Why Consent Receipts are Important

This blog provides the background as to why Consentua has embraced the Kantara Initiatives Consent Receipt Specification.

One of the drivers in adopting the specification for Consentua is the heritage and experience of the team that created it. Having almost 100 years worth of combined IT experience, we had a numerous stories and experiences of projects and products that had gone wrong. One of ingredients of projects that had been a success was their basis on standards.


Standards are very important. They drive a minimum level of quality. Standards when applied ensure that when a product says it will do X. It does X. Standards are a foundation from which to build upon. But, standards evolve and change. Consent Receipt standards are no different.

In terms of the new market of consent management, having standards means a number of things. Firstly, it means customers can start to easily compare different consent service offerings on a more like for like basis. This mean these different offerings can compete more on value add, price or service quality.

Secondly, standards provide a guarantee of interoperability. This is important as GDPR demands portability of data. Plus, if service A can work with service B, this means the whole market has a better chance of success. A reason why any CD works in any CD player is down to standards.

Finally, because the consent management market is still immature, the availability of a standard such as the Kantara Consent Receipt Specification gives consumers and producers more confidence the market opportunity is stable. This attracts investment and innovation.

Kantara are the organisation behind OAuth2.0 too. This is a great piece of standards work in its own right. As it now means your identity can be seamlessly shared across the web in a secure fashion. From a user perspective this is ease of use heaven.

The use of a single digital identity is becoming more common too. This is seen in the rise of the Personal Information Managers. Some of the PIMs Consentua is working with are digi.me and meeco.me. PIMs will also facilitate a citizens ability to earn money from their personal data too.

So bringing ease of managing your identity, alongside the consolidation of your identity under one platform, will have an impact on consent. It means that any consent to use personal data from a 3rd party is now hitting a common identity. A single place. This will give citizens more control. But at the moment the consent receipts are all over the place. A way needs to be found that will consolidate into a single view all the consent receipts held by citizen.

The consent receipt therefore will have an important role in the future. It will act as the bridge to bring all the receipts together into one place (a virtual place). But then what? What if these receipts are the active gate keepers of a digital identities consent to share personal data?

The variability of consent (I can change my mind) means a different answer is likely depending on the party requesting and the location/time/day that the request was made. This means that consent interactions are only going to increase as more and more things become connected to the internet. All wanting a slice of your personal data.

Future World

In the future, consent interactions are slowly going to be automated and the citizen will likely group and order consent based on a scenario and an outcome. More a set of ethical rules and thresholds. The rule set will be set verbally by the citizen and will arbitrarily change based on mood and location.

The role of the consent receipt is to be this dynamic store of consent. Based on the purposes previously agreed to by the citizen, the consent request is processed and acted upon in realtime. Consent management services will need to handle this variability and flexibility. The Kantara Consent Receipt specification has already thought ahead in terms of these types of requirement.

From a Consentua perspective we are investing in this next generation of consent interaction. We foresee a time when consent bots based on your collection of consent receipts will automatically handle consent in a consistent and trusted fashion. But this requires a…

Consentua believes that in the not to distant future, when consent management is mainstream. This is when millions of citizens have interacted with a consent service and consent receipts are plenty. The next consumer demand will be for a single view of consent.

Currently, our focus is on business customers. As these organisations are the data processors/controllers requiring the consent. However, once consent receipts are common, Consentua plan to be creating a consumer app.

This new app is waiting for a new extension from the consent receipt standards team which is an Interoperability Exchange Protocol. This new protocol will mean that included in the message payload is the location of the consent receipt host.

This means that if a consent receipt has followed the standard and is made open by the receipt owner, that a consent repository such as Consentua will be able to read a consent receipt stored in another consent repository.

Now the achilles heel of any single view of consent is your digital identity. But, as we know this is being fixed by such things as the OAuth2.0 evolution and the rise of the PIMs.


The good news is that Kantara are already exploring through a joint working group the link between consent and identity. The other piece of good news is that an interoperability work stream is also working on an active trial of a PIM interacting with a consent repository. With Consentua playing an active role in shaping and using the standard we are supporters of this activity.

Consentua, digi.me, Consentric, (with others welcome) will be testing the interoperability of consent receipts. Then by the middle of next year I would hope the early versions of an Interoperability Exchange Protocol will materialise. Again, along with others Consentua is stepping up and taking on the challenge of helping to move the standard along.

Then by 2019/20 we should be ready for the combined citizen centric view of consent. Then we can start getting serious with the automation and management of consent entirely on a citizens behalf.

However, the one thing that underpins all the above is the Kantara Consent Receipt Specification.

To that end, the team at Consentua want to say a big thank you to all parties who have been complicit in the creation of the consent receipt. We are pleased to be adherents to the specification and proud to be shaping the next stage.

For with out the Kantara Consent Receipt specification, Consentua would not be able to say it is a technology built on the shoulders of giants. Thank you.

Chris Cooper

Co-creator of Consentua our new GDPR consent service. Principal of KnowNowCities SmartCities experts. Chief innovator & co-founder of KnowNow Information.

Share This