
FYI - Some really good references to support the TPR - for Valid Consent

** Guidelines 05/2020 on consent under Regulation 2016/679

"Furthermore, obtaining consent also does not negate or in any way diminish the controller's obligations to observe the principles of processing enshrined in the GDPR, especially Article 5 of the GDPR with regard to fairness, necessity and proportionality, as well as data quality."

** Article 29 Working Party: Guidelines on transparency under Regulation 2016/679

Footnote 14) The requirement for transparency exists entirely independently of the requirement upon data controllers to ensure that there is an appropriate legal basis for the processing under Article 6.

1. Introduction - "Transparency is an overarching obligation under the GDPR"

2. ... transparency is now included as a fundamental aspect of these principles. Transparency is intrinsically linked to fairness and the new principle of accountability under the GDPR.

4. The concept of transparency in the GDPR is user-centric rather than legalistic and is realised by way of specific practical requirements on data controllers and processors.

4. The quality, accessibility and comprehensibility of the information is as important as the actual content of the transparency information, which must be provided to data subjects.

5. The transparency requirements in the GDPR apply irrespective of the legal basis for processing and throughout the life cycle of processing.

18. Of course, the use of digital layered privacy statements/notices is not the only written electronic means that can be deployed by controllers. Other electronic means include "just-in-time" contextual pop-up notices, 3D touch or hover-over notices, and privacy dashboards. Non-written electronic means which may be used in addition to a layered privacy statement/notice might include videos and smartphone or IoT voice alerts.[25] "Other means", which are not necessarily electronic, might include, for example, cartoons, infographics or flowcharts. Where transparency information is directed at children specifically, controllers should consider what types of measures may be particularly accessible to children (e.g. these might be comics/cartoons, pictograms, animations, etc. amongst other measures).

36. WP29 recommends that the first layer/modality should include the details of the purposes of processing, the identity of the controller and a description of the data subject's rights. (Note: - For TPR Measurement Purpose) Furthermore, this information should be directly brought to the attention of a data subject at the time of collection of the personal data, e.g. displayed as a data subject fills in an online form. The importance of providing this information upfront arises in particular from Recital 39.[34] While controllers must be able to demonstrate accountability as to what further information they decide to prioritise, WP29's position is that, in line with the fairness principle, in addition to the information detailed above in this paragraph, the first layer/modality should also contain information on the processing which has the most impact on the data subject and processing which could surprise them. Therefore, the data subject should be able to understand from information contained in the first layer/modality what the consequences of the processing in question will be for the data subject (see also above at paragraph 10).

38. ... WP29 recommends that the first "layer" (in other words the primary way in which the controller first engages with the data subject) should generally convey the most important information (as referred to at paragraph 36 above), namely the details of the purposes of processing, the identity of the controller and the existence of the rights of the data subject, together with information on the greatest impact of processing or processing which could surprise the data subject.

(Note: - I recommend translating the term "Purpose" used above into "permissions" for digital identity.)

39. "Push" and "pull" notices (like the Consent Receipt). Another possible way of providing transparency information is through the use of "push" and "pull" notices. Push notices involve the provision of "just-in-time" transparency information notices, while "pull" notices facilitate access to information by methods such as permission management, privacy dashboards and "learn more" tutorials. These allow for a more user-centric transparency experience for the data subject.
On 31 Mar 2025, at 15:04, Mark Lizar <smartopian@icloud.com> wrote:
Hi Everyone,
Now that 27560 is going to be open, I have looked into recent work on 27560 and 29184, so I could try and locate exactly where the consent receipt use case has gone awry and, in addition, provide Transparency Report specific references to support the use of Consent Receipts, to enable Controller compliance. It's clear the Consent Receipt use case, to regulate digital identity trust and address surveillance capitalism, is still a big deal, and something that perhaps the ANCR WG can support, to educate the industry on a way for human data control and interoperability with consent and identity management, aka the Consent Receipt. To this end, I have drafted some comments/updates to the Consent Receipt use case, to the W3C DPV Group, and to provide the legal references to request updates to the proposed 27560.
Would these comments be supported by the ANCR WG?
Best, Mark
Core Consent Receipt Use Case - Permission for Identification (or self-identifying with consent)

As the researcher, developer and editor of the Consent Receipt, and editor of the Transparency Performance Report at the ANCR WG, I would like to clarify the core use case for the consent receipt, to demonstrate how to decentralise the governance of digital identification and surveillance with enforceable privacy, transparency, and consent regulation. To this end, I would request a review of notice and consent in DPV (and 27560), with regards to the associated guidance, found in particular in Associating Identity with Consent <https://harshp.com/research/publications/038-comparison-notice-requirements-consent-29184-gdpr#associating-identity-with-consent>:

"Additionally, GDPR encourages using an identifier so that controllers can demonstrate the individual's given consent (Art.7-1), enable them to withdraw it (Art.7-3), and provide them with a history of their consent events (Art.15)." https://harshp.com/research/publications/038-comparison-notice-requirements-...

Referencing Guidelines 05/2020 on consent under Regulation 2016/679 (to point to the guidance, which has a different interpretation than what is provided here):

"64. Furthermore, there may be situations where a data controller is processing personal data that does not require the identification of a data subject (for example, with pseudonymized data). In such cases, Article 11.1 may also be relevant as it states that a data controller shall not be obliged to maintain, acquire, or process additional information to identify the data subject solely to comply with the GDPR."

In Article 29 Working Party: Guidelines on transparency under Regulation 2016/679:

"106. At the same time, the duty to demonstrate that valid consent has been obtained by a controller should not in itself lead to excessive amounts of additional data processing. This means that controllers should have enough data to show a link to the processing (to show consent was obtained) but shouldn't be collecting any more information than necessary."

The context of the use case

The consent receipt version 1.1, which was adopted as ISO/IEC 27560, was developed through five years of research and two years of drafting and volunteer community work, originating from Hackathons and Campaigns to stop the biggest lie on the internet, which is "Our Data Is Collected without Consent." This is now being shown to cause significant harms to society (references available upon request).

The Issue being addressed

If an individual must first be identified to access rights to stop being surveilled online, then privacy is not a right; it is a consumer protection with limited capacity to see and control who can surveil PII principals. This is referred to as the surveillance capitalism use case, which the MVCR and Consent Receipt work solves.

Key Points:

Without this, people can be surveilled, their data scraped (like with AI), and then they have to opt out of being tracked, referencing a 'Consumer Protection' paradigm where privacy isn't a fundamental right, and consent is required to surveil people.

The consent receipt is the solution to this challenge, using a standard interaction pattern, well known in society for trust, that requires fair and proportionate transparency (as explained in the Guidance for use of GDPR). It's very simple: put up a sign, provide a notice, and ask for permission. These are fundamental components of human etiquette, being polite, and reducing friction.

How does it work?

How does this consent receipt work so PII principals can provide permission before being surveilled?

A Controller presents their identity in a standard notice (layer 1 of online interaction). This generates a notified record when the PII principal interacts with it. That notified processing activity is mirrored as a consent receipt.
A controller digital identifier is provided to the PII principal, instead of a PII principal identifier being taken secretly from the data subject. The data subject can use the receipt (in a secure private space like a digital wallet) to interact with the Controller, send more PII, provide permission to be digitally identified, and self-identify. Consent can be withdrawn with a click.
Please consider that at this time, 27560, which is called a consent record, uses a PII principal identifier in the record header (with an unknown 3rd party ID, for un-notified tracking of people), indicating that this is not consent but a USA-style consumer protection record. This has significant security and privacy implications, as US law only affords US citizens consumer rights, which are not afforded to EU citizens or Canadians under USA Foreign Intelligence Surveillance Laws. As you can imagine, without a real consent receipt and transparency before surveillance, it provides people with much weaker consumer protection, and leaves Canadians open, without rights or data sovereignty, having a geopolitical impact on the international market.
Please update the text here especially: https://harshp.com/research/publications/038-comparison-notice-requirements-...