ISO/IEC Plenary Presentation: Tuesday Oct 1, 2024
On Tuesday, Oct 1, the ANCR WG is proud to support the presentation by Mark Lizar on the Notice receipt work in an informal ISO JTC1 SC27 WG 5 committee coffee session.
While the “consent receipt” was developed further in 27560, it was interpreted there as a record of processing activities, rather than as a record of consent in relation to the online notice and consent standard, ISO/IEC 29184, and rather than as a notice record information structure that enables receipts that can be used for consent. It is a record information structure that requires the identification of the PII Principal to create a record the individual can use to consent with.
The original work, the MVCR (“Minimum Viable Consent Receipt”), authored by Mark Lizar, was adopted into ISO from the Kantara Consent and Information Sharing WG. It focused on the minimum requirements for notice, so that a receipt could be used for consent, creating a record of notice that the PII Principal could use to replace cookies in browsers and terms of service online. These are not only a well-documented dark pattern, but are also not regularly enforced against by regulators, demonstrating a need for a standard international solution for transparency and consent.
The presentation of the notice receipt is the introduction of an anonymous receipt flow, where the PII Principal is able to control, manage and even negotiate the use of personal data processing with standardised transparency.
Learning from 27560, this introduces a PII Controller identity record information structure that is extended to the notice receipt, and then to a notice receipt event log, to provide assurance. These are specified in accordance with Convention 108+ Articles 14 and 15 for the Controller Identity Record schema, Article 30 for the notice receipt to be a record of processing activity, and Article 88 for a log of the processing, to provide the international assurance required to scale consent-based data controls.
The proposed profile, or possible NWIP, introduces a Two Factor Notice, which is Consent by Default that is extensible, as the PII Controller identity record schema is used to generate a notice receipt and a subsequent notice receipt event log.
It is envisioned that this profile could then be used to operationalise personal data and personal data control held by PII Controllers under data protection regulation, enabling self-identification through receipt presentation. This includes the use of the notice receipt as a consent token, providing verification of ID and attributes without having to provide raw personal security information across the internet, and the use of a notice receipt for a secondary purpose with the lawful authority of consent.