This request form is essentially research to develop the minimum viable consent receipt request form Draft 01 in an agile manner.
The aim is to innovate the questions and the quality of compliance, correlating the laws and requirements from different jurisdictions to the questions and elements in the form.
From here it would be great to map more notice requirements from the consent map to the form below, as well as to improve on the questions and approach so that we can include more requirements in fewer questions.
At the bottom of the form are the references to California law; FTC needs to be added and referenced in the question. (These are the minimum requirements.)
So far I have mapped the California laws and the basic components to the consent receipt.
Action Item for Draft 1: list the references for how this complies with FTC Guidelines.
This form aims to highlight to the receipt maker whether any other US Federal laws (which cover sensitive personal information) and Government standards are also needed.
This by itself provides a valuable service to the company, as well as provides us with what we hypothesize to be the minimum viable consent receipt.
The questions I hope this research can answer are: (Add more if you like)
1. Can the consent receipt provide compliance guarantees with notice requirements?
2. How can this be measured? (Compliance Scale)
3. Does this pose any legal challenges?
The Consent Receipt Request Form Step-by-step Outline
************************** Consent Receipt Request ************************
[Header; Date Time]
Dear [Insert Data Controller or Org Name]
I [Insert Identifier used for consent] have consented to your (policy, and TOS)
Date & Time of Consent
URL of web page with consent mechanism
[Policies Consented] [Put in Links] (with Confirm Checkbox)
So I can genuinely give my fully informed consent (and in accordance with the laws listed below [footnote]) please send me the information requested below via this “Open Notice” form.
Drop in Google Form:
(I can make a Google Form for this and we can use the embed code and drop it in the website to start with. I think we will have many versions of this form. Do you think it might be a good idea to keep it in Google Form until we are ready to move into the website?)
Step 1. (if not produced in form above)
Confirm Consent Policy Links
What is your link to your TOS?
Step 2. Questions For Company
0. Please indicate the category of personal information that you collect (Personal Information (check), Sensitive Personal Information (what type - drop down list)) (1)
1. Please restate the purpose for this consent(s)
2. What are the contact details and address of the data controller responsible for the compliance of the consent agreement? (such as the privacy/data protection officer at )
3. Please indicate the length and scope of this consent
How long does this consent last for?
At what point, if any, will you require consent maintenance?
4. Additional fields [based on California jurisdiction]:
a. How do you deal with the do not track signal (consent preference)? (5)
[Obey, Ignore] - Link to description (7)
6. Through what process (or communication channel) do you communicate changes to your policies and changes of personal data use?
7. In the future, when my personal details change, when your policies change or when the nature of your use of my data or service changes, what process do I use to:
Access/Correct my information? (personal data store, UMA)
Manage consent? (personal data store, UMA)
Get informed of critical notices for my personal security and privacy
Inquire about purpose use
8. Please provide a link to a list of other parties that are collecting personal identifiers, tracking part of my web session with you.
9. Please indicate if these parties have consented to follow the same privacy policies and terms.
References Related to this Form
References to laws in your jurisdiction which require these fields: X,Y,Z [from the consent legal map].
(1) Identify the categories of personally identifiable information that the operator collects through the Web site or online service about individual consumers who use or visit its commercial Web site or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information.
(2) If the operator maintains a process for an individual consumer who uses or visits its commercial Web site or online service to review and request changes to any of his or her personally identifiable information that is collected through the Web site or online service, provide a description of that process.
(4) Identify its effective date.
(5) Disclose how the operator responds to Web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection.
(6) Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.
a. How do you respond to Do Not Track preferences?
FTC - Guidelines
US - Standards
Privacy Bill Of Rights