  • identity of parties
    • how does Alice Company verify the identity of Bob? how does Bob verify the identity of Alice Company?
    • is this a requirement for the receipts or out-of-scope?
      • a consent receipt captures the identities of the parties in a consent
    • synergies between identities and personal data: Are there SP to IdP signaling mechanisms to indicate what types of values are needed by the SP?

      • a contact is made for the consent- with the notices in it - so SP and IDP can use the same policies and laws 
  • types of notices (with receipts)
    • notice, notification, consent
  • types of consent
    •  Consent Types are the human labels for consent mapped to a legal justification providing the authority for that consent type 
        notice
        • consent not needed, implied consent as you have consent from a previous context,  that state of consent as-expected, explicit consent to being consent state, privacy agreement (user-initiated - consent directive with a notification) – from GitHub doc here, Mark L
    • receipt-id
      • should enable context over a long period of time (re-consent, changes, revocation, etc.)
      • a previous-receipt-id to enable protocols and establish a notion of session continuity?
        • linking receipts (this should be explored separately in each use case)   
    • a receipt needs to embed/facilitate traceability + auditability
      • the consent is the permissions record - it should be queried for processing - and this should be logged to provide transparency and queried (in context of service usage) according to choice and context by person.
    • support to batched/scheduled consent to the future
      • is this consent or is this maintenance of consent state? 
    • no-consent/refusal
      • In US - among “merchants” (not consumers), failure to promptly object to a notice of a minor change can be taken as acceptance. And there are numerous other situations, time periods for undoing something, making a claim, etc. (quoting and thanks to Jim Hazard)
        • this varies  but - in US Healthcare non-consent means that there is no processing - as this requires explicit consent -
          • in the US they have relaxed rules for identity  
    • deep sharing of 3rd parties
      • is there a receipt to be issued?
      • who issues the receipt?
      • is consent “cascaded” (first party handles everything) or each a sequence of peer-to-peer Consent cycles?
      • → isn't this the same as idp to sp above?
    • we need taxonomies for certain fields which can be enumerated
      • e.g., purposes, legal basis, types of data collected
      • the taxonomies in themselves out-of-scope?
      • nope these are what the inputs are 
        • Notice and consent receipts are not useful without standard words for notices for humans to understand
          • if standardised then people only need to know one set of terms - and it's the services that have to adopt to people (not the other way around - thus enabling social physics etc)
    • personal data fields
      • How to characterize the distinction between the two – what functionalities and attributes in an app are considered optional

      • How does this relate to data minimization principles

      • in the spec - the subject identifier is personal and the consent record  is personal
    • purpose of use
      • Is it specified on a per attribute basis, or just for the overall bundle of attributes requested?
      • legally specified to purpose category in the specification, and it's the industry, or association, or location, or person who can specify the attributes under that category for that person
    • post-receipt/consent notifications
      • means to notify back the recipient post-act (as in a message about changes)
      • So you mean? Notice Proof?
        • when a person accepts a receipt -
          • a notification is sent to the controller - 
        • when a controller finishes the purpose 
          • the notification goes to the person