Why Consent Receipts are Important

This blog provides the background as to why Consentua has embraced the Kantara Initiative's Consent Receipt Specification.

One of the drivers in adopting the specification for Consentua is the heritage and experience of the team that created it. With almost 100 years' worth of combined IT experience, we had numerous stories and experiences of projects and products that had gone wrong. One of the ingredients of the projects that had been a success was their basis in standards.

Standards

Standards are very important. They drive a minimum level of quality. Standards, when applied, ensure that when a product says it will do X, it does X. Standards are a foundation to build upon. But standards evolve and change. Consent Receipt standards are no different.

In terms of the new market of consent management, having standards means a number of things. Firstly, it means customers can start to easily compare different consent service offerings on a more like-for-like basis. This means these different offerings can compete more on value add, price or service quality.

Secondly, standards provide a guarantee of interoperability. This is important as GDPR demands portability of data. Plus, if service A can work with service B, this means the whole market has a better chance of success. A reason why any CD works in any CD player is down to standards.

Finally, because the consent management market is still immature, the availability of a standard such as the Kantara Consent Receipt Specification gives consumers and producers more confidence the market opportunity is stable. This attracts investment and innovation.

Kantara are the organisation behind OAuth2.0 too. This is a great piece of standards work in its own right, as it now means your identity can be seamlessly shared across the web in a secure fashion. From a user perspective this is ease-of-use heaven.

The use of a single digital identity is becoming more common too. This is seen in the rise of the Personal Information Managers (PIMs). Some of the PIMs Consentua is working with are digi.me and meeco.me. PIMs will also facilitate a citizen's ability to earn money from their personal data.

So bringing ease of managing your identity, alongside the consolidation of your identity under one platform, will have an impact on consent. It means that any consent to use personal data from a 3rd party is now hitting a common identity. A single place. This will give citizens more control. But at the moment the consent receipts are all over the place. A way needs to be found to consolidate all the consent receipts held by a citizen into a single view.

The consent receipt therefore will have an important role in the future. It will act as the bridge to bring all the receipts together into one place (a virtual place). But then what? What if these receipts are the active gatekeepers of a digital identity's consent to share personal data?

The variability of consent (I can change my mind) means a different answer is likely depending on the party requesting and the location/time/day that the request was made. This means that consent interactions are only going to increase as more and more things become connected to the internet, all wanting a slice of your personal data.

Future World

In the future, consent interactions are slowly going to be automated and the citizen will likely group and order consent based on a scenario and an outcome. More a set of ethical rules and thresholds. The rule set will be set verbally by the citizen and will arbitrarily change based on mood and location.

The role of the consent receipt is to be this dynamic store of consent. Based on the purposes previously agreed to by the citizen, the consent request is processed and acted upon in real time. Consent management services will need to handle this variability and flexibility. The Kantara Consent Receipt specification has already thought ahead in terms of these types of requirement.

From a Consentua perspective we are investing in this next generation of consent interaction. We foresee a time when consent bots based on your collection of consent receipts will automatically handle consent in a consistent and trusted fashion. But this requires a…

Consentua believes that in the not too distant future, when consent management is mainstream (that is, when millions of citizens have interacted with a consent service and consent receipts are plentiful), the next consumer demand will be for a single view of consent.

Currently, our focus is on business customers, as these organisations are the data processors/controllers requiring the consent. However, once consent receipts are common, Consentua plans to create a consumer app.

This new app is waiting for a new extension from the consent receipt standards team, which is an Interoperability Exchange Protocol. This new protocol will mean that the location of the consent receipt host is included in the message payload.

This means that if a consent receipt has followed the standard and is made open by the receipt owner, a consent repository such as Consentua will be able to read a consent receipt stored in another consent repository.

Now the Achilles heel of any single view of consent is your digital identity. But, as we know, this is being fixed by such things as the OAuth2.0 evolution and the rise of the PIMs.

Conclusion

The good news is that Kantara are already exploring, through a joint working group, the link between consent and identity. The other piece of good news is that an interoperability work stream is also working on an active trial of a PIM interacting with a consent repository. With Consentua playing an active role in shaping and using the standard, we are supporters of this activity.

Consentua, digi.me, Consentric, (with others welcome) will be testing the interoperability of consent receipts. Then by the middle of next year I would hope the early versions of an Interoperability Exchange Protocol will materialise. Again, along with others Consentua is stepping up and taking on the challenge of helping to move the standard along.

Then by 2019/20 we should be ready for the combined citizen-centric view of consent. Then we can start getting serious with the automation and management of consent entirely on a citizen's behalf.

However, the one thing that underpins all the above is the Kantara Consent Receipt Specification.

To that end, the team at Consentua want to say a big thank you to all parties who have been involved in the creation of the consent receipt. We are pleased to be adherents to the specification and proud to be shaping the next stage.

For without the Kantara Consent Receipt specification, Consentua would not be able to say it is a technology built on the shoulders of giants. Thank you.

Consentua V Competitors

The easiest way to manage consent is to deploy a tool which simply records and helps you to manage your consent requirements and your customer’s consent decisions. Consentua is one such tool, a lightweight, low-impact API. It gives users choice and control over what happens to their personal data.

You can also consider a more complex, feature-rich Personal Information Manager that will own your and your customer’s personal data interactions. This tool would become your golden record of identity. It would capture and manage consent for that user's identity.

The table below is a comparison of Consentua versus a PIM based approach to managing user consent.

| Criteria | Personal Information Manager - handling consent | Consentua - handling consent | Consentua Comment |
| --- | --- | --- | --- |
| Can I use an anonymous identifier? | No | Yes | Consentua just needs a common identifier with those systems it is capturing and storing consent for. No personal data required, so less risk, less cost and faster. |
| Cloud / SaaS | Yes | Yes | Secure, redundant, resilient cloud infrastructure provided by Azure and BlueMix. |
| Secure | Yes | Yes | Unique token accessed URI per Consentua client and user. Encrypted data exchange. |
| Less than an hour to install? | No | Yes | Quick to set up. Easy to use. Scalable across an organisation. |
| Freemium | No | Yes | Try before you buy Consentua. |
| By Interaction Charging Model | No | Yes | Consentua use is linked to user value generated. Not that you are simply a member of the club. |
| Predictable Costs | Yes | Yes | Can cap or even predict amount of interactions, based on experience & trial period. Purchase suitable ‘bucket’ of consent interactions in advance. |
| Licence version | Yes | Yes | Consentua is available under licence. |
| White Label | No | Yes | Your brand, our brand. Your call. |
| Users are free? | No | Yes | User interactions and dashboards are free. |
| Enterprise Wide | Yes | Yes | As long as all user identifiers are common across an enterprise, Consentua can be THE consent service for that enterprise (& beyond). |
| Multi Language | Yes | Yes | Consentua can handle the same consent framework across any language or jurisdiction. |
| Multiple Consents | No | Yes | Group consents allow consent across time, space, location or circumstance. |
| Standards Based | Some | Yes | Adhering to the Kantara Consent Receipt standard. |
| SDK | No | Yes | Drops into existing app (iOS & Android). Available as a plugin for 3rd party software soon. |
| Other GDPR Benefits | No | Yes | Ask Consentua and it can show which users have consented to what. From who needs to be forgotten to who wants the best possible service. All available within a few clicks. |
| Re-use your PIA? | No | Yes | Create your own consent template from the PIA along with your brand values and service needs. You are in control over the consent being requested. |
| Easy external Access | No | Yes | Just grant the external service an API URI and they can access your Consentua service. |
| Does the person who pays the bill have control? | No | Yes | Your admins have control over your Consentua service. Creating templates, adding users, adding roles, adding consent services. |
| Collective Knowledge | No | Yes | Industry associations, trade groups, clusters of common consent can re-use consent templates. Facilitates best practice. |
| Different levels of consent easily explained? | No | Yes | The quid pro quo explained. My data for this level of service. With all levels in between. |
| User Impact minimal | No | Yes | Consentua is intuitive: once a user is notified to go to their ‘new consent’ view, they start interacting & set the level of service to be received versus consent granted. |
| User Benefits of exchanging personal data are clear | No | Yes | Consentua provides that clear, unambiguous, ongoing view of consent. Plus it explains what I get as a user from the data exchange. |
| Realtime | Not always | Yes | If the user changes their consent everyone can be told. But the recommended use is to only check consent when required (i.e. before a campaign, before an interaction). |
| Different Roles | No | Yes | Multiple roles can be created within a service, but there are 3 access privileges (SystemAdmin/ClientAdmin/ClientUser). |

Bonus Benefits for using Consentua:

Consentua facilitates an improvement in trust between the data subject and your organisation.
Improves operational efficiency and reduces risk.
Provides a single enterprise and organisation wide view of consent.
Establish your ‘Consentfulness’ score.
Prepare for an AI driven world using the forthcoming Consentua bots.

Conclusion

The easiest way for 99% of organisations to quickly control the management of consent under GDPR is to use a purpose-built consent manager such as Consentua. It is a flexible, secure and lightweight API solution. It encourages trust and improved customer service.

Deploying a whole PIM suite may be the right thing to do for some organisations but it is likely to be a more complex process for a less flexible long term solution. The reliance on using your user’s personal data also means there is risk of unauthorised access.

Consentua helps a DPO manage a single point of entry into your organisation to see who has consented to what. It helps your marketing team get closer to, and know more about, your customers. It provides choice and control.

How do I get Consentua?

Simple.
Go to www.consentua.com to learn more.
Contact the team at contact@consentua.com
Start preparing your consent template by taking the output from the privacy impact assessment (PIA) that will be conducted as part of the GDPR preparations to build your unique consent management service.
Install the API so it works with your enterprise/business systems. Consentua requires a common user id so it will work with your systems. Consentua does not hold any user data other than this ID.
Start using Consentua!