Campaign · DPV:27560

Stop consent evidence laundering

Stop consent laundering, stop secret surveillance. Petition for a profile that updates the standard toward Digital Consent. DPV:27560 guidance can be interpreted to launder surveillance-by-default as “consent evidence.”

What’s happening

In plain language

A “consent receipt” is supposed to be evidence that meaningful choice happened before identification and surveillance — a record of human control.

But DPV:27560 guidance (and 27560) can instead be interpreted in an identifier-first way: controller-side processing records represented as “consent evidence” (or “privacy receipts”) after tracking has already begun. That is not digital consent. It is post-hoc record-keeping that manufactures the appearance of consent, normalizes surveillance-by-default, and weakens provable accountability.

Why this matters

Safety, security, privacy

Safety

People are pushed into surveillance environments with reduced ability to understand, refuse, or withdraw.

Security

If evidence ordering is not provable, “consent evidence” becomes a tamperable narrative surface.

Privacy

Third-party identifiers inside the record are linkability amplifiers that scale cross-context surveillance.

What we’re asking for

Minimum requirements

We ask DPV maintainers and implementers to adopt guidance that prevents consent evidence laundering.

1. Notice-first sequencing

Anything represented as consent evidence must prove notice occurred before identifier binding and before dpv:Collect / dpv:Use.

You can’t call it consent evidence if tracking started first.

2. Authority + scope-of-authority

Legal basis assertions must be constrained by jurisdiction + competence + constraints + oversight/remedy.

Legal basis claims must be bounded by who can lawfully claim them, where, and under what controls.

3. No identifier-first defaults

Globally stable identifiers must not appear as privileged header elements unless necessity/proportionality and governance constraints are explicitly represented.

Don’t bake cross-context linkability into the default structure.

4. Third-party constraint

Third parties and their identifiers must not appear without explicit disclosure, roles, and transfer context.

No hidden parties and no silent identifier sharing.

5. Integrity + reciprocity

Where consent is the legal basis, evidence should be tamper-evident and independently retainable by the individual.

Consent evidence must be durable, verifiable, and not controller-editable.

Add your name

Sign the petition

Support a DPV-aligned profile that preserves digital consent: PII-Principal-controlled identifier binding and recipient choice. The petition is delivered to DPV:27560 maintainers and implementers with the minimum requirements above.

  • Your signature supports notice-first, authority-scoped guidance.
  • You can ask to be listed publicly as a signatory (opt-in).

Notice — how your information is used

Controller: Global Privacy Rights, https://globalprivacyrights.org. Controller identity record: /.well-known/transparency/cir.json

Contact for access, correction, or deletion: rights@globalprivacyrights.org (acknowledged within 7 days, resolved within 30).

What is collected: your name, email, and location; optionally your organization and a short comment.

Purpose: to administer the petition (count and verify signatures), and only if you opt in, to send campaign updates.

Lawful basis: your consent. Retention: held until the petition concludes, then deleted; deleted sooner on your request or withdrawal.

Your rights: access, correction, deletion, and withdrawal at any time via the contact above. Full rights notice: globalprivacyrights.org/privacy/rights. The controller identity and this notice are inspectable at the transparency endpoint above.

Read the research

Security and privacy considerations

Independent safety, security, and privacy analysis of the “consent evidence laundering” risk:

Share