[KI-LC] Initial Comments on Privacy Policy for Consent Receipt Implementation

Mark Lizar mark at smartspecies.com
Wed Jul 1 09:25:45 CDT 2015

Upon a quick review of the Privacy Policy, there are a few red flags that I should mention:
http://kantarainitiative.org/confluence/display/GI/Privacy+Policy
Unable to find a Privacy Policy link on the main website; was only able to find it on the join the WG form (lack of usable transparency over privacy practices).
“We may use your information to:
To provide you with personalized content.”
- Is there personalised content or ads? If not, this should be removed. If this is true, this should arguably be a listed purpose and reflected in the consent receipt.

3. Consent for cross-border transfer of information:

Kantara Initiative is a business alliance of individuals, organizations, and companies operating globally. Please note that while the Website is located in the United States, data collected on the Website may be transferred to, and stored or processed in, other countries, including countries where Kantara Initiative members are located. Laws of these other countries may not be the same as the laws regulating the use and transfer of personal data in your country. By entering your personal information on this Web site, you are consenting to the transfer of that information to the United States or to other countries for the purposes described in this privacy policy.

It's not clear why personal information would be transferred to another country other than the US,
or why this would be done without explicit consent. This seems too ambiguous and I suggest a review.
If this is necessary, then this will require something like Safe Harbour or BCRs to make it compliant, or adding more purposes and consent options.
Possible Solution
Storing information in the US should be added to the consent receipt as a purpose and be explicitly agreed to in the join form.
Remove/change “may be transferred to other countries …” unless Kantara is unaware, or does this without consent. If this is the case, then Safe Harbour needs to be used.

Consent Receipt Best Practices

We are starting to work on best practices for an implementation of a consent receipt.

These will include:

- Posting a privacy policy at www.yourdomain/privacypolicy
- Linking the privacy policy on the home page.
- Listing clearly the purposes for the use of personal information consented to in the membership agreement.
- Listing contact details for a privacy officer/data controller on the policy and on the receipt.
  Note: this could be forwarded to a staff address. In this regard, Oliver has already made an email address, privacy-controller at kantarainitiative.org, that we can use, which forwards email to staff at kantarainitiative.org
- Adding Kantara Twitter to the consent receipt would be a bonus.