Consent implementation with Pryv.io

Table of contents

  1. Introduction
  2. How to collect consent with Pryv.io
    1. Consent request
    2. Hands-on example
  3. References

Introduction

Managing consent is a critical issue for many developers when building personal data collecting applications. More than a checking-box option, it is what allows users to keep control over their personal information and businesses to keep track of data-related accesses and the purposes for which each data can be used.

This guide describes how Pryv.io implements consent to satisfy existing and forthcoming data protection and privacy requirements.

Explicit consent is one of the most challenging legal basis to satisfy, as it only allows you to collect data for specific purposes the data subject consented to; meaning that you must provide him with a clear explanation on what you are willing to do and obtain explicit permission.

However, consent can sometimes be implicit. For example, when hospitals need to collect and process personal data from emergency patients, or when a doctor shares a patient's data to a colleague to get a second opinion. In this case, your legal justification for processing personal data will not be "consent", but another one that would have been carefully defined as required by art. 6 GDPR. If explicit consent is not your legal basis, we recommend that you go directly to the API Reference to learn how to create an access token and track actions performed with it. Indeed, regardless of the legal basis on which you process personal data, you are still accountable for the actions performed on your users' data and need to ensure appropriate data audit capabilities (access control right).

In what concerns consent as a lawful base, Pryv made it easy for you: in the next few paragraphs, we will show you how to achieve it by simply building your app on top of Pryv.io.

Privacy is embedded as default in Pryv, with dynamic consent as its cornerstone for organizations to account for privacy when building their products and apps on top of Pryv.io.

Data in Pryv.io accounts is organized in streams and events, and accesses are distributed over streams. This means that when you wish to collect/process particular data from your app user, you actually need to request access on the "stream" in which this particular data is located.

Let's keep things simple for now; thus, suffice to say that consent from the user will focus on "streams". If you wish to learn more about the Pryv.io Data Model, you can do so in this tech guide or this video.

With Pryv.io, we are aiming at implementing a way of collecting consent that is straightforward, transparent, and meets the very specific requirements of the regulation: freely given, specific, informed and unambiguous (Article 4 of the GDPR).

Below are the step-by-step instructions on how to request consent from your user:

You will need to customize a few parameters to adapt it to your needs and ensure that you collect data from your users in the right way. In the auth request that the app will perform, the parameter clientData will be the one containing the consent information:

{
    "app-web-auth:description":
        {
            "type": "note/txt",
            "content": "This is a consent message."
        }
}

The consent request must follow very specific requirements that you need to keep in mind when customizing your consent message:

The parameter requestedPermissions of the auth request contains details about the data that will be collected, meaning the concerned streams from the user's Pryv.io account and the level of permission required on these streams (read, write, contribute or manage):

{
    "streamId": "diary",
    "defaultName": "Journal",
    "level": "read"
}

If the user decides to "Accept" the consent request, the web page will open the authenticated Pryv API endpoint and grant access to the app on the requested streams:

This will return information about the access in use:

{
    "name": "demo-request-consent",
    "type": "app",
    "permissions": [
        {
            "streamId": "diary",
            "level": "read"
        }
    ],
    "clientData": {
        "app-web-auth:description": {
            "type": "note/txt",
            "content": "This is a consent message."
        }
    },
    "user": {
        "username": "mariana"
    },
    "id": "ckg9hiq4o008n1ld3xy7t46d6",
    "token": "ckg9hiq4n008m1ld3uhaxi9yr",
    "created": 1602685422.023,
    "createdBy": "ckbi19ena00p11xd3eemmdv2o",
    "modified": 1602685422.023,
    "modifiedBy": "ckbi19ena00p11xd3eemmdv2o",
    "meta": {
        "apiVersion": "1.6.7",
        "serverTime": 1602860299.642,
        "serial": "2019061301"
    }
}

Hands-on example

Let's illustrate the consent request process with a practical example. Bob wishes to invite Alice on a date to a restaurant but doesn't know her food preferences. He wants to request access on Alice's stream "Nutrition" to subtly analyze what she likes to eat...How can he do so?

He must prepare the payload for the Auth request containing:

The payload looks as following:

{
    "requestPermissions": [{
        "streamId": "nutrition",
        "defaultName": "Nutrition",
        "level": "read"
    }],
    "clientData": {
        "app-web-auth:description": {
            "type": "note/txt",
            "content": "Hi there! This is Bob. I'd really like to know more about what your tastes and preferences, and I'd need your approval to read personal information from your stream Nutrition. If you consent to share it with me, please click on Accept. 

            You have a certain number of rights under the GDPR: the right to access personal data I may hold about you, the right to request that I amend any personal data which is incorrect or out-dated, and the right to request that I delete any personal information that I have about you. If you'd like to exercise any of these rights, please contact me at bob@privacy.com."
        }
    },
    "requestingAppId": "Alice's food preferences"
}
Before sign in and consent request After sign-in and accepting consent request
app-1 app-2

Bob is now ready to discover what Alice really likes...

References

Data privacy requirements and legislation

For more information about how the GDPR requirements affect Swiss companies, you can read our article "GDPR, Swiss DPA & ePrivacy – what Swiss companies should know".

Personal data scope

You can find more information on what is defined as "personal data" in our FAQ.

Data modelling

Pryv.io Data Model is summarized in this video. To learn how to model your data into streams and events, you can check our tech guide on data modelling.

Web app examples

You can found our sample web apps in our Github repository.