Learn about the Kantara Consent & Information Sharing WG and its major deliverable, the digital Consent Receipt: an Alpha project designed to upgrade the way a person provides consent on-line. This is an open standardization project.
Kantara - Consent & Information Sharing WG Update
1. CONSENT & INFORMATION SHARING
Kantara Initiative
Consent Receipt v0.8: The Alpha
@kantaraCISWG
Mark Lizar
2. What is a Consent Receipt?
A consent receipt is the first layer of a privacy notice and links to the rest of the layers and policy notices.
It is being designed to reduce friction and improve the customer experience around personal information sharing.
The aim is to enable high-value flows of volunteered personal information between individuals and organisations that merit their trust.
3. Alpha v0.8 -> 2-Step Receipt
Step 1: the person clicks "I Agree".
Step 2: "Your receipt has been sent to you: Download another?"
Presentation options:
• Display on screen
• Email
• Direct to PDS
• Download to local device
Benefits:
- Opens consent: people have a record and are able to use it in the future to manage digital rights.
- Organisations have proof of consent.
- Uses a common meta-format for recording consent so that consent can be managed in aggregate.
4. Minimum (or Simple) Consent Receipt
[Mock-up of the receipt as shown to the person; the fields on it are:]
Header: "Kantara respects your privacy"
Purpose list: To send with email; To deliver goods; To charge credit card; To advertise
Data categories collected: Name, Email, Credit Card
Sensitive Personal Information: Y/N
Trusted Services: Y/N, with linked trusted-services icons
Link to policies: Privacy Policy
Link to Kantara website
Data Controller contact information: privacy-controller@kanatarainitiative.org, 123 AR St. London, WC2X 1NG
Date & time: stamped
Footer: "This consent receipt is provided by the Kantara Initiative; this receipt can be used to access and rectify PII and manage consent."
5. Minimum Viable Consent Receipt
[Same receipt mock-up as slide 4 (header "Kantara respects your privacy", purpose list, data categories collected, sensitive personal information Y/N, trusted services Y/N with links, data controller contact information, date & time), now paired with a machine-readable form:]
Machine readable: JWT (integrity)
Footer: "This consent receipt is provided by the Kantara Initiative; this receipt can be used to access and rectify PII and manage consent."
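As an added illustration (not the working group's code or schema), the block below shows how a minimum consent receipt carrying the fields from the mock-up could be issued to the person as a signed JWT and later checked for integrity before anyone relies on it. The claim names, the HS256 algorithm with a shared key, and the sample values are assumptions chosen so that it runs with only the Python standard library.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample receipt with the fields shown on the mock-up slides.
# Claim names and the "iat" value are assumptions for illustration.
SAMPLE_RECEIPT = {
    "iss": "Kantara Initiative", "sub": "data-subject@example.com", "iat": 1434542400,
    "purposes": ["To send with email", "To deliver goods",
                 "To charge credit card", "To advertise"],
    "data_categories": ["Name", "Email", "Credit Card"],
    "sensitive_pii": False, "trusted_services": True,
    "policy_uri": "https://example.invalid/privacy-policy",  # placeholder
    "controller_contact": {"email": "privacy-controller@kanatarainitiative.org",
                           "address": "123 AR St. London, WC2X 1NG"},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _json_bytes(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()

def issue_receipt(claims: dict, key: bytes) -> str:
    """Serialise the receipt as header.payload.signature (HS256 JWT)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(_json_bytes(header)) + "." + _b64url(_json_bytes(claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_receipt(token: str, key: bytes):
    """Return the claims only if the signature is valid, else None. The algorithm
    is pinned to HS256 so a header chosen by the presenter (e.g. "none") is rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, payload, sig = parts
    try:
        if json.loads(_b64url_decode(head)).get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{head}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None
```

Any change to the purposes, data categories or sensitive-PII flag after issuance invalidates the signature, which is the property the "Integrity" label on the slide refers to.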
6. When fully evolved, the standard becomes a vehicle for trust marks
[Mock-up of trust marks on a receipt: "Membership Priv.", "IPR Tracking: YES"]
7. Stakeholder Benefits
(For each stakeholder, the benefit at each development stage: Alpha - v0.8; V1 Consent Receipt Specification; Standard Candidate - ISO Fast Track.)
(1) Individuals (data subjects)
   Alpha - v0.8: Provides people with a record of consent and information to manage manually.
   V1 Specification: Reduces friction around personal information sharing.
   ISO Fast Track: Focused on a human-centric approach; a clear and simple standard to bridge the legal and technical divide.
(2) Kantara Implementation (orgs)
   Alpha - v0.8: Demonstrate that consent has been provided, and people can use the receipt to manage it.
   V1 Specification: Improves customer experience.
   ISO Fast Track: Simplify data protection, data control and negotiation of terms.
(3) Regulators (education)
   Alpha - v0.8: Proof of consent, useful to demonstrate compliance or lack thereof.
   V1 Specification: Enable good personal information management practices for data controllers and processors; provides proof of compliance.
   ISO Fast Track: Use for market self-regulation.
(4) Trust Services (education)
   Alpha - v0.8: Used to demonstrate value to trust services.
   V1 Specification: Core format for binding protocols and trust services.
   ISO Fast Track: A needed and missing standard to channel trust services and create interoperability in trust.
8. General Data Protection Revision, Article 7
1. Where Article 6(1)(a) applies the controller shall bear the burden of proof for the data subject's be able to demonstrate that unambiguous consent to the processing of their personal data for specified purposes was given by the data subject.
1a. Where Article 9(2)(a) applies, the controller shall be able to demonstrate that explicit consent was given by the data subject.
9. General Data Protection Revision, Article 7
2. If the data subject's consent is to be given in the context of a written declaration which also concerns another matter, the requirement to request consent must be presented in a manner which is clearly distinguishable in its appearance, in an intelligible and easily accessible form, using clear and plain language.
10. General Data Protection Revision, Article 7
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof.
11. Article 29 WP on Consent
There should be no doubt on the elements establishing consent and the intention of the data subject to consent.
Even though it can be expressed in many different ways, for instance through a statement or an affirmative action, the essential requirement is that such statement or action must clearly signify the data subject's agreement to personal data relating to them being processed. There has to be a clear distinction between opt-in and opt-out.
Therefore, the notion of unambiguous consent foreseen by the Council of the EU in Recital 25 may create some confusion with respect to the aim of the proposed text, especially on the Internet where there is now too much improper use of consent. Requiring it to be explicit is an important clarification, truly enabling data subjects the exercise of their rights.
Furthermore, consent should be informed and concern a specific purpose; any 'broad consent' would therefore not be acceptable.
Article 29 WP - Consent, 17 June 2015
12. To Get Involved
We are looking for use cases for the v.1 specification that represent different identity relationships in the "Connected Life" ecosystem:
- The Individual: managing consent
- Organisations: dealing with managing identities with consent
- Service Providers: using rich consent to deliver services
- Health Care: consent directors and portability
- Government: open consent
- IoT: dynamic consent
13. CONSENT & INFORMATION SHARING WG
If you would like to chat, or get a copy of this presentation, get in touch.
If you would like to get involved in developing the receipt infrastructure, join us at CISWG: https://kantarainitiative.org/confluence/display/infosharing/Home
To keep track, follow us on Twitter: @kantaraCISWG