Tuesday Oct 1, the ANCR WG is proud to support the presentation by Mark Lizar on the Notice receipt work to the ISO JTC1 SC27 WG 5 committee of international expert and liaisons,
While the “consent receipt” developed further in 27560, it wasn’t interpreted as a profile for the ISO/IEC 29184:2020 Online Notice and Consent Standard, instead a of a notice record information structure, a consent record information structure was developed focused on the surveillance of the PII Principle.
The original work, called the MVCR “Minimum Viable Consent Receipt”, authored by Mark Lizar was adopted into ISO from the Kantara Consent and Information Sharing WG. It focused on the minimum requirements for notice, so that a receipt could be used for consent. creating a record of notice that the PII Principal could use to replace cookies in browsers and terms of service online. Not only a well documented dark pattern, but also not being regularly enforced against by regulators. Demonstrating a need for a standard international solution for transparency and consent.
The presentation of the notice receipt, is the introduction of an anonymous receipt flow, where the PII is able to Control and managed and even negotiate the use of personal data processing with standardised transparency.
Learning from the 27560, this introduces a PII Controller identity record information structure that is extended to the notice receipt, and then a notice receipt event log, to provide assurance. Specified in accordance with Convention 108+ Article 14, 15, for Controller Identity Record schema, to Article 30 for the notice receipt to be a record of processing activity, and Article 88 for a log of the processing, to provide the international assurance required to scale consent based data controls.
The proposed profile or possible NWIP, introduces a Two Factor Notice, which is Consent by Default that is extensible as the PII Controller identity record schema is used to generate a notice receipt, and subsequent notice receipt event log.
It is envisioned that this profile could then be used to operationalise personal data and personal data control held by PII Controllers under data protection regulation, enabling self-identification, through receipt presentation. The use of the notice receipt as a consent token, for providing verification of id and attributes without having to provide raw personal security information across the internet. Including the use of a notice receipt for a secondary purpose with the lawful authority of consent.