Consent Receipt API

This server provides a consent receipt generation API. The API consists of a single endpoint:

This endpoint accepts HTTP POST requests with input in the form of JSON (application/json) documents and output in the form of a signed JSON Web Token (application/jwt).

How It Works

The API takes in a JSON document describing the consent transaction for which the receipt is to be generated. This object includes artifacts such as the presiding jurisdiction for the consent action, an identifier for the party consenting. The output of the API is a signed JSON Web Token (JWT) whose payload consists of all of the input data as well as several additional fields. This JWT is digitally signed by the server.

Top-level fields in the input JSON object

Field Name Data Type Description Example Input Required
Section 1:
CR Header
---- This is the first section of the receipt ----
jursidiction string. ISO two-letter country code if applicable, otherwise free text This is the legal jurisdiction under which the processing of personal data occurs US
iat number. Integer number of seconds since 1970-01-01 00:00:00 GMT Timestamp of when the consent was issued 1435367226
moc Method of collection Is used to describe how the consent was collected i.e. webform opt in, or implicit, verbal, etc. web form
iss string. HTTPS URL This is the URI or Internet location of processing, i.e., one party-two party or three
jti string. Unique identifier for this consent receipt

9ef6b81a414b2432ec6e3d384c5a36cea8aa0c30d3dd2b67 364126ed80856f9c20654f032eef87ad981187da8c23c1186eefe 1503714835c2e952bbb3f22729c

sub string. Subject provided identifier, email address - or Claim, defined/namespaced
Section 2:
Data Controller
---------- This section has the data controller, contact and privacy service information ----------
data_controller object

The identity and company of the data controller and any party nominated to be data controller on behalf of org

The object contains information of the data controller in the following fields:

Field Name Data Type Description Example Input Required
on_behalf boolean. acting on behalf of an organization? true
contact string. person to contact Jon Doe
company string. company name Data Controller Inc.
address string. physical address 123 Main St., Anywhere
email string. Email address contact email address
phone string. Phone number contact phone number 00-000-000-0000
{"on_behalf": true, "contact": "Dave Controller", "company": "Data Controller Inc.", "address": "123 St., Place", "email": "", "phone": "00-123-341-2351"}
policy_uri string. HTTP URL the internet and immediately accessible privacy policy of the service referred to by the receipt
Section 3:
Purpose Specification
------------- List Purpose -------------
purpose array of string's arrays. Explicit, Specific and Legitimate: interpreted here as: 'Naming the Service' and 'Stating the Active Purpose ' see Appendix A these requirements [Bob’s store, delivery, ]or [[" CISWG Membership", "Join"]]
Section 4:
Sensitive Personal Information
------------- List 3rd Party Sharing Activities -------------
sensitive array of strings. In many jurisdictions their are additional notice and administrative requirements for the collection, storage and processing of what are called Sensitive Personal Information Categories. These are Sensitive in the business, legal, and technical sense, but not specifically in the personal context. This list of categories are required in some jurisdiction, but, the actual notice and purpose requirements are out the scope of the MVCR. ["health"]
Section 5:
Information Sharing
------------- Sharing information with 3rd parties, what categories, with whom, and how information is shared -------------
sharing object

This refers to the sharing of personal information collected about the individual, with another external party by the data controller (service provider). Should list categories of PII shared, from above list and under what purpose. Sharing is also a container for listing trust marks and trust protocols.

The object contains information of the sharing in the following fields:

Field Name Data Type Description Example Input Required
sharing array of strings. Data categories to share None
party_name string. 3rd party to share data 3rd Party Name or/3rd Party Category
purpose string. How information is shared None
{party_name: "3rd Party Name or/3rd Party Category"}
Section 6:
Optional Or In Review
------------- ------------- -------------
notice string. HTTP URL Link to the short notice enables usability and layered policy. to provide enhanced transparency about data collection and information sharing practices
scopes string. space separated string values What you’re allowed to do on the service (these can be tied to legal / business / technical layers) read update

Digital signature information

The output JWT is signed using the RS256 algorithm defined in JSON Web Signatures. The server's public key is published in JSON Web Key format at:


An example input to the API is the following JSON object:

        "jurisdiction" : "US",
        "iat": 1443282118,
        "moc": "web form",
        "iss": "",
        "jti": "cba37edd4e223a44ea0197498663af81c0d68cdf7b5f13975096e34435339e51f86b6bf674f9725632b6f451b4a78c2fb09d3fcd38c978f004fcf99e65bdceab",
        "sub" : "" ,

        "data_controller" : {"on_behalf": true, "contact": "Dave Controller", "company": "Data Controller Inc.", "address": "123 St., Place", "email": "", "phone": "00-123-341-2351"},
        "policy_uri" : "" ,

        "purpose" : [["Bob's Store", "delivery", "financial"]],

        "sensitive" : ["health"] ,

        "sharing" : {sharing:"financial",party_name: "demographic", purpose: "delivery"},

        "notice" : "" ,
        "scopes" : "read update"

This produces output like the following signed JWT:


The header portion of the JWT contains:

        "alg": "RS256",
        "typ": "JWT"

The payload portion of the JWT contains:

        data_controller: {
          address: "123 St., Place",
          company: "Data Controller Inc.",
          contact: "Dave Controller",
          email: "",
          on_behalf: true,
          phone: "00-123-341-2351",
        iat: 1443282118,
        iss: "",
        jti: "cba37edd4e223a44ea0197498663af81c0d68cdf7b5f13975096e34435339e51f86b6bf674f9725632b6f451b4a78c2fb09d3fcd38c978f004fcf99e65bdceab",
        jurisdiction: "US",
        moc: "web form",
        notice: "",
        policy_uri: "",
        purpose:[["Bob's Store", "delivery", "financial"]],
        scopes: "read update",
        sensitive: ["health"],
        sharing: {
          party_name: "demographic",
          purpose: "delivery",
          sharing: ["financial"]
        sub: ""


Purpose Specification

# Descriptions Short Code Notes
1 Enabling us to carry out the core functions of our site/app/services Core Function
2 Providing contracted or requested services to you. Contracted Service
3 Delivering physical goods to you. Delivery
4 Communicating with you about information or services you specifically request. Contact Requested
5 Providing you with a personalized experience of our site/app/service. Personalized Experience
6 Communicating with you about our other services you may be interested in. Marketing
7 Communicating with you about the services of third parties you may be interested in. Marketing Third Parties
8 Providing the information to third parties to deliver our services on our behalf. Sharing for Delivery
9 Providing the information to third parties to enable them to communicate with you about their own services you may be interested in. Sharing for Marketing
10 Providing the information to third parties to enable them to deliver or improve their own services to you. 3rd Party Sharing for Core Function Service delivery dependent? Or for improved non dependent service deliver?
11 Providing the information to third parties to enable them to deliver or improve their own services to others. 3rd Party Sharing for ...
12 Complying with our legal obligations for record keeping. Legally Required Data Retention Is jurisdiction assumed?
13 Complying with our legal obligations to provide the information to law enforcement or other regulatory/government bodies. Required by Law Enforcement or Government
14 Protecting your vital and health interests. Protecting Your Health
15 Protecting our legitimate interests, yours or those of a third party. Protecting Our Interests Is self interest a valid purpose?
16 Measure or improve our performance or the delivery of our services. Improve Performance

Data Attributes

# Category Description of Category
1 Biographical General information like Name, DOB, Family info (mother’s maiden name), marital status. Historical data like educational achievement, general employment history.
2 Contact Contact – (Address, Email, Telephone Number, etc.)
3 Biometric Biometric – (Photos, fingerprints, DNA. General physical characteristics – height, weight, hair colour. Racial/ethnic origin or identification - whether self-identified or not)
4 Social Contact Communications/Social – (Email, message and phone records – both content and metadata. Friends and contacts data.)
5 Network/Service Network/Service – (Login ids, usernames, passwords, server log data, IP addresses, cookie-type identifiers)
6 Health Health – (Ailments, treatments, family doctor info. X-rays and other medical scan data)
7 Financial Financial – (This includes information such as bank account, credit card data. Income and tax records, financial assets/liabilities, purchase/sale of assets history.)
8 Official ID Official/Government Identifiers – (This includes any widely recognized identifiers that link to individual people. Examples include National Insurance, ID card, Social security, passport and driving license numbers, NHS number (UK). Just the numbers rather than data associated with them.)
9 Social Benefit Data Social Services/Welfare – (Welfare and benefits status and history)
10 Judicial Data Judicial – (Criminal and police records, including traffic offenses.)
11 Asset Data Property/Asset – (Identifiers of property – license plate numbers, MAC addresses for mobiles, other device identifiers. Not financial assets. Could include digital assets like eBook and digital music data)
12 HR Data Human Resources – (Records held about employees/ members/ students not elsewhere defined. Incl. HR records such as job title, attendance/disciplinary records. Salary - as opposed to income.)
13 Mental Health Psychological/Attitudinal – (Inc. religious, political beliefs, sexual orientation and gender identity – though not genetic gender which is Biometric. Traits and personality measures or assessments, but not psychological health - which is health data).
14 Membership Membership – (Political, trade union affiliations, any other opt-in organizational/group membership data - third party organizations only. Includes name of employer when not held by employer. Could extend to online platform membership. Some might be more sensitive than others – may want a separate category)
15 Behavioral Behavioral – (Any data about the behavior, habits or movements of an individual - electronic or physical. Location, browser/search history, web page usage (analytics), energy usage (smart meters), login history, calendar data, etc.)
16 Profiling Profile – (Marketing and social segmentation data. Any categorization that impacts information presented or decisions made about an individual. This might be observed or derived data (algorithmic) or volunteered by the individual. Profile data is often generated from behavioral data).