be a data controller, that was not what the authors of the GDPR had in mind. They only wanted to maximize the width of the category to include solo operators, rather than to include the individual from whom personal data is collected. (Read what follows from that last link to see what I mean.) Still, this is a loophole through which personal agency can move, because (says the GDPR) the “data subject” whose rights the GDPR protects, is a “natural person.”

What makes a good customer?

For a while the subhead at Customer Commons (our nonprofit spin-off) was this:

How good customers work with good companies

It’s still a timely thing to say, since searches on Google for “good customer” are at an all-time high:

 

The year 2004, when Google began keeping track of search trends, was also the year “good customer” hit at an all-time high in percentage of appearances in books Google scanned*:

So now might be the time to ask, What exactly is a “good customer”?

The answer depends on the size of the business, and how well people and systems in the business know a customer. Put simply, it’s this:

  1. For a small business, a good customer is a person known by face and name to people who work there, and who has earned a welcome.
  2. For a large business, it’s a customer known to spend more than other customers.

In both cases, the perspective is the company’s, not the customer’s.

Ever since industry won the industrial revolution, the assumption has been that business is about businesses, not about customers. It doesn’t matter how much business schools, business analysts, consultants and sellers of CRM systems say it’s about customers and their “experience.” It’s not.

To see how much it’s not, do a Bing or a Google search for “good customer.” Most of the results will be for good customer + service. If you put quotes around “good customer” on either search engine and also The Markup’s Simple Search (which brings to the top “traditional” results not influenced by those engines’ promotional imperatives), your top result will be Paul Jun’s How to be a good customer post on Help Scout. That one offers “tips on how to be a customer that companies love.” Likewise with Are You a Good Customer? Or Not.: Are you Tippin’ or Trippin’? by Janet Vaughan, one of the top results in a search for “good customer” at Amazon. That one is as much a complaint about bad customers as it is advice for customers who aspire to be good. Again, the perspective is a corporate one: either “be nice” or “here’s how to be nice.”

But what if customers can be good in ways that don’t involve paying a lot, showing up frequently and being nice?

For example, what if customers were good sources of intelligence about how companies and their products work—outside current systems meant to minimize exposure to customer input and to restrict that input to the smallest number of variables? (The worst of which is the typical survey that wants to know only how the customer was treated by the agent, rather than by the system behind the agent.)

Consider the fact that a customer’s experience with a product or service is far more rich, persistent and informative than is the company’s experience selling those things, or learning about their use only through customer service calls (or even through pre-installed surveillance systems such as those which for years now have been coming in new cars).

The curb weight of customer intelligence (knowledge, knowhow, experience) with a company’s products and services far outweighs whatever the company can know or guess at.

So, what if that intelligence were to be made available by the customer, independently, and in standard ways that worked at scale across many or all of the companies the customer deals with?

At ProjectVRM, this has been a consideration from the start. Turning the customer journey into a virtuous cycle explores how much more the customer knows on the “own” side of what marketers call the “customer life journey”†:

Given how much more time a customer spends owning something than buying it, the right side of that graphic is actually huge.

I wrote that piece in July 2013, alongside another that asked, Which CRM companies are ready to dance with VRM? In the comments below, Ray Wang, the Founder, Chairman and Principal Analyst at Constellation Research, provided a simple answer: “They aren’t ready. They live in a world of transactions.”

Yet signals between computing systems are also transactional. The surveillance system in your new car is already transacting intelligence about your driving with the company that made the car, plus its third parties (e.g. insurance companies). Now, what if you could, when you wish, share notes or questions about your experience as a driver? For example—

  • How there is a risk that something pointed and set in the trunk can easily puncture the rear bass speaker screwed into the trunk’s roof and is otherwise unprotected
  • How some of the dashboard readouts could be improved
  • How coins or pens dropped next to the console between the front seats risk disappearing to who-knows-where
  • How you really like the way your headlights angle to look down bends in the road

(Those are all things I’d like to tell Toyota about my wife’s very nice (but improvable) new 2020 Camry XLE Hybrid.)

We also visited what could be done in How a real customer relationship ought to work in 2014 and in Market intelligence that flows both ways in 2016. In that one we use the example of my experience with a pair of Lamo moccasins that gradually lost their soles, but not their souls (I still have and love them):

By giving these things a pico (a digital twin of itself, or what we might call internet-of-thing-ness without onboard smarts), it is not hard to conceive a conduit through which reports of experience might flow from customer to company, while words of advice, reassurance or whatever might flow back in the other direction:

That’s transactional, but it also makes for a far better relationship than what today’s CRM systems alone can imagine.

It also enlarges what “good customer” means. It’s just one way how, as it says at the top, good customers can work with good companies.

Something we’ve noticed in Pandemic Time is that both customers and companies are looking for better ways to get along, and throwing out old norms right and left. (Such as, on the corporate side, needing to work in an office when the work can also be done at home.)

We’ll be vetting some of those ways at VRM/CuCo Day, Monday 19 April. That’s the day before the Internet Identity Workshop, where many of us will be talking and working on bringing ideas like these to market. The first is free, and the second is cheap considering it’s three days long and the most leveraged conference of any kind I have ever known. See you there.


*Google continued scanning books after that time, but the methods differed, and some results are often odd. (For example, if your search goes to 2019, the last year they cover, the results start dropping in 2009, hit zero in 2012 and stay at zero after that—which is clearly wrong as well as odd.)

†This graphic, and the whole concept, are inventions of Esteban Kolsky, one of the world’s great marketing minds. By the way, Esteban introduced the concept here in 2010, calling it “the experience continuum.” The graphic above comes from a since-vanished page at Oracle.

Why personal agency matters more than personal data

Lately a lot of thought, work and advocacy has been going into valuing personal data as a fungible commodity: one that can be made scarce, bought, sold, traded and so on. While there are good reasons to challenge whether or not data can be property (see Jefferson and Renieris), I want to focus on a different problem: the one best to solve first: the need for personal agency in the online world.

I see two reasons why personal agency matters more than personal data.

The first reason we have far too little agency in the networked world is that we settled, way back in 1995, on a model for websites called client-server, which should have been called calf-cow or slave-master, because we’re always the weaker party: dependent, subordinate, secondary. In defaulted regulatory terms, we clients are mere “data subjects,” and only server operators are privileged to be “data controllers,” “data processors,” or both.

Fortunately, the Net’s and the Web’s base protocols remain peer-to-peer, by design. We can still build on those. And it’s early.

A critical start in that direction is making each of us the first party rather than the second when we deal with the sites, services, companies and apps of the world—and doing that at scale across all of them.

Think about how much more simple and sane it is for websites to accept our terms and our privacy policies, rather than to force each of us, all the time, to accept their terms, all expressed in their own different ways. (Because they are advised by different lawyers, equipped by different third parties, and generally confused anyway.)

Getting sites to agree to our own personal terms and policies is not a stretch, because that’s exactly what we have in the way we deal with each other in the physical world.

For example, the clothes that we wear are privacy technologies. We also have norms that discourage others from doing rude things, such as sticking their hands inside our clothes without permission.

We don’t yet have those norms online, because we have no clothing there. The browser should have been clothing, but instead it became an easy way for adtech and its dependents in digital publishing to plant tracking beacons on our naked digital selves, so they could track us like marked animals across the digital frontier. That this is normative is no excuse. Tracking people without their conscious and explicit invitation—or a court order—is morally wrong, massively rude, and now (at least hopefully) illegal under the GDPR and other privacy laws.

We can easily create privacy tech, personal terms and personal privacy policies that are normative and scale for each of us across all the entities that deal with us. (This is what ProjectVRM’s nonprofit spin-off, Customer Commons, is about.)

It is the height of fatuity for websites and services to say their cookie notice settings are “your privacy choices” when you have no power to offer, or to make, your own privacy choices, with records of those choices that you keep.

The simple fact of the matter is that businesses can’t give us privacy if we’re always the second parties clicking “agree.” It doesn’t matter how well-meaning and GDPR-compliant those businesses are. Making people second parties in all cases is a design flaw in every standing “agreement” we “accept.” And we need to correct that.

The second reason agency matters more than data is that nearly the entire market for personal data today is adtech, and adtech is too dysfunctional, too corrupt, too drunk on the data it already has, and absolutely awful at doing what they’ve harvested that data for, which is so machines can guess at what we might want before they shoot “relevant” and “interest-based” ads at our tracked eyeballs.

Not only do tracking-based ads fail to convince us to do a damn thing 99.xx+% of the time, but we’re also not buying something most of the time as well.

As incentive alignments go, adtech’s failure to serve the actual interests of its targets verges on absolute. (It’s no coincidence that more than a year ago, up to 1.7 billion people were already blocking ads online.)

And hell, what they do also isn’t really advertising, even though it’s called that. It’s direct marketing, which gives us junk mail and is the model for spam. (For more on this, see Separating Advertising’s Wheat and Chaff.)

Privacy is personal. That means privacy is an effect of personal agency, projected by personal tech and by personal expressions of intent that others can respect without working at it. We have that in the offline world. We can have it in the online world too.

Privacy is not something given to us by companies or governments, no matter how well they do Privacy by Design or craft their privacy policies. Top-down privacy simply can’t work.

In the physical world we got privacy tech and norms before we got privacy law. In the networked world we got the law first. That’s why the GDPR has caused so much confusion. Good and helpful though it may be, it is the regulatory cart in front of the technology horse. In the absence of privacy tech, we also failed to get the norms that would normally and naturally guide lawmaking.

So let’s get the tech horse back in front of the lawmaking cart. If we don’t do that first, adtech will stay in control. And we know how that movie goes, because it’s a horror show and we’re living in it now.

 

© 2026 ProjectVRM
