[KI-LC] Initial Comments on Privacy Policy for Consent Receipt Implementation

Colin Wallis colin_wallis at hotmail.com
Mon Jul 13 22:28:39 CDT 2015

Thanks Mark
I've (personally) commented <<inline>> below.

From: mark at smartspecies.com
Date: Mon, 13 Jul 2015 13:51:23 -0400
To: lc at kantarainitiative.org
CC: wilton at isoc.org
Subject: [KI-LC] Initial Comments on Privacy Policy for Consent Receipt Implementation

Hi LC,
I have updated the comments a little with a couple of policy notes and some edits. Robin, do you have any thoughts about these comments? (There are many ways to address notice and consent issues.)
Kind Regards,
Upon a quick review of the Privacy Policy there are a couple of comments: http://kantarainitiative.org/confluence/display/GI/Privacy+Policy

Unable to find a Privacy policy link on the main website, was only able to find it on the join the WG form. (lack of usable transparency over privacy practices) <<CW: We should link to it from the landing page of the main website as well as the WG GPA form, but... any word changes needed?>>

“We may use your information to: To provide you with personalized content.”

- Is there personalised content or ads? If not, this should be removed. If this is true, this should arguably be a listed purpose and possibly reflected in a consent receipt.
<<CW: I don't believe there is, or has ever been, but was probably considered as 'future proofing' Kantara's website activity. I support removing this statement.>>

Consent for cross-border transfer of information: "Kantara Initiative is a business alliance of individuals, organizations, and companies operating globally. Please note that while the Website is located in the United States, data collected on the Website may be transferred to, and stored or processed in, other countries, including countries where Kantara Initiative members are located. Laws of these other countries may not be the same as the laws regulating the use and transfer of personal data in your country. By entering your personal information on this Web site, you are consenting to the transfer of that information to the United States or to other countries for the purposes described in this privacy policy."

It's not clear why personal information would be transferred to another country other than the US

why this would be done without explicit consent - seems too ambiguous and I suggest a review
If this is necessary, then this will require something like Safe Harbour or BCRS to make compliant, (or) adding more purposes and consent options. 
<<CW: I don't know the background either, but I could imagine 2 possible intentions: 1) geographically distributed data centers for cloud-based SaaS offerings like Confluence, 2) the opening of another (European?) office for Kantara which might require some transfer>>
Possible Solutions

Storing information in the US could be added to the consent receipt as a purpose and be explicitly agreed to in the join form.
Remove/change “may be transferred to other countries …” unless Kantara is unaware, or does this without consent. If this is the case, then Safe Harbour needs to be used.
<<CW: So working on my assumptions above, and the notion of another office has not gone away, I think we need to do both of these suggestions above>>.

We are starting to work on best practices for an implementation of a consent receipt, these can be found here 