Skip to end of metadata
Go to start of metadata

You are viewing an old version of this content. View the current version.

Compare with Current View Version History

« Previous Version 4 Next »

Transparency Performance Reporting is focused on the technical validity of online presented record for assessing notice compliance and consent validity. The TPR uses 4 transparency performance indicators (TPIs) to measure the transparency of PII Controller identification, the indicators are captured in a PII Controller record of compulsory attributes. Together they indicate the security and privacy risk of digital identification to the PII Principal. At no point in this process is the PII Principal required to be identified or under surveillance. In order for consent to identification, and identity management to be valid there are requirements for notice on the part of the PII Controller. This is true across justifications including consent, across frameworks, and across jurisdictions.

How Does it Work?

The following figure shows the workflow to capture the timing, presentation of required information to validate consent, including, Permissions, policies, terms, and licenses.

image-20250303-093201.png

The four TPIs used in reporting measure:

  1. Timing of notice

    1. Regarding the initiation of surveillance

  2. Content of notice

    1. PII Controller required disclosures (Controller Record)

    2. PII Controller Reverse Cookie (could be captured in a receipt and record for the PII Principal)

      1. Who, where, what, why, how, when

  3. Access and usefulness of notice

    1. Taste of the Cookie

      1. How good were the answers including their veracity to the above

  4. Sovereignty of authority and security

    1. Jurisdictions (Legal) of Principal and Controller

    2. Cryptographic (Technical)

    3. Linked by policy (objects)

As illustrated in this methodology, the four Indicators are used in sequence, focused on the timing, and presentation of elements required for consent to be valid.

  • TPI 1, the timing of notice

    • is an early, effective, and too often ignored benchmark as to whether consent is valid. Notice must be given before identification of the PII Principal takes place. This is almost never the case. Putting this aside

  • TPI 2 Compulsory Controller identification

    • captures PII Controller identification attributes, and creates a controller identifiable information record, to be used as a notice identifier.

    • Not to be confused with the PII (personally identifiable information, attributes and associated identifiers). A Pii controller notice identification record can be used to capture and assess any legal justification, including consent.

  • TPI 3 measures the presentation and accessibility of the compulsory information, and examines no the content of the notice can be accessed and used by the PII Principal. TPI 3 brings human indicators to the measures, building on content required in TPI 2.

  • TPI 4 then brings legal and technical measures to the content, after its human accessibility and usefulness has been established. This looks to confirm that, to the extent, which is nearly always the case, the cryptography is used is valid. It further checks to see that the policy associated with these objects align with the notice and PII Controller and legal requirements.

This specification includes an appendix mapping of roles and requirements among global privacy instruments, specifically Convention 108+, the General Data Protection Regulation (GDPR), and Quebec Law 25. This demonstrates how TPR establishes an adequacy baseline using an interoperable standard for valid notice and consent, implementing a common methodology, that applies the ISO/IEC 29100:2024 Privacy framework, and all other frameworks that adopt this.

Or put another way, transparency reporting as specified here is a notice and consent dark pattern recorder.

This extensible notice record and reporting method, can be employed by any stakeholders, (Data subjects, Controllers, Processors (3rd parties and their Subordinates) as defined in ISO//IEC 29100,

Status
The publication is put forth as a Kantara Recommendation for public comment by the Anchored Notice and Consent Receipts (ANCR) Work Group. Feb 25, 2025.

Note:

The ANCR WG creates and advocates for open standards, and open source to support digital privacy transparency, and that the ISO/IEC 27560 Consent record information structure standard to be free to access,

  • No labels