Blog from March, 2025

Transparency Performance Reporting (TPR) is focused on assessing notice compliance and consent validity. The TPR uses four transparency performance indicators (TPIs) to measure the transparency of PII Controller identification; the indicators are captured in a PII Controller record of compulsory attributes. Together they indicate the security and privacy risk of digital identification to the PII Principal. At no point in this process is the PII Principal required to be identified or placed under surveillance. For consent to identification and identity management to be valid, there are requirements for notice on the part of the PII Controller. This is true across legal justifications, including consent, across frameworks, and especially internationally between legal jurisdictions.

How Does it Work?

The following figure shows the workflow used to capture the timing and presentation of the information required to validate consent, including permissions, policies, terms, and licenses.

[Figure: image-20250303-093201.png, the TPR workflow capturing the timing and presentation of the information required to validate consent]

The four TPIs used in reporting measure:

  1. Timing of notice

    1. Regarding the initiation of surveillance

  2. Content of notice

    1. PII Controller required disclosures (Controller Record)

    2. PII Controller Reverse Cookie (could be captured in a receipt and record for the PII Principal)

      1. Who, where, what, why, how, when

  3. Access and usefulness of notice

    1. Taste of the Cookie

      1. How good were the answers including their veracity to the above

  4. Sovereignty of authority and security

    1. Jurisdictions (Legal) of Principal and Controller

    2. Cryptographic (Technical)

    3. Linked by policy (objects)

As illustrated in this methodology, the four indicators are applied in sequence, focused on the timing and presentation of the elements required for consent to be valid.

  • TPI 1, the timing of notice

    • is an early, effective, and too often ignored benchmark as to whether consent is valid. Notice must be given before identification of the PII Principal takes place. This is almost never the case. Putting this aside

  • TPI 2, compulsory Controller identification

    • captures PII Controller identification attributes and creates a controller identifiable information record, to be used as a notice identifier.

    • Not to be confused with PII (personally identifiable information: attributes and associated identifiers). A PII notice controller identification record can be used to capture and assess any legal justification, including consent.

  • TPI 3 measures the presentation and accessibility of the compulsory information: it examines the content of the notice and the degree to which it can be accessed and used by the PII Principal. TPI 3 brings human indicators to the measures, building on the content required in TPI 2.

  • TPI 4 then brings legal and technical measures to the content, after its human accessibility and usefulness have been established. It confirms that the cryptography, to the extent it is used (which is nearly always the case), is valid. It further checks that the policies associated with these objects align with the notice, the PII Controller, and the legal requirements, in particular jurisdiction.
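The sequence above, and the "dark pattern recorder" framing later in this post, can be made concrete with a small evaluator. The following is an added example written for this page; it is not code from the ANCR Work Group or from the Kantara recommendation. The attribute names, the usability cut-off, the HMAC tag standing in for the controller's cryptographic signature, and the two sample records are all assumptions made for illustration. Note that neither record identifies the PII Principal: only the Principal's jurisdiction is recorded.

```python
"""Toy evaluator for the four Transparency Performance Indicators (TPIs).

Added illustration, not ANCR WG or Kantara code. Attribute names, scoring
rules, the HMAC stand-in for the cryptographic check and the sample
records are assumptions made for this example.
"""
from datetime import datetime
import hashlib
import hmac
import json

# Assumed compulsory PII Controller identification attributes (TPI 2).
COMPULSORY_CONTROLLER_ATTRIBUTES = (
    "controller_name", "controller_address", "controller_jurisdiction",
    "privacy_contact", "notice_uri",
)
# The six questions the "reverse cookie" answers for the PII Principal (TPI 3).
REVERSE_COOKIE_QUESTIONS = ("who", "where", "what", "why", "how", "when")
MAX_ANSWER_CHARS = 280  # assumed usability cut-off: an answer must fit a short paragraph


def canonical_bytes(record):
    """Canonical JSON of the record without its integrity tag, so tagging is repeatable."""
    body = {k: v for k, v in record.items() if k != "integrity_tag"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def tag_record(record, key):
    """Copy of the record carrying an HMAC-SHA256 tag (stand-in for a controller signature)."""
    tagged = dict(record)
    tagged["integrity_tag"] = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return tagged


def tpi1_timing(record):
    """TPI 1: notice must be given before identification of the PII Principal begins."""
    notice = datetime.fromisoformat(record["notice_time"])
    identification = datetime.fromisoformat(record["identification_time"])
    return notice <= identification


def tpi2_content(record):
    """TPI 2: the compulsory controller attributes that are absent or empty."""
    return [a for a in COMPULSORY_CONTROLLER_ATTRIBUTES if not record.get(a)]


def tpi3_access(record):
    """TPI 3: reverse-cookie questions left unanswered or answered unusably (too long)."""
    answers = record.get("reverse_cookie", {})
    return [q for q in REVERSE_COOKIE_QUESTIONS
            if not answers.get(q, "").strip() or len(answers[q]) > MAX_ANSWER_CHARS]


def tpi4_sovereignty(record, key):
    """TPI 4: both jurisdictions recorded, cross-border use linked to a policy object,
    and the cryptographic tag over the record verifies."""
    issues = []
    controller_j = record.get("controller_jurisdiction")
    principal_j = record.get("principal_jurisdiction")
    if not controller_j:
        issues.append("controller jurisdiction missing")
    if not principal_j:
        issues.append("principal jurisdiction missing")
    if controller_j and principal_j and controller_j != principal_j \
            and not record.get("transfer_policy_uri"):
        issues.append("cross-jurisdiction processing with no linked transfer policy")
    expected = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record.get("integrity_tag", "")):
        issues.append("integrity tag does not verify")
    return issues


def transparency_report(record, key):
    """Apply the four TPIs in sequence and say whether the notice can support valid consent."""
    timing_ok = tpi1_timing(record)
    missing = tpi2_content(record)
    unusable = tpi3_access(record)
    sovereignty = tpi4_sovereignty(record, key)
    return {
        "TPI1_notice_before_identification": timing_ok,
        "TPI2_missing_controller_attributes": missing,
        "TPI3_unanswered_or_unusable": unusable,
        "TPI4_sovereignty_issues": sovereignty,
        "consent_notice_valid": timing_ok and not missing and not unusable and not sovereignty,
    }


KEY = b"constructed-demo-key"  # constructed; a deployment would hold the controller's signing key

# Constructed base record: a compliant notice given five seconds before identification.
BASE = {
    "controller_name": "Example Retail Ltd",
    "controller_address": "1 Example Street, Montreal",
    "controller_jurisdiction": "CA-QC",
    "principal_jurisdiction": "CA-QC",
    "privacy_contact": "privacy@example.test",
    "notice_uri": "https://example.test/notice",
    "notice_time": "2025-03-01T10:00:00+00:00",
    "identification_time": "2025-03-01T10:00:05+00:00",
    "reverse_cookie": {
        "who": "Example Retail Ltd", "where": "Quebec, Canada",
        "what": "email address and purchase history", "why": "order fulfilment",
        "how": "stored on our own servers, not shared", "when": "2 years after last order",
    },
}
GOOD_RECORD = tag_record(BASE, KEY)
# Constructed "dark pattern" record: identification starts before notice, purpose never stated.
BAD_RECORD = tag_record({**BASE,
                         "notice_time": "2025-03-01T10:00:05+00:00",
                         "identification_time": "2025-03-01T10:00:00+00:00",
                         "reverse_cookie": {**BASE["reverse_cookie"], "why": ""}}, KEY)

if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD)):
        print(name, json.dumps(transparency_report(rec, KEY), indent=2))
```

The report is computed entirely from the controller's record and the timing of notice versus identification, so the evaluator never needs to know who the PII Principal is, which is the property the methodology insists on. Modifying any attribute of a tagged record is caught by TPI 4, so a downstream reader can tell a controller's original notice record from one altered after the fact.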

This specification includes an appendix mapping roles and requirements among global privacy instruments, specifically Convention 108+, the General Data Protection Regulation (GDPR), and Quebec Law 25. This demonstrates how TPR establishes an adequacy baseline using an interoperable standard for valid notice and consent, implementing a common methodology that applies the ISO/IEC 29100:2024 Privacy framework and all other frameworks that adopt it.

Or put another way, transparency reporting as specified here is a notice and consent dark pattern recorder.

This extensible notice record and reporting method can be employed by any stakeholder (Data Subjects, Controllers, Processors (third parties and their subordinates)) as defined in ISO/IEC 29100:2024.

Status
The publication is put forth as a Kantara Recommendation for public comment by the Anchored Notice and Consent Receipts (ANCR) Work Group, Feb 25, 2025.

Note:

The ANCR WG creates and advocates for open standards and open source to support digital privacy transparency, and for the ISO/IEC 27560 Consent record information structure standard to be free to access,