9 Matching Annotations
- May 2020
Consent receipt mechanisms can be especially helpful in automatically generating such records.
“Until CR 1.0 there was no effective privacy standard or requirement for recording consent in a common format and providing people with a receipt they can reuse for data rights. Individuals could not track their consents or monitor how their information was processed or know who to hold accountable in the event of a breach of their privacy,” said Colin Wallis, executive director, Kantara Initiative. “CR 1.0 changes the game. A consent receipt promises to put the power back into the hands of the individual and, together with its supporting API — the consent receipt generator — is an innovative mechanism for businesses to comply with upcoming GDPR requirements. For the first time individuals and organizations will be able to maintain and manage permissions for personal data.”
CR 1.0 is an essential specification for meeting the proof of consent requirements of GDPR to enable international transfer of personal information in a number of applications.
Much like a retailer giving a customer a cash register receipt as a personal record of a purchase transaction, an organization using CR 1.0 will create a record of a consent transaction and give it to the individual. This transaction record is called a consent receipt.
CR 1.0 can be used by people to communicate consent and the sharing of personal information once it is provided.
Its purpose is to decrease the reliance on privacy policies and enhance the ability for people to share and control personal information.
Kantara’s CR 1.0 specification provides a common standard digital format for providing a record to consumers about privacy and what people have consented to. The creation and implementation of this standardized format will promote consistent, machine- and human-understandable consent practices, support consent management interoperability between systems internationally and enable proof of scalable consent.
- key point
- empowering individual users
- data interchange
- consent receipt
- personal data processing: record-keeping
- open protocols
- open format
- empowering people to control their privacy / personal data processing