Statement (Single phrase or sentence)

Verifiers should request user consent prior to the presentation from their mobile credential but after presenting a notice.

Discussion 31 Aug 2022

Loffie Jordaan (Unlicensed) Statement is about sequence, but description has more than one requirement. Maybe multiple requirements?

Tom Jones Use of the word notice is a problem … IMHO notice occurs after consent, not before.

Salvatore D'Agostino you could also have the individual present the terms of the consent and then get agreement

Tom Jones suggest moving the order in the statement present request, followed by presentation of credential

Description

For in-person presentation, consent may be assumed to be implicit because the Holder has the option of not opening or presenting their mobile device. This implied consent should only apply to the minimum data required to fulfil the implicit purposes of the interaction. For example, presenting the mobile device for age verification implies consent for a yes/no age verification and a proof of possession (i.e. a photo of the Holder). Similarly, there is no implied necessity for the retention of that data. Any other data request or retention would need notice and explicit consent.

In online scenarios (Day 2) user consent shall be requested in a clear and comprehensible way. If PII are disclosed for different purposes, the specific PII and respective purposes shall be displayed to the user.

Discussion:

1. Do we include a notice in this requirement?

2. Discussion about notice:

   1. What is being collected

   2. Purpose of Collection

   3. Notice of retention

Should see consent receipt spec at ISO.

Need to make sure that if there is a notice requirement that it doesn't add friction unless there is an overriding privacy-related reason for adding that friction

Discussion 31 Aug 2022

Loffie Jordaan (Unlicensed) reads the ‘in presentation consent may be implicit' shouldn’t be read as notice is actually implicit

Salvatore D'Agostino ? implicit notice because you are there

John Wunderlich Implicit notice not technically verifiable in the context of in person presentations.

Loffie Jordaan (Unlicensed) Because a Holder chooses to share information has NO implication for whether or not there has been notice.

Tom Jones it is certainly possible to craft requests that are unambiguous, but that is just an edge case really

Differentiate between in-person and prior/on-line transaction re: notice/consent use cases. No time for notice/consent ritual in a casual or high throughput in person scenario.

Scope (applies to)

•  Part A: Verifiers
•  Part B: Issuers
•  Part C: Providers

Select the Primary Consideration^*

•  CC (Consent and Choice)
•  PL (Purpose legitimacy and specification)
•  CL (Collection limitation)
•  DM (Data minimization)
•  UR (Use, retention, and disclosure limitation)
•  AQ (Accuracy and quality)
•  OT (Openness, transparency, and access)
•  IA (Individual access & participation)
•  AC (Accountability)
•  IS (Information Security)
•  PS (Privacy compliance)

Reference

808_AV_CC

Select other relevant considerations

•  CC (Consent and Choice)
•  PL (Purpose legitimacy and specification)
•  CL (Collection limitation)
•  DM (Data minimization)
•  UR (Use, retention, and disclosure limitation)
•  AQ (Accuracy and quality)
•  OT (Openness, transparency, and access)
•  IA (Individual access & participation)
•  AC (Accountability)
•  IS (Information Security)
•  PS (Privacy compliance)

Select impacted Identifiers

•  Direct
•  Indirect
•  Unique

Related Requirements

Explanatory Notes (Text or Link)