The work consent is asked to do
Consent occupies a central place in modern data law: a person agrees, and the agreement legitimates subsequent processing. The structure is straightforward in principle. In practice, consent is asked to do work that it cannot bear — legitimating uses of personal data that are neither knowingly authorised in any meaningful sense nor practically refusable.
Operational realities
We examine the operational realities of consent in three contemporary digital-identity contexts: national ID systems linked to public services, platform identity systems linked to private services, and biometric authentication systems that span both. In each, consent is technically obtained and substantively undermined.
Procedural standards
We propose procedural standards that recognise consent's limits while preserving its protective function: meaningful refusability (the practical availability of declining without losing access to essential services); granular disclosure (specific uses, not blanket categories); and ongoing revocability (a meaningful exit, not just an entry).
These standards do not solve the structural problems of digital consent. They limit the damage that an over-relied-upon doctrine can do.