No regulation to make organizations respect personal privacy will work.
We’ve had cookie laws since the ’00s, the GDPR since the ’10s, and the CCPA since 2020. None of them has worked.
All those regulations are aimed at reducing the power of organizations to violate personal privacy. None is to empower people. That’s why, under those regulations, all we can do is agree to the terms organizations provide. We have no independent agency. All we have is what they promise, and their promises aren’t worth the pixels they’re printed on.
The only way we will get privacy is with contracts, which are laws that two parties make for themselves.
And the only way to make contracts work, at scale, is if we are the ones proffering those terms as first parties, and organizations agree to them as second parties. This flips the script on business-as-usual online.
By the old script, privacy is a grace of corporate obedience to selections in cookie notices, many of which provide no choice at all. There is “Accept,” and that’s it. In that case, all you’re accepting is a corporate privacy policy, which is typically just a fig leaf over the company’s hard-on for personal data.
Regardless of what you do with a cookie notice, chances are the company still tracks you like a marked animal. See here and here. You also have no easy of auditing compliance, because you keep no record of your “choices.” And we have that system because the incentives are worse than misaligned: they are completely broken.
See, if you are a typical website, you get paid for allowing third parties to harvest visitors’ personal data and use it to aim personalized advertising at their eyeballs. This is morally wrong on its face, but easily rationalized because it pays.
In the natural world, a store would never plant tracking beacons on every shopper, or require those shoppers to “choose” privacy protections by stripping naked and then selecting the purposes to which their personal tracking beacons will be put. Shoppers would avoid that store like the plague,
However, on the Net and the Web, we haven’t yet invented privacy, just as we hadn’t in the natural world before we invented clothing and shelter. So, on the Net and the Web, we are still naked as fish. As a result, a plague of near-ubiquitous surveillance has been raging online for decades. It is nearly impossible to avoid getting infected.
Most of that surveillance is for the $742 Billion surveillance-fed fecosystem* called adtech. And the only way we can obsolesce it is with a business ecosystem that works for everyone: customers and companies alike, and together.
It describes a protocol in the diplomatic sense: a way to reach and record agreements. Here is a diagram that shows how it works:
It is also the ultimate product of ProjectVRM, which began in 2006 with a mission: to prove that free customers are more valuable than captive ones—to companies, to markets, and to themselves. It was to ProjectVRM’s nonprofit spinoff, Customer Commons, that the IEEE came in 2017 with the challenge to create the MyTerms standard.
Of course, every agreement needs to be good for both sides. Right now we have five draft agreements for that. SD-BASE says “Service Delivery only.” This one requires that the site or service provide the visitor only what the visitor came for, and not to share personal data with third parties. This will make the site or service more inviting. (Customer Commons also plans to offer a trustmark to sites and services that sign MyTerms Agreements.) Lots of other mutually respectful agreements can also be built on top of SD-BASE: agreements that respect personal agency as well as privacy.
Other initial MyTerms agreements cover data portability, intentcasting, data-for-good, and AI training.
MyTerms will foster businesses and business methods that the surveillance fecosystem prevents. We describe how that will work, and some of the businesses MyTerms will create and improve, in The Cluetrain Will Run from Customers to Companies.
Of course, we need to develop tools and services for making that cluetrain run. Please tell us what you’ve got or plan.
The place to list those is in a new section of our Developments page. We also need to re-write and condense our privacy manifesto, and welcome help with both.
We also need to thank our many teams over the past two decades for jobs well done, even if many of those jobs didn’t go anywhere, mostly because they were too early.
Now is the time, because the world is fed up with surveillance—and it is easier than ever to develop tools and services using AI.
What is your best friend’s personal brand? How about your spouse’s?
Those questions came to mind as I read through The Death of Merchandising in an Online World, by Dana Blankenhorn, who is reliably wise. In that post, Dana correctly observes that brand value is declining as merchandising shifts from stores to online services, and to influencers who are also stores.
I think there’s also something else going on at the same time: the shift in media from real advertising to the online equivalent of junk mail, which is what you see with nearly every ad you encounter on your browsers and apps. To marketers, browsers and apps are boxes for junk mail, which at its most ideal is personalized by surveillance. As I put it in Separating Advertising’s Wheat and Chaff, ” Madison Avenue fell asleep, direct response marketing ate its brain, and it woke up as an alien replica of itself.”
I wrote that a decade ago. With AI today, that alien replica is the real thing. Madison Avenue is now AM radio, with a whip antenna and tail fins.
Brand advertising worked best when “the media” were mostly print and broadcast. Sources of both were so few that they all fit on a newsstand and the dials of radios and TVs. To operate a source of either, you needed a printing plant or transmitting towers. Publishers and broadcasters are still around, but now their goods are mostly distributed over the Internet and consumed through glowing rectangles. And they’re competing in a world where the abundance of other sources of content is incalculably vast. In that world, the only places you can still reliably create and maintain brands is by sponsoring live events. Especially sports. That’s why I know fifteen minutes will save me fifteen percent with Geico, even though Geico stopped saying that years ago. I also know that you only pay for what you need with Liberty Mutual. And I’ll never get the Shaefer Beer jingle out of my mind.
On the whole, however, branding has finished running the same course as the broadcasting it paid for.
It helps to remember that the words brand and branding were borrowed from ranching. They applied especially well when people had few choices of media, and few if any ways to avoid ads meant to burn the names of companies and products onto mental hides.
What we really (or at least should) mean by brand today is reputation. How a business obtains that in our still-new Digital Age (now with AI!) is an open question.
I believe the answer will come from the natural world, where markets have been working far longer than we’ve had digital media, broadcasting, or print. It was in the natural world that two very different people—one an athiest and the other a pastor—separately explained to me, not long after The Cluetrain Manifesto came out, that markets are not just about transactions and (as Cluetrain insisted) conversations. They are about relationships.
Marketing prevents those. Or shortcuts them. Especially as it continues to devolve into funnels at the bottom end of which are transactions alone, or entrapment in a company’s “loyalty” system.
The Internet and the Web were both designed to support maximum agency and independence for every entity using them. We can have far better markets and marketing if demand and supply both work with maximized agency, and scale in ways that are good for both. That’s the idea behind market intelligence that flows both ways.
Making and maintaining those kinds of relationships will be VRM+CRM, What those together will make are wholes that exceed the sum of either part.
So here is a challenge for Admiral , OneTrust, and the rest of them: make VRM mean Vendor Relationship Management (like it says in Wikipedia).
Our case: real relationships are based on mutual trust, which can only happen if personal privacy is fully respected as a starting point. Consent management by cookie notice can’t cut it. For real trust, we need people to bring their own terms to every website’s table, and have agreements to those. This is why we, the ProjectVRM community, through Customer Commons (our nonprofit spinoff) and the IEEE P7012 (aka MyTerms) working group, created the draft standard (on track to become official early next year) for machine-readable personal privacy terms. Three years ago, I called MyTerms The Most Important Standard in Development Today. The CMP business can help make it so, by getting on the Cluetrain.
Here are some opportunities:
CMPs can provide sites & services with easy ways to respond to MyTerms choices brought to the table by visitors. Let’s call this a Terms Matching Engine.The current roster of terms we’re working with at Customer Commons (abbreviated CuCo, hence the cuco.org shortcut) starts with CC-BASE, which is “service provision only.” It says to a website, “just give me your service, and nothing more.” In other words, no tracking. Yet. Negotiation toward additional provisions comes after that. Those can be anything, but they should be in the spirit of We’re starting with personal privacy here, and the visitor sets the terms for that.
There is a whole new business (which, like the VPN, grammar-help, and password management businesses, people would pay for) in helping people present, manage, remember, and monitor compliance with their terms, and what additional agreements have been arrived at. This can involve browser add-ons such as the one pictured on the ProjectVRM r-button page. CMP companies can make money there too, adding a C2B business to their B2B ones.
Go beyond #2 to provide real VRM. Back in the last millennium, Iain Henderson pointed out that B2B relationships tend to have hundreds or thousands of variables over which both parties need to agree. Nitin Badjatia, another CRM veteran (and a Customer Commons board member like Iain and myself), has also pointed out that companies like Oracle have long provided AI-assisted ways for B2B relationships to arrive at contractual agreements. The same can work for C2B, once the base privacy agreement is established. There can be a business here that expands on what gets started with that first agreement.
Verticals. There can be strong value-adds for regulated industries or companies wanting to acquire and signal accountability, or look for firmer ways to establish a privacy regime better than the called consent, which doesn’t work (except as thin ass-covering for companies fearing the GDPR and the CCPA). For example: banks, insurers, publishers, health care providers.
For people (not just corporate clients), CMPs could offer browser plugins or apps (mobile and/or computer) that help people choose and present their privacy terms, track who honors them, notify them of violations, and have r-buttons mean something. Or multiple things.
Here is what a VRM-friendly person in the UK came up with as a prototypical first by a CMP away from cookie notices:
That was after this post went up. (Which is great.)
Obviously, we want cookie notices (and other forms of friction) to go away, but we also want CMPs to have a nice way to participate in a customer-led world in which intention-based economies can grow.
And here is an example of r-buttons in a browser:
Real relationships, including records of agreements, can be unpacked when a person (not a mere “user”) clicks on either the ⊂ or the ⊃ symbols. There are golden opportunities here for both VRM and CRM vendors. And, of course, companies such as Admiral and OneTrust working both sides—and being truly trusted.
Customers need privacy, respect, and the ability to provide good and helpful information to the companies they deal with. The good clues customers bring can include far more than what companies get today from their CRM systems and from surveillance of customer activities. For example, market intelligence that flows both ways can happen on a massive scale.
But only if customers set the terms.
Now they can, using a new standard from the IEEE called P7012, aka MyTerms. It governs machine readability of personal privacy terms. These are terms that customers proffer as first parties, and companies agree to as second parties. Lots of business can be built on top of those terms, which at the ground level start with service provision without surveillance or unwanted data sharing by the company with other parties. New agreements can be made on top of that, but MyTerms are where genuine and trusting (rather than today’s coerced and one-sided) relationships can be built.
When companies are open to MyTerms agreements, they don’t need cookie notices. Nor do they need 10,000-word terms and conditions or privacy policies because they’ll have contractual agreements with customers that work for both sides.
On top of that foundation, real relationships can be built by VRM systems on the customers’ side and CRM systems on the corporate side. Both can also use AI agents: personal AI for customers and corporate AI for companies. Massive businesses can grow to supply tools and services on both sides of those new relationships. These are businesses that can only grow atop agreements that customers bring to the table, and at scale across all the companies they engage.
This is the kind of thing that four guys (me included)† had in mind when they posted The Cluetrain Manifesto* on the Web in April 1999. A book version of the manifesto came out in early 2000 and became a business bestseller that still sells in nine languages. Above the manifesto’s 95 theses is this master clue**, written by Christopher Locke:
MyTerms is the only way we (who are not seats or eyeballs or end users or consumers) finally have reach that exceeds corporate grasp, so companies can finally deal with the kind of personal agency that the Internet promised in the first place.
The MyTerms standard requires that a roster of possible agreements be posted at a disinterested nonprofit. The individual chooses one, the company agrees to it (or not). Both sides keep an identical record of the agreement.
The first roster will be at Customer Commons, which is ProjectVRM’s 501(c)3 nonprofit spinoff. It was created to do for personal privacy terms what Creative Commons does for personal copyright licenses. (It was Customer Commons, aka CuCo, that the IEEE approached with the idea of creating the MyTerms standard.)
Work on MyTerms started in 2017 and is in the final stages of IEEE approval process. While it is due to be published early next year, what it specifies is simple:
Individuals can choose a term posted at Customer Commons or the equivalent
Companies can agree to the individual’s choice or not
The decision can be recorded identically by both sides
Data about the decision can be recorded by both sides and kept for further reference, auditing, or dispute resolution
Both sides can know and display the state of agreement or absence of agreement (for example, the state of a relationship, should one come to exist)
MyTerms not a technical spec, so implementations are open to whatever. Development on any of those can start now. So can work in any of the six areas listed above.
The biggest thing MyTerms does for customers—and people just using free services—is getting rid of cookie notices, which are massively annoying and not worth the pixels they are printed on. If a company really does care about personal privacy, it’ll respect personal privacy requirements. This is how things work in the natural world, where tracking people like marked animals has been morally wrong for millennia. In the digital world, however, agreements need to be explicit, so programming and services can be based on them. MyTerms does that.
For business, MyTerms has lots of advantages:
Reduced or eliminated compliance risk
Competitive differentiation
Lower customer churn
Grounds for real rather than coerced relationships (CRM+VRM)
Grounds for better signaling (clues!) going in both directions
Reduced or eliminated guesswork about what customers want, how they use products and services, and how both might be improved
Lawyers get a new market for services on both the buy and sell sides of the marketplace. Companies in the CMP (consent management platform) business (e.g. Admiral and OneTrust) have something new and better to sell.
Lawmakers and Regulators can start looking at the Net and the Web as places where freedom of contract prevails, and contracts of adhesion (such as what you “agree” to with cookie notices) are obsolesced.
Developers can have a field day (or decade). Look for these categories to emerge
Agreement Management Platforms – Migrate from today’s much-hated consent management platforms (hello OneTrust, Admiral, and the rest).
Vendor Relationship Management (VRM) Tools and services – Fill the vacuum that’s been there since the Web got real in 1995.
Customer Relationship Management (CRM) – Make its middle name finally mean something.
Customer Data Return (CDR) – Give, sell back, or share with customers the data you’ve been gathering without their permission since forever. Talking here to car companies, TV makers, app makers, and every other technology product with spyware onboard for reporting personal activity to parties unknown.
Platform Relief – Free customers from the walled gardens of Apple, Microsoft, Amazon, and every other maker of hardware and software that currently bears the full burden of providing personal privacy to customers and users. Those companies can also embrace and help implement MyTerms for both sides of the marketplace.
New dances between customers and companies, demand and supply. (“The Dance” is a closing chapter of The Intention Economy.)
New commercial ecosystems can grow around a richer flow of clues in both directions, based on shared interest and trust between demand and supply.
Surveillance capitalism will be obsolesced — and replaced by an economy aligned with personal agency and respect from customers’ corporate partners.
A new distributed P2P fabric of personally secure and shared data processing and storage — See what KwaaiNet + Verida, for example, might do together.
All aboard!
†Speaking for myself in this post. I invite the other two surviving co-authors to weigh in if they like.
*At this writing, the Cluetrain website, along with many others at its host, is offline while being cured of an infection. To be clear, however, it will be back on the Web. Meanwhile, I’m linking to a snapshot of the site in the Internet Archive—a service for which the world should be massively grateful.
**The thesis that did the most to popularize Cluetrain was “Markets are conversations,” which was at the top of Cluetrain’s ninety-five theses. Imagining that this thesis was just for them, marketers everywhere saw marketing, rather than markets, as “conversations.” Besides misunderstanding what Cluetrain meant by conversation (that customers and companies should both have equal and reciprocal agency, and engage in human ways), marketing gave us “conversational” versions of itself that were mostly annoying. And now (thank you, marketing), every damn topic is now also a fucking “conversation”—the “climate conversation,” the “gender conversation,” the “conversation about data ownership.” I suspect that making “conversation” a synonym for “topic” was also a step toward making every piece of propaganda into a “narrative.” But I digress. Stop reading here and scroll back to read the case for MyTerms. And please, hope that it also doesn’t become woefully misunderstood.
Look up customer journey or customer experience (aka CX) and you’ll find nothing about what the customer drives, or rides. All results will be for systems meant for herding customers like cattle into a chute that the CX business (no kidding) calls a sales funnel:
Do any customers want to go down these drains?
But let’s stick with the journey metaphor, because there are good people in the marketing business who have thought deeply about how people buy and own things. Chief among those people is Estaban Kolsky, of Constellation Research. He visualizes the journey in a way that not only gives weight to the ownership experience, but separates it from the sales experience :
As for our actual experience, we spend 100 percent of our lives with things we own, and just a tiny percentage on buying them. So the real ratio should look more like this:
…consider the curb weight of “solutions” in the world of interactivity between company and customer today. In the BUY loop of the customer journey, we have:
3. All the rest of marketing, which has too many segments for me to bother looking up
So, in the OWN loop we have a $0 trillion greenfield.
To enter that greenfield, we need customers to be in charge of their side of these relationships— preferably through means for interaction that customers themselves control—on terms that are agreeable to both sides, rather than the one-sided terms we suffer every time we click AGREE on a cookie notice.
To help imagine how that will work, I volunteer a real-world example from my own life.
A few years back, I bought a pair of LAMOMens Mocs at a shopping mall kiosk in Massachusetts. Here’s one:
I like them a lot. They’re very comfortable and warm on winter mornings. In fact I still wear them, even though the soles have long since come apart and fallen off. Here is how they looked after a few years of use:
I’m showing this so you, and LAMO, can see what happens, and how we can both use my experience—and those of other customers—to change the world.
See, I like LAMO, and would love to help the company learn from my experience with one of their products. As of today, there are four choices for that:
Do nothing (that’s the default)
Send them an email
Go on some website and talk about it. (A perfect Leightoncartoon in the New Yorker shows a couple registering at a hotel while the person behind the counter says, “If there’s anything we can do to make your stay more pleasant, just rant about it on the Internet.”)
So here is a fifth choice: give these moccasins their own virtual cloud, where LAMO and I can share intelligence about whatever we like, starting (on my side) with reports on my own experience, requests for service, or whatever. Phil Windley calls these clouds picos, for persistent compute objects. Picos are breeds of what Bruce Sterling calls spime: persistent intelligence for things. Picos have their own operating system (e.g., Wrangler, which Phil most recently posted about here), and don’t need intelligence on board. Just scan a QR code, and you’ll get to the pico. Here’s the QR code on one of my LAMO moccasins:
Go ahead and scan the code with your phone. You’ll get to a page that says it’s my moccasin.
That’s just one view of a potential relationship between me and Lamo — one in which I can put a message that says “If found, call or text _______.” Another view is on my own dashboard of things in my OWN cycle, and direct connections to every one of those companies. That relationship can rest on friendly terms in which I’m the first party and the company is the second party. (For more on that, see here and here.)
So look at the relationship between me and Lamo as a conduit (the blue cylinder below) that lives in the pico for my mocassin. That conduit goes from my VRM (vendor relationship management) dashboard to Lamo’s CRM (customer relationship management) system. There is no limit to the goodness that can pass back and forth between us, including intelligence about how I use my moccasins.
Let’s look at what can happen at either or both ends of that conduit.
A pico for a product is a CRM dream come true: a standard way for every copy of every product to have its own unique identity and virtual cloud (in which any data can live), and standard way any customer can report usage and other intelligence about any product they own—without any smarts needing to live on the thing itself.
If I scan that QR code, I can see whatever notes I’ve taken. I can also see whatever LAMO has put in there, with my permission. Also in that cloud is whatever programming has been done on it. Here is one example of simple relationship logic at work:
IF this QR code is scanned, THEN send LAMO a note that Doc has a new entry in our common journal.
Likewise, LAMO can send me a note saying that there is new information in the same journal. Maybe that information is a note telling me that the company has changed sole manufacturers, and that the newest Mens Mocs will be far more durable. Or maybe they’ll send a discount on a new pair. The correct answer for what goes in the common journal (a term I just made up) is: whatever.
Now let’s say LAMO puts a different QR code, or other identifier, in every moccasin it sells. Or has a CRM system that is alert to notifications from customers who have turned their LAMO moccasins into picos, making all those moccasins smart. LAMO can then not only keep up with its customers through CRM-VRM conduits, but tie interactions through those conduits to the dashboards of their accounting systems (from Xero or other companies that provide enriched views of how the company is interacting with the world).
Follow the links in the last paragraph (all to Wikipedia), and you’ll find each of them has “multiple issues.” The reason for that is simple: the customer is not involved with any of them. All those entries make the sound of industries talking to themselves — or one hand slapping.
This is an old problem that can only be fixed on the customer’s side. Before the Internet, solving things from the customer’s side — by making the customer the point of integration for her own data, and the decider about what gets done with that data — was impossible. Now that we have the Internet, it’s very possible, but only if we get our heads out of business-as-usual and back into our own lives. This will be good for business as well.
A while back I had meetings with two call center companies, and reviewed this scenario:
A customer scans the QR code on her cable modem, activating its pico.
By the logic described above, a message to the call center says “This customer has scanned the QR code on her cable modem.”
The call center checks to see if there is an outage in the customer’s area, and — if there is — finds out how soon it will be fixed.
The call center sends a message back saying there’s an outage and that it will be fixed within X hours.
In both cases, the call center company sai,d “We want that!” Because they really do want to be fully useful. And — get this — they are programmable.
Unfortunately, in too many cases, they are programmed to avoid customers or to treat them as templates rather than as individual human beings who might actually be able to provide useful information. This is old-fashioned mass-marketing thinking at work, and it sucks for everybody. It’s especially bad at delivering (literal) on-the-ground market intelligence from customers to companies.
Call centers would rather be sources of real solutions rather than just customer avoidance machines for companies and anger sinks for unhappy customers. The solution I’m talking about here takes care of that. And much more.
Now let’s go back to shoes.
I’m not a hugely brand-loyal kind of guy. I use Canon cameras because I like the long-standing 5D user interface more than the competing Nikon ones, and Canon’s lens prices tend to be lower. I use Apple computers because they’re easy to get fixed and I can open a command line shell and get geeky when I need to. I drive a 2017 VW wagon because I got it at a good price. And I buy Rockport shoes because, on the whole, they’re pretty good.
Used to be they were great. That was in the ’70s and early ’80s when Saul and Bruce Katz, the founders, were still in charge. That legacy is still there, under Reebok ownership; but it’s clear that the company is much more of a mass marketing operation than it was back in the early days. Still, in my experience, they’re better than the competition. That’s why I buy their shoes. Rockports are the only shoes I’ve ever loved. And I’ve had many.
So here is a photo I took of wear-and-tear on two pairs of Rockport casual shoes I still use, because they’re damned comfortable:
Shots 1 and 2 are shoes I bought in June 2012, and are no longer sold, near as I can tell. (Wish they were.) Shots 3 and 4 are of shoes called Off The Coast 2 Eye. I bought mine in late 2013, but didn’t start wearing them a lot until early this year. I bought both at the Rockport store in Burlington Mall, near Boston. I like that store too.
The first pair has developed a hole in the heel and loose eyelet grommets for the laces around the side of the shoe. The hole isn’t a big deal, except that it lets in water. The loose eyelets are only a bother when I cross my feet sitting down: they bite into the other ankle. The separating outer sole of the second pair is a bigger concern, because these shoes are still essentially new, and look new except for that one flaw. A design issue is the leather laces, which need to be double-knotted to keep from coming undone, and even the double-knots come undone as well. That’s a quibble, but perhaps useful for Rockport to know.
I’d like to share these experiences privately with Rockport, and for that process to be easy. Same with my experiences with LAMO moccasins.
It could be private if Rockport and LAMO footwear came with QR codes for every pair’s pico — it’s own cloud. Or if Rockport’s CRM or call center system was programmed to hear pings from my picos.
Ideally, customers would get the pico along with the shoe. Then they would have their own shared journal and message space — the conduit shown above — as well as a programmable system for creating and improving the whole customer-company relationship. They could also get social about their dialogs in their own ways, rather than only within Facebook and Twitter, which are the least private and personal places imaginable.
This kind of intelligence exchange can only become a standard way for companies and customers to learn from each other if the code for picos is open source. If Rockport or LAMO try to “own the customer” by locking her into a closed company-controlled system — the current default for customer service — the Internet of Things will be what Phil calls “the Compuserve of things”. In other words, divided into the same kind of closed and incompatible systems we had before the Net came along.
One big thing that made the Internet succeed was substitutability of services. Cars, banks, and countless other product categories you can name are large and vital because open and well-understood standards and practices at their base have made substitutability possible. Phil says we can’t have a true Internet of Things without it, and I agree.
The smartest people working for companies are their customers. And the best way to activate customer smarts is by giving them scale. That’s what picos do.
As a bonus, they also give companies scale. If we can standardize picos, we’ll have common and standard ways for any customer and any company to relate to each other through any VRM + CRM system. Think about how much more, and better, intelligence a company can get from its customers this way, rather than through the ones barely succeeding now, where the company does all the work, and fails to know an infinitude of useful stuff customers could be telling them. Think about how much more products can be improved, an iterated over time. Think about how much more genuine loyalty can be created and sustained with this kind of two-way system.
Then think how much companies can save by not constantly spying on customers, guessing about what they might want, spamming them with unwanted and unnecessary sales messages, maintaining systems try to relate but actually can’t, and herding customers into imaginary funnels that customers would loathe if they could see what’s going on.
It’s a lot.
So let’s start working on growing a sane world of business that’s based on market intelligence that flows both ways, instead of the surveillance-based guesswork and delusional imaginings of marketing that smokes its own exhaust. We can do it, privately, and at scale.
With MyTerms, the person (and their electronic agent) is the first party, and the corporate entity (with its agent) is the second party. This is essential for assuring full respect for personal privacy in the digital world.
Here is the PAR for EEE P7012 (nicknamed MyTerms—much as IEEE 802.11 is nicknamed Wi-Fi). It launched a working group in 2017 (that I now chair), and is expected to go from draft to done by early 2026.
Because what the standard will do is plainly laid out in the PAR, I’m breaking its paragraph into separate sentences to make reading it easier:
This draft standard covers contractual interactions and agreements between individuals and the service providers they engage on a network, including websites.
It describes how individuals, acting as first parties, can proffer their privacy requirements as contractual terms and arrive at agreements recorded and kept by both sides.
These terms shall be chosen from a collection of standard-form agreements in a roster kept by an independent and neutral non-business entity.
Computing devices and software performing as agents for both first and second parties shall engage using any protocol that serves the purpose.
The first party shall point to a preferred agreement, or a set of agreements, from which the second party shall accept one.
Party-to-party negotiations over terms in any of these contracts or other agreements are outside the scope of this standard. If both parties agree, the chosen contract or agreement shall be signed electronically by both parties or their agents.
A matching record shall be kept by both sides in a form that can be retrieved, audited, or disputed, if necessary, at some later time–and which is available to do so easily.*
I can’t share the draft before the final version is published, but I can say that what it says is about as simple as what you read above. It also does not specify what tech or protocol to use. This is to leave development as open as possible.
The main thing is that MyTerms obsolesces notice-and-consent by basing privacy agreements on contracts that individuals proffer as first parties, and sites and services agree to as second parties.
Never mind that this hardly seems thinkable to the status quo. The same was once said of the Internet, the Web, email, and other free and open graces we take for granted today.
If you want to get involved, help us build out Customer Commons, so it can play the same role for personal privacy terms that Creative Commons plays for personal copyright.
*Shall is IEEE-speak for will or must. The purpose of that rule is to make clear that it does not mean should, could, or any other modal auxiliary verb.
A customer looks at a market where choice rules and nobody owns anybody. Source: Microsoft Copilot | Designer
I’m in a discussion of business constituencies. On the list (sourced from the writings of Doug Shapiro) are investors, employees, suppliers, customers, and regulators.
The first three are aware of their membership, but the last two? Not so sure.
Since ProjectVRM works for customers, let’s spin the question around. Do customers have a business constituency? If so, businesses are members by the customer’s grace. She can favor, ignore, or more deeply engage with any of those businesses at her pleasure. She does not “belong” to any of them, even though any or all of them may refer to her, or their many other customers, with possessive pronouns.
Take membership (e.g. Costco, Sam’s Club) and loyalty (CVS, Kroger) programs off the table. Membership systems are private markets, and loyalty programs are misnomered. (For more about that, read the “Dysloyalty” chapter of The Intention Economy.)
Let’s look instead at businesses that customers engage as a matter of course: contractors, medical doctors, auto mechanics, retail stores, restaurants, clubs, farmers’ markets, whatever. Some may be on speed dial, but most are not. What matters in all cases is that these businesses are responsible to their customers. “The real and effectual discipline which is exercised over a workman is that of his customers,” Adam Smith writes. “It is the fear of losing their employment which restrains his frauds and corrects his negligence.” That’s what it means to be a customer’s constituent.
An early promise of the Internet was supporting that “effectual discipline.” For the most part, that hasn’t happened. The “one clue” in The Cluetrain Manifesto said “we are not seats or eyeballs or end users or consumers. we are human beings and our reach exceeds your grasp. deal with it.” Thanks to ubiquitous surveillance and capture by corporate giants and unavoidable platforms, corporate grasp far outreaches customer agency.
That’s one reason ProjectVRM has been working against corporate grasp since 2006, and just as long for customer reach. Our case from the start has been that customer independence and agency are good for business. We just need to prove it.
It took a while, but our website is now on its own. Big thanks go to the Berkman Klein Center for hosting us on its blog server since 2006. Also for continuing to host our mailing list and our wiki. And to all the friends who helped, including those at WordPress and Pressable, who made the transition smooth and complete. Links to every post and page we’ve published at blogs.harvard.edu/vrm/ (our old location) now travel down the same directory paths at projectvrm.org/. There will be no 404s. This is a rare thing for any site that moves from one host to another.
Clearly, this is not the one-year project we imagined in the first place. It may not be a one-generation project. But we will get from the state on the left above to the one on the right. And thanks to Gapingvoid‘s Hugh MacLeod for drawing that illustration in the first place, way back in 2005.
On the sell side (⊃) I can list at least six kinds of advertising alone that desperately need distinctive labels. To pull them apart, these are:
Brand advertising. This kind is aimed at populations. All of it is contextual, meaning placed in media, TV or radio programs, or publications, that appeal broadly or narrowly to a categorized audience. None of it is tracking-based, and none of it is personal. Little of it wants a direct response. It simply means to impress. This is also the form of advertising that burned every brand you can name into your brain. In fact the word brand itself was borrowed from the cattle industry by Procter & Gamble in the 1930s, when it also funded the golden age of radio. Today it is also what sponsors all of sports broadcasting and pays most sports stars their massive salaries.
Search advertising. This is what shows up with search results. There are two very different kinds here:
Context-based. Not based on tracking. This is what DuckDuckGo does.
Context+tracking based. This is what Google and Bing do.
Advertising that’s both contextual and personal—but only in the sense that a highly characterized individual falls within a group, or a collection of overlapping groups, chosen by the advertiser. These are Facebook’s Core, Custom and Look-Alike audiences. Talk to Facebook and they’ll tell you these ads are not meant to be personal, though you should not be surprised to see ads for shoes when you have made clear to Facebook’s trackers (on the site, the apps, and wherever the company’s tentacles reach) that you might be in the market for shoes. Still, since Facebook characterizes every face in its audience in almost countless ways, it’s easy to call this form of advertising tracking-based.
Interactive advertising. Vaguely defined by Wikipedia here, and sometimes called conversational advertising, the purpose is to get an interactive response from people. The expression is not much used today, even though the Interactive Advertising Bureau (IAB) is the leading trade association in the tracking-based advertising field and its primary proponent.
Native advertising, also called sponsored content, is advertising made to look like ordinary editorial material.
The list is actually much longer. But the distinction that matters is between advertising that is tracking-based and the advertising that is not. As I put it in Brands need to fire adtech,
Real advertising doesn’t do any of those things, because it’s not personal. It is aimed at populations selected by the media they choose to watch, listen to or read. To reach those people with real ads, you buy space or time on those media. You sponsor those media because those media also have brand value.
With real advertising, you have brands supporting brands.
Brands can’t sponsor media through adtech because adtech isn’t built for that. On the contrary, adtech is built to undermine the brand value of all the media it uses, because it cares about eyeballs more than media.
Adtech is magic in this literal sense: it’s all about misdirection. You think you’re getting one thing while you’re really getting another. It’s why brands think they’re placing ads in media, while the systems they hire chase eyeballs. Since adtech systems are automated and biased toward finding the cheapest ways to hit sought-after eyeballs with ads, some ads show up on unsavory sites. And, let’s face it, even good eyeballs go to bad places.
This is why the media, the UK government, the brands, and even Google are all shocked. They all think adtech is advertising. Which makes sense: it looks like advertising and gets called advertising. But it is profoundly different in almost every other respect. I explain those differences in Separating Advertising’s Wheat and Chaff:
…advertising today is also digital. That fact makes advertising much more data-driven, tracking-based and personal. Nearly all the buzz and science in advertising today flies around the data-driven, tracking-based stuff generally called adtech. This form of digital advertising has turned into a massive industry, driven by an assumption that the best advertising is also the most targeted, the most real-time, the most data-driven, the most personal — and that old-fashioned brand advertising is hopelessly retro.
In terms of actual value to the marketplace, however, the old-fashioned stuff is wheat and the new-fashioned stuff is chaff. In fact, the chaff was only grafted on recently.
See, adtech did not spring from the loins of Madison Avenue. Instead its direct ancestor is what’s called direct response marketing. Before that, it was called direct mail, or junk mail. In metrics, methods and manners, it is little different from its closest relative, spam.
Direct response marketing has always wanted to get personal, has always been data-driven, has never attracted the creative talent for which Madison Avenue has been rightly famous. Look up best ads of all time and you’ll find nothing but wheat. No direct response or adtech postings, mailings or ad placements on phones or websites.
Yes, brand advertising has always been data-driven too, but the data that mattered was how many people were exposed to an ad, not how many clicked on one — or whether you, personally, did anything.
And yes, a lot of brand advertising is annoying. But at least we know it pays for the TV programs we watch and the publications we read. Wheat-producing advertisers are called “sponsors” for a reason.
So how did direct response marketing get to be called advertising ? By looking the same. Online it’s hard to tell the difference between a wheat ad and a chaff one.
Remember the movie “Invasion of the Body Snatchers?” (Or the remake by the same name?) Same thing here. Madison Avenue fell asleep, direct response marketing ate its brain, and it woke up as an alien replica of itself.
This whole problem wouldn’t exist if the alien replica wasn’t chasing spied-on eyeballs, and if advertisers still sponsored desirable media the old-fashioned way.
I wrote that in 2017. The GDPR became enforceable in 2018 and the CCPA in 2020. Today more laws and regulations are being instituted to fight tracking-based advertising, yet the whole advertising industry remains drunk on digital, deeply corrupt and delusional, and growing like a Stage IV cancer.
We live digital lives now, and most of the advertising we see and hear is on or through glowing digital rectangles. Most of those are personal as well. So, naturally, most advertising on those media is personal—or wishes it was. Regulations that require “consent” for the tracking that personalization requires do not make the practice less hostile to personal privacy. They just make the whole mess easier to rationalize.
So I’m trying to do two things here.
One is to make clearer the distinctions between real advertising and direct marketing.
The other is to suggest that better signaling from demand to supply, starting with intentcasting, may serve as chemo for the cancer that adtech has become. It will do that by simply making clear to sellers what buyers actually want and don’t want.
…In less than a minute, I scanned both hands on a kiosk and linked them to my Amazon account. Then I hovered my right palm over the turnstile reader to enter the nation’s most technologically sophisticated grocery store…
Amazon designed my local grocer to be almost completely run by tracking and robotic tools for the first time.
The technology, known as Just Walk Out, consists of hundreds of cameras with a god’s-eye view of customers. Sensors are placed under each apple, carton of oatmeal and boule of multigrain bread. Behind the scenes, deep-learning software analyzes the shopping activity to detect patterns and increase the accuracy of its charges.
The technology is comparable to what’s in driverless cars. It identifies when we lift a product from a shelf, freezer or produce bin; automatically itemizes the goods; and charges us when we leave the store. Anyone with an Amazon account, not just Prime members, can shop this way and skip a cash register since the bill shows up in our Amazon account.
And this is just Amazon. Soon it will be every major vendor of everything, most likely with Amazon as the alpha sphincter among all the chokepoints controlled by robotic intermediaries between first sources and final customers—with all of them customizing your choices, your prices, and whatever else it takes to engineer demand in the marketplace—algorithmically, robotically, and most of all, personally.
Some of us will like it, because it’ll be smooth, easy and relatively cheap. It will also subordinate us utterly to machines. Or perhaps udderly, because we will be calves raised to suckle on the teats of retail’s robot cows.
This system can’t be fixed from within. Nor can it be fixed by regulation, though some of that might help. It can only be obsolesced by customers who bring more to the market’s table than cash, credit, appetites and acquiescence to systematic training.
What more?
Start with information. What do we actually want (including, crucially, to not be bothered by hype or manipulated by surveillance systems)?
Add intelligence. What do we know about products, markets, needs, and how things actually work than roboticized systems can begin to guess at?
Then add values, such as freedom, choice, agency, care for others, and the ability to collectivize in constructive and helpful ways on our own.
Then add tech. But this has to be our tech: customertech that we bring to market as independent, sovereign and capable human beings. Not just as “users” of others’ systems, or consumers (which Jerry Michalski calls “gullets with wallets and eyeballs”) of whatever producers want to feed us.
And yes, we do need help from the sellers’ side. But not with promises to make their systems more “customer centric.” (We’ve been flagging that as a fail since 2008.) We need CRM that welcomes VRM. B2C that welcomes Me2B.
And money. Our startups and nonprofits have done an amazing job of keeping the VRM and Me2B embers burning. But they could do a lot more with some gas on those things.
