WG - Consent and Information Sharing - CISWG

This Work Group operates under the Kantara IPR Option: Patent & Copyright: Reciprocal Royalty Free with Opt-Out to Reasonable And Non discriminatory (RAND)

Join | Subscribe | Archive (Mailman) | Archive (Google) | Charter | Participant Roster 2016 | Minutes | Kantara Initiative Bylaws
(Mail archives prior to Oct 6, 2009)

Current Status - Version 1.1 has been published

Title: Consent Receipt Specification (download here)

Version: 1.1.0

Date: 2018-02-20

Editors: Mark Lizar, David Turner

Status: This document is a Kantara Initiative Technical Specification Recommendation produced by the Consent & Information Sharing Work Group, and has been approved by the Group. The Public Comment and Intellectual Property Rights Review has been completed. It has been approved by the Membership of the Kantara Initiative. See the Kantara Initiative Operating Procedures for more information.

Abstract: A Consent Receipt is record of authority granted by a Personally Identifiable Information (PII) Principal to a PII Controller for processing of the Principal's PII. The record of consent is human-readable and can be represented as standard JSON. This specification defines the requirements for the creation of a consent record and the provision of a human-readable receipt. The standard includes requirements for links to existing privacy notices & policies as well as a description of what information has been or will be collected, the purposes for that collection as well as relevant information about how that information will be used or disclosed. This specification is based on current privacy and data protection principles as set out in various data protection laws, regulations and international standards.

Known Implementations

Many Consent Receipt Implementations - list of implementations of Consent Receipts or derivatives

Questions and answers about the specification from implementers are here.

In September 2019 FDX announced a collaboration with Kantara and a supporting Kantara Consent Receipt Infographic -v02.pdf

Receipt Specification Enhancement Project

The receipt specification enhancement project is active as of December 2018.

For now, we are managing the list of proposed enhancements as Github issues.

Github Project: https://github.com/KantaraInitiative/consent-receipt-v-next/projects/2

Github Issues list: https://github.com/KantaraInitiative/consent-receipt-v-next/issues

Liaisons with CISWG/Consent Receipt update from Liaisons Officer Mark Lizar, as presented to the Kantara European Plenary May 2019  

Kantara Initiative Privacy Control Panel Demo - 2019 Edition

Kantara presented the demo at EIC 2019 and is scheduled to present improved versions at Identiverse 2019 and MyData 2019.

A webinar recording of the slides on YouTube

The slides on SlideShare: kantara-privacy-control-panel-demonstration-2019-0515

NEW: Demo video for ISSE 2019 Brussels

The project to assemble v2 of the demo is active as of December 2018. Throughout 2019 the WG team will be refining and growing the demo functionality.

The draft demo description being discussed in the WG is:

The main purposes of the Kantara Initiative Privacy Control Panel (Kantara PCP) system are a) to allow people to see, organize, find details via a ‘data processing receipt’ construct about the conditions under which they agreed to provide information for data processing; and b) to give them tools to investigate the data processing receipts they might have received or modify the permissions they granted when they initially shared the data for processing.

In the Kantara vision, whenever an individual is asked for their personal data, or whenever their personal data is acquired, a ‘data processing receipt’ is created by the data controller. The receipt includes details about the conditions under which the data was obtained: the privacy notices provided;  the lawful basis and purposes for collecting and processing data; the terms of the agreement and other metadata related to the interaction.

These data processing receipts could be offered by the data controller’s system to the individual for storage in their personal Privacy Control Panel application. 

Once the data processing receipts are in the personal PCP, the person can organize them and inspect them to ensure they are valid, current and actually represent what happened. 

The PCP gives the person tools to take action with the receipts including view, validity check, request the data, revoke consent, change permissions, or erase the data. In other words to exercise their data subject rights.

On the consent management platform and data controller system side, standard data processing receipt APIs could be offered. The PCP utilizes these APIs. 

Interoperable Consent Receipt Demo - 2018 Edition

Kantara presented a demonstration of Interoperable Consent Receipts at the MyData 2018 conference, Helsinki, August 28, 2018 in the Consent In Action Session there are excellent presentation videos - it's a very interesting conference.

Five Kantara Members who are active Consent & Information Sharing Work Group contributors invested developer time to create external Kantara-spec Consent Receipts. These receipts were stored at a user-specified location, then viewed using a viewer created by OpenConsent. From start to finish, it took about 7 weeks to design, build, test and deliver.

The Consent Receipt presentation was recorded and is posted (YouTube).

And the slides can be downloaded (pptx).

The demo was a hit - lots of conference delegates engaged with the presenters and we are hoping to see that interest result in more WG participants and more demo apps - and hopefully some of these in shipping products!

The demo was then presented at the Kuppinger Cole CIAM World Tour USA, Seattle, September 21, 2018 with similar interest and engagement.

Next stop: Amsterdam for the Kuppinger Cole CIAM World Tour Europe, October 29-31, 2018

After the first two conference presentations, we now have two more solutions to fit into the demo.

This working group has been evolving since 2009, starting out as the Information Sharing WG focused on catalysing a rich flow of consent based personal information - from a CRM perspective - actual demand data (as opposed to predicted demand) can be engineered with better personal data control then could be found in any traditional CRM products and departments. The first work stream was led by Joe Andrieu and Iain Henderson, which produced the Information Sharing Label Notice for people.

In 2012, Open Notice Initiative, (now the Kantara Liaison Partner Open Consent Group), presented a paper Opening up the Online Notice Infrastructure An ‘Open Notice’ Call For Collaboration, at the W3C Do Not Track & Beyond Conference.

The result of this effort was the proposal to Kantara, ISWG to focus on a consent work stream, which resulted in this WG name change to the Consent & Information Sharing WG (CISWG). This work stream has focused on making an identity management usable consent record called the "Consent Receipt", driven largely by major contributions from Mary Hodder, John Wunderlich, Iain Henderson and Mark Lizar who brought the spec to a v.1, with a special thanks to David Turner and extra special effort of Andrew Hughes to bring together the release of V1.1 to be published on May 25, 2018 . This specification is now growing adoption in the EU and US healthcare, consent management, policy frameworks, smart contracts.

Special mention to UMAWG and Eve Maler for providing the shining example for how to develop a specification by consensus and Justin Richer for building the first consent receipt generator

This Workgroup is open for interested participants, the work product that is produced is under a Royalty Free (openly usable) RAND license. The work produced is provided for review by industry, public sector, regulators, other standards organisations like the ISO of  ISO/IEC JTC 1/SC 27/WG 5, and community partners; like Project VRM, who have supported the long term development of tools for individual autonomy over personal information.

Project VRM community also drive a work stream in CISWG with Customer Commons called User Submitted Terms, which is focused on a common set of icons that customers can use to signal their intent.

The WG members often meet at conferences and workshops in the US and EU, which happen annually for those who want to meet in person.

  • April & Oct - IIW Internet Identity Workshop - Mountain View, California
  • May EIC European Identity Conference - Berlin Germany
  • June - Identiverse (Boston 2018)
  • August 29-31 MyData Helsinki

Active Projects:

Publications & Submissions



All WG Projects:

This blog post on the Personal Data Eco-system is useful background and context for this working group.

Download the Consent Receipt Overview


  • Jim Pasquale - Chair (Elected Feb 2018 tbc)
  • John Wunderlich - Vice-Chair (Elected Feb 2018 tbc) 
  • Former user (Deleted) - Vice-Chair (Elected Feb 2018 tbc)
  • Mark Lizar - Liaison (Elected Feb 2018 tbc)


CALENDAR:  https://kantarainitiative.org/calendars

Call times:

Consent Receipt: Thursdays - 15:30 GMT, 07:30 Pacific, 10:30 Eastern Time

User Submitted Terms: Wednesdays - 16:00 GMT; 08:00 Pacific; 11:00 Eastern

GoToMeeting (GTM1)
Please join the meeting from your computer, tablet or smartphone. 


You can also dial in using your phone. 
United States: +1 (669) 224-3318 

Access Code: 323-930-725 

GoToMeeting (GTM1)
Please join my meeting from your computer, tablet or smartphone.

Please join my meeting from your computer, tablet or smartphone. 

You can also dial in using your phone. 
United States: +1 (669) 224-3318 

Access Code: 323-930-725 

More phone numbers 
Australia: +61 2 9091 7603 
Austria: +43 1 2530 22500 
Belgium: +32 28 93 7002 
Canada: +1 (647) 497-9376 
Denmark: +45 32 72 03 69 
Finland: +358 923 17 0556 
France: +33 170 950 590 
Germany: +49 692 5736 7300 
Ireland: +353 15 360 756 
Italy: +39 0 230 57 81 80 
Netherlands: +31 207 941 375 
New Zealand: +64 9 282 9510 
Norway: +47 21 93 37 37 
Spain: +34 932 75 1230 
Sweden: +46 853 527 818 
Switzerland: +41 225 4599 60 
United Kingdom: +44 330 221 0097 

 View Space in 'Tree' View

 View Recently Updated Pages

Recently Updated

The work group submitted the following response offering the past, current and future work of on notice and consent receipts and records to the FTC can address many of the challenges presented in the Advanced Notice of Proposed Rulemaking on Commercial Surveillance and Data Security https://www.federalregister.gov/documents/2022/08/22/2022-17752/trade-regulation-rule-on-commercial-surveillance-and-data-security
A wallet-less future?
1 big thing: The wallet-less future draws closer Axios Login, Oct. 7 2022 The original article is here: https://www.axios.com/newsletters/axios-login-ffb597d1-6c80-44b7-9a05-cc24af374527.html?utm_source=newsletter&utm_medium=email&utm_campaign=newsletter_axioslogin&stream=top https://www.axios.com/newsletters/axios-login-ffb597d1-6c80-44b7-9a05-cc24af374527.html?utm_source=newsletter&utm_medium=email&utm_campaign=newsletter_axioslogin&stream=top On a recent trip to Seattle,…
Please take a look that this post, originally published at Technometria - Issue #62 http://news.windley.com/issues/using-openid4vc-for-credential-exchange-technometria-issue-62-1374264 Using OpenID4VC for Credential Exchange; Technometria - Issue #62 by @windley http://news.windley.com/issues/using-openid4vc-for-credential-exchange-technometria-issue-62-1374264 http://news.windley.com/issues/using-openid4vc-for-credential-exchange-technometria-issue-62-1374264
Ma B, Zheng X, Zhao C, Wang Y, Wang D, Meng B (2022) A secure and decentralized SSI authentication protocol with privacy protection and fine-grained access control based on federated blockchain. PLoS ONE 17(9): e0274748. https://doi.org/10.1371/journal.pone.0274748 https://doi.org/10.1371/journal.pone.0274748 Abstract Self-sovereign identity authentication protocol is an active research topic in the field of identity authentication and management. However,…
This may be of interest to some: Request for Comment and IPR Review: PCTF Infrastructure (Technology & Operations) Final Recommendation V1.1 https://diacc.ca/2022/09/26/request-for-comment-and-ipr-review-pctf-infrastructure-technology-operations-final-recommendation-v1-1/ https://diacc.…
2022-09-28 Call
With a number of people focussing on the ISO meetings, I’m cancelling today’s call. This will create some more time for me to do some drafting. The next call is on . Along with a review of any progress to date on the implementor’s report, we have a couple of annual tasks. Charter review Please review the Work Group Charter. If you think it needs updating or refreshing, now is the time. So we will have an agenda item for charter review. Call for leadership nominations As you know,…
Based on some recent conversations in the workgroup, I’ve updated my thinking on the entities involved in the PEMC ecosystem. We talk about the three endpoints in trusted credentialing systems, using “Issuer,” “Verifier,” and “Holder” or variations of those three in our conversations. This aligns with the interfaces set out in ISO/IEC 18013-5: mDL Interfaces in ISO/IEC 18013-5 image-20220713-151615.png This also aligns with the PEMC Trust Triangle PEMC Trust Triangle.svg https://lucid.…
The ANCR WG delivered a readout that focused on a critical security flaw in the existing working draft whereby the PII Principal's identifier is being unnecessarily exposed in the consent record and is no longer under the control of the PII Principal.…
I prepared this from the requirements so far entered into our confluence page. It is worth noting: We have no requirements yet where AQ (Accuracy and Quality), IA (Individual access & participation), or PS (Privacy compliance) are the primary considerations. This suggests to me some gaps in our coverage so far. 13 of the 16 requirements apply to verifiers, which aligns with the group’s decision to focus on verifiers first. Items 7 and 16 appear to be candidates for being merged,…
Based on some recent conversations in the workgroup, I’ve updated my thinking on the entities involved in the PEMC ecosystem. We talk about the three endpoints in trusted credentialing systems, using “Issuer,” “Verifier,” and “Holder” or variations of those three in our conversations. This aligns with various versions of the trust triangle that is spoken about in the identity community: ISO/IEC 18013-5 mDL https://www.iso.…
Australian state’s mDL takes criticism for security flaws May 25, 2022, 5:46 pm EDT | Tyler Choi https://www.biometricupdate.com/author/tylerchoi Australia’s Queensland will test out a mobile driver’s license app for an eventual statewide release in 2023, while California may also test out a digital driver’s license secured with biometrics in the near future. States may need to be cautious about the implementation, however.…
FOR IMMEDIATE RELEASE: 5/25/2022 FOR INFORMATION, CONTACT: Ashley Millner https://kantarainitiative.org/confluence/mailto:, 410-787-4077 MDOT MVA Launches Driver’s License and State ID in Apple Wallet Marylanders can now add their Maryland Mobile ID to Apple Wallet on iPhone and Apple Watch GLEN BURNIE, Md. (May 25, 2022) – The Maryland Department of Transportation Motor Vehicle Administration (MDOT MVA) today announced the launch of Maryland Mobile ID in Apple Wallet,…
Published 13 hours ago on May 12, 2022 By  Brandon Martin https://www.inferse.com/author/brandon/  Text of this article March 23, 2022 UPDATE Apple launches the first driver’s license and state ID in Wallet with Arizona Additional states to follow, including Colorado, Hawaii, Mississippi, Ohio, and the territory of Puerto Rico Apple announced that Arizona is the first state to offer driver’s license and state ID in Wallet. Starting today,…
Wednesday, May 11, 2022 The most useful NFT on your Android phone may soon be your Maryland driver's license. During today's Google I/O 2022 keynote address, Maryland was shown as one of the first states whose digital driver's license will be accepted by Google Wallet later this year. Our state was already one of the first to qualify for Apple's Wallet app, allowing residents to store their Maryland driver's license digitally on their iPhone or Apple Watch.…
In addition to all of the cards/passes that already exist in Google Pay today, the new Google Wallet app will also introduce digital IDs and digital driver's licenses for the first time. Similar to how digital IDs work in Apple Wallet, digital IDs in Google Wallet will vary from state to state depending on local laws. It may be a while before the state you live in allows digital IDs in Google Wallet, but the foundation is now there to get the ball rolling. Confused? We don't blame you.…