Versions Compared

Old Version 3

changes.mady.by.user John Wunderlich

Saved on

compared with

New Version 4

changes.mady.by.user John Wunderlich

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Version published after converting to the new editor

Statement: Verifiers should request user consent prior to the presentation from their mobile credential but after presenting a notice.

Review meeting(s)

Status:

Status
subtletrue
colourGrey
titleDraft

ItemDescription
Statement (Single phrase or sentence)

Verifiers should request user consent prior to the presentation from their mobile credential but after presenting a notice.

Description

For in-person presentation, consent may be assumed to be implicit because the Holder has the option of not opening or presenting their mobile device. This implied consent should only apply to the minimum data required to fulfil the implicit purposes of the interaction. For example, presenting the mobile device for age verification implies consent for a yes/no age verification and a proof of possession (i.e. a photo of the Holder). Similarly, there is no implied necessity for the retention of that data. Any other data request or retention would need notice and explicit consent.

In online scenarios (Day 2) user consent shall be requested in a clear and comprehensible way. If PII are disclosed for different purposes, the specific PII and respective purposes shall be displayed to the user.

Discussion:

  1. Do we include a notice in this requirement?
  2. Discussion about notice:
    1. What is being collected
    2. Purpose of Collection
    3. Notice of retention

Should see consent receipt spec at ISO.

Need to make sure that if there is a notice requirement that it doesn't add friction unless there is an overriding privacy-related reason for adding that friction



Scope (applies to)
  •  Part A: Verifiers
  •  Part B: Issuers
  •  Part C: Providers
Select the Primary Consideration*
  •  CC (Consent and Choice)
  •  PL (Purpose legitimacy and specification)
  •  CL (Collection limitation)
  •  DM (Data minimization)
  •  UR (Use, retention, and disclosure limitation)
  •  AQ (Accuracy and quality)
  •  OT (Openness, transparency, and access)
  •  IA (Individual access & participation)
  •  AC (Accountability)
  •  IS (Information Security)
  •  PS (Privacy compliance)
Select other relevant considerations
  •  CC (Consent and Choice)
  •  PL (Purpose legitimacy and specification)
  •  CL (Collection limitation)
  •  DM (Data minimization)
  •  UR (Use, retention, and disclosure limitation)
  •  AQ (Accuracy and quality)
  •  OT (Openness, transparency, and access)
  •  IA (Individual access & participation)
  •  AC (Accountability)
  •  IS (Information Security)
  •  PS (Privacy compliance)
Select impacted Identifiers
  •  Direct
  •  Indirect
  •  Unique
Reference (#_Scope_Consideration_Ref #)
Related Requirements
Explanatory Notes (Text or Link)

...