API Evangelist LLC

Consent

The political question of whether people actually agree to how their data flows through APIs

Consent is the political heart of how personal data flows through APIs, and it’s a question the technical machinery of OAuth and terms of service consistently dresses up as solved when it isn’t. Every time an application accesses your data through an API, there’s supposed to be consent behind it — you agreed, somewhere, that this app could see this data. But the gap between the formal mechanics of consent and genuine, informed, meaningful agreement is enormous, and that gap is where some of the most serious political problems in the API economy live. I’ve spent years arguing that consent is not just a checkbox or an OAuth flow — it’s a real question about power, about whether ordinary people actually understand and agree to how their data is being used, and about whether the consent we extract from users is meaningful or merely coerced through dark patterns and deliberately obscured terms.

OAuth is the technical layer where consent supposedly happens, and understanding both its value and its limits is essential. OAuth is the protocol that lets you grant an application access to your data on another platform without handing over your password — the “three-legged” flow where you, the platform, and the application negotiate access. I wrote about OAuth as the mechanism through which users are the critical third leg of the conversation, the one whose consent actually authorizes the data sharing. OAuth is genuinely important infrastructure, and it’s the closest thing we have to a consent layer for the API economy. But I’ve also been blunt that OAuth has many flaws even as it’s the best we have — because the OAuth consent screen, in practice, is often a formality users click through without understanding, with scopes written to be vague and permissions bundled to be all-or-nothing. The technical existence of a consent flow does not guarantee that meaningful consent actually occurred, and that gap is the political problem.

Cambridge Analytica was the moment the consent problem became impossible to ignore, and I wrote about it extensively. The Facebook–Cambridge Analytica scandal revealed how data harvested through APIs — ostensibly with consent — could be used in ways users never imagined or agreed to. I wrote about how the scandal exposed that Facebook didn’t actually know, or didn’t care to monitor, what API consumers were doing with the data users had consented to share. The consent users gave was technically valid and practically meaningless: they clicked through a permission screen for a quiz app, and their data, and their friends’ data, flowed into political profiling operations. This is the core failure of consent-as-checkbox: the formal consent existed, but it bore no relationship to what people actually understood or would have agreed to. The scandal made clear that the consent mechanisms of the API economy were a thin veneer over a system of data extraction that users had no real understanding of or control over.

Regulation has become the political response to the failure of voluntary consent, and I’ve tracked it closely. GDPR forced organizations to actually ask hard questions about the data they collect and the consent they rely on — pushing toward consent that is informed, specific, and revocable rather than buried in an unreadable terms-of-service document. I wrote about GDPR forcing us to ask real questions about our data, because the regulation made consent a genuine legal obligation rather than a formality. In financial services, I tracked the CFPB’s principles for consumer-authorized data sharing and Europe’s PSD2 rules, which built consent into the regulatory framework for banking APIs — giving consumers real, revocable control over who accesses their financial data. The emergence of dedicated consent APIs, which I wrote about in 2025, reflects this maturation: consent becoming a managed, auditable, machine-readable part of the API infrastructure rather than a one-time checkbox. Regulation is, in effect, the political system stepping in because the voluntary consent mechanisms of the API economy failed to protect people.

Transparency is the precondition for meaningful consent, and it’s a demand I’ve pressed repeatedly. You cannot meaningfully consent to data sharing you can’t see, which is why I’ve called for transparency around every company that has access to our social data via an API. If consent is to mean anything, users need to know who actually has their data, what they’re doing with it, and how to revoke access — and platforms have consistently resisted providing that transparency because it would expose the scale of the data extraction. The right to see who has access, to audit it, and to revoke it is the practical machinery that turns consent from a fiction into a reality. Without that transparency, the consent screen is theater: you click “allow,” and then you have no visibility into or control over what happens next, which means your consent was never really informed in the first place.
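The consent properties argued for above (specific scopes rather than bundled all-or-nothing grants, per-user consent that never covers a friend's data, revocation, and an audit trail showing who holds access) can be made concrete in a small consent ledger. This is an added illustration, not code from API Evangelist or from any platform's OAuth implementation; the scope names, client ids and users are constructed sample values.

```python
"""Minimal consent ledger: records which client holds which scopes for a
user, rejects bundled or wildcard scope requests, supports revocation, and
keeps an audit trail that a user (or regulator) can inspect."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: the only scopes a consent screen may offer.  Anything
# outside this set (e.g. "*" or "all") is treated as an unspecific grant.
KNOWN_SCOPES = {"profile:read", "posts:read", "friends:read", "email:read"}


@dataclass
class Consent:
    user: str
    client_id: str
    scopes: frozenset
    granted_at: datetime
    revoked_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self):
        self._grants = []
        self.audit = []  # (event, user, client_id, detail) tuples

    def grant(self, user, client_id, requested):
        # Consent must be specific: refuse anything not a known fine-grained scope.
        bad = sorted(s for s in requested if s not in KNOWN_SCOPES)
        if bad:
            self.audit.append(("rejected", user, client_id, ",".join(bad)))
            raise ValueError(f"unspecific or unknown scope(s): {bad}")
        consent = Consent(user, client_id, frozenset(requested), datetime.now(timezone.utc))
        self._grants.append(consent)
        self.audit.append(("granted", user, client_id, ",".join(sorted(requested))))
        return consent

    def active(self, user):
        # Transparency: which clients currently hold which scopes for this user.
        return {c.client_id: set(c.scopes) for c in self._grants
                if c.user == user and c.revoked_at is None}

    def revoke(self, user, client_id):
        revoked = 0
        for c in self._grants:
            if c.user == user and c.client_id == client_id and c.revoked_at is None:
                c.revoked_at = datetime.now(timezone.utc)
                revoked += 1
        self.audit.append(("revoked", user, client_id, str(revoked)))
        return revoked

    def authorize(self, user, client_id, scope):
        # Resource-server check: only an unrevoked grant *by this user* covers the scope,
        # so a grant by one user never exposes another user's data.
        ok = any(c.user == user and c.client_id == client_id and c.revoked_at is None
                 and scope in c.scopes for c in self._grants)
        self.audit.append(("allowed" if ok else "denied", user, client_id, scope))
        return ok
```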

Where I land on consent is that it’s a genuine political question that the API economy has consistently disguised as a solved technical problem — and that closing the gap between formal consent and meaningful consent is one of the central challenges in the politics of APIs. OAuth gives us a consent mechanism, but a mechanism is not the same as genuine agreement, and the history of the API economy is full of formally-consented data flows that no reasonable person would have actually agreed to if they’d understood them. Cambridge Analytica exposed the failure; GDPR, PSD2, and consent APIs represent the political and regulatory response; and transparency is the precondition that makes any of it real. The deepest point is about power: consent is the mechanism through which ordinary people are supposed to retain some control over their own data in a system designed to extract it, and whether that consent is meaningful or merely extracted determines whether people have real agency or just the illusion of it. Building API systems where consent is genuinely informed, specific, revocable, and transparent isn’t a technical nicety — it’s the political work of ensuring that the people whose data flows through these systems actually have a say in it.
