MyTerms and the Great Online Privacy Re-boot
Using transparent, machine-readable contracts to fix the online exchange of personal data
A few weeks back I wrote this anchor post on the ‘My Protocols Stack’ (My Identifiers/ Keys, My Data, My AI Agents and MyTerms) to come back to and drill into. I’m going to start with MyTerms and work inwards, because it is the protective outer layer or wrapper that shields and empowers the other components, and thus the individual human behind them.
Firstly - what do we mean by ‘MyTerms’?
MyTerms is the nickname for IEEE P7012, a draft standard due to publish in late 2025 or early 2026. As a standard in the IEEE 7000 series it will be freely available globally, and it is designed for mass adoption (like IEEE 802.11, i.e. Wi-Fi). MyTerms proposes an antidote to the badly broken apparatus of check boxes, consent notices, privacy policies and cookie pop-ups we have now, which supposedly protects our privacy but does nothing of the kind.
That being the case, MyTerms are ultimately about trust; particularly in, but not restricted to, the online environment.
So let’s dig into the problem and the current frameworks around it. And then look at how MyTerms differs.
The root cause of the problem is that organisations see major value in data about their customers/ citizens/ members/ donors/ employees/ patients etc. And they are right to do so. If that data is sourced, gathered and used well, then organisations can and will make more revenue, reduce costs, drive efficiency and improve most other metrics that matter to them. That model dates back to pre-digital times; shopkeepers, bank managers, doctors and many more all knew the value of ‘knowing their customers’ and the personal touch (yes, personalisation did exist before the Web….).
However, those folks knew where the boundaries were. And they had their own natural memory limitations that constrained what they could gather. They did not gather ‘all data’; just the important stuff required to deliver and improve the service they provided.
Those boundaries, limits and constraints don’t apply when data gathering is done remotely, with no personal connection, and with computers, cameras, sensors and other devices whose sole purpose is to gather data. And they certainly don’t apply when whole industries emerge, like ‘Search’ and ‘Adtech’ whose sole purpose is to gather data and inferences from individuals and sell those to organisations.
Hence the need for ‘data protection’ and online privacy regulations.
My first encounter with ‘data protection and privacy’ in the context of personal data happened way back in 1988. I was a young Direct Marketing Manager for a big DIY chain when, I guess, the lawyers said ‘hey Iain, we need to figure out how to handle this new UK Data Protection Act 1984’. I was always a complete advocate for the gathering and use of customer data but don’t recall being fazed by these new requirements. Essentially the requirements of the Act boiled down to:
Be transparent about what you are gathering, and what you plan to do with it
Don’t gather more data than you need (the data minimisation principle)
Only do with the data what you said you would (the purpose limitation principle)
There were other hygiene-style principles (e.g. keep it safe, enable access), but for me privacy and data protection boil down to those three ‘commandments’, as they have in every privacy regulation since. Transparency, data minimisation and purpose limitation are central to GDPR, for example.
They re-surface again in MyTerms…. but more on that later.
So with those sensible protections in place in GDPR and similar regulations, why would we need something else? And why is trust in online services as low as it is right now?
The reason is quite simple, and unfortunately entrenched (because of the perception that gathering, managing and using data will help organisations make and save money). Organisations ignore the data minimisation and purpose limitation principles, and are allowed to do so by regulators. They also ignore hygiene factors like access, portability and the right to amend, which have likewise been in the regulations for many years.
They do so by hiding behind ‘their terms’.
‘Their terms’ are those 30-40 page terms and conditions and privacy policy documents that underpin the biggest lie on the Internet. The reasons they are so long and complicated can almost always be tied back to data minimisation and purpose limitation: organisations use these documents to mask that they are a) gathering more data than they need, and b) doing more with the data gathered than the data provider would allow, had they an easily accessible means to say so. In taking this approach organisations also breach the other cardinal principle, transparency. The logic behind this behaviour differs quite a bit between the private, public and third sectors, but it is prevalent in all three. For the private sector the dominant logic is ‘make money’; in the public sector the drive is usually saving money.
MyTerms/ IEEE P7012 is about providing a viable alternative to that model. It is not about persuading organisations to stop doing what they do at present; the standard is about enabling a more transparent, human-centric model to be built alongside. The belief in the team who created the approach is that this new model will work better for the vast majority of organisations, and thus that adoption will happen first through that route. One way to think about it is as a replacement for the concept of ‘the privacy policy’. It does not replace product/ service terms and conditions, which necessarily cover pricing, levels of service etc; just the personal data implications within the terms of service.
So, what does that mean in practice? At present that looks like:
A technical standard, published by IEEE (project scope at that link), which sets out the methods through which individuals and organisations can discover, propose, sign and record standardised data sharing agreements written from the perspective of the individual (publication currently looking like December 2025 or January 2026).
A series of 13 initial agreements that can be enacted through the technical methods above to become standards-based contracts under which data can flow between individuals and organisations. These agreements will be hosted, and their use facilitated, at Customer Commons (just as Creative Commons does for copyright licences).
IEEE P7012 terminology and requirements supported as an extension within the excellent Data Privacy Vocabulary (DPV), to ensure machine readability, canonical definitions and permanent links for all key words and phrases. This will include definitions for the data purposes, data types and attributes used in the agreements. It will also be a significant enabler of data portability, as it becomes vastly easier to describe and request the data that individuals want ported, either to themselves or to other parties.
Through this combination, the parties are known to each other, data is inherently portable, it is exchanged via cryptographically secure methods under standardised agreements (the legal basis for the data exchange is contract), and each party has a record of the contractual relationship.
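To make the ‘discover, propose, sign, record’ flow above concrete, here is a small added example in Go. It is not code from the IEEE P7012 draft, Customer Commons or the DPV; the record layout, the organisation’s published offer list, the use of Ed25519 countersignatures and the DPV-style purpose IRIs are all assumptions made for illustration (check the DPV itself for exact terms). What it shows is the security property the paragraph relies on: once both named parties have signed one canonical encoding of the agreement, each side holds the same record, either side (or an auditor) can verify it offline, and a later one-sided change to the purposes is detected rather than silently absorbed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"slices"
)

// Agreement is an illustrative MyTerms-style record; its field names and purpose
// IRIs are assumptions for this example, not IEEE P7012's published schema.
type Agreement struct {
	Template     string            `json:"template"`     // e.g. "SD-BASE-DP"
	Individual   ed25519.PublicKey `json:"individual"`   // party keys (base64 in JSON)
	Organisation ed25519.PublicKey `json:"organisation"`
	Purposes     []string          `json:"purposes"`    // DPV-style purpose IRIs
	Portability  bool              `json:"portability"` // the "-DP" variant
}

// Record is what each party keeps: the agreement plus both signatures.
type Record struct {
	Agreement Agreement `json:"agreement"`
	IndSig    []byte    `json:"individual_sig"`
	OrgSig    []byte    `json:"organisation_sig"`
}

// canonical: deterministic bytes to sign (sorted copy of purposes; fields in declaration order).
func canonical(a Agreement) []byte {
	a.Purposes = slices.Clone(a.Purposes)
	slices.Sort(a.Purposes)
	b, _ := json.Marshal(a) // strings, byte slices and bools only: cannot fail
	return b
}

// signAs signs only with the key named as that party, so nobody can sign in another's name.
func signAs(a Agreement, party ed25519.PublicKey, priv ed25519.PrivateKey) ([]byte, error) {
	if string(party) != string(priv.Public().(ed25519.PublicKey)) {
		return nil, fmt.Errorf("signing key is not the party named in the agreement")
	}
	return ed25519.Sign(priv, canonical(a)), nil
}

func sigOK(a Agreement, party ed25519.PublicKey, sig []byte) bool { // Verify panics on a malformed key, so check length first
	return len(party) == ed25519.PublicKeySize && ed25519.Verify(party, canonical(a), sig)
}

// Propose is the individual's step: pick a template from the organisation's published (discoverable) offer, then sign.
func Propose(offered []string, a Agreement, indPriv ed25519.PrivateKey) (Record, error) {
	if !slices.Contains(offered, a.Template) {
		return Record{}, fmt.Errorf("organisation does not offer %q", a.Template)
	}
	sig, err := signAs(a, a.Individual, indPriv)
	return Record{Agreement: a, IndSig: sig}, err
}

// Countersign is the organisation's step: check the individual's signature,
// then add its own. Both parties store the resulting Record.
func Countersign(r Record, orgPriv ed25519.PrivateKey) (Record, error) {
	if !sigOK(r.Agreement, r.Agreement.Individual, r.IndSig) {
		return Record{}, fmt.Errorf("individual signature invalid")
	}
	sig, err := signAs(r.Agreement, r.Agreement.Organisation, orgPriv)
	r.OrgSig = sig
	return r, err
}

// Verify lets either party, or an auditor, confirm the stored record is what both named parties signed.
func Verify(r Record) bool {
	return sigOK(r.Agreement, r.Agreement.Individual, r.IndSig) &&
		sigOK(r.Agreement, r.Agreement.Organisation, r.OrgSig)
}

// Demo runs the exchange for an SD-BASE-DP agreement and reports whether the
// stored record verifies and whether a later one-sided edit is detected.
func Demo() (clean, tamperCaught bool) {
	indPub, indPriv, _ := ed25519.GenerateKey(rand.Reader)
	orgPub, orgPriv, _ := ed25519.GenerateKey(rand.Reader)
	a := Agreement{
		Template:     "SD-BASE-DP",
		Individual:   indPub,
		Organisation: orgPub,
		Purposes:     []string{"https://w3id.org/dpv#ServiceProvision"},
		Portability:  true,
	}
	prop, err := Propose([]string{"SD-BASE", "SD-BASE-DP"}, a, indPriv)
	if err != nil {
		return false, false
	}
	rec, err := Countersign(prop, orgPriv)
	if err != nil {
		return false, false
	}
	tampered := rec // the organisation quietly adds a purpose after signing
	tampered.Agreement.Purposes = append(tampered.Agreement.Purposes, "https://w3id.org/dpv#Marketing")
	return Verify(rec), !Verify(tampered)
}

func main() { fmt.Println(Demo()) }
```

The design points worth carrying into any real implementation: sign a canonical encoding (here a sorted copy of the purpose list, with struct fields in a fixed order) so both parties verify identical bytes; bind each signature to the public key named for that party inside the record, so a signature from the wrong key is rejected even if it is mathematically valid; and have the organisation verify the individual’s signature before adding its own, so it never countersigns a record the individual did not actually propose.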
So…., what’s in those agreements then?
There are two types of agreement.
Personal Data Contribution agreements, which cover one-off data transactions. There are three of these:
PDC - AI (Contribution to AI model training and deployment)
PDC - GOOD (Contribution to a Data for Good project)
PDC - INTENT (Contribution of intent-specific data)
Then there are Service Delivery agreements: agreements that assume individuals and organisations are entering into an ongoing relationship around the acquisition/ provision of a product or service that has some digital component (including payment). Products or services can be private or public sector; the agreement design covers both.
There are five of these Service Delivery agreements, each of which has two variants. I’ll cover two of those for now as that will illustrate the design pattern.
SD-BASE (Base level data and purposes required for a specified product/ service relationship)
SD-BASE-DP (Base level data and purposes required for a specified product/ service relationship; and a requirement for data portability)
The ‘DP’ (Data Portability) variants may look like a niche option initially, but they are carefully designed to fit into, for example, the UK Government’s Smart Data schemes. Those agreements make it very easy for the individual to say ‘I’m buying/ getting a widget, and I’d like a copy of the data please, for my own use or to share with others’.
The further Service Delivery agreements add data purposes over and above service delivery, e.g. ‘Analytics’. This builds a ‘Trust Ladder’: if a relationship begins with the BASE level agreement and goes well, the parties can progress beyond the basic agreement and allow each other to see and do more together. That mirrors how trust works in the physical world: it builds over time through consistent experiences against an agreed specification, and collapses quickly on any negative experience.
One critical aspect of MyTerms is that the signed agreements form contracts, and as such are governed by contract law. Contracts have been around for thousands of years and everyone knows how they work: two parties discuss, negotiate and agree that something is to happen, and the contract document is the written record of what has been agreed. That is clearly very different from the current model of ‘take it or leave it’ privacy policies and deliberately complex cookie banners. Then again, parties forming data sharing agreements (contracts) is already a well-established practice that privacy regulators promote over and above the base regulations; see the UK Information Commissioner’s Office guidance on data sharing agreements. In many ways MyTerms is effectively just a B2C variant of exactly that model, in which the parties agree an additional layer of transparency around a data exchange and form it as a contract.
As noted above, that makes the legal basis for the exchange of any personal data involved ‘contract’. The current norm is that consent is seen as a higher bar than contract as a basis for personal data exchange. But that assumes the contract was written in the usual way, by legal teams within an organisation, rather than standardised, made very transparent and ultimately written from the perspective of the individual.
What’s next then…? The standard still has a few months before publication. In that period we need to finalise the text of the agreements, which are currently in review by a range of volunteer legal experts. We can also now begin to talk to a range of organisations about how deployment might work for them in practice. Broadly speaking, MyTerms should work pretty well for most organisations once they familiarise themselves with the model. It is not going to be of interest to organisations that major on surveillance and ‘third party’ activity. It will be of interest to organisations that already focus on ‘first party relationships’, and should work well for the public sector. The inner workings will also be of interest to Consent Management Platforms (CMPs), Customer Data Platforms (CDPs) and systems integrators, as they may well be able to build value-added services around the standard.
To conclude, this visual may help crystallise one of several ways in which MyTerms user journeys might begin.
[Visual: ‘Prefer MyTerms?’]
This start point begins with an organisation having concluded that it is happy to offer MyTerms; there are multiple other ways in which they can surface.
All in all I’m optimistic that this model has a good chance. It certainly has to be a better approach than the current dreaded consent checkbox…
If your organisation would like to dive deeper to understand how MyTerms might work for you then get in touch.