Kantara - Consent & Information Sharing WG Update

CONSENT & INFORMATION SHARING Kantara Initiative Consent Receipt v0.8: The Alpha @kantaraCISWG Mark Lizar

Transcript of Kantara - Consent & Information Sharing WG Update

Page 1: Kantara - Consent & Information Sharing WG Update

CONSENT & INFORMATION SHARING

Kantara Initiative

Consent Receipt v0.8: The Alpha

@kantaraCISWG

Mark Lizar

Page 2: Kantara - Consent & Information Sharing WG Update


What is a Consent Receipt?

A consent receipt is the first layer of a privacy notice and links to the rest of the layers and policy notices.

It is being designed to reduce friction and improve the customer experience around personal information sharing.

To enable high value flows of volunteered personal information between individuals and organisations that merit their trust.

Page 3: Kantara - Consent & Information Sharing WG Update

Step 1

Step 2

I Agree

Your receipt has been sent to you: Download another? Click

Presentation Options:
• Display on screen
• email
• direct to PDS
• Download to local device

Benefits
- Opens Consent - people have a record and are able to use it in the future to manage digital rights.
- organisations have proof of consent
- uses a common meta-format for recording consent so that consent can be managed on aggregate

Alpha - v0.8 —> 2 Step Receipt

Page 4: Kantara - Consent & Information Sharing WG Update

Kantara respects your privacy

To Send with Email

To deliver Goods

Trusted Services

Y/N

Y/N Sensitive Personal Information

Link Link Link

Trusted Services

Data Categories Collected

Link to Policies Privacy Policy

Link To Kantara Website https://

kantarainitiat

This consent receipt is provided by the Kantara Initiative. This receipt can be used to access and rectify PII and to manage consent.

Purpose List

Minimum (or Simple) Consent Receipt

To charge Credit Card

To Advertise

Linked Trusted Services Icons

[email protected] AR St. London, WC2X 1NG

Data Controller Contact Information

Date & Time

Name

Email

Credit Card

Stamped

Page 5: Kantara - Consent & Information Sharing WG Update

V.2 This Receipt is Compliant

Minimum Viable Consent Receipt

Kantara respects your privacy

To Send with Email

To deliver Goods

Trusted Services

Y/N

Y/N Sensitive Personal Information

Link Link Link

Trusted Services

Data Categories Collected

To charge Credit Card

To Advertise

[email protected] AR St. London, WC2X 1NG

Date & Time

Machine Readable: JWT

Integrity

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdXJpc2RpY3Rpb24iOiJVUyIsInN1YiI6Im1hcmtAc21hcnRzcGVjaWVzLmNvbSIsInN2YyI6WyJLYW50YXJhIiwiQ29uc2VudCAmIEluZm9ybWF0aW9uIFNoYXJpbmcgV29yayBHcm91cCJdLCJub3RpY2UiOiJEYXRhIGlzIGNvbGxlY3RlZCBmb3IgbWVtYmVyc2hpcCBhbmQgYWRtaW5pc3RhcnRpdmUgIHB1cnBvc2UiLCJwb2xpY3lfdXJpIjoiaHR0cDovL3d3dy5rYW50YX

This consent receipt is provided by the Kantara Initiative. This receipt can be used to access and rectify PII and to manage consent.

Page 6: Kantara - Consent & Information Sharing WG Update

WHEN FULLY EVOLVED THE STANDARD BECOMES A VEHICLE FOR TRUST MARKS

Membership Priv. IPR TRACKING

YES

Page 7: Kantara - Consent & Information Sharing WG Update

Stakeholder Benefits

Stakeholder / Development Stage: Alpha - v0.8 | V1. Consent Receipt Specification | Standard Candidate - ISO Fast Track

1 Individuals (data subjects)
- Alpha - v0.8: Provides people with a record of consent and information to manually manage
- V1. Consent Receipt Specification: Reduces friction around personal information sharing.
- Standard Candidate - ISO Fast Track: focused on human centric approach a clear and simple standard to bridge the legal and technical divide

2 Kantara Implementation (orgs)
- Alpha - v0.8: Demonstrate that consent has been provided and people can use receipt to manage
- V1. Consent Receipt Specification: Improves customer experience.
- Standard Candidate - ISO Fast Track: Simplify data protection, data control, negotiation of terms

3 Regulators (education)
- Alpha - v0.8: Proof of consent and useful to demonstrate compliance or lack thereof
- V1. Consent Receipt Specification: Enable good personal information management practices for data controllers and processors. Provides proof of compliance.
- Standard Candidate - ISO Fast Track: Use for Market Self-Regulation

4 Trust Services (education)
- Alpha - v0.8: Used to demonstrate value to trust services
- V1. Consent Receipt Specification: core format for binding protocols and trust services
- Standard Candidate - ISO Fast Track: needed and missing standard to channel trust services and create interoperability in trust

Page 8: Kantara - Consent & Information Sharing WG Update


General Data Protection Revision

Article 7

1. Where Article 6(1)(a) applies the controller shall bear the burden of proof for the data subject's be able to demonstrate that unambiguous consent to the processing of their personal data for specified purposes was given by the data subject.

1a. Where article 9(2)(a) applies, the controller shall be able to demonstrate that explicit consent was given by the data subject.

Page 9: Kantara - Consent & Information Sharing WG Update

General Data Protection Revision

Article 7

2. If the data subject's consent is to be given in the context of a written declaration which also concerns another matter, the requirement to request consent must be presented in a manner which is clearly distinguishable in its appearance, in an intelligible and easily accessible form, using clear and plain language.

Page 10: Kantara - Consent & Information Sharing WG Update


General Data Protection Revision

Article 7

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject thereof shall be informed

Page 11: Kantara - Consent & Information Sharing WG Update


There should be no doubt on the elements establishing consent and the intention of the data subject to consent.

Even though it can be expressed in many different ways, for instance through a statement or an affirmative action, the essential requirement is that such statement or action must clearly signify the data subject’s agreement to personal data relating to them being processed. There has to be a clear distinction between opt-in and opt-out.

Therefore, the notion of unambiguous consent foreseen by the Council of the EU in Recital 25 may create some confusion with respect to the aim of the proposed text especially on the Internet where there is now too much improper use of consent. Requiring it to be explicit is an important clarification, truly enabling data subjects the exercise of their rights.

Furthermore consent should be informed and concern a specific purpose, any 'broad consent' would therefore not be acceptable.

Article 29 WP - Consent 17 June 2015

Page 12: Kantara - Consent & Information Sharing WG Update


To Get Involved

We are looking for use cases for the v.1 specification that represent different identity relationships in the “Connected Life” ecosystem:

• The Individual: Managing Consent
• Organisations: Dealing with managing identities with consent
• Service Providers: using rich consent to deliver services
• Health Care: consent directors and portability
• Government: Open Consent
• IOT: Dynamic Consent

Page 13: Kantara - Consent & Information Sharing WG Update

CONSENT & INFORMATION SHARING WG

If you would like to chat, or get a copy of this presentation

If you would like to get involved in developing the receipt infrastructure – join us at CISWG https://kantarainitiative.org/confluence/display/infosharing/Home

To keep Track: Follow us on Twitter @kantaraCISWG