Consent Receipts – 101 & Update – Closing the loop with users
Consent Receipts
Tuesday 5A Convener: John Wonderliech
Notes-taker(s): Jim Fournier
Tags for the session - technology discussed/ideas considered:
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
ConsentReceipt.org
Biggest lie on the internet
Alice & Bob comments on blog
Alice wants to comment on Bob’s site:
- collect info
- notice
- submit
Bob makes commitment
How does Alice know it's true?
Minimum viable set of info for receipt?
Do privacy policies protect your privacy? No
- Risk management for corp
Receipt for value
- follows transaction
- memorialize commitment by Bob to Alice
Status of project:
JSON object notation in process
Health? In Canada depends entirely on consent
If there is no option to say No, it's notice, not consent
Should not use info for any other purpose
Same blank looks in Silicon Valley as in China: why can't we just use the data?
What's the difference between what's in the receipt and the privacy policy?
- Evil Bob’s privacy policy favors corp entirely as broadly as possible.
- Nobody reads them, may or may not comply locally.
- Receipt shows Alice what she agreed to. Surfaces it from a UX perspective
- Privacy = contract of adhesion
- What's the URI in effect at the time of transaction?
- Change in terms of service notice now.
- Creates shared display and enforces old terms until new agreed.
In the US, the FTC position: promise what you will, but abide by it.
- If Alice doesn’t agree to new policy.
- Don’t go back to site.
Add this to your CRM
For EU GDPR:
- fine = 4% of global revenue
- if marketing material is added, there must be a user opt-in option
- now receipt shows opt-in
- that can become part of CRM for Bob
- mass personalization based on consent
Without receipt Bob can’t currently track which terms apply to which user.
- Share the terms with the user, keep a record of them, and share that with user.
Google Groupon-like example, unauthorized charge to mom’s account for daughter’s action.
- Should have been a receipt in new paradigm.
How do I revoke consent?
- GDPR says it has to be as easy to revoke as to give.
- UUID reference number, but up to Bob how to do it.
- CR opens channel to do it.
- In health or research one-way door, HR, internal enterprise, could simply be notice.
PIMS not getting traction yet; LastPass, 1Password, KeePass could add CR.
Bob could ask for proof of identity.
How is it different from a PP (privacy policy)?
- Doesn’t replace, creates communication record of actual exchange.
- Information power asymmetry.
Could tie PP to Terms of Service and keep better records.
Semantic standard plugin can only happen with standard.
CR contains URL of existing PP
- no crypto sig in early example
- for enterprise will get more robust
creates point of agreement, protects enterprise too
now UUID on receipt
- minimum viable 2 party isolated transaction
- some use-cases don’t want 3rd party
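A small model of the receipt and the checks discussed above (UUID reference, policy URL in effect at the time, opt-in shown on the receipt, revocation by UUID, and detecting users still on old terms). This is an added example, not code from the session or from the Consent Receipt project; the field names, the in-memory store and the sample values are assumptions.

```python
# Added example: field names are assumptions mirroring the notes, not a published schema.
import uuid
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class ConsentReceipt:
    receipt_id: str            # UUID reference number Alice can quote to revoke
    subject: str               # Alice
    controller: str            # Bob
    policy_url: str            # URL of the privacy policy in effect at transaction time
    policy_version: str        # which terms applied, so Bob can track terms per user
    purposes: Tuple[str, ...]  # stated purposes; data must not be used for any other
    marketing_opt_in: bool     # GDPR: marketing needs its own opt-in; the receipt shows it
    issued_at: str
    revoked_at: Optional[str] = None

def _now() -> str:
    return datetime.now(timezone.utc).isoformat()

class ReceiptStore:
    """Bob's side: an in-memory (constructed) CRM record of what each user agreed to."""
    def __init__(self) -> None:
        self._receipts: Dict[str, ConsentReceipt] = {}

    def issue(self, subject, controller, policy_url, policy_version,
              purposes, marketing_opt_in=False) -> ConsentReceipt:
        r = ConsentReceipt(str(uuid.uuid4()), subject, controller, policy_url,
                           policy_version, tuple(purposes), marketing_opt_in, _now())
        self._receipts[r.receipt_id] = r
        return r

    def revoke(self, receipt_id: str) -> Optional[ConsentReceipt]:
        """Revoking must be as easy as giving: the UUID alone opens the channel."""
        r = self._receipts.get(receipt_id)
        if r is not None and not r.revoked_at:
            r = self._receipts[receipt_id] = replace(r, revoked_at=_now())
        return r

    def allowed(self, receipt_id: str, purpose: str) -> bool:
        """May Bob use the data for this purpose under this receipt?"""
        r = self._receipts.get(receipt_id)
        if r is None or r.revoked_at:
            return False
        return r.marketing_opt_in if purpose == "marketing" else purpose in r.purposes

    def needs_reconsent(self, current_version: str) -> List[str]:
        """Users still on old terms; those stay in force until the new ones are agreed."""
        return sorted(r.subject for r in self._receipts.values()
                      if not r.revoked_at and r.policy_version != current_version)
```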
Goal is to address power imbalance, organizations winning, gov, corp
- also compliance and human rights under GDPR
comment:
- simplified ToS on a page
- for start up offer vetted standard
Can help Enterprise manage risk: working example Optinon in UK
No metric for companies that want to claim that they are better on privacy.