Page tree

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  1. The ISO/IEC SC 27 Committee in April 2020 to start an ISO Working Draft based on the Consent Notice Receipt
  2. The Consent Notice Receipt was published in appendix D, of ISO/IEC 29184 (June 6,2020)  titled 'Online privacy notice and consent' 
    1. this establishes  the Consent Notice Receipt as an authoritative data governance tool to provide transparency over the control and interoperability of data processing by services between jurisdictions     
  3. V1.1  to V 1.2 Notice; regarding 'well known issues and developments' (WKID) Updates, 
    1. delegation (on-behalf)
    2. proof of notice receipt
    3. Consent Notice Receipt (Human Definition) 
      1. a receipt to prove awareness of any policy or notice regarding surveillance; a physical sign, a blinking light, T&C's, privacy policies, cookie notices, online consent forms etc, any notice or notification to inform people about the active state of processing and accountability.
      2. Consent is a human centric term which is technically a multi-permissoned active state at any one point of time reflecting hidden and personal capabilities per context, biological, social, legal, but more importantly, the physical environment which dictates security and controls considerations for the individual.  
      3. generated from the notice and or sign presented to the Individual in the individuals physical context indicating the system permissions/data protection and controls scopes/ relevant to the person and context. 
      4. the consent notice receipt MUST function to link privacy rights information and access into the processing context, using a receipt for proof and post interaction access to those rights. 
    4. a key challenge was the legal ontology for Purpose Specification
      1. to address this, Kantara CISWG members supported
        1. the launch of the W3C Data Privacy Vocabulary Group on the eve of the GDPR @ ODI in London in conjunction with MIT Media Labs 
      2. updating / replacing the MVCR Appendix with the contributions of the Personal Data Categories from Jason Cronk (revised by the Open Consent Group), now an agreed and adopted category basis for semantic control interoperability 
      3. Purpose category, referencing an industry or sector code of conduct. Often referred to as a trust framework, pr code of conduct for practices that are nuanced as like a digital identity governance scheme for (micro)credentials and certification.  Codes of conduct are often championed at a national and international to be approved by Data Protection and Privacy Regulators for an industry and sector. 
    5. Legal Justifications for Processing
      1. For people the purpose is used to make choices and decisions it is used to inform people so they can grant consent or assent in some way for a specified purpose.
      2.  Behind this purpose specification is the legitimacy of the processing which is technically broken down into recognized legal reasons for surveillance 
        1. Now greatly simplified with the GDPR  setting an international standard and ISO 29184, as a set of standard legal justifications,.
        2. Consent
        3. Contract
        4. Legitimate Interest
        5. In the Pubic's Interest
        6. for the Vital Interest of the Individual
        7. for a required  legal obligation
      3.  with a conformity assessment built in,  any notice can be extended to provide a consent notice receipt to a person - where by standards are used to specifying the legal justification, purpose, data categories, so that the rights available for person are accessible and viewable in context. (the objective of the CR receipt format ) Regardless of service and terms


Governance Interoperability: 

Standardized Privacy Notice Semantics for Transborder identity and data governance Governance

Human Governance Interoperability



People first must have some sort of notice that they are providing consent before consent is possible.  People must first be aware of surveillance before it can be trusted / consistently depended upon, or trustworthy in context This is required for human usability and is described  in  terms of transparency (or conformance assessment) of the notice and its effectiveness for  privacy risk management and  data governance



Legal Governance Interoperability

A privacy notice is the only required elements for all personal data privacy processing across all privacy legislated jurisdictionsThe harmonization's of the legal semantics, via international standards and the adoption of best practices.   Notice is the most similar across all jurisdictions and it is also the only privacy element that is constant in all frameworks.  

Notice for security, privacy, health and safety is universally required in governance, and where there is none. Like big data, there is little to no providence Technically

Technically Governance Interoperability  : (Decentralized



Active state event receipts enable in context transparency to support rights that are proportionate and reciprocal, meaning that the Individual can see the active state of the legal entity and status of the service, independent of the service, ( reciprocal transparency) and then have the choice to use rights as defined by legal justification and context 

Legal Justification Standards for Dynamic Data Flow Controls

For a high privacy assurance and transparency an online privacy notice can be structure and labelled to automate the permissioning over the  flow and control of processing  


In all  contexts, notifications a  inform the lifecycle of legal justification for processing and its relationship, and receipts render this lifecycle  making transparent active state to which rights apply in context, and what the performance of those rights ares legally expected by people.   The

CR V1.2 Updates


Proposed to advance CR V1.


the receipt is further defined and fields and broken down into


  1. Notice field object
    1. Location & Time 
    2. Location – twin - 
    3. Physical Device - 
  2. PII Controller object
    1. Jurisdictions, 
  3. Link to physical notice 
  4. Extend it (Legal Justification)  
  5. Privacy Stakeholders 
  6. Categories of controllers  
  7. Consent Purpose Specification (v.1.1) 
  8. Purpose Category 
  9. Purpose Descriptions  
  10. Purpose Sensitive Categories of Data  
  11. Sensitive data category  
  12. Personal Data Category  
  13. Personal Data Types/attributes etc  
  14. Personal Data Processing Treatment 
  15. Storage 
  16. Security (cert/sighed key) 
  17. Extensions –Requirements (according to Context)  

Notice & Notifications

Notice can itself be extended with a Notification for the maintenance of a consent record, and consent based relationship.  Notice Receipt Receipts facilitate a Semantic Governance Framework  

A notice of controller is the first section of the receipt  1, can be extended with these receipt profiles