
Transparency Performance Reporting (TPR) is focused on measuring the performance of transparency, centred on the individual and context, using the international treaty Convention 108+ and the ISO/IEC 29100 privacy framework to measure the performance and conformance of PII Controller transparency with regard to the technical and legal requirements for notice and consent. It is a tool for data subjects, regulators, data controllers, and their subordinates. The publication is put forth as a Kantara Recommendation for public comment by the Anchored Notice and Consent Receipts (ANCR) Work Group.

TPR uses four transparency performance indicators (TPIs) to measure the transparency of PII Controller identification; the indicators are captured in a PII Controller record of compulsory attributes. Together they indicate the security and privacy risk that digital identification poses to the PII Principal. At no point in this process is the PII Principal required to be identified or placed under surveillance. For consent to identification and identity management to be valid, the PII Controller must meet notice requirements. This is true across legal justifications including consent, across frameworks, and across jurisdictions.

How Does it Work?

The four TPIs used in reporting measure:

  1. Timing of notice

    1. Regarding the initiation of surveillance

  2. Content of notice

    1. PII Controller required disclosures (Controller Record)

    2. PII Controller Reverse Cookie (could be captured in a receipt and record for the PII Principal)

      1. Who, where, what, why, how, when

  3. Access and usefulness of notice

    1. Taste of the Cookie

      1. How good were the answers including their veracity to the above

  4. Sovereignty of authority and security

    1. Jurisdictions (Legal) of Principal and Controller

    2. Cryptographic (Technical)

    3. Linked by policy (objects)

The following figure shows the workflow. The four TPIs are applied in sequence, focused on the legal notice requirements of a PII Controller. TPI 1, the timing of notice, is an early, effective, and too often ignored benchmark of whether consent is valid: notice must be given before identification of the PII Principal takes place, and this is almost never the case. Setting that aside, TPI 2 looks at the notice provided, captures that information, and associates it with (identifies) a PII Controller, i.e. PII Controller identification rather than PII Principal identification. This is the reverse cookie referred to above. If there are insufficient ingredients in this cookie (the notice), then there is no basis for processing under any justification, including consent. With the notice in hand and the record/report under creation, TPI 3 then examines whether the content of the notice can be accessed and used by the PII Principal; it brings human indicators to the measures, building on the content required in TPI 2. TPI 4 then brings legal and technical measures to the content, after its human accessibility and usefulness have been established. It looks to confirm that, to the extent cryptography is used (which is nearly always the case), that cryptography is valid, and it further checks that the policy associated with these objects aligns with the notice, the PII Controller, and the legal requirements.

[Figure: TPR workflow (image-20250303-093201.png)]
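To make the sequenced gating concrete, here is an added Python example (not part of the ANCR specification or this page) that evaluates the four TPIs over a constructed PII Controller record; the record field names, the 0.5 usefulness threshold and the sha256 notice digest standing in for the cryptographic check are assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Reverse-cookie disclosures TPI 2 checks for (field names assumed, drawn from the page's list).
REQUIRED_DISCLOSURES = ("who", "where", "what", "why", "how", "when")

@dataclass
class ControllerRecord:
    notice_text: str
    notice_at: datetime           # when notice was given to the PII Principal
    identification_at: datetime   # when identification / surveillance of the Principal began
    disclosures: dict             # who/where/what/why/how/when taken from the notice
    usefulness_score: float       # TPI 3 human rating in [0, 1] (assumed scale)
    principal_jurisdiction: str
    controller_jurisdiction: str
    notice_digest: str            # sha256 hex of notice_text, as published with the notice
    policy_objects: dict = field(default_factory=dict)

def evaluate_tpis(rec: ControllerRecord) -> dict:
    """Run TPI 1..4 in order; failing TPI 1 or TPI 2 ends the sequence, as the workflow describes."""
    results = {"tpi1_timing": rec.notice_at < rec.identification_at}
    if not results["tpi1_timing"]:          # identification before notice: no valid basis
        return results
    missing = [k for k in REQUIRED_DISCLOSURES if not rec.disclosures.get(k)]
    results["tpi2_content"], results["tpi2_missing"] = not missing, missing
    if missing:                             # not enough ingredients in the cookie
        return results
    results["tpi3_usefulness"] = rec.usefulness_score >= 0.5   # threshold assumed
    digest_ok = hashlib.sha256(rec.notice_text.encode()).hexdigest() == rec.notice_digest
    jurisdictions_ok = bool(rec.principal_jurisdiction and rec.controller_jurisdiction)
    policy_ok = rec.policy_objects.get("notice_digest") == rec.notice_digest  # policy bound to notice
    results["tpi4_sovereignty"] = digest_ok and jurisdictions_ok and policy_ok
    return results

def make_sample(notice_first: bool = True, drop: Optional[str] = None) -> ControllerRecord:
    """Constructed sample record; flip notice_first or drop a disclosure to exercise the gates."""
    t0 = datetime(2025, 3, 3, 9, 32, tzinfo=timezone.utc)
    text = "Example Co collects your email for newsletters; contact privacy@example.com."
    digest = hashlib.sha256(text.encode()).hexdigest()
    disclosures = {"who": "Example Co", "where": "example.com", "what": "email address",
                   "why": "newsletter", "how": "web form", "when": "at sign-up"}
    if drop:
        disclosures.pop(drop)
    return ControllerRecord(text, t0, t0 + timedelta(seconds=5 if notice_first else -5),
                            disclosures, 0.8, "CA-QC", "EU", digest, {"notice_digest": digest})
```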

This specification includes an appendix mapping roles and requirements among global privacy instruments, specifically Convention 108+, the General Data Protection Regulation (GDPR), and Quebec Law 25. This demonstrates how TPR establishes an adequacy baseline using an interoperable standard for valid notice and consent, implementing a common methodology that applies the ISO/IEC 29100:2024 Privacy framework and all other frameworks that adopt it.

Or put another way, transparency reporting as specified here is a notice and consent bs detector.

Note: The ANCR WG creates and advocates for open standards and open source to support digital privacy transparency, and for the ISO/IEC 27560 Consent record information structure standard to be free to access,
