Core Spec: Minimum Viable Consent Receipt (MVCR)- Specification

Objective

The Open Notice Initiative is an effort that calls for an open, global and public infrastructure for consent-based notices. A key element of that infrastructure is the consent receipt described in this document. Such a receipt will provide people with the knowledge necessary to make an informed choice about who gets their personal information and what they can do with it. This will be accomplished by providing an explicit record of the consent transaction from the web site to the user about what the user has consented to at the time of their initial transaction with the web site.

The objective for a Minimum Viable Consent Receipt (MVCR) is to provide jurisdiction-ally appropriate consent related information in a common standard format.

Background

Draft, background document can be found here,

Minimum Viable Consent Requirements

By its format and structure the MVCR is intended to provide the basic information to review further the compliance of policy for consent. The MVCR is a record in a standard format. As a result it can be further extended by jurisdiction, data type and additional context. A basic consent receipt will assure a basic level of general regulatory compliance for consent. It will do this by being open, accessible, extensible and providing a standard format to develop a higher quality of consent and policy usability, data privacy law usability.

MVC Contents

This may end up being an XML document, but for now some basic Key:value pairs will provide an initial framework

Required Content

Field Name	Description	Purpose/Explanation	Comments
DP_Domain_Accountable for Consent	URL of the domain Accountable for Consent	Header/Admin/entity identifier
ConsentPref_ThirdParty	Yes/No share with 3rd partie
ConsentPre_etc	ConsentPref from P3P		Comment by John; Comment by Mark etc
Consent type: Explicit, Implied, Exception	Assumed Explicit consent fro alpha version
Data Processing consented to: Purpose
Processor ID if different than Domain Id : Listed DP	The identification of the data processor	entity in charge
User ID:	id (email) of the user in the consent form	non-repudiation
Transaction ID: GUID	the specific consent ID	(or transaction id)
Sequence #: 0 for new receipt +1 every time it is used	time of consent, consent/policy updates,
Use Reference: type of use ID
Date:TimeStamp	time and date of consent
Policy URI’s: PP, TOSA, Cookies	URI's pointing to source for Policies
Address & Contact details of SP	Unless different DP this should be the same as the DP
IP of DS	IP of person making consent - Jurisdiction of the IP address
Data Type: Personal Information(PI), (SPI) Sensitive Personal Information (Y/N)	Data sensitivity (privacy category)

Header Information

DP Domain:Domain URL
DS Consent Preferences: {array to be determined}
Processor ID: Listed DP
User ID: Consenting identifier
Transaction ID: GUID
Sequence #: 0 for new receipt +1 every time it is used
Use Reference: type of use ID
Date:TimeStamp
Consent type: Explicit, Implied, Exception
Policy URI’s: PP, TOSA, Cookies
Data Processing consented to: Purpose
Address & Contact details of DP

IP of DS
Data Type: Personal Information(PI), (SPI) Sensitive Personal Information (Y/N)

Extended By Other Services

Jurisdictional specifics
Reputations
Icons
Short Notices
Trust Frameworks

Glossary

Minimum Viable Consent Receipt(MVCR)

Consent Receipt (CR)

Data Subject(DS)

Data Controller(DC)

Bilateral Online Open Notice (BOON) - SS term for independently initiated two way communication over data controls

Master Data Controller - Individual who is the data controller and the data subject - In specific terms this term is to facilitate access and personal data control

Minimum Viable Consent Receipt Draft v.02