ISO/IEC JTC 1/SC 27 N 20243, Reserved 27560 Privacy technologies - Consent record information structure

Scope

This document specifies an interoperable, open, and extensible information structure for recording PII Principals' or data subjects' consent to data processing. This document further provides guidance on the use of consent receipts and consent records associated with a PII Principal's data processing consent to support the:

— provision of a record of the consent to the PII Principal;

— exchange of consent information between information systems; and

— management of the lifecycle of the recorded consent.

This document does not specify an exchange protocol for receipts and records, nor an exact data structure for such exchange.

Purpose

Regulations for data and privacy protection include requirements for notice and consent to the processing of personal information. There is currently no specification for an interoperable consent record. As a result, neither individuals nor organizations can easily track their consents or know whom to hold accountable in the event of a violation of that consent. An interoperable, open and extensible information structure for recording a PII Principal's consent to data processing, based on industry codes of practice, helps ensure consent notification, interoperability and management for people and organizations alike.

PII Principals are regularly asked for consent by organizations who want to collect information about them, usually in conjunction with the use of a service or application. Consent is provided by an individual when they agree to allow an organization to collect, use, or disclose their data, and data about them, according to a set of terms and conditions defined by the collecting organization. A record of a consent enhances the ability to maintain and manage permissions for personal data by both the PII Principal and the PII Controller.

Much like a retailer giving a customer a cash register receipt as a personal record of a purchase transaction, an organization may similarly decide to create a digital record or receipt as proof of an online interaction, in order to be transparent about data processing. A PII Controller generates a Consent Receipt and provides it to the PII Principal in context, enabling them to exercise their privacy rights.

Furthermore, an interoperable structure for consent records opens the possibility of seamless interactions among PII controllers and PII processors when one of them needs to prove an individual's consent or act upon it. This is regularly the case when a PII processor collects consent on behalf of a PII controller, or when an organization acquires or handles a database containing PII from another organization.

The elements described in this specification represent privacy-related requirements common to many jurisdictions. The specification includes extension points so that implementors can incorporate information required for their particular regulatory and policy requirements.

The proposed deliverable elaborates on the example presented in ISO/IEC 29184 Appendix B: “Example of a Consent Receipt or Consent Record”.

