This Work Group operates under the Kantara IPR Option: Patent & Copyright: Reciprocal Royalty Free with Opt-Out to Reasonable And Non discriminatory (RAND)

Current Status - Version 1.1 has been published

Title: Consent Receipt Specification (download here)

Version: 1.1.0

Date: 2018-02-20

Editors: Mark Lizar, David Turner

Status: This document is a Kantara Initiative Technical Specification Recommendation produced by the Consent & Information Sharing Work Group, and has been approved by the Group. The Public Comment and Intellectual Property Rights Review has been completed. It has been approved by the Membership of the Kantara Initiative. See the Kantara Initiative Operating Procedures for more information.

Abstract: A Consent Receipt is record of authority granted by a Personally Identifiable Information (PII) Principal to a PII Controller for processing of the Principal's PII. The record of consent is human-readable and can be represented as standard JSON. This specification defines the requirements for the creation of a consent record and the provision of a human-readable receipt. The standard includes requirements for links to existing privacy notices & policies as well as a description of what information has been or will be collected, the purposes for that collection as well as relevant information about how that information will be used or disclosed. This specification is based on current privacy and data protection principles as set out in various data protection laws, regulations and international standards.

Known Implementations

Many Consent Receipt Implementations - list of implementations of Consent Receipts or derivatives

Questions and answers about the specification from implementers are here.

In September 2019 FDX announced a collaboration with Kantara and a supporting Kantara Consent Receipt Infographic -v02.pdf.

Receipt Specification Enhancement Project

The receipt specification enhancement project is active as of December 2018.

For now, we are managing the list of proposed enhancements as Github issues.

Github Project: https://github.com/KantaraInitiative/consent-receipt-v-next/projects/2

Github Issues list: https://github.com/KantaraInitiative/consent-receipt-v-next/issues

Liaisons with CISWG/Consent Receipt update from Liaisons Officer Mark Lizar, as presented to the Kantara European Plenary May 2019

Kantara Initiative Privacy Control Panel Demo - 2019 Edition

Kantara presented the demo at EIC 2019 and is scheduled to present improved versions at Identiverse 2019 and MyData 2019.

A webinar recording of the slides on YouTube

The slides on SlideShare: kantara-privacy-control-panel-demonstration-2019-0515

NEW: Demo video for ISSE 2019 Brussels

The project to assemble v2 of the demo is active as of December 2018. Throughout 2019 the WG team will be refining and growing the demo functionality.

The draft demo description being discussed in the WG is:

The main purposes of the Kantara Initiative Privacy Control Panel (Kantara PCP) system are a) to allow people to see, organize, find details via a ‘data processing receipt’ construct about the conditions under which they agreed to provide information for data processing; and b) to give them tools to investigate the data processing receipts they might have received or modify the permissions they granted when they initially shared the data for processing.

In the Kantara vision, whenever an individual is asked for their personal data, or whenever their personal data is acquired, a ‘data processing receipt’ is created by the data controller. The receipt includes details about the conditions under which the data was obtained: the privacy notices provided; the lawful basis and purposes for collecting and processing data; the terms of the agreement and other metadata related to the interaction.

These data processing receipts could be offered by the data controller’s system to the individual for storage in their personal Privacy Control Panel application.

Once the data processing receipts are in the personal PCP, the person can organize them and inspect them to ensure they are valid, current and actually represent what happened.

The PCP gives the person tools to take action with the receipts including view, validity check, request the data, revoke consent, change permissions, or erase the data. In other words to exercise their data subject rights.

On the consent management platform and data controller system side, standard data processing receipt APIs could be offered. The PCP utilizes these APIs.

Interoperable Consent Receipt Demo - 2018 Edition

Kantara presented a demonstration of Interoperable Consent Receipts at the MyData 2018 conference, Helsinki, August 28, 2018 in the Consent In Action Session there are excellent presentation videos - it's a very interesting conference.

Five Kantara Members who are active Consent & Information Sharing Work Group contributors invested developer time to create external Kantara-spec Consent Receipts. These receipts were stored at a user-specified location, then viewed using a viewer created by OpenConsent. From start to finish, it took about 7 weeks to design, build, test and deliver.

The Consent Receipt presentation was recorded and is posted (YouTube).

And the slides can be downloaded (pptx).

The demo was a hit - lots of conference delegates engaged with the presenters and we are hoping to see that interest result in more WG participants and more demo apps - and hopefully some of these in shipping products!

The demo was then presented at the Kuppinger Cole CIAM World Tour USA, Seattle, September 21, 2018 with similar interest and engagement.

Next stop: Amsterdam for the Kuppinger Cole CIAM World Tour Europe, October 29-31, 2018

After the first two conference presentations, we now have two more solutions to fit into the demo.

This working group has been evolving since 2009, starting out as the Information Sharing WG focused on catalysing a rich flow of consent based personal information - from a CRM perspective - actual demand data (as opposed to predicted demand) can be engineered with better personal data control then could be found in any traditional CRM products and departments. The first work stream was led by Joe Andrieu and Iain Henderson, which produced the Information Sharing Label Notice for people.

In 2012, Open Notice Initiative, (now the Kantara Liaison Partner Open Consent Group), presented a paper Opening up the Online Notice Infrastructure An ‘Open Notice’ Call For Collaboration, at the W3C Do Not Track & Beyond Conference.

The result of this effort was the proposal to Kantara, ISWG to focus on a consent work stream, which resulted in this WG name change to the Consent & Information Sharing WG (CISWG). This work stream has focused on making an identity management usable consent record called the "Consent Receipt", driven largely by major contributions from Mary Hodder, John Wunderlich, Iain Henderson and Mark Lizar who brought the spec to a v.1, with a special thanks to David Turner and extra special effort of Andrew Hughes to bring together the release of V1.1 to be published on May 25, 2018 . This specification is now growing adoption in the EU and US healthcare, consent management, policy frameworks, smart contracts.

Special mention to UMAWG and Eve Maler for providing the shining example for how to develop a specification by consensus and Justin Richer for building the first consent receipt generator

This Workgroup is open for interested participants, the work product that is produced is under a Royalty Free (openly usable) RAND license. The work produced is provided for review by industry, public sector, regulators, other standards organisations like the ISO of ISO/IEC JTC 1/SC 27/WG 5, and community partners; like Project VRM, who have supported the long term development of tools for individual autonomy over personal information.

Project VRM community also drive a work stream in CISWG with Customer Commons called User Submitted Terms , which is focused on a common set of icons that customers can use to signal their intent.

The WG members often meet at conferences and workshops in the US and EU, which happen annually for those who want to meet in person.

April & Oct - IIW Internet Identity Workshop - Mountain View, California
May EIC European Identity Conference - Berlin Germany
June - Identiverse (Boston 2018)
August 29-31 MyData Helsinki

Active Projects:

Demo of interoperable Consent Receipts at MyData2018 - Consent Interoperability Track
Consent Receipts - Current versions, links to github, links to demo API site
- Many Consent Receipt Implementations - list of implementations of Consent Receipts or derivatives
User Submitted Terms

Publications & Submissions

Submissions in progress.. CIWG Submission to ISO/IEC JTC 1/SC 27/WG 5. via Kantara BOT-Liaison March 2018 (restricted access BOT-Liasion WG members only)
Submission to A W3C Workshop on Privacy and Linked Data 17–18 April 2018,
Submission Comments on Draft Guidance on Consent Information Commissioners Office in the United Kingdom,
Submission to the Office of Privacy Commissioner of Canada seeks comment on Consent
Hodder, M,. Lizar, M,."Tracking and Managing Use of Personal Data With a Consent Transaction Receipt". Authors Retain Copyright, ACM Retain exclusive license to publish, https://dl.acm.org/citation.cfm?id=2641681&dl=ACM&coll=DLNote: members must log in to access copy linked in title
Hodder, M. Lizar, M "Usable Consent", CMU Notice and Choice Submission 2014,

Presentations

Consent Receipt -
- IIW XXIII Consent Receipt presentation: IIW XXIII - Wed 4E Consent Receipts.pptx

Demo's

How to Make a Consent Receipt Generator (2015): Open Consent Group & Dazza from law.MIT.edu.

All WG Projects:

WG Project Areas

This blog post on the Personal Data Eco-system is useful background and context for this working group.

Download the Consent Receipt Overview

Browser not supported