Core Spec: Minimum Viable Consent Receipt (MVCR)- Specification
Related Documents:
CISWG: Consent Requirements Map: (spreadsheet of laws/principles for receipt and data control R&D)
Open Notice: Mockup of a Consent Receipt: (A first MockUp of the consent receipt record)
Objective
The Open Notice Initiative is an effort that calls for an open, global and public infrastructure for consent-based notices. A key element of that infrastructure is the consent receipt described in this document. Such a receipt will provide people with the knowledge necessary to make an informed choice about who gets their personal information and what they can do with it. This will be accomplished by providing an explicit record of the consent transaction from the web site to the user about what the user has consented to at the time of their initial transaction with the web site.
The objective for a Minimum Viable Consent Receipt (MVCR) is to provide jurisdiction-ally appropriate consent related information in a common standard format.
Background
Draft, background document can be found here,
Minimum Viable Consent Requirements
By its format and structure the MVCR is intended to provide the basic information to review further the compliance of policy for consent. The MVCR is a record in a standard format. As a result it can be further extended by jurisdiction, data type and additional context. A basic consent receipt will assure a basic level of general regulatory compliance for consent. It will do this by being open, accessible, extensible and providing a standard format to develop a higher quality of consent and policy usability, data privacy law usability.
MVC Contents
This may end up being an XML document, but for now some basic Key:value pairs will provide an initial framework
Required Content
Field Name | Description | Purpose/Explanation | Format of Field | Example | Legal Reference for Field | Tech Ref | Next Step | Comments | |
---|---|---|---|---|---|---|---|---|---|
DP_Domain_Accountable for Consent | URL of the domain Accountable for Consent | Header/Admin/entity identifier | |||||||
ConsentPref_ThirdParty | Yes/No share with 3rd partie | ||||||||
ConsentPre_etc | ConsentPref from P3P | Comment by John; Comment by Mark etc | |||||||
Consent type: Explicit, Implied, Exception | Assumed Explicit consent fro alpha version | ||||||||
Data Processing consented to: Purpose | |||||||||
Processor ID if different than Domain Id : Listed DP | The identification of the data processor | entity in charge | |||||||
User ID: | id (email) of the user in the consent form | non-repudiation | |||||||
Transaction ID: GUID | the specific consent ID | (or transaction id) | |||||||
Sequence #: 0 for new receipt +1 every time it is used | time of consent, consent/policy updates, | ||||||||
Use Reference: type of use ID | |||||||||
Date:TimeStamp | time and date of consent | ||||||||
Policy URI’s: PP, TOSA, Cookies | URI's pointing to source for Policies | ||||||||
Address & Contact details of SP | Unless different DP this should be the same as the DP | ||||||||
IP of DS | IP of person making consent - Jurisdiction of the IP address | ||||||||
Data Type: Personal Information(PI), (SPI) Sensitive Personal Information (Y/N) | Data sensitivity (privacy category) |
Header Information
DP Domain:Domain URL
DS Consent Preferences: {array to be determined}
Processor ID: Listed DP
User ID: Consenting identifier
Transaction ID: GUID
Sequence #: 0 for new receipt +1 every time it is used
Use Reference: type of use ID
Date:TimeStamp
Consent type: Explicit, Implied, Exception
Policy URI’s: PP, TOSA, Cookies
Data Processing consented to: Purpose
Address & Contact details of DP
IP of DS
Data Type: Personal Information(PI), (SPI) Sensitive Personal Information (Y/N)
Extended By Other Services
Jurisdictional specifics
Reputations
Icons
Short Notices
Trust Frameworks
Glossary
Minimum Viable Consent Receipt(MVCR)
Consent Receipt (CR)
Data Subject(DS)
Data Controller(DC)
Bilateral Online Open Notice (BOON) - SS term for independently initiated two way communication over data controls
Master Data Controller - Individual who is the data controller and the data subject - In specific terms this term is to facilitate access and personal data control