Consent Receipts For a Usable And Auditable Web of Personal Data


Consenting on the Web, in the context of online privacy and data protection, is universally accepted as a difficult problem, mainly because of its cross-disciplinarity. For example, any approach to online Consenting needs to meet usability, legal, regulatory, technical, and business requirements. To date, effort has been predominantly focused on meeting compliance with regulations and automation, and less on the true re-empowerment of users with respect to their personal data. One approach that has not seen sufficient research is the use of ’Consent Receipts’, which offer a new paradigm of recording interactions concerning consent and using them as proofs in future actions, similar to familiar use of a common shopping receipt. In addition to being a record, receipts encourage accountability in how technology handles consent and is beneficial for all involved stakeholders. For organisations, it assists with legal requirements for demonstration of valid consent, while for users it provides transparency and accountability by being a proof to be used against malpractices related to consent. Receipts also have uses in addition to those related to consent, such as for authorising the holder in exercising related rights. This paper analyses the requirements, uses, and benefits offered by Consent Receipts with an extensive and broad literature review. Since receipts are a novel concept, we identify properties and requirements, and then new mechanisms necessary for the Web to support receipts. We then demonstrate feasibility of receipts through proof-of-concepts in three common real-world use-cases: (a) acceptance of a privacy policy and its subsequent changes; (b) choices expressed via consent dialogues or cookie banners; and (c) verbal interactions with Amazon Alexa.

Publication DOI:
Divisions: College of Business and Social Sciences > Aston Business School > Operations & Information Management
Additional Information: This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see . This work was supported by the European Union’s Horizon 2020 Research and Innovation Program Next Generation Internet (NGI) Trust for Project 3.40 Privacy-as-Expected: Consent Gateway under Grant 825618. The work of Harshvardhan J. Pandit was supported in part by the Irish Research Council Government of Ireland Postdoctoral Fellowship under Grant GOIPD/2020/790, in part by the European Union’s Horizon 2020 Research and Innovation Program NGI Trust for Privacy as Expected: Consent Gateway Project under Grant 825618, and in part by the ADAPT Science Foundation Ireland (SFI) Centre for Digital Media Technology funded by Science Foundation Ireland through the SFI Research Centre Program Co-Funded under the European Regional Development Fund (ERDF) under Grant 13/RC/2106_P2.
Uncontrolled Keywords: Companies,Europe,GDPR,General Data Protection Regulation,Law,Privacy,Technological innovation,Usability,accountability,consent,consent receipt,personal data,web,General Computer Science,General Materials Science,General Engineering
Publication ISSN: 2169-3536
Last Modified: 15 Jul 2024 08:18
Date Deposited: 23 Mar 2022 10:01
Full Text Link:
Related URLs: https://ieeexpl ... ocument/9730898 (Publisher URL)
PURE Output Type: Article
Published Date: 2022-03-08
Published Online Date: 2022-03-08
Accepted Date: 2022-03-02
Authors: Jesus, Vitor (ORCID Profile 0000-0002-5884-0446)
Pandit, Harshvardhan J.



Version: Published Version

License: Creative Commons Attribution

| Preview

Export / Share Citation


Additional statistics for this record