Master Agreements + Schedules
This article is part of a 3-part introduction to https://dataStewardship.solutions(DSS).
Corporations are making a wholesale and rapid shift from increasingly risky and monolithic Privacy Policies to sleek, new, data-driven Master Agreements filled with thin, lean slices of bespoke Schedules tailored to fit the consent needs for a particular user in the moment. This urgent need, spurred on by massive data privacy fines and settlements has businesses scrambling to find web 3.0-savvy legal advisors that can draft a few laser-focused sentences to say what it once took bloated privacy policies 10 pages to cover and with far less risk.
This brought about a high demand on increasingly rare supplies of such legal artisans and has hourly rates rocketing to that of pre-Y2K Cobol programmers. And it only makes sense as courts increasingly view antiquated 90’s-style monolithic (humongous…that’s the technical term, right?) privacy policies as “unconscionable”, and thus ruling these old and brittle privacy policies Void Ab Initio.
Void Ab Initio means, “ah, f*ck” in court Latin.
In other words… just because a company buries data-usage language that even they don’t even completely understand in large contracts hidden behind “I agree” printed in large, friendly letters…that doesn’t mean that you understand it either — let alone that you even read it. Based on this, courts are determining with increasing scale in ruling after profit-threatening ruling that the businesses don’t own your data.
Unconscionable = no contract, no ownership, no permission.
Them’s the rules.
Ok, so if both parties don’t understand the nature of the contract, it’s void according to the legal theory of “Rose 2d of Aberlone”, a famous contract precedent that has become a 136 year-old pain-in-the-ass for privacy attorneys that never knew cow brokering had anything to do with data brokering, and who also then promised countless client corporations, “It’s ok… I’ve gotcha covered with this huge privacy policy I copied from the inter-web.”
The stark reality can be found in the fact that Google just agreed to pay a $100M settlement in a relatively small case in Illinois right on the heels of a similar settlement against Facebook. Why? Because Illinois passed a different law than California did, and different courts came to different conclusions. These types of law application grow risk to companies like yours geometrically each time it happens.
There are now 235+ such regulations and growing around the world as governments increasingly dip into data-profit coffers. In the coming months, some authority or other will likely be knocking on your business’s door and asking to see your affirmative express consent opt-ins for all of your various uses of data.
What will your business do then?
Do you love bacon? Many people do, but not everyone does. Some people like liverwurst.
This is precisely why John Montagu became famous in 1762. You know him better as the 4th Earl of Sandwich (not to be confused with the 3rd Earl of Hoagie). He rightly concluded that some people want a little bacon and others want a slab of liverwurst, but they all like bread, but may want different kinds of bread. This was precisely the beginning of Master Agreements (sometimes called Master Service Agreements) in contract law.
Trust me… I looked it up on the inter-web.
For all businesses in any NAICS industry segment, there are different types of legal bread — standard language that can facilitate a living and nimble agreement like bookends hold books on a shelf. That “header and footer,” if you will, covers all the common things like, “don’t screw with us and we won’t screw with you, and how about if we just be friends on things in this contract.” This master agreement can be fairly brief, and more importantly, imminently conscionable if it’s just laying down some foundational structure.
Think of it as two slices of legal bread. Bread is easy to understand. It holds things together.
Schedules are the thin slices of meaningful agreements (maybe one or two well-worded sentences each) that can be ingredients like tomato, or lettuce, or even slices of lean mutton in the middle.
Mmmmm… MLT sandwich.
For example, if you wanted to install my app on your phone, I could show you a basic agreement with perhaps a schedule or two. A schedule for using your data to rapidly fill in forms might look like this…
If you are an existing [COMPANY NAME] customer who is buying a new [COMPANY NAME] product or service, in order to improve our service to you and to help you save you time, we may automatically populate forms for you using the information we already hold about you. You will always be able to make changes to the pre-filled information.
If you are already one of my customers and have already agreed to the Master Agreement (bread), then I can just show you this new ingredient with a small intro sentence that hooks it into the Master Agreement. I don’t need to show you the larger Master Agreement again.
In this way, this schedule has the flexibility to be shown to a new user when they first agree to the master policy contract or months/years later when they first encounter the related service for the first time.
Smaller, cogent contracts means increased readership, which means “conscionable.”
Further, this schedule can be worded differently for different combinations of jurisdictions. It can be crafted initially by a government who might provide safe harbor for businesses that adopt it, or it might be reworded by the company based on legal advice from counsel.
About a decade ago, a new standard pattern for security and identity hardware and software was published into the public domain (that means they gave it away!) by AT&T called Personal Levels of Assurance (PLOA). Since that time, many companies have embraced the idea of decoupling their policy enforcement point, like their firewall, from their policy decision point and the information available to it. If the necessary assurances were not in place, a rejection notice would bring all the necessary data for the user experience to find help and pop a dialog box for the user to take whatever steps are necessary to continue what they were doing.
PLOA improved a lot of things, and you can read more about it here: https://www.idcommons.org/wp-content/uploads/2011/10/PLOA-White-Paper-v1.02.pdf
The nut of it was that if some necessary condition didn’t exist, there was a federated way for the different pieces of tech to work together to find a remedy that would be easy for the customer.
A few years ago, the Consent Name Service was launched by the Privacy Co-op and published into the public domain. Called the CNS, it’s a point of information that can be drawn upon by policy decision points to determine if a requested data use is legal and permissible by the user in question. It’s marvelous tech that can be used by such things as rapidly available single transactions or massive processing jobs like Big Data. You can specify any combination of data use, jurisdiction, and business name, and for any data subject distinctive get back an instant 0 or a 1. These combinations are known as intersections.
CNS improved a lot of things, and you can read more about it here: https://tiny.one/falconCNS
For businesses that have adopted Master Agreement Platform (MAP) approach to privacy policies, each CNS intersection can be related to a schedule. That means that when you need to have that conversation with the user, you can simply show them a sentence or two and get their permission that relates to the same address you just queried for consent.
This is vastly superior to the old-fashioned way of throwing a legal textbook at them hidden behind a big “I agree” button.
When a business combines PLOA with CNS, they already get a beautiful thing — clear consent for data use in-the-moment. But now if they don’t have the user’s consent for the prescribed data use, they can also in that moment use MAP and ask that user permission with a simple, straightforward Schedule question.
But isn’t this extremely complicated to put into place for any business?
Not at all.
There are a couple of steps your business can do to quickly implement.
Putting it all together
The CNS is being made available through affiliations with any nonprofit Authorized Agencies (AA) that are certified by GCA3 (Global Consent Authorized Agency). Privacy Co-op is a good one (https://privacy.coop). There are others. The GCA3 maintains a current record of certified Authorized Agencies (https://gca3.org).
These AA’s make available to your company, as an affiliate, OpenAPI interfaces to the CNS and can inexpensively provide services. The real benefit here is that many of these AAs also bring licensing for affirmative express consent of their respective members.
This goes much further to de-risking your business’s data use across multiple jurisdictions, as the permissioning you receive back will take the specified jurisdictions into consideration. Further de-risking occurs because the same types of agreements are being made across all NAICS segments and with common schedules for data use — perhaps even to businesses that provide your business with data or vice versa.
Currently, the relevant schedules are being built out, but for any gap, your business can either hire Data Stewardship Solutions to write them and add them for you, or your legal team can purchase a subscription to make your own additions and modifications for your business over time.
Your existing Policy Enforcement Point (PEP) already has a Policy Information Point (PIP) that likely can use any standard protocol for handling rejections based upon lack of required conditions. For example, XACML is a good one. So, when you receive a rejection notice, a zero, the reply from your own PEP will have the information necessary to redirect to a remedy point, and the required appropriate schedule(s) can be shown to your user to gain agreement and the entire data process can be attempted again, but this time with a consented positive result.
Consider the following…
Your business affiliates with an Authorized Agent certified by GCA3 through Data Stewardship Solutions. This provides your org with:
· Ability to license opt-ins
· Easily manage consistent opt-outs across any number of Authorized Agents
· Ability to get in-the-moment or, conversely, massive consent elections as zeros and ones
· A path to resolve all zeros using schedules that plug into your Master Agreement
· The ability to mint tokens as well as using other DLP functionality for a truly Web 3.0 approach to data rights management
Conclusion
Master Agreements + Schedules is a legal technique that has been around for a long time. Fiduciaries, like authorized agents, particularly as cooperatives, have also been around for a long time. In fact, all the components of this paper are individually time-tested. We’re just asking, “Why not put them altogether to address advanced data rights management in Web 3.0?”
If your company adopts a standard Master Agreement available from Data Stewardship Solutions, you can then begin using the CNS to query current consent settings for any identity distinctive. The response you get back will either be a “yes” backed by nonrepudiation data you can use in court if you are ever questioned or even fined for violating any combination of supported privacy regulations, or you will get back a “no” backed with a Schedule you can show the user and perhaps gain in-the-moment consent to continue the specified data use.
How much would it cost your company to research, write the schedules, build the platform, and then maintain all the language across not just changing and competing regulations, but also keep up with court decisions? If you are still using a monolithic approach to privacy policies, you will never be able to spend enough to make your one agreement completely future proof. But if you adopt a Master Agreement + Schedule sandwich approach, you will de-risk your business and be able to adopt existing products supported by companies like Data Stewardship Solutions.
You likely no longer use Windows ’95. Why in the world would your company continue to follow an antiquated legal tech approach to data privacy compliance like your privacy policy from the 90’s?
