Introduction to the ANCR Transparency Reporting

By Mark Lizar
3 min

Transparency Performance Reporting is focused on assessing notice compliance and consent validity. The TPR uses 4 transparency performance indicators (TPIs) to measure the transparency of PII Controller identification, the indicators are captured in a PII Controller record of compulsory attributes. Together they indicate the security and privacy risk of digital identification to the PII Principal. At no point in this process is the PII Principal required to be identified or under surveillance. In order for consent to identification, and identity management to be valid there are requirements for notice on the part of the PII Controller. This is true across justifications including consent, across frameworks, and especially internationally between legal jurisdictions.

How Does it Work?

The following figure shows the workflow to capture the timing, presentation of required information to validate consent, including, Permissions, policies, terms, and licenses.

image-20250303-093201.png

The four TPIs used in reporting measure:

  1. Timing of Controller identification (presentation)

    1. Regarding the initiation of surveillance

  2. Content of Controller identification information

    1. PII Controller required disclosures (Controller Record)

    2. PII Controller Reverse Cookie (could be captured in a receipt and record for the PII Principal)

      1. Who, where, what, why, how, when

  3. Accessibility to identification of jurisdiction and use of privacy rights

  4. Sovereignty of authority and security

    1. Jurisdictions (Legal) of Principal and Controller

    2. Cryptographic (Technical)

    3. Linked by policy (objects)

As illustrated in this methodology, the four Indicators are used in sequence, focused on the timing, and presentation of elements required for consent to be valid.

  • TPI 1, the timing of notice

    • is the technical benchmark as to whether consent is valid. Notice of Controller identification, must be provided collecting PII, and permitted before identification, or user-id generation, linking the PII Principal takes place.

  • TPI 2 Compulsory Controller identification

    • captures PII Controller identification attributes, and creates a controller identifiable information notice record, and identifier.

    • Not to be confused with the PII (personally identifiable information, attributes and associated identifiers- user-id). A PII notice controller identification record identifier is safe to use as an exchange identifier, instead dramatically reducing security and privacy risks.

  • TPI 3 measures the presentation and accessibility of the compulsory controller id information and examines the content of the notice and how difficult it is to discover this information from the context of pii collection.

  • the degree it can be accessed and used by the PII Principal. TPI 3 brings human indicators to the measures, building on content required in TPI 2.

  • TPI 4 then brings legal and technical measures to the content, after its human accessibility and usefulness has been established. This looks to confirm that, to the extent, which is nearly always the case, the cryptography is used is valid. It further checks to see that the policy associated with these objects align with the notice and PII Controller and legal requirements, in particular jurisdiction, security in context.

This specification includes an appendix mapping of roles and requirements among global privacy instruments, specifically Convention 108+, the General Data Protection Regulation (GDPR), and Quebec Law 25. This demonstrates how TPR establishes an adequacy baseline using an interoperable standard for valid notice and consent, implementing a common methodology, that applies the ISO/IEC 29100:2024 Privacy framework, and all other frameworks that adopt this.

Or put another way, transparency reporting as specified here is a notice and consent dark pattern recorder.

This extensible notice record and reporting method, can be employed by any stakeholder; (Data Subjects, Controllers, Processors (3rd parties and their Subordinates) as defined in ISO/IEC 29100:2024.

Status
The publication is put forth as a Kantara Recommendation for public comment by the Anchored Notice and Consent Receipts (ANCR) Work Group. Feb 25, 2025.

Note:

The ANCR WG creates and advocates for open standards, and open source to support digital privacy transparency, and that the ISO/IEC 27560 Consent record information structure standard to be free to access,

Related content