Statement: Verifiers should request user consent prior to the presentation from their mobile credential but after presenting a notice.
Review meeting(s)
Status: DRAFT
Item | Description |
---|---|
Statement (Single phrase or sentence) | Verifiers should request user consent prior to the presentation from their mobile credential but after presenting a notice. |
Description | For in-person presentation, consent may be assumed to be implicit because the Holder has the option of not opening or presenting their mobile device. This implied consent should only apply to the minimum data required to fulfil the implicit purposes of the interaction. For example, presenting the mobile device for age verification implies consent for a yes/no age verification and a proof of possession (i.e. a photo of the Holder). Similarly, there is no implied necessity for the retention of that data. Any other data request or retention would need notice and explicit consent. Discussion: Should see consent receipt spec at ISO. Need to make sure that if there is a notice requirement that it doesn't add friction unless there is an overriding privacy-related reason for adding that friction. |
Scope (applies to) | |
Select the Primary Consideration* | |
Select other relevant considerations | |
Select impacted Identifiers | |
Reference (#_Scope_Consideration_Ref #) | |
Related Requirements | |
Explanatory Notes (Text or Link) | |

*For descriptions, download the publicly available version of ISO/IEC 29100.