Overview: 

This request form is essentially research to develop the minimum viable consent receipt request form Draft 01 in an agile manner.

The aim is to innovate the questions and the quality of compliance.   Correlating  the laws from different jurisdictions and requirements to the questions and element in the form.

From here it would be great to map more notice requirements from the consent map to the form below, as well, to improve on the questions and approach so that we can include more requirements in less questions.

At the bottom of the form are the references; to california law, FTC needs to be added and referenced in the question.  (these are the minimum requirements) 

So far I have mapped the California laws and the basic components to the consent receipt so far.  

Action Item for Draft 1:  list the references for how this complies with FTC Guidelines,

Notes:

This form aims to highlight if any other US Federal laws (which cover sensitive personal information) and Government standards is also needed to the receipt maker.

This by itself provides a valuable service to the company, as well as provides us with what we hypothesis to be the minimum viable consent receipt.

The questions  I hope this research can answer is:  (Add More if you like)

1. Can the consent receipt provide compliance guarantees with notice requirements?

2. How can this be measured?  (Compliance Scale)

3. Does this pose any legal challenges

The Consent Receipt Request Form Step-by-step Outline

************************** Consent Receipt Request ************************

[Header; Date Time]

Dear [Insert Data Controller or Org Name]

 I [Insert Identifier used for consen] have consented to your (policy, and TOS)

Introduction

[Insert

Date & Time of Consent

URL of web page with consent mechanism

Policies Consented ] [Put in Links] (with Confirm Checkbox)

[Text]

The custom nature of your privacy policy/terms of service/cookie policies makes them difficult for me to read and thereby understand what I am consenting too. As a consumer, the custom nature of policy means that it is “closed” and prevent me properly understanding what data you gather from me and why as the custom nature equates to obscure and complex language.

So I can genuinely give my fully informed consent (and in accordance with the laws listed below [footnote]) please send me the information requested below via this “Open Notice” form.

******

Drop in Google Form:

(I can make a google form for this and we can use the embed code and drop it in the website to start with, I think will have many versions of this form.  Do you think it might be a good idea to keep it in Google Form until we are ready to move into the website? 

 Step 1.  (if not produced in form above)

Confirm Consent Policy Links 

What is the link to your privacy policy

What is your link to your TOS

What is your link to (cookie policy if you have one)

(Reference California 

 Step 2. Questions For Company

0. Please indicate the category of personal information that you collect (Personal Information (check), Sensitive Personal Information (what type - drop down list) (1)

1. Please restate the purpose for this consent (s)

please indicate where we find this in your privacy policy.  (e.g. link, paragraph #) (W3C linking Spec? a linking tool needed could even offer service to scan policy and get company to select from links)

2. What are the contact details and address of the data controller responsible for the compliance of the consent agreement.  (such as the privacy/ data protection officer at )

[Name]

[Address]

[Phone]

[Email]

[Jurisdiction]

3. Please indicate the length and scope of this consent

How long does this consent last for?

At what point, if any will you require consent maintenance?

4. Additional fields [based on California jurisdiction]:

 a. How do you deal with the do not track signal (consent preference)? (5)

[Obey, Ignore] - Link to description (7)

Administrative:

6.What process (or communication channel) do you communicate changes to your policies and change of personal data use?

7. In the future, when my personal details change, when your policies changes or when the nature of your use of my data or service changes, what process do I use to:

Access/Correct my information ? (personal data store, UMA)

Manage consent?(personal data store, UMA)

Consent Again?

Get informed of critical notices for my personal security and privacy

Inquire about purpose use

8. Please provide a link to a list of other parties that are collecting personal identifiers, tracking part of my web session with you.

9. Please indicate if these parties have consented to follow the same privacy policies and terms.

References Related to this Form

References

References to laws in your jurisdiction which require these fields: X,Y,Z [from the consent legal map].

California:

(1) Identify the categories of personally identifiable information that the operator collects through the Web site or online service about individual consumers who use or visit its commercial Web site or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information.

(2) If the operator maintains a process for an individual consumer who uses or visits its commercial Web site or online service to review and request changes to any of his or her personally identifiable information that is collected through the Web site or online service, provide a description of that process.

(3) Describe the process by which the operator (Data Controller) notifies consumers who use or visit its commercial Web site or online service of material changes to the operator’s privacy policy for that Web site or online service.

(4) Identify its effective date.

(5) Disclose how the operator responds to Web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection.

(6) Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.

(7) An operator may satisfy the requirement of paragraph (5) by providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.

a How do you respond to Do Not Track preferences?

Privacy Act

FTC - Guidelines

US - Standards

Principles

Openness Principle

Privacy Bill Of Rights