The Checkbox That Worked
We had a consent checkbox from the start. During registration, the participant ticked a box that said they accepted the terms and conditions and the data collection policy, and then they moved on. By the standard of almost every app I have ever built, that is consent. It is what you do. Nobody on the team looked at it twice, because there was nothing to look at. It was there, it worked, it was done.
When the Bar Moved
Then, about two weeks before launch, the bar moved.
It came out of a compliance conversation on the World Bank Group side. This was a research app, with real enrolled participants and Ipsos running the field work in Indonesia, and for a research program of that kind, a tick-to-accept checkbox is not enough. What they needed was informed consent: not just that the participant agreed, but that you can demonstrate they were actually shown what they were agreeing to. Presented the full text. Given the chance to read it. And only then allowed to agree.
So the fix, in the end, was small. The single accept checkbox became a flow where the participant has to scroll through the entire consent and data-collection text before the Agree button becomes available. A couple of days of work. Not hard.
What stays with me is not the fix. It is how close that gap came to sailing straight through.
The Gap That Passes Every Check
Because here is the thing: we had not forgotten consent. We had built consent. A reasonable, ordinary, perfectly functional consent step that would have been completely fine on most products. The gap was not a blank where something should have been. The gap was the distance between good enough for a normal app and good enough for an institutional research program, and that distance is invisible until someone who knows the higher bar points at it.
That is the kind of gap that is genuinely dangerous, and it is not the kind people warn you about. Everyone watches for the things you missed, the blank fields, the unhandled cases, the features that break. Those get caught, because they look wrong. The thing that does not get caught is the thing you did reasonably, that works exactly as intended, that passes every check you know to run, and that simply does not clear a standard you did not yet know applied. By every measure your team is using, it is done correctly. It has the checkmark. The attention has moved on.
A bug announces itself by breaking. A compliance gap announces nothing, because nothing is broken.
The checkbox worked. The registration worked. The only thing wrong with it was a definition of consent that had not been written down when we built it, and that arrived, fully specified, two weeks before we were due to go live with real people's data.
When You Catch It
Caught there, it was two days of work and a better flow. Caught after launch, with participants already enrolled under a consent process that did not meet the standard, it would not have been a code fix at all. It would have been a question about whether the data collected so far had been collected properly, on a World Bank research program. The same small gap, found two weeks apart, is the difference between an afternoon of work and a conversation nobody wants to have.
I do not think the lesson is that we should have built informed consent from day one. The requirement genuinely was not specified yet when the checkbox went in, and on institutional and regulated work, the compliance picture often sharpens as you go rather than arriving complete on day one. You cannot always build to a standard that does not exist yet.
What a Late Rule Breaks
The lesson is about what to do when the standard does arrive. The instinct, when a requirement lands late, is to ask what it means for the work ahead. The more useful question is what it just quietly changed about the work behind you, the parts marked done, the parts nobody is looking at anymore precisely because they were finished. A reasonable thing you already built can stop being good enough without anyone touching it, simply because the bar it is measured against moved up. And it will keep looking finished the whole time, because by the standard you had when you built it, it was.
Takeaway: Done is not a fixed state. It is done against a particular bar.
The Line: When the bar moves, some of what you finished quietly comes undone, while still wearing the checkmark that says it is fine.