Statement: Verifiers should request user consent prior to the presentation from their mobile credential but after presenting a notice.

Review meeting(s)

Status: DRAFT

Item | Description
Statement (Single phrase or sentence)

Verifiers should request user consent prior to the presentation from their mobile credential but after presenting a notice.

Description

For in-person presentation, consent may be assumed to be implicit because the Holder has the option of not opening or presenting their mobile device. This implied consent should only apply to the minimum data required to fulfil the implicit purposes of the interaction. For example, presenting the mobile device for age verification implies consent for a yes/no age verification and a proof of possession (i.e. a photo of the Holder). Similarly, there is no implied necessity for the retention of that data. Any other data request or retention would need notice and explicit consent.

In online scenarios (Day 2) user consent shall be requested in a clear and comprehensible way. If PII are disclosed for different purposes, the specific PII and respective purposes shall be displayed to the user.

Discussion:

  1. Do we include a notice in this requirement?
  2. Discussion about notice:
    1. What is being collected
    2. Purpose of Collection
    3. Notice of retention

Should see consent receipt spec at ISO.

Need to make sure that, if there is a notice requirement, it doesn't add friction unless there is an overriding privacy-related reason for adding that friction.
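As an added illustration (not part of this draft page or the working group's material), the following Python sketch encodes the consent rule from the Description as a verifier-side pre-check: elements covered by implied in-person consent for a purpose are separated from those that need notice and explicit consent, retention is never treated as implied, online requests are never implicit, and the notice content (what is collected, purpose, retention) from discussion item 2 is assembled per purpose. The purpose table and element names are constructed assumptions, not identifiers from any standard.

```python
from dataclasses import dataclass, field

# Constructed assumption: data whose need is implied by presenting the device
# in person for a given purpose (the page's age-verification example: a yes/no
# age check plus a portrait as proof of possession). Nothing implies retention.
IMPLIED_MINIMUM = {
    "age_verification": {"age_over_18", "portrait"},
}

@dataclass
class DataRequest:
    elements: dict                                # data element -> purpose it serves
    retain: set = field(default_factory=set)      # elements the verifier intends to keep
    in_person: bool = True                        # False models the online (Day 2) case

@dataclass
class Decision:
    implicit_ok: bool      # whole request is covered by implied consent
    needs_explicit: set    # elements that require notice + explicit consent
    notice: dict           # purpose -> elements, plus what would be retained

def evaluate(req: DataRequest) -> Decision:
    """Decide whether a request may proceed on implied consent alone."""
    unknown = req.retain - set(req.elements)
    if unknown:
        raise ValueError(f"retention of elements never requested: {sorted(unknown)}")
    implied = set()
    if req.in_person:
        implied = {e for e, p in req.elements.items()
                   if e in IMPLIED_MINIMUM.get(p, set())}
    # Anything beyond the implied minimum, and any retention at all, needs
    # a notice followed by explicit consent.
    needs_explicit = (set(req.elements) - implied) | req.retain
    by_purpose = {}
    for e, p in req.elements.items():
        by_purpose.setdefault(p, []).append(e)
    notice = {
        "collected_for": {p: sorted(es) for p, es in by_purpose.items()},
        "retained": sorted(req.retain),
    }
    return Decision(not needs_explicit, needs_explicit, notice)
```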



Scope (applies to)
  • Part A: Verifiers
  • Part B: Issuers
  • Part C: Providers
Select the Primary Consideration*
  • CC (Consent and Choice)
  • PL (Purpose legitimacy and specification)
  • CL (Collection limitation)
  • DM (Data minimization)
  • UR (Use, retention, and disclosure limitation)
  • AQ (Accuracy and quality)
  • OT (Openness, transparency, and access)
  • IA (Individual access & participation)
  • AC (Accountability)
  • IS (Information Security)
  • PS (Privacy compliance)
Select other relevant considerations
  • CC (Consent and Choice)
  • PL (Purpose legitimacy and specification)
  • CL (Collection limitation)
  • DM (Data minimization)
  • UR (Use, retention, and disclosure limitation)
  • AQ (Accuracy and quality)
  • OT (Openness, transparency, and access)
  • IA (Individual access & participation)
  • AC (Accountability)
  • IS (Information Security)
  • PS (Privacy compliance)
Select impacted Identifiers
  • Direct
  • Indirect
  • Unique
Reference (#_Scope_Consideration_Ref #)
Related Requirements
Explanatory Notes (Text or Link)

*For descriptions download the publicly available version of ISO/IEC 29100
