Versions Compared

Old Version 5

changes.mady.by.user Mark Lizar

Saved on

compared with

New Version Current

changes.mady.by.user Mark Lizar

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

MVCR (Minimum Viable Consent Receipt) for an Open Consent Model

  • A proof of concept that explains the consent receipt and is presented as an open common consent meta-format for a legal consent notice.
  • Demonstrate how/why the simple version is better than existing consent, demonstrating that a record by itself provides transparency over policy and organisation information sharing practices
  • Used as a demonstrator to evaluate the legal and binding aspects of a consent record
  • Used to demonstrate how a consent receipt opens the closed privacy policy infrastructure.

Introduction

  • A receipt is a starting point for being able to track consents and their basic open notice requirements for people online.

  • The MVCR is meant to be the simple version of a receipt, which people download at the point of consent 

    • providing legacy consents, with an updated consent profile implementations that can be used to evolve, manage and maintain consent by both parties
    • a consent receipt aggregated, with other receipts in a dashboard provide the basis for modern consent management (which is beyond scope of this use case)
    • This use case will show that the open format by its self is It is intended to be the light version of a more compliant way to harvest and manage consent across multiple juisdictions.
    • The MVCR is a bridge for policy, and personal data control architecture

Scope of Work

The scope of work is to create a consent receipt generator that is used to developed the MVCR, and then to implement the MVCR for a site registration use case, starting with the CISWG registration process. 

The Consent Receipt Generator will :

  •  consist of:

    • the core consent receipt data model form the MVCR v0.7 specification

    • a web API to generate signed consent receipt JWTs.

    • The UI will be a Kantara CISWG Branded JavaScript application that will present a set of form fields;

    • submission of the form will call the API and download the JWT into the browser.

    • The UI will then render the downloaded JWT in a human-readable fashion and allow the user to download the JWT to their machine.

    • The code for the render of the UI will be re-usable. i.e. cut and paste into the implementation of the MVCR consent button. 
  • be usable for:
    • developing the consent receipt data model and usable renderings of a consent receipt
  • Be hosted at Consentreceipts.org
    • this will be an open source consent receipt generator, with a liberal re-use license.
    • will take into consideration that 
      • success of the consent receipt being a machine readable meta format relies on the CR being  THE dominant common format
      • we need to ensure that the licensing for the receipt generator enables CIS to actively maintain this format
      • we need to ensure the CIS WG is setup to actively maintain this consent data model
      • we need to make  sure that this development effort and the WG is  easy for data model change requests, and additions to be made.
  • All of the code will be kept in Git Hub at https://github.com/smartopian/MVCR

The MVCR Implementation:

  • The MVCR is the primary proof of concept Use Case for the core consent receipt data modelIt is intended to a way to bridge for policy, and personal data control architecture
  • The MVCR is the open common consent meta-format for a legal consent notice delivered as a consent receipt when consent is provided on while registering on the website.
  • The alpha MVCR  instance is to be used to sign up to the CISWG, and is best explained as an advanced consent button, which calls the consent receipt generator API, (Hosted at consentreceipts.org) and delivers a consent receipt visually in the browsers as well as a jwt machine readable consent receipt to the person consenting.
  • The consent receipt generator and the MVCR is intended to demonstrate how/why the most simple version of a consent receipt is a massive improvement over existing consent buttons on line, especially in the context of website/service registration.
  •   management   better than existing consent, demonstrating that a record by itself provides transparency over policy and organisation information sharing practices
  • Used as a demonstrator to evaluate the legal and binding aspects of a consent record
  • Used to demonstrate how a consent receipt opens the closed privacy policy infrastructure.

Objective

    1. The MVCR has a downloadable record of consent, provides contact and purpose in context
    2. It is record the data subject receives that has a clear record of purpose, and can be used to independently manage consent after the consent has been provided. 
    3.  Usability: It is, by itself intended to transparently show organisation data sharing practices at a glance
    4. The MVCR implementation will be evaluated in compairison to the MVCR v0.7 specification, to create a list of issues, that will be solved in the v0.8  iteration of the MVCR spec.

MVCR: Minimum Method

  • display the meta format that meets the minimum compliance obligations of an organisation that does not:
    • share with third parties,
    • does not collect sensitive data,
    • includes a self assertion that context specific requirements are included, this minimum viable consent receipt provides the minimum needed for a person to interact independently with an organizations to address any additional compliance or complaint requirements.
    • Notes:
  •  the MVCR is designed and intended to demonstrate the minimum online consent requirements with existing law illustrating the most common consent requirements across all jurisdictions in an independently usable form)
  • with these three components alone provides a tremendous improvement as a meta format,
  • Additional Operational Objectives to implement beyond the MVCR: (creating list here)

    1. re-consent

    2. withdrawing consent

    3. upgrading consent to the new consent data model

  • Technical Implementation
    • release an open simple version of the CR that is useful out of the box for a common and specific scenario, defined here as website registration for Kantara.
    • do this in a way that enables the receipt to be usable (systematically read)

...

MVCR Website Registration Walkthough for the CIS-WG Registration:

  • Specific Use Case for :the Kantara CISWG Registration
    •  non-sensitive PII, -
    • e.g.no third party sharing,
    • no-PII payload,
    • with output into a json format of the receipt download as a text file with  html version displayed on screen and pdf version available to send via email (evaluating different methods of delivery)
    Components
    • includes a simple form for creating a static receipt
    • presents the receipt on a website, with pdf version, and digital cert version
    • documentation about what the receipt is potentially good for. 
  • Walkthrough
    • WG- Admin
      • fills out form for creating consent receipt code installs a consent button  that calls the consent receipt generator api. 
      • this code (or consent receipt generator) is put on the website
    • Alice Experience
      • alice goes to sign up
      • alice see human readable in the website page, gets download machine readable receipt
  • Implementation Plan
    • get quote from Oliver for the demo
    • demo needs plan to be developed and moved to consent receipt. org
      • includes list of usability requirements, documentation, graphics

Stage 2  MVCR Website Registration: Consent Receipt . Org

...

      • message,

Additional Operational Objectives to consider during MVCR development: (creating list here)

  1. re-consent

  2. withdrawing consent

  3. upgrading consent MVCR to the new consent data model  v1.0