
Policy Paper: Minimum Viable Consent Receipt


Editors: Mark Lizar, John Wunderlich, Joni Brennan.

Abstract

Consent and notice on the Internet is broken. It is technology that hasn’t evolved much while the rest of the environment seems to be evolving at an increasing pace. One of the reasons for this lag in development is that notice is typically delivered via an infrequently visited privacy policy or web privacy statement, and another reason is that consent is more often implied than explicit. Both notice and consent are one-way communications ‘To’ the data subject, or ‘From’ the service user.


This paper introduces a draft specification for a Minimum Viable Consent Receipt (MVCR) that provides a mechanism for transparency about the compliance of consent notices. The specification is highly focused on evolving the usability and transparency of consent mechanisms so that personal consent management can be dramatically evolved in both online and physical spaces.


How A Consent Receipt Is Used


A consent receipt will be provided or made available when a data subject provisions consent. This is typically when a service user registers with a web site, or otherwise provides personally identifiable information that the data controller will collect, use and/or disclose.

A minimum viable consent receipt (MVCR) is a consent receipt based on a specification that will supply the basic (legally required) policy information that governs the transaction, linked to a record of the consent transaction.

The specification is being created as a 'specification by example' as part of the Kantara Initiative, a global non-profit innovation and compliance body. The Kantara Initiative provides open and transparent governance for the development of innovations by enabling communities to develop, evolve, and implement industry-standards-based solutions to common problems. For policy makers, transparency and the usability of consent is an essential tool for enabling people to control data and is a significant development in bridging identity management technology to user managed infrastructure. Notice and consent is in essence part of a stack of user-centric mechanisms that provide users with more natively trustworthy on-line environments.

The MVCR can be layered with additional consent notice requirements to accommodate sensitive personal data consent, 3rd party sharing requirements and specific notice requirements that vary from jurisdiction to jurisdiction.

The MVCR is conceptually a digital version of a sign that points people to the right information and enables legally required controls to be developed for varying contextual use. In such a way, consent can be ubiquitous, persistent, and pervasive.

This specification aims to bridge consent into Smart Physical Spaces that capture identifying data from people as well as for consent harvested from online environments.

The MVCR addresses a number of issues:

  • It enables innovation by addressing the bottleneck of consent and notice, avoiding click-through (click-wrap) behaviour and enabling the possibility of mass customization of consent.

  • It increases efficiency in an industry that currently is plagued with inefficiency.

    • Overhead: this is estimated to cost 3.3 bn a year in the UK alone, with an estimated 96% cost saving predicted over the next 6 years.

    • Currently, to read policies and use the data controls prescribed in law, people need to log into every provider and are accountable for reading every iteration of every policy.

    • Businesses need to authenticate every individual to manage their personal data and profile.

  • An MVCR provides an indication of the level of compliance of the consent for the data subject in their local jurisdiction.

  • It provides a record of the consent for the data subject to enable transparency of consent on aggregate.


For policy makers a consent receipt provides a solution with incredible potential. The MVCR enables co-regulation of data control management and is a vehicle for self-regulation through the use of trusted 3rd parties.

This co-regulation provides consistent transparency to all parties and stakeholders, while self-regulation that provides a consent receipt is designed to carry icons for trust frameworks, privacy, and third party reputations through the emerging trusted services industry.

Trusted services can be embedded in a consent receipt by the provisioning organisation so that assurance about data control and personal data management can be made transparent, verifiable, and independently policed.

How A Consent Receipt Is Made


The consent receipt is made from the legal requirements defined by legalese and applicable laws. In law and privacy principles around the world, the requirement for notice for consent (or assent) to be valid is the most consistent and universally defined privacy requirement.

These laws, their included legalese, and jurisdictional contextual requirements are referenced in the consent receipt specification.

For example, under Article 10 of the EU Data Protection Directive 94/95/EC, section c), “whether [the data subject] replies to the questions are obligatory or voluntary” must be made clear. In addition, section c) states “the existence of the right of access to and the right to rectify the data concerning [the data subject] in so far as such further information is necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing in respect of the data subject.”

These types of provisions provide contextual requirements for recording a consent event. This scenario is accounted for in this specification with a checklist of contextual requirements provided to the consent receipt provisioning Organisation. The Organisation then self-asserts that these legal requirements are present at the time of consent and this assertion is included in the consent receipt provided to the data subject.


{Flow Diagram Here}

How It Works

The MVCR specification can be used independently and can be implemented by anyone. An Open Consent Notice registry is also in Alpha testing to provide all of these facilities for trusted data consumption by organisations in the future.

Ideally, an Organisation would fill in a form asking for the required consent receipt information that, like existing policy, provides a self-asserted compliance.

This receipt would include policy information, a link to purpose information, a short purpose, links to short notices, and data controller contact information, as well as a yes/no answer about sharing personal data or collecting sensitive personal information. If the answer to these questions is no, then an automatic compliant rating is provided. If the answer is yes, then at this time no rating is provided.

We have a variety of planned specification extensions; 3rd party sharing and sensitive data collection extensions are in progress to extend the compliance of an MVCR further.

Additional specification extensions can be used for notice requirements from different jurisdictions, specific to certain contexts, or for certain industries to be layered onto the MVCR.

Currently the MVCR is being explored as a path forward to manage more complex compliance and consent issues, for instance Safe Harbour and other contentious areas of consent and compliance across jurisdictions and with Big Data.

If the Organisation has only part of the information required, or some of the links in the receipt are broken and reported, then a partially compliant rating is provided.

If the Organisation does not comply with jurisdictional legal requirements and does not provide the required information then a non-compliant rating is provided. Most often Organisations would not provision a non-compliant rating, but a browser plug-in or third party receipt provider would. All of this would be facilitated by an Open Consent Notice Registry.
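The rating rules described in this section can be written as a single decision function. The following is an added example, not part of the MVCR specification or of the original paper: the field names, the `rate_receipt` function and the sample receipt are hypothetical, and it assumes that completeness and reported broken links are checked before the yes/no answers, an ordering the paper does not state.

```python
from typing import Optional

# Hypothetical field names: the page lists the information, not a schema.
REQUIRED_FIELDS = (
    "policy_url",          # policy information
    "purpose_url",         # link to purpose information
    "short_purpose",       # short purpose statement
    "short_notice_url",    # link to the short notice
    "controller_contact",  # data controller contact information
)
YES_NO_FIELDS = ("shares_personal_data", "collects_sensitive_data")


def rate_receipt(receipt: dict, reported_broken=frozenset()) -> Optional[str]:
    """Return the rating for a receipt, or None where no rating is provided."""
    present = [f for f in REQUIRED_FIELDS if str(receipt.get(f) or "").strip()]
    answers = [receipt.get(f) for f in YES_NO_FIELDS]
    if not present:
        return "non-compliant"        # none of the required information
    # Assumption: completeness is checked before the yes/no answers.
    incomplete = len(present) < len(REQUIRED_FIELDS) or None in answers
    broken = any(receipt[f] in reported_broken for f in present)
    if incomplete or broken:
        return "partially compliant"
    if any(answers):
        return None                   # a "yes": no rating at this time
    return "compliant"                # both answers are "no"


# Constructed sample receipt; every value is a placeholder.
FULL = {
    "policy_url": "https://example.org/privacy",
    "purpose_url": "https://example.org/purpose",
    "short_purpose": "Account registration",
    "short_notice_url": "https://example.org/notice",
    "controller_contact": "privacy@example.org",
    "shares_personal_data": False,
    "collects_sensitive_data": False,
}

if __name__ == "__main__":
    cases = {
        "complete, both answers no": (FULL, frozenset()),
        "third-party sharing": ({**FULL, "shares_personal_data": True}, frozenset()),
        "purpose link reported broken": (FULL, frozenset({FULL["purpose_url"]})),
        "nothing provided": ({}, frozenset()),
    }
    for name, (receipt, broken) in cases.items():
        print(f"{name}: {rate_receipt(receipt, broken)}")
```
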



Figure 1. Consent Receipt Example





Trusted Services

Trusted services/networks and frameworks can be used to meet or exceed notice (and therefore consent) legal requirements, or to address the need for assurance and trust for people so that consent and its management can be automated and more usable. It is foreseen that a notice registry is the natural place for trust services to register their services.

A process for auditing and verifying all trust services needs to be in place for trust services to be trusted. Then when an organisation enrols into the registry they can also add (or manage) trust services that have been added to the receipt.

Advice for Policy Makers

At the moment, notice requirements for consent are micro issues that are not transparent to policy makers or regulators except on a case by case basis. A standard for consent will enable consent receipt and use data to be looked at from a global perspective and as such enable policy makers to manage consent policy in a much more meaningful way.

As openness of policy notices that require consent is the cornerstone of privacy principles and legislation, the Open Consent Receipt is a great policy solution. It enables people to directly engage Organisations without having to read all the policies and to log in to every service provider platform, and enables Organisations to update data subjects dynamically about consent.


This makes a consent receipt standard a two-way communication solution.