As a: User of a web site
I want: to acquire access to some resource
So that: I can download content or physically access some venue
Acceptance Criteria - what the user should know:
Verifier or Brand: and who else sees the data (that may be in the TOU)
Purposes that they can understand: and whether they are required or optional
Retention Time: if longer than the life of the transaction


  • Some messages suitable to deliver in plain English during provision process (not just in T&C): (2.7.1)
    “Your [Insert name of App] data will not be released from your device [or the issuing authority] without your permission.”
    “If you are asked to release data you feel uncomfortable sharing, do not share it”
    “If your [mDL] data changes on record with the state, it will be updated on your [app] shortly after it is received by the [issuing authority]”
    “If you believe your digital identity data is being misused, report it [here]”
  • User receives Digital ID lifecycle notifications, for example: (4.4.3)
    “Driving privilege suspended pending renewal of physical credential, credential may be used for Identity purposes only”
    “Driving privilege suspended as per state law, credential may be used for Identity purposes only” 
  • The following is considered to be bad advice and is to be avoided. It will not usually be of any use to the user (through too much detail or too technical collections of terms) and will be very annoying.
    • User receives notice of each data field being requested by the relying party and has the option to approve or decline sending each field before sending the data to the relying party. (4.4.4)
    • User Consent to release each field of data, or decline transaction in physical domain, consistent with the ISO 18013-5 standard supported. (5.2.2)