Re: Purpose categories in the online context

Hi Harsh et al,

The purpose category as specified in the consent receipt has been an on-going work item for the CR v1.1 work and apart of the common record structure used for receipts.  This was not defined in v1.1 of the Consent Receipt, as we did not have the complete information.

Also, we were examining the references to these elements from multiple sources, like the GDPR category of controller and the PII Controller Category.  In the past we had thought that this was inhereted through the  Industry or Sector sic codes or code of practice.

Now, it is clear through the review of Governance frameworks like NIST privacy framework,  Surveillance Codes of Practice and other industry related governance programs that the Purpose Category is also the Operator Category, it can be formally defined by an industry code of conduct, or it can be defined by the context in which a notice receipt (or consent receipt is created)

In addition, this purpose category is also referred to as the fiduciary category, in that for sensitive personal data  categories. An explicit consent requires often legally requires informed consent,  knowledgable consent, and now with PIPEDA. Meaningful consent, each with different legal scope and requirements for a legal notice for processing.

Going forward it is clear that governance frameworks are competing on certifying operator categories for fiduciary data governance transparency and I think this new use of this category is big development and driver for future use of the DPV.

In the CR update the purpose category field is defined as a field selected by the operator or defined by the context of use as recorded in a receipt, and is often defined by the industry body or association which governs the data operating context.

In some uses, the purpose category is called the operator category in implementation, where a certification program and auditing organisation runs the operator governance framework which controllers can subscribe too.  Recommend referring to industry for formal definitions, leaving it as self selecting, or creating a generic category base.

E.G - Video Surveillance Operator, Data Trust Operator,

- M



On 30 Jun 2020, at 09:40, Harshvardhan J. Pandit <me@harshp.com<mailto:me@harshp.com>> wrote:

Hi Georg, Everyone.
Thank you for suggesting the purpose categories.

There are two things within the email that I want to separate in terms of context here: purpose and purpose category.
My interpretation of this is that the category is a top-level abstract concept and the purpose is a more specific iteration of it.

1) Network Communication
- I honestly do not understand this in terms of 'purpose', but from what little I can grasp - it concerns network connectivity? Someone better informed about this should identify how this fits with the DPV taxonomies.
- As an additional note on the email: We do not quantify within the DPVCG (yet) about the legal bases required for certain purposes. Therefore, I have ignored aspects of legal bases e.g. requires consent
- This raises an interesting body of work: should the DPV provide a way to associate legal bases for specific purposes or processing items or personal data categories (or combinations thereof). From my pov - this is specifying policies and interpretations of laws. So if there is interest - we should note it as an use-case and work on best supporting it in terms of providing necessary vocabulary.

2) Essential functionality
- This is again completely subjective given that essentiality changes with context. I also do not understand this as a purpose category.
- In line with the earlier point - should DPV provide a way to indicate a purpose is 'essential', or to put it in more legal terms - specify a purpose as based on a certain legal basis such as legitimate interest or legal obligation to indicate it is not optional.

3) Analytics
- This is tricky for me to clarify. DPV does not have 'analytics' as a purpose because (if I remember the workshop discussions correctly) we decided that whatever the analytics is being used for is the actual purpose e.g. personalisation, optimisation.
- So within this context, how to indicate analytics as a (sub-)purpose associated with a larger purpose? Is 'analytics' possible to be expressed as a combination of analytics (processing) for personalisation (purpose)

4) Advertising
- DPV does not contain 'advertising' as a purpose category (again some discussion happened at the workshop)
- DPV does contain personalised products, recommendations, benefits. So where does 'advertising' fit in to these?
- To me, when 'advertising' is a purpose it means 'personalised advertising' -> which should be a subset of personalised recommendations? Is there some weird cross with Marketing here?

5) Cloud infrastructure and traffic distribution
- I don't understand this as a 'purpose' - same issue as (1) network
- Seems to me that this is relevant to 'Service Provision' that is present in DPV?

6) Communication
- Where does this fit into the existing DPV taxonomy?
- We have customer care, is this the same?

7) Document consent
- alternative title for this should be 'record consent' which is IMHO more clear and consistent with common usage
- I would suppose this is a legal requirement, so as a purpose where does this fit? Service Provision?
- This also brings up the larger issue of what to call purposes that are there because they are legal obligations e.g. share data with the authorities

8) Content Management
- This falls under Service Provision IMO
- However, the definition notes that this applies also to 3rd party content including advertising - so I'm skittish about this because this makes the purpose not independent of advertising

9) Customer Management
- DPV has customer care - but the definition is different from Signatu's
- Customer Management here is defined in terms of registering prospective customers etc -> is this profiling? is this analytics?

10) E-commerce
- DPV has sell products to data subject

11) Marketing
- DPV does not have marketing, we have dpv:CreateProductRecommendations which meantions svpu:Marketing (SPECIAL) as a related term
- IMHO it should have marketing as a basic purpose category
- Note: Personalised Marketing is then a subset of Marketing

12) Optimisation
- DPV has optimisations for consumer, controller, optimisation of UI/UX

13) Payment
- DPV does not have payment
- IMHO it should have payment - but the title needs to better reflect its indication of transaction
- Fraud Prevention and Detection - which is mentioned in the description of payment in Signatu's description, is present in DPV
- This raises the issue of purpose dependencies - here fraud detection is a 'sub-purpose' of payment. How to specify this using the DPV?
- When done by subclassing both (payment + fraud detection), it is not clear which is 'primary' and 'secondary' in terms of application here.

14) Personalisation
- DPV provides personalisation for recommendations, benefits, and service personalisation
- Signatu's description mentions ads and user profiling which are different purposes (continuing from previous points on this)

15) Survey and Reviews
- Not sure how one would intepret this, but DPV has R&D as well as improvement of existing products
- IMHO provision of a survey is not a purpose into itself. It is what is being done with the survey data that is the purpose. So if it is understanding user requirements - then the purpose should be analytics or R&D (AFAIK)
- Other aspects mentioned in the description e.g. review, rate service, read other reviews - seem to me to be Service Provision

16) Search
- Service Provision?

17) Security
- DPV has Security as a purpose but the description only mentions data which IMO should be amended to a more generic description of security

18) Single Sign-on
- DPV has identity verification - so this would be a subset of that?
- Defining this purpose seems to imply using a third-party for identity verification purposes

19) Social Media
- Isn't this part of Marketing?

20) Tag management
- I don't know what this purpose means or how this relates to purposes in DPV

21) Registration and Authentication
- IMO this is covered with Identity Verification

Regards,
Harsh


On 23/06/2020 10:36, Georg Philip Krog wrote:
Dear DPV folks,
Signatu contributes to the DPV with some *purpose categories* (in the table below).
These are typical processing purposes of the 3rd parties (in Signatu 3rd party registry) that load remote resources on websites to track end users.
Some of these categories overlap with those in the existing DPV.
Purpose category Tag vendorCategoriesDescription Purpose
Network Communication signatu:network-communication Site sets cookies to carry out the transmission of a communication over an electronic communications network (to route information over a network by identifying the communication ‘endpoints’, or to exchange data items in their intended order, or to detect transmission errors or data loss) Does not require consent. to transmit users’ communication to us and from us back to users over an electronic communications network. If the cookies are disabled, the requested functionality will not work.
Essential Functionality signatu:service-provision A resource used on a site that 1)the user takes a positive action to request the service with a clearly defined perimeter, 2)is strictly needed to enable the service; if the resources are disabled, the service will NOTwork. Does not require consent. to deliver this service as requested by the user. If the cookies are disabled, the requested functionality will not work.
Non-essential Functionality signatu:service-functionality A resource used on a site that 1)the user did NOTtake a positive action to request the service with a clearly defined perimeter, 2)is NOTstrictly needed to enable the service; if the resources are disabled, the service will work. Requires consent. to deliver functionalities that the user did not request or that are not strictly needed to enable the service. If the cookies are disabled, the requested functionality may not work.
Analytics signatu:analytics A platform that measures and reports user interaction with a website.  to report user behaviour and events on this service and traffic on pages.
Advertising signatu:audience-targeting A provider of technology and data to define a target audience of a target market for a particular advertisement or message. to deliver to users personalised adds that we predict users like to view based on users’ profile and previous browsing behaviour.
Cloud Infrastructure and Traffic Distribution signatu:cloud An infrastructure of servers, software and network to support computing in a cloud computing model. to distribute the content of this service, analyze the data to optimize server performance, or to find and resolve problems of our software that prevent its correct operation.
Communication: email, phone, sms, chat, push messages signatu:communication A technology that enables communication bewteeen parties such as email, phone or chat between a website and its users. to communicate with users via email, phone, sms, chat or push messages regarding your requests.
Document Consent signatu:compliance A technology that enables a website or app to comply with the law, such as a Consent Management Platform that records end users consent. to record users’ consent events, dates and times of consents, user IDs or unique cookie IDs.
Content Management signatu:content-management A platform to manage the 1st and 3rd party content (including advertising) of a website. to enable users to view, listen to and interact with content delivered on a page of this service.
Customer Management signatu:crm A platform that registers prospective, existing and lost customers. to register prospective, existing and lost customers to track sales.
E-commerce signatu:e-commerce A platform that sells products and/or services online. to offer and carry out sales of products and services online.
Marketing signatu:marketing-tool A technology that enables companies to market their services and/or products. to register users’ phone number and/or email on our marketing phone list and/or email list, and to phone you, send you sms, send you email messages and/or web and mobile push messages. These messages contain information about our products, services, promotions. You can unsubscribe at any time.
Optimisation signatu:optimisation A platform that enables websites, apps etc to improve sales and users’ experience. to test and compare versions of a page of this service to know which version that performs best, and to identify and correct errors in our software.
Payment signatu:payment A platform that transacts a payment. to process users’ payment transactions, and send emails to users regarding users’ payments, and to monitor, prevent and detect fraudulent payment transactions.
Personalisation signatu:personalisation A technology that enables the creation of user profiles and showing users content or ads that are tailored to the interests and preferences of the user. to deliver to users content that we predict users like to see on this service.
Surveys and Reviews signatu:reviews A platform that enables users to review and rate a service and/or a product, and also to read other users’ reviews. to collect users’ market research answers or enable users to review and rate a service or a product or to read other users’ reviews.
Search signatu:search A web search engine that searches the World Wide Web in a systematic way for particular information specified in a textual web search query. to search for particular information specified in users’ textual search query.
Security signatu:security A technology that enables breach protection. to find security flaws, monitor our software for compromise, contain threats, and protect and secure our own and our users' environments.
Single Sign On signatu:single-sign-on A technology that enables users to use one set of login credentials (e.g., name and password) to access multiple applications. SSO can be used by enterprises, smaller organizations to sign up or log in to this service by using social media authentication credentials.
Social Media signatu:social A platform that enables users to interact, communicate and share content with other users. to optimise the advertisement and increase economic opportunity of this service by making it visible on social media.
Tag Management signatu:tag-management A technology used by websites to more easily activate, deactivate and manage 3rd party technologies, and, more recently, the data that they collect. to activate or deactivate the technologies (tags, scripts etc) used on this service.
Registration and Authentication signatu:verification A technology that enables a website or an app to authenticate users and prevent fraud. to register, authenticate and identify users to enable users to sign up or log in to this service.
Best regards,
--
Georg Philip Krog
signatu <https://signatu.com<https://signatu.com/>>

--
---
Harshvardhan Pandit, Ph.D
Researcher at ADAPT Centre, Trinity College Dublin
https://harshp.com/research/