WG - Consent and Information Sharing - CISWG

This Work Group operates under the Kantara IPR Option: Patent & Copyright: Reciprocal Royalty Free with Opt-Out to Reasonable And Non discriminatory (RAND)

Join | Subscribe | Archive (Mailman) | Archive (Google) | Charter | Participant Roster 2016 | Minutes | Kantara Initiative Bylaws
(Mail archives prior to Oct 6, 2009)



Current Status - Version 1.1 has been published

Title: Consent Receipt Specification (download here)

Version: 1.1.0

Date: 2018-02-20

Editors: Mark Lizar, David Turner

Status: This document is a Kantara Initiative Technical Specification Recommendation produced by the Consent & Information Sharing Work Group, and has been approved by the Group. The Public Comment and Intellectual Property Rights Review has been completed. It has been approved by the Membership of the Kantara Initiative. See the Kantara Initiative Operating Procedures for more information.

Abstract: A Consent Receipt is record of authority granted by a Personally Identifiable Information (PII) Principal to a PII Controller for processing of the Principal's PII. The record of consent is human-readable and can be represented as standard JSON. This specification defines the requirements for the creation of a consent record and the provision of a human-readable receipt. The standard includes requirements for links to existing privacy notices & policies as well as a description of what information has been or will be collected, the purposes for that collection as well as relevant information about how that information will be used or disclosed. This specification is based on current privacy and data protection principles as set out in various data protection laws, regulations and international standards.

Known Implementations

Many Consent Receipt Implementations - list of implementations of Consent Receipts or derivatives

Questions and answers about the specification from implementers are here.

In September 2019 FDX announced a collaboration with Kantara and a supporting Kantara Consent Receipt Infographic -v02.pdf



Receipt Specification Enhancement Project

The receipt specification enhancement project is active as of December 2018.


For now, we are managing the list of proposed enhancements as Github issues.

Github Project: https://github.com/KantaraInitiative/consent-receipt-v-next/projects/2

Github Issues list: https://github.com/KantaraInitiative/consent-receipt-v-next/issues

Liaisons with CISWG/Consent Receipt update from Liaisons Officer Mark Lizar, as presented to the Kantara European Plenary May 2019  



Kantara Initiative Privacy Control Panel Demo - 2019 Edition

Kantara presented the demo at EIC 2019 and is scheduled to present improved versions at Identiverse 2019 and MyData 2019.

A webinar recording of the slides on YouTube

The slides on SlideShare: kantara-privacy-control-panel-demonstration-2019-0515

NEW: Demo video for ISSE 2019 Brussels


The project to assemble v2 of the demo is active as of December 2018. Throughout 2019 the WG team will be refining and growing the demo functionality.

The draft demo description being discussed in the WG is:


The main purposes of the Kantara Initiative Privacy Control Panel (Kantara PCP) system are a) to allow people to see, organize, find details via a ‘data processing receipt’ construct about the conditions under which they agreed to provide information for data processing; and b) to give them tools to investigate the data processing receipts they might have received or modify the permissions they granted when they initially shared the data for processing.

In the Kantara vision, whenever an individual is asked for their personal data, or whenever their personal data is acquired, a ‘data processing receipt’ is created by the data controller. The receipt includes details about the conditions under which the data was obtained: the privacy notices provided;  the lawful basis and purposes for collecting and processing data; the terms of the agreement and other metadata related to the interaction.

These data processing receipts could be offered by the data controller’s system to the individual for storage in their personal Privacy Control Panel application. 

Once the data processing receipts are in the personal PCP, the person can organize them and inspect them to ensure they are valid, current and actually represent what happened. 

The PCP gives the person tools to take action with the receipts including view, validity check, request the data, revoke consent, change permissions, or erase the data. In other words to exercise their data subject rights.

On the consent management platform and data controller system side, standard data processing receipt APIs could be offered. The PCP utilizes these APIs. 

Interoperable Consent Receipt Demo - 2018 Edition

Kantara presented a demonstration of Interoperable Consent Receipts at the MyData 2018 conference, Helsinki, August 28, 2018 in the Consent In Action Session there are excellent presentation videos - it's a very interesting conference.

Five Kantara Members who are active Consent & Information Sharing Work Group contributors invested developer time to create external Kantara-spec Consent Receipts. These receipts were stored at a user-specified location, then viewed using a viewer created by OpenConsent. From start to finish, it took about 7 weeks to design, build, test and deliver.

The Consent Receipt presentation was recorded and is posted (YouTube).

And the slides can be downloaded (pptx).

The demo was a hit - lots of conference delegates engaged with the presenters and we are hoping to see that interest result in more WG participants and more demo apps - and hopefully some of these in shipping products!

The demo was then presented at the Kuppinger Cole CIAM World Tour USA, Seattle, September 21, 2018 with similar interest and engagement.

Next stop: Amsterdam for the Kuppinger Cole CIAM World Tour Europe, October 29-31, 2018

After the first two conference presentations, we now have two more solutions to fit into the demo.




This working group has been evolving since 2009, starting out as the Information Sharing WG focused on catalysing a rich flow of consent based personal information - from a CRM perspective - actual demand data (as opposed to predicted demand) can be engineered with better personal data control then could be found in any traditional CRM products and departments. The first work stream was led by Joe Andrieu and Iain Henderson, which produced the Information Sharing Label Notice for people.

In 2012, Open Notice Initiative, (now the Kantara Liaison Partner Open Consent Group), presented a paper Opening up the Online Notice Infrastructure An ‘Open Notice’ Call For Collaboration, at the W3C Do Not Track & Beyond Conference.

The result of this effort was the proposal to Kantara, ISWG to focus on a consent work stream, which resulted in this WG name change to the Consent & Information Sharing WG (CISWG). This work stream has focused on making an identity management usable consent record called the "Consent Receipt", driven largely by major contributions from Mary Hodder, John Wunderlich, Iain Henderson and Mark Lizar who brought the spec to a v.1, with a special thanks to David Turner and extra special effort of Andrew Hughes to bring together the release of V1.1 to be published on May 25, 2018 . This specification is now growing adoption in the EU and US healthcare, consent management, policy frameworks, smart contracts.

Special mention to UMAWG and Eve Maler for providing the shining example for how to develop a specification by consensus and Justin Richer for building the first consent receipt generator

This Workgroup is open for interested participants, the work product that is produced is under a Royalty Free (openly usable) RAND license. The work produced is provided for review by industry, public sector, regulators, other standards organisations like the ISO of  ISO/IEC JTC 1/SC 27/WG 5, and community partners; like Project VRM, who have supported the long term development of tools for individual autonomy over personal information.

Project VRM community also drive a work stream in CISWG with Customer Commons called User Submitted Terms, which is focused on a common set of icons that customers can use to signal their intent.

The WG members often meet at conferences and workshops in the US and EU, which happen annually for those who want to meet in person.

  • April & Oct - IIW Internet Identity Workshop - Mountain View, California
  • May EIC European Identity Conference - Berlin Germany
  • June - Identiverse (Boston 2018)
  • August 29-31 MyData Helsinki


Active Projects:

Publications & Submissions

Presentations

Demo's

All WG Projects:



This blog post on the Personal Data Eco-system is useful background and context for this working group.

Download the Consent Receipt Overview



Leadership

  • Jim Pasquale - Chair (Elected Feb 2018 tbc)
  • John Wunderlich - Vice-Chair (Elected Feb 2018 tbc) 
  • Former user (Deleted) - Vice-Chair (Elected Feb 2018 tbc)
  • Mark Lizar - Liaison (Elected Feb 2018 tbc)

Teleconferences:


CALENDAR:  https://kantarainitiative.org/calendars

Call times:

Consent Receipt: Thursdays - 15:30 GMT, 07:30 Pacific, 10:30 Eastern Time

User Submitted Terms: Wednesdays - 16:00 GMT; 08:00 Pacific; 11:00 Eastern

GoToMeeting (GTM1)
Please join the meeting from your computer, tablet or smartphone. 

https://global.gotomeeting.com/join/323930725 

You can also dial in using your phone. 
United States: +1 (669) 224-3318 

Access Code: 323-930-725 



GoToMeeting (GTM1)
Please join my meeting from your computer, tablet or smartphone.

Please join my meeting from your computer, tablet or smartphone. 
https://global.gotomeeting.com/join/323930725 

You can also dial in using your phone. 
United States: +1 (669) 224-3318 

Access Code: 323-930-725 

More phone numbers 
Australia: +61 2 9091 7603 
Austria: +43 1 2530 22500 
Belgium: +32 28 93 7002 
Canada: +1 (647) 497-9376 
Denmark: +45 32 72 03 69 
Finland: +358 923 17 0556 
France: +33 170 950 590 
Germany: +49 692 5736 7300 
Ireland: +353 15 360 756 
Italy: +39 0 230 57 81 80 
Netherlands: +31 207 941 375 
New Zealand: +64 9 282 9510 
Norway: +47 21 93 37 37 
Spain: +34 932 75 1230 
Sweden: +46 853 527 818 
Switzerland: +41 225 4599 60 
United Kingdom: +44 330 221 0097 

 View Space in 'Tree' View

 View Recently Updated Pages

Recent updates

Tuesday Oct 1, the ANCR WG is proud to support the presentation by Mark Lizar on the Notice receipt work in an informal ISO JTC1 SC27 WG 5 committee coffee session. While the “consent receipt” developed further in 27560, it was interpreted as a record of processing activites, rather than a record of consent in relation to the Standard for and Online Notice and Consent Standard called ISO/IEC 29184. Rather than a notice record information structure,…
(this is a draft blog post, pending WG approval) Support Open ISO Standard to Scale Digital Privacy Transparency and make privacy and consent free Working Group 5, with which Kantara has had a liaison agreement since … at its most recent in-person meeting in Manchester, is taking action with regards to publicly available standards.…
This year ANCR WG and 0PN Digital Transparency Lab teamed up to present a report on Canada’s Bill C 27, extending the ANCR Transparency Performance Scheme, with a Canadian Bill C27, WHiSSPR Report https://kantara.atlassian.net/wiki/pages/resumedraft.action?draftId=347668488&draftShareId=05e09c21-8b0c-41a7-8c49-34b2cc65a69f, referring to a White Hat iDentity, Surveillance, Security, Privacy Risk Report. With a special Jan 28 podcast https://www.transparencylab.…
May 24, 2024 ANCR (Jedi Privacy Day) WG Report : For International Digital Security and Privacy Community There is a critical lack of transparency in the use of digital identity technologies and the governance of personal data. The lack of systemic transparency over who is processing your data, under what authority, to what purpose, to what benefit, and when is hidden. Current security and privacy engineering is for institutional and enterprise infrastructure, not for the individual.…
Dear Members of JTC 1/SC27/WG 5 - WG Mirror Committee: Introducing the Transparency Performance Scheme ANCR (Anchored, Notice and Consent Receipts) Standard Digital Privacy Transparency Record Framework for Consent by Design. The ANCR WG contributed to the last JTC 1/SC27/WG5 meeting a number of items: ISO/IEC 27568 Security and privacy in Digital Twin - ANCR Report Submitted https://kantara.atlassian.net/wiki/pages/resumedraft.action?…
Establishing the Commons Rule Book For Digital Identity:  ANCR will be presenting, the Digital Transparency at Think Digital @ Westminster in London UK, June 11 https://thinkdigitalpartner.zohobackstage.eu/ThinkDigitalIdentityandCybersecurityforGovernment#/?lang=en. Covering the inclusive ANCR Record and Receipt Framework for the Digital Commons, International secure governance of digital identity and digital identity polkicy.…
CJEU invalidates IAB Transparency and Consent Framework (TCF) March 7, 2024 was a watershed moment for the digital privacy landscape. The landmark CJEU Judgment in Case C‑604/22 on the commercial Transparency and Consent Framework (TCF) set a new precedent, not just for online platforms, but for every entity processing personal data across the European Union. This judgment isn't a mere legal jargon shuffle; it redefines the intersection of personal data, consent, and accountability.…



=