WG - Consent and Information Sharing - CISWG

Title: Consent Receipt Specification (download here)

Version: 1.1.0

Date: 2018-02-20

Editors: Mark Lizar, David Turner

Status: This document is a Kantara Initiative Technical Specification Recommendation produced by the Consent & Information Sharing Work Group, and has been approved by the Group. The Public Comment and Intellectual Property Rights Review has been completed. It has been approved by the Membership of the Kantara Initiative. See the Kantara Initiative Operating Procedures for more information.

Abstract: A Consent Receipt is record of authority granted by a Personally Identifiable Information (PII) Principal to a PII Controller for processing of the Principal's PII. The record of consent is human-readable and can be represented as standard JSON. This specification defines the requirements for the creation of a consent record and the provision of a human-readable receipt. The standard includes requirements for links to existing privacy notices & policies as well as a description of what information has been or will be collected, the purposes for that collection as well as relevant information about how that information will be used or disclosed. This specification is based on current privacy and data protection principles as set out in various data protection laws, regulations and international standards.

Known Implementations

Many Consent Receipt Implementations - list of implementations of Consent Receipts or derivatives

Questions and answers about the specification from implementers are here.

In September 2019 FDX announced a collaboration with Kantara and a supporting Kantara Consent Receipt Infographic -v02.pdf. 

The receipt specification enhancement project is active as of December 2018.

For now, we are managing the list of proposed enhancements as Github issues.

Github Project: https://github.com/KantaraInitiative/consent-receipt-v-next/projects/2

Github Issues list: https://github.com/KantaraInitiative/consent-receipt-v-next/issues

Liaisons with CISWG/Consent Receipt update from Liaisons Officer Mark Lizar, as presented to the Kantara European Plenary May 2019  

Kantara presented the demo at EIC 2019 and is scheduled to present improved versions at Identiverse 2019 and MyData 2019.

A webinar recording of the slides on YouTube

The slides on SlideShare: kantara-privacy-control-panel-demonstration-2019-0515

NEW: Demo video for ISSE 2019 Brussels

The project to assemble v2 of the demo is active as of December 2018. Throughout 2019 the WG team will be refining and growing the demo functionality.

The draft demo description being discussed in the WG is:

The main purposes of the Kantara Initiative Privacy Control Panel (Kantara PCP) system are a) to allow people to see, organize, find details via a ‘data processing receipt’ construct about the conditions under which they agreed to provide information for data processing; and b) to give them tools to investigate the data processing receipts they might have received or modify the permissions they granted when they initially shared the data for processing.

In the Kantara vision, whenever an individual is asked for their personal data, or whenever their personal data is acquired, a ‘data processing receipt’ is created by the data controller. The receipt includes details about the conditions under which the data was obtained: the privacy notices provided;  the lawful basis and purposes for collecting and processing data; the terms of the agreement and other metadata related to the interaction.

These data processing receipts could be offered by the data controller’s system to the individual for storage in their personal Privacy Control Panel application. 

Once the data processing receipts are in the personal PCP, the person can organize them and inspect them to ensure they are valid, current and actually represent what happened. 

The PCP gives the person tools to take action with the receipts including view, validity check, request the data, revoke consent, change permissions, or erase the data. In other words to exercise their data subject rights.

On the consent management platform and data controller system side, standard data processing receipt APIs could be offered. The PCP utilizes these APIs. 

Kantara presented a demonstration of Interoperable Consent Receipts at the MyData 2018 conference, Helsinki, August 28, 2018 in the Consent In Action Session there are excellent presentation videos - it's a very interesting conference.

Five Kantara Members who are active Consent & Information Sharing Work Group contributors invested developer time to create external Kantara-spec Consent Receipts. These receipts were stored at a user-specified location, then viewed using a viewer created by OpenConsent. From start to finish, it took about 7 weeks to design, build, test and deliver.

The Consent Receipt presentation was recorded and is posted (YouTube).

And the slides can be downloaded (pptx).

The demo was a hit - lots of conference delegates engaged with the presenters and we are hoping to see that interest result in more WG participants and more demo apps - and hopefully some of these in shipping products!

The demo was then presented at the Kuppinger Cole CIAM World Tour USA, Seattle, September 21, 2018 with similar interest and engagement.

Next stop: Amsterdam for the Kuppinger Cole CIAM World Tour Europe, October 29-31, 2018

After the first two conference presentations, we now have two more solutions to fit into the demo.

Active Projects:

• Demo of interoperable Consent Receipts at MyData2018 - Consent Interoperability Track
• Consent Receipts - Current versions, links to github, links to demo API site
  • Many Consent Receipt Implementations - list of implementations of Consent Receipts or derivatives
• User Submitted Terms

Publications & Submissions

• Submissions in progress.. CIWG Submission to  ISO/IEC JTC 1/SC 27/WG 5. via Kantara BOT-Liaison March 2018 (restricted access BOT-Liasion WG members only)
• Submission to A W3C Workshop on Privacy and Linked Data 17–18 April 2018,
• Submission Comments on Draft Guidance on Consent Information Commissioners Office in the United Kingdom,
• Submission to the Office of Privacy Commissioner of Canada seeks comment on Consent
• Hodder, M,. Lizar, M,."Tracking and Managing Use of Personal Data With a Consent Transaction Receipt". Authors Retain Copyright, ACM Retain exclusive license to publish, https://dl.acm.org/citation.cfm?id=2641681&dl=ACM&coll=DLNote: members must log in to access copy linked in title
• Hodder, M. Lizar, M "Usable Consent", CMU Notice and Choice Submission 2014,

Presentations

• Consent Receipt John Wunderlich -
  • IIW XXIII Consent Receipt presentation: IIW XXIII - Wed 4E Consent Receipts.pptx

Demo's

• How to Make a Consent Receipt Generator (2015): Open Consent Group & Dazza from law.MIT.edu.

All WG Projects:

• WG Project Areas

CALENDAR:  https://kantarainitiative.org/calendars

Call times:

Consent Receipt: Thursdays - 15:30 GMT, 07:30 Pacific, 10:30 Eastern Time

User Submitted Terms: Wednesdays - 16:00 GMT; 08:00 Pacific; 11:00 Eastern

GoToMeeting (GTM1)
Please join the meeting from your computer, tablet or smartphone. 

https://global.gotomeeting.com/join/323930725 

You can also dial in using your phone. 
United States: +1 (669) 224-3318 

Access Code: 323-930-725