Consent Receipt

From IDESG Wiki
Jump to navigation Jump to search

Source Document

Creator: Kantara Initiative

Date: Feb 20 2018 = Eighth draft of version 1.1.0


Consent Receipt Specification


Category: Access Management Protocol Specification

Description: A consent receipt is a record of a consent provided to an individual at the point in a person agrees to the sharing of personal information.  Its purpose is to capture the privacy policy and its purpose for sharing personal information so it can be easily used by people to communicate and manage consent and sharing of personal information once it is provided. It can also be used between data controllers for shared information.


The consent receipt to a natural person Subject is required whenever the user consents for a site Data Controller to maintain User Private Information about the Subject.


  • The user goes to a site and is asked to create a User Object containing User Private Information about the subject. At the close of the session the consent Receipt must be made available to the user with material that meets the requirements of the spec.
  • The user provides information to the site that meets the specifications of the General Data Protection Regulation, then the site needs to establish some means of connecting with the user and sends a consent receipt to the address provided.
  • The user visits a site that places cookies on the user computer for continuity of the user experience. If no User Private Information is retained by the site, no consent receipt is required.
  • The User Private Information is provided by one Data Controller to another per consent that was established by the provider. One of the two sites must provide a consent receipt to the user.

Privacy: The primary purpose of the consent receipt is compliance with the General Data Protection Regulation or GDPR

Security: While the GDPR does mandate responsibility of the Data Controller and specifies notification of security breeches, it is unclear if such notification would be in the form of a Consent Receipt.

Interoperability: It is expected that Consent Receipts can be interchanged between Data Controllers and that interop sessions are to be scheduled by Kantara.