Description
This comment is in reference to
"Note: Distinction between Privacy Notice and Consent Notice in particular DPV interpretation of GDPR is not proportionate to context of online notice, and uses brick and mortar data protection terms to describe online data processing permissions.
"In DPV, the concepts dpv:PrivacyNotice and dpv:ConsentNotice have different intended meanings - a consent notice is a specific privacy notice associated with consent, most commonly providing information in order to request consent. Whereas, a privacy notice can also refer to other documents providing information, such as what is commonly called as 'privacy policy'. For the purposes of the consent record, both documents can be included, but dpv:ConsentNotice MUST be used when referring to the notice used for providing information for consent."
There is easily a debate to be had that all notice, notifications, disclosures (the three general categories of notice), when read by an individual, are read with the consent of the person, as it is not possible to force people to read notice. This is important in an Online notice context, where it can be assumed the individual is using the legal basis of consent to interact with online software and digital identification (security, tracking and surveillance technologies). Until the GDPR, notice and consent were combined in law. Even now, new regulations still refer to consent, to include notice as this has developed from human consent, into legal policy, with data protection law, where people physically provided explicit consent to a very specific notice.
The Online notice and consent standard 29184 - and 27560, focus is not physical, yet legal terms and contexts in DPV are specified with analogue privacy terms. In addition, regardless of the legal justification for surveillance, tracking, digital identification, or AI, a notice record can be used to provide a consent receipt, which (like in banking) can be used for a secondary purpose of use, with the legal basis of consent. All signs and types of notices can be captured and the use of the surveillance can be enabled with a consent receipt.
To this point - Consent notice - is a made-up new term - which appears to be invented in DPV. The term Consent Notice is inaccurate, and does not take into account that in democratic society, Notice (and surveillance / legitimate interest) signs are required (which is the original research behind notice, transparency, and eventually consent). This topic was the focus of my MSc in Surveillance Research, published in a university textbook - taught in US, Canada and UK --> Towards a Framework of Contextual Integrity legality, trust and compliance of CCTV Signage, p 295
In addition, it does not provide for innovation in legal transparency, wherein a notified record of processing activity (a record of Notice) is required for all data processing activities, according to the legal justification. Whether it is an audit logged, notified to the Data Controller (or delegate) for example Airport Facial Recognition, or for Age Estimation Assurance, fraud, and the like.
A very similar set of problems occurred in the banking industry, prior to the common use of transaction receipts. The same issues of transparency were in the banking system, lots of people ripped off constantly, with no recourse, until the introduction of receipts (for which there is no law mandating them).
This democratised and decentralised the governance of currency, enabling business to scale and innovate. People could return and exchange goods.
Recommendations:
- Clarify if online notice for consent or not
- Update notice types - online (or digital notice) - referring to the first instance or record of interaction capture - which is required to be the presentation of the Controller Identification - prior to processing activities. See the newly released for comment - ANCR - Transparency Performance Report - Valid Consent now posted for comments
- Notification, can be referred to any subsequent notice in a notified record of processing activity, or a Standard Online Notice Record.
- A Privacy or Security Risk Disclosure is required when risks are not mitigated in the context, for example crossword data transfers, transfers of data under different governance instruments, that are not adequate, and it is up for debate as to whether what is considered a privacy policy online - is actually a disclosure of practices
- These Categories can be further broken down, for example Notification Types, Privacy Statement, or Digital Privacy Statement, Visual Privacy Signal (from a trustmark) and/or privacy broadcast, for those contexts where the collection of data is indirect, and public notice is required.