Pseudonymous Keys used as Consumer IDs need to be handled carefully since they could be mis-used to pollute the atom collection in a data engine, or to retrieve data about a consumer if a service providers credentials are divulged.
We can reduce the likelihood of this happening by ensuring that the consumer ID is only used between a small number of actors: the Operator, Service Provider and Data engine. This can be achieved by using device ids elsewhere so that the consumer rarely gets their Consumer ID. (We cannot say never give the Consumer ID to the consumer, but we can enumerate the scenarios that they are likely to need it k - for example when confirming they have been forgotten - and point out that this is a weak link.)
We should make some statements about secure us of the consumer ID between the Operator and Service provider (since much of that is out of band as far as the standard is concerned).