MVCR: Core Consent Receipt Profile v0.7
MVCR: Core Consent Receipt Profile
(Note this is for inclusion in v0.7)
| Field Name | Data Type | Description | Example Input | |
|---|---|---|---|---|
| Section 1: Header | This is the first section of the receipt | |||
| jurisdiction | string. ISO two-letter country code if applicable, otherwise free text | this is the jurisidction under which the processing of personal data occurs | US | |
| iat | number. Integer number of seconds since 1970-01-01 00:00:00 GMT | Timestamp of when the consent was issued | 1435367226 | |
| iss | string. HTTPS URL | this is the URI or Internet location of processing | http://www.consentreceipt.org/ | |
| jti | string. | Unique identifier for this consent receipt | 9ef6b81a414b2432ec6e3d384c5a36cea8aa0c30d3dd2b67364126ed80856f9c20654f032eef87ad981187da8c23c1186eefe1503714835c2e952bbb3f22729c | |
| sub | string. | Subject provided identifier, usually email addressClaim, defined/namespaced by the issuer | example@example.com | |
| Section 2: Data Controller | This section has the data controller, contact and privacy service information | |||
| data_controller | object | The identity and company of the data controller and any party nominated to be data controller on behalf of org The object contains information of the data controller in the following fields: Field Name Data Type Description Example Input Required on_behalf boolean. acting on behalf of an organization? true contact string. person to contact Jon Doe company string. company name Data Controller Inc. address string. physical address 123 Main St., Anywhere email string. Email address contact email address jon@datacontroller.com phone string. Phone number contact phone number 00-000-000-0000 | {"on_behalf": true, "contact": "Dave Controller", "company": "Data Controller Inc.", "address": "123 St., Place", "email": "dave@datacontroller.com", "phone": "00-123-341-2351"} | |
| policy_uri | string. HTTP URL | the internet and immediately accessible privacy policy of the service referred to by the receipt | http://example.com/privacy | |
| Section 3: Purpose Specification | ||||
| purpose | array of strings. | Explicit, Specific and Legitimate: interpreted here as: 'Naming the Service' and 'Stating the Action' and putting it in a receipt, meets these requiremetns, | ? [" CISWG Membership", "Join"] | |
| Section 4: Personal Information | ||||
| pi_collected | object. Keys are the name of the field, value is the information collected. | Personal information collected in relation to, or adjacent of purposes specified | {"name" : "Example Example", "email" : "example@example.com"} | |
| sensitive_pi | array of strings. | In many jurisdictions their are additional notice and administrative requirements for the collection, storage and processing of what are called Sensitive Personal Information Categories. These are Sensitive in the business, legal, and technical sense, but not specifically in the personal context. This list of categories are required in some jurisdiction, but, the actual notice and purpose requirements are out the scope of the MVCR. | {"health"} | |
| Section 5: Information Sharing | Sharing information with 3rd parties, what categories, with whom, and how informtion is shared | |||
| sharing | array of strings. | This refers to the sharing of personal information collected about the individual, with another external party by the data controller (service provider). Should list categories of PII shared, from above list and under what purpose. Sharing is also a container for listing trust marks and trust protocols. | [?] | |
| In Review | ||||
| aud | string. HTTP URL | Audience URI that identifies the target service of this consent | http://engageidentity.com/protected | |
| consent_payload | object. Keys are the name of the consent, values are whether or not the user has agreed. | Examples include: Device Identifier, UID, IP Address, Browser Fingerprint, DNT signal client header, .Mobile device id | {"privacy policy" : "agree","ToS" : "agree"} | |
| context | array of strings. | Operational Context refers to the conditions that ensure the consent is fair, reasonable and proportional. , e.g. if it is on a website, then there are requirements like; are mandatory fields indicated, is there a separate consent for privacy policy and terms of service? set of registry values? | ["active privacy policy consent", "passive terms of service consent"] | |
| notice | string. HTTP URL | Link to the short notice enables usability and layered policy. to provide enhanced transparency about data collection and information sharing practices | http://example.com/notice | |
| scopes | string. space separated string values | What you’re allowed to do on the service (these can be tied to legal / business / technical layers) | read update |