
Kantara Initiative Releases Consent Receipt Form for GDPR

With less than one year before GDPR kicks in, the newswaves have been flooded in recent months with new surveys showing how ill-prepared business still remains. But while there is much news, there has been little in the way of practical technology solutions. The Kantara Initiative released one on Tuesday: a global consent receipt specification that meets GDPR requirements.

'Consent' is one of the big and far-reaching elements of GDPR. Failure to abide by the new consent requirements means failure to comply with GDPR, and potential liability for the regulation's stringent sanctions -- it is no longer simply a matter of preventing breaches.

Consent now must be informed and explicit. It means that in the event of a dispute over the use of personal information, or the transfer of personal data either between applications or to third parties, business will need to be able to prove that consent had indeed been given. Online tick-boxes and assumed consent will not suffice.

Kantara's Consent Receipt 1.0 (CR 1.0) (PDF) allows businesses dealing with EU-based companies to demonstrate they meet the notice requirements of GDPR, scheduled to be enforced on May 25, 2018. The specification is available free for download. Its purpose is to decrease the reliance on privacy policies and enhance the ability for people to share and control personal information.


The Kantara Initiative is a non-profit alliance of some of the world's companies involved with digital identities. It connects a global, open, and transparent community that includes CA Technologies, Experian, ForgeRock, Digi.me, Internet Society, Nomura Research Institute and SecureKey.

The consent receipt works both ways. While the business can prove that consent was genuinely given, the user can also define exactly what consent is withdrawn, either on its own or in conjunction with the so-called 'right-to-be-forgotten'.

"Until CR 1.0," explains Colin Wallis, executive director at the Kantara Initiative, "there was no effective privacy standard or requirement for recording consent in a common format and providing people with a receipt they can reuse for data rights. Individuals could not track their consents or monitor how their information was processed or know who to hold accountable in the event of a breach of their privacy. CR 1.0 changes the game," he added. "A consent receipt promises to put the power back into the hands of the individual and, together with its supporting API -- the consent receipt generator -- is an innovative mechanism for businesses to comply with upcoming GDPR requirements. For the first time individuals and organizations will be able to maintain and manage permissions for personal data."

There is, however, the proverbial elephant in the room. The companies that will be most affected by GDPR and consent are the big tech companies like Google, Facebook and Microsoft. It is unknown at this stage whether Europe will have the political will to fully enforce GDPR against the big American giants. If these companies prevaricate over full compliance without redress from Europe, why should other companies worry about something as esoteric as a consent receipt?

SecurityWeek asked the Kantara developers if this was a concern. It is not. "Markets evolve, technologies emerge and people get tired of the same old same old," said one of the consent receipt developers. "Given the rising anger amongst the people that pay for ads on these platforms, and the increasing creepiness of surveillance capitalism, it's not an unreasonable bet to say that both Google and Facebook's days as kings of their hills are numbered. They won't diminish as quickly as Friendster but they will diminish. Both the tech and business press are typically ahistorical and short sighted, so it's not surprising that they are continually surprised by new developments."

His point is that GDPR reflects an almost worldwide shift in attitudes, with consumers becoming more aware of and cynical towards the use of their personal data within surveillance capitalism. "Despite cartel-like market domination in their areas, the actual switching costs for users (and customers) of Facebook and Google are very low."

However, by embracing the new reality of user-centric regulations, companies that rely on user information will better maintain and indeed increase their user numbers. The same basic principles apply to all businesses. Engaging and conforming with user-centric regulations will only strengthen the relationship between business and customers. Kantara's consent receipt form provides compliance with GDPR, and reassurance to customers.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.