Consent Receipts – 101 & Update – Closing the loop with users

From IIW

Consent Receipts

Tuesday 5A Convener: John Wonderliech

Notes-taker(s): Jim Fournier

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

ConsentReceipt.org

Biggest lie on the internet: "I have read and agree to the terms."

Alice & Bob comments on blog

Alice wants to comment on Bob’s site:

  • collect info
  • notice
  • submit

Bob makes commitment

How does Alice know it's true?

Minimum viable set of info for receipt?

Do privacy policies protect your privacy? No.

  • They are risk management for the corporation.

Receipt for value

  • follows transaction
  • memorialize commitment by Bob to Alice

Status of project:

JSON object notation in progress

Health data? In Canada it depends entirely on consent.

If there is no option to say no, it's notice, not consent.

Should not use info for any other purpose

Same blank looks in Silicon Valley as in China: why can't we just use the data?

What's the difference between what's in the receipt and what's in the privacy policy?

  • Evil Bob’s privacy policy favors corp entirely as broadly as possible.
  • Nobody reads them, may or may not comply locally.
  • Receipt shows Alice what she agreed to; surfaces it from a UX perspective.
  • Privacy policy = contract of adhesion.
  • What's the policy URI in effect at the time of the transaction?
  • Change-in-terms-of-service notice now.
  • Creates shared display and enforces old terms until new agreed.

In the US (FTC): promise what you will, but abide by it.

  • If Alice doesn’t agree to new policy.
  • Don’t go back to site.

Add this to your CRM

For EU GDPR:

  • fine up to 4% of global revenue
  • if marketing is added, it must be a separate user opt-in
  • now the receipt shows the opt-in
  • that can become part of CRM for Bob
  • mass personalization based on consent

Without receipt Bob can’t currently track which terms apply to which user.

  • Share the terms with the user, keep a record of them, and share that with user.

Google Groupon-like example, unauthorized charge to mom’s account for daughter’s action.

  • Should have been a receipt in new paradigm. 

How do I revoke consent?

  • GDPR says it has to be as easy to revoke as to give.
  • UUID reference number, but up to Bob how to do it.
  • CR opens channel to do it.
  • In health or research one-way door, HR, internal enterprise, could simply be notice.

PIMS not getting traction yet; LastPass, 1Password, KeePass could add CR.

Bob could ask for proof of identity.

How is it different from the PP (privacy policy)?

  • Doesn’t replace, creates communication record of actual exchange.
  • Information power asymmetry. 

Could tie PP to Terms of Service and keep better records. 

A semantic-standard plugin can only happen with a standard.

CR contains URL of existing PP

  • no cryptographic signature in the early example
  • for enterprise it will get more robust

Creates a point of agreement; protects the enterprise too.

Now a UUID on the receipt

  • minimum viable 2 party isolated transaction
  • some use-cases don’t want 3rd party

Goal is to address the power imbalance: organizations (government, corporations) winning.

  • also compliance and human rights under GDPR

comment:

  • simplified ToS on a page
  • for start up offer vetted standard 

Can help an enterprise manage risk: working example, Optinon in the UK.

No metric for companies that want to claim that they are better on privacy.