Kantara CISG WG Use Case; Work Group Participation Agreement
Kantara CISWG Consent Receipt Implementation Use Case
The Consent & Information Sharing WG is developing a reference implementation for the v0.8 draft of the Consent Receipt specification.
To test and evaluate the Consent Receipt v0.8 specification, this use case first reviews the policy and consent receipt elements in the Kantara Initiative CISWG sign-up process, then makes recommendations and requests for review.
The aim is to use the Kantara Initiative and the CISWG Work Group sign-up form to create an example implementation of the Consent Receipt, building upon the v0.7 beta sign-up form.
https://kantarainitiative.org/beta-signup/
In this use case:
- the Kantara Brand is reviewed for expected practices
- Work Group Participation Agreement: Consent(s)
- the Privacy Policy is reviewed
- the personally identifiable information (PII) sharing practices of the WG member’s PI are also reviewed
- Personal information (PI) collection, sharing, and usage practices are reviewed
  a. Device ID, IP address, cookie data
- 3rd Party Sharing of PI & PII
All of the consent & information sharing practices are listed, and with this information, the consent receipt specification is used to create a consent receipt.
- The Kantara Brand Review
Kantara has a trusted and unique brand in trusted services, in that it is a community of people invested in standards development and in developing trusted technology, policy, and protocols around identity and policy.
Kantara Initiative is comprised of open and transparent Work Groups, where members agree to participate in a WG by consenting to a workgroup participation agreement.
2. Work Group Participation Agreement: Consent Option(s)
Review of Consents in beta sign-up form
In the current CISWG Participation Agreement sign-up form there are 4 active consent options; each option is reviewed with recommendations for consent enhancement.
- Consent to Join the Work Group
  a. Recommend adding a link to withdraw consent to participate as a member
  b. Link to and/or display policy information for what happens when consent is withdrawn (**** need WG review)
- Authority to consent on behalf of organization (requires link to withdraw/update authority to act on behalf)
- Consent Preference - voting or non-voting (link to policy for changing voting status)
- Agree to the Kantara Initiative IPR Policy Option
All of the consent options are selected by the new participant and when Submit is clicked, the form and selected consent options are submitted.
- Privacy Policy Review
To implement a consent receipt, the privacy policy needs to be reviewed to collect consent and policy components, which should be a) reviewed by the Kantara organization, b) consent enhancement recommendations.
Kantara Initiative Privacy Policy (https://kantarainitiative.org/confluence/display/GI/Privacy+Policy)
● In the privacy policy there is a reference to an implied consent to transfer personal information across jurisdictional borders, which is not compliant with current Privacy Shield practices
● Recommend adding an explicit consent to transfer PII to the US in the WPA form
- PII Sharing Practices
● Member data shared on WG WIKI in participation roster (link to participant roster)
● All posts to the mailing list are captured in a public archive (link to mailing list privacy policy)
WG PI Sharing practices
- PI Sharing Practices
● Share IP with Google Analytics (non-identified data) (https://support.google.com/analytics/answer/6004245?hl=en)
● Session cookies for the wiki and Confluence are terminated once the session ends
- 3rd Party Sharing Practices
When reviewing the 3rd Party Sharing practices for both PII and PI, it became clear that there was some sharing.
a. Google Analytics: as a rule of thumb, analytical services collect some sort of personally identifiable information, which is why this sharing should also be disclosed to people via something like a privacy policy.
b. Google requires users of Google Analytics to use a privacy policy. When you sign up for Google Analytics, you consent to their terms that state under "7. Privacy":
Results
The results of the consent audit for the CIS WG participation agreement provided a number of recommendations for consent enhancement, in addition to some recommendations for review by the Kantara Organisation.
Importantly, it is clear that the current privacy policy is not in compliance with consent and information regulations, nor does it reflect the brand trust that is inherent to the Kantara organization.
In this regard, the recommendation is to implement the consent receipt and for the WG membership to be able to withdraw consent (as easily as it is provided), as this will further reflect the trusted brand that Kantara has built.
Most if not all of the participants in Kantara are volunteers and, as a result, it is important to be transparent and clear about information sharing practices.
As Kantara is a trust brand, it is expected that the consent and information sharing practices are listed in the privacy policy and that practices are clear, easy to access and manage.