Consent Receipts For a Usable And Auditable Web of Personal Data

Vitor Jesus; Harshvardhan J. Pandit

doi:10.1109/ACCESS.2022.3157850

Consent Receipts For a Usable And Auditable Web of Personal Data

Vitor Jesus, Harshvardhan J. Pandit

Operations & Information Management

Research output: Contribution to journal › Article › peer-review

Abstract

Consenting on the Web, in the context of online privacy and data protection, is universally accepted as a difficult problem, mainly because of its cross-disciplinarity. For example, any approach to online Consenting needs to meet usability, legal, regulatory, technical, and business requirements. To date, effort has been predominantly focused on meeting compliance with regulations and automation, and less on the true re-empowerment of users with respect to their personal data. One approach that has not seen sufficient research is the use of ’Consent Receipts’, which offer a new paradigm of recording interactions concerning consent and using them as proofs in future actions, similar to familiar use of a common shopping receipt. In addition to being a record, receipts encourage accountability in how technology handles consent and is beneficial for all involved stakeholders. For organisations, it assists with legal requirements for demonstration of valid consent, while for users it provides transparency and accountability by being a proof to be used against malpractices related to consent. Receipts also have uses in addition to those related to consent, such as for authorising the holder in exercising related rights. This paper analyses the requirements, uses, and benefits offered by Consent Receipts with an extensive and broad literature review. Since receipts are a novel concept, we identify properties and requirements, and then new mechanisms necessary for the Web to support receipts. We then demonstrate feasibility of receipts through proof-of-concepts in three common real-world use-cases: (a) acceptance of a privacy policy and its subsequent changes; (b) choices expressed via consent dialogues or cookie banners; and (c) verbal interactions with Amazon Alexa.

Original language	English
Pages (from-to)	28545-28563
Journal	IEEE Access
Volume	10
Early online date	8 Mar 2022
DOIs	https://doi.org/10.1109/ACCESS.2022.3157850
Publication status	Published - 8 Mar 2022

Bibliographical note

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ .

This work was supported by the European Union’s Horizon 2020 Research and Innovation Program Next Generation Internet (NGI) Trust for Project 3.40 Privacy-as-Expected: Consent Gateway under Grant 825618. The work of Harshvardhan J. Pandit was supported in part by the Irish Research Council Government of Ireland Postdoctoral Fellowship under Grant GOIPD/2020/790, in part by the European Union’s Horizon 2020 Research and Innovation Program NGI Trust for Privacy as Expected: Consent Gateway Project under Grant 825618, and in part by the ADAPT Science Foundation Ireland (SFI) Centre for Digital Media Technology funded by Science Foundation Ireland through the SFI Research Centre Program Co-Funded under the European Regional Development Fund (ERDF) under Grant 13/RC/2106_P2.

Keywords

Companies
Europe
GDPR
General Data Protection Regulation
Law
Privacy
Technological innovation
Usability
accountability
consent
consent receipt
personal data
web

Access to Document

10.1109/ACCESS.2022.3157850Licence: CC BY 3.0

Consent_Receipts_for_a_Usable_and_Auditable_Web_of_Personal_Data
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
Final published version, 1.4 MBLicence: CC BY 3.0

Cite this

@article{484c16b527a24fc9b5df872de42eb1ec,

title = "Consent Receipts For a Usable And Auditable Web of Personal Data",

abstract = "Consenting on the Web, in the context of online privacy and data protection, is universally accepted as a difficult problem, mainly because of its cross-disciplinarity. For example, any approach to online Consenting needs to meet usability, legal, regulatory, technical, and business requirements. To date, effort has been predominantly focused on meeting compliance with regulations and automation, and less on the true re-empowerment of users with respect to their personal data. One approach that has not seen sufficient research is the use of {\textquoteright}Consent Receipts{\textquoteright}, which offer a new paradigm of recording interactions concerning consent and using them as proofs in future actions, similar to familiar use of a common shopping receipt. In addition to being a record, receipts encourage accountability in how technology handles consent and is beneficial for all involved stakeholders. For organisations, it assists with legal requirements for demonstration of valid consent, while for users it provides transparency and accountability by being a proof to be used against malpractices related to consent. Receipts also have uses in addition to those related to consent, such as for authorising the holder in exercising related rights. This paper analyses the requirements, uses, and benefits offered by Consent Receipts with an extensive and broad literature review. Since receipts are a novel concept, we identify properties and requirements, and then new mechanisms necessary for the Web to support receipts. We then demonstrate feasibility of receipts through proof-of-concepts in three common real-world use-cases: (a) acceptance of a privacy policy and its subsequent changes; (b) choices expressed via consent dialogues or cookie banners; and (c) verbal interactions with Amazon Alexa.",

keywords = "Companies, Europe, GDPR, General Data Protection Regulation, Law, Privacy, Technological innovation, Usability, accountability, consent, consent receipt, personal data, web",

author = "Vitor Jesus and Pandit, {Harshvardhan J.}",

note = "This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ . This work was supported by the European Union{\textquoteright}s Horizon 2020 Research and Innovation Program Next Generation Internet (NGI) Trust for Project 3.40 Privacy-as-Expected: Consent Gateway under Grant 825618. The work of Harshvardhan J. Pandit was supported in part by the Irish Research Council Government of Ireland Postdoctoral Fellowship under Grant GOIPD/2020/790, in part by the European Union{\textquoteright}s Horizon 2020 Research and Innovation Program NGI Trust for Privacy as Expected: Consent Gateway Project under Grant 825618, and in part by the ADAPT Science Foundation Ireland (SFI) Centre for Digital Media Technology funded by Science Foundation Ireland through the SFI Research Centre Program Co-Funded under the European Regional Development Fund (ERDF) under Grant 13/RC/2106_P2.",

year = "2022",

month = mar,

day = "8",

doi = "10.1109/ACCESS.2022.3157850",

language = "English",

volume = "10",

pages = "28545--28563",

journal = "IEEE Access",

issn = "2169-3536",

publisher = "IEEE",

}

TY - JOUR

T1 - Consent Receipts For a Usable And Auditable Web of Personal Data

AU - Jesus, Vitor

AU - Pandit, Harshvardhan J.

N1 - This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ . This work was supported by the European Union’s Horizon 2020 Research and Innovation Program Next Generation Internet (NGI) Trust for Project 3.40 Privacy-as-Expected: Consent Gateway under Grant 825618. The work of Harshvardhan J. Pandit was supported in part by the Irish Research Council Government of Ireland Postdoctoral Fellowship under Grant GOIPD/2020/790, in part by the European Union’s Horizon 2020 Research and Innovation Program NGI Trust for Privacy as Expected: Consent Gateway Project under Grant 825618, and in part by the ADAPT Science Foundation Ireland (SFI) Centre for Digital Media Technology funded by Science Foundation Ireland through the SFI Research Centre Program Co-Funded under the European Regional Development Fund (ERDF) under Grant 13/RC/2106_P2.

PY - 2022/3/8

Y1 - 2022/3/8

N2 - Consenting on the Web, in the context of online privacy and data protection, is universally accepted as a difficult problem, mainly because of its cross-disciplinarity. For example, any approach to online Consenting needs to meet usability, legal, regulatory, technical, and business requirements. To date, effort has been predominantly focused on meeting compliance with regulations and automation, and less on the true re-empowerment of users with respect to their personal data. One approach that has not seen sufficient research is the use of ’Consent Receipts’, which offer a new paradigm of recording interactions concerning consent and using them as proofs in future actions, similar to familiar use of a common shopping receipt. In addition to being a record, receipts encourage accountability in how technology handles consent and is beneficial for all involved stakeholders. For organisations, it assists with legal requirements for demonstration of valid consent, while for users it provides transparency and accountability by being a proof to be used against malpractices related to consent. Receipts also have uses in addition to those related to consent, such as for authorising the holder in exercising related rights. This paper analyses the requirements, uses, and benefits offered by Consent Receipts with an extensive and broad literature review. Since receipts are a novel concept, we identify properties and requirements, and then new mechanisms necessary for the Web to support receipts. We then demonstrate feasibility of receipts through proof-of-concepts in three common real-world use-cases: (a) acceptance of a privacy policy and its subsequent changes; (b) choices expressed via consent dialogues or cookie banners; and (c) verbal interactions with Amazon Alexa.

AB - Consenting on the Web, in the context of online privacy and data protection, is universally accepted as a difficult problem, mainly because of its cross-disciplinarity. For example, any approach to online Consenting needs to meet usability, legal, regulatory, technical, and business requirements. To date, effort has been predominantly focused on meeting compliance with regulations and automation, and less on the true re-empowerment of users with respect to their personal data. One approach that has not seen sufficient research is the use of ’Consent Receipts’, which offer a new paradigm of recording interactions concerning consent and using them as proofs in future actions, similar to familiar use of a common shopping receipt. In addition to being a record, receipts encourage accountability in how technology handles consent and is beneficial for all involved stakeholders. For organisations, it assists with legal requirements for demonstration of valid consent, while for users it provides transparency and accountability by being a proof to be used against malpractices related to consent. Receipts also have uses in addition to those related to consent, such as for authorising the holder in exercising related rights. This paper analyses the requirements, uses, and benefits offered by Consent Receipts with an extensive and broad literature review. Since receipts are a novel concept, we identify properties and requirements, and then new mechanisms necessary for the Web to support receipts. We then demonstrate feasibility of receipts through proof-of-concepts in three common real-world use-cases: (a) acceptance of a privacy policy and its subsequent changes; (b) choices expressed via consent dialogues or cookie banners; and (c) verbal interactions with Amazon Alexa.

KW - Companies

KW - Europe

KW - GDPR

KW - General Data Protection Regulation

KW - Law

KW - Privacy

KW - Technological innovation

KW - Usability

KW - accountability

KW - consent

KW - consent receipt

KW - personal data

KW - web

UR - https://ieeexplore.ieee.org/document/9730898

U2 - 10.1109/ACCESS.2022.3157850

DO - 10.1109/ACCESS.2022.3157850

M3 - Article

SN - 2169-3536

VL - 10

SP - 28545

EP - 28563

JO - IEEE Access

JF - IEEE Access

ER -

Consent Receipts For a Usable And Auditable Web of Personal Data

Abstract

Bibliographical note

Keywords

Access to Document

Other files and links

Fingerprint

Cite this