Blog from February, 2025

Transparency Performance Reporting (TPR) is a novel approach to digital transparency and data control reporting and has just been submitted as a Kantara Recommendation for public comment by the Anchored Notice and Consent Receipts (ANCR) Work Group. The TPR uses four Transparency Performance Indicators (TPIs) to measure the transparency of the PII Controller's notice of risk to the personal data of the PII Principal. This represents a significant advancement for decentralizing digital identification and data surveillance governance within data flows. The TPR was developed through three years of volunteer work in the ANCR work group; it represents a means of understanding and addressing ubiquitous platform and application surveillance, and it promotes glass-box Commonwealth security and privacy legal standards.

The ANCR WG transparency and consent work has a 'bottom-up' history, originating as the Notice and Consent Receipt brought to Kantara in 2013 by the Open Notice Initiative. That in turn stemmed from the Identity Commons in California just before, an initiative aiming to create standards to address "the Biggest Lie on the Internet". In 2019 Kantara published the Consent Receipt v1.1 specification, which in 2020 was drafted into ISO/IEC 29184:2020 Online privacy notices and consent, under JTC 1, SC 27, WG 5, the ISO work group focused on privacy and identity management. The schema from the consent receipt is incorporated into the ISO/IEC 27560 Consent record information structure, which may become freely available, as is the case with the ISO/IEC 29100:2024 Privacy framework.

Transparency performance reporting clarifies when a notice and consent receipt is required and whether it is valid.

The initial Transparency Performance Report is focused on evaluating the validity, security, sovereignty, and accountability of digital consent. It is a tool to expose dark patterns and secret surveillance. It builds on the consent receipt specification by adding standardized transparency with regard to the sovereignty of data and consent, and their validity in conjunction with digital identification systems.

The four TPIs used in reporting measure:

1. Timing of notice
   1. Regarding the initiation of surveillance
2. Content of notice
   1. PII Controller required disclosures (.. Controller Record)
   2. PII Controller Reverse Cookie (could be captured in a receipt and record for the PII Principal)
      1. Who, where, what, why, how, when
3. Access and usefulness of notice
   1. Taste of the Cookie
      1. How good the answers to the above were, including their veracity
4. Sovereignty of authority and security
   1. Jurisdictions (legal) of Principal and Controller
   2. Cryptographic (technical)
   3. Linked by policy (objects)

The TPR document includes mappings to privacy frameworks, including Convention 108+, which creates a global (2.5 billion person) rule set for security and privacy that is rights-, law-, and commons-based. The mappings show how the TPIs address the requirements for records of processing activities (GDPR Article 30) and enable services to be accountable to international (internet) standards for data governance. This creates a technical record foundation on a common set of rules, allowing people to hold their own authoritative records of digital identification relationships.

The ANCR WG has completed its draft, for submission to the Kantara Leadership Council, of a Kantara Recommendation for a Transparency Performance Report (TPR) that uses four (4) Transparency Performance Indicators (TPIs) to measure whether there is a valid basis for consent, based on the notice presented to the data subject/PII Principal by the data controller/PII Controller. It measures the (1) timing, (2) completeness, (3) usability, and (4) security and sovereignty of the notice, and the associated trustworthiness of the PII Controller.

Too often today data subjects/customers are placed under surveillance and have their personal information and attributes gathered and used without consent by third parties. Things called consent, sometimes making reference to earlier Kantara work on a consent receipt, are often more accurately consent deceit.

This work is human-centric: it does not require, and in fact does not permit, identification of the PII Principal or the gathering of any surveillance data or personal information without prior notice to, and acceptance of the state of the relationship by, the PII Principal.

The work makes use of open standards such as ISO/IEC 29100:2024 Privacy framework, ISO/IEC 27560:2023 Consent record information structure, and the Kantara Consent Receipt v1.1, which is an annex in ISO/IEC 29184:2020 Online privacy notices and consent, among others. In publishing this work as a Kantara Recommendation we hope to add to these open and public resources.