Open in app

Sign in

Write

Sign in

Building a Consent Management System for Web 3.0

Affinidi Pte. Ltd.
10 min readJun 9, 2022

Introduction

There is a greater emphasis on privacy and security today than ever before as more people strive to preserve their digital identities from misuse by cybercriminals and organizations that harvest personal data for advertising purposes.

In parallel, governments and regulators are pushing to improve online privacy , resulting in the proliferation of data protection legislations like the GDPR in the EU. As a result, both from a legal and ethical perspective, there is a growing urgency among companies to protect individuals’ privacy by empowering them to decide how and where their data is used.

An integral part of this process is a consent management system that explicitly informs users about how their data will be used, so users can make an informed decision about which data usage policies they agree to. While there are many consent management systems available today, not all of them are geared for Web 3.0 — widely regarded as the future of the Internet.

In this blog, we will be talking about the benefits of implementing consent management using an emerging standard known as Verifiable Credentials (VCs). We will also dive deep into Affinidi’s consent manager and what it can do for you.

What is Consent Management?

Consent management is the process or system where customers determine what personal data they are willing to share with a business and/or third parties. This user empowerment is a central theme of Self-Sovereign Identity, a powerful framework that allows users to be the ultimate administrators of their personal data. Further, they can determine what parts of their data are shared, thereby bringing users to the center of the data transaction.

Currently, much of consent management is managed through browser cookies. But this method is far from perfect because users can’t granularly choose to disclose only some parts of their information. Moreover, some browsers are planning to phase out certain types of cookies as early as 2023, due in part to concerns about customer privacy.

Bridging this gap is essential, and this is where Verifiable Credentials (VCs) come into play.

Why Consent Management through Verifiable Credentials?

Verifiable credentials are a machine-readable and tamper-evident W3C standard specification for storing and managing personal information. They come with features that are designed for managing digital identity in a web 3.0 infrastructure. This is why implementing consent management through VCs can help create a streamlined system for the future.

Also, here are more reasons why VCs are ideal for a consent management system.

Machine-readable

One of the key applications of web 3.0 is the Semantic Web, an advanced metadata system that structures and arranges all kinds of data in such a way that it’s readable by both machines and humans.

VCs fit this bill perfectly as they can be read by both machines and humans. Moreover, machine readability enables a host of opportunities for automating business logic surrounding user content and data sharing.

Supports Selective Disclosure

VCs support selective disclosure, in which a user can disclose only the selected data that he or she wants to. For example, if a user wants to disclose just their email ID and not their name or gender, VCs enable this.

Tamper-evident

VCs are tamper-evident and can’t be altered unilaterally without destroying the contents. However, they can be revoked by the issuer or the VCs can expire, and both situations require the issuance of a new VC.

As a verifier or manager of user consents, you can rest assured that if the VC is valid and not expired, then it is authentic.

Follows the Principles of Decentralized Identity

Managing consent through VCs follows the principle of decentralized identity as there are no central authorities involved. Further, these VCs are capable of being shared without using a single repository or database.

Every VC is stored by the user in his or her wallet — either custodially or on the edge — and hence can be highly decentralized.

Compliant with Privacy Laws

Established by the EU, the GDPR aims to give individuals complete control over their personal data, including with whom and how they are shared. Three important data protection and privacy principles of GDPR are:

  • Giving users control over the transactional aspects of their digital identity including its monetization.
  • Free movement of data across the union to enable commerce.
  • The right to be forgotten.

VCs adhere to these principles as users control their data and the same can be shared with anyone in any part of the world securely by the user.

Customer-centric Solution

Existing identity solutions such as federated identity, are designed to give businesses control over all their users’ data rather than putting control in the hands of the customer.

VCs reverse this by putting customers at the center of every data transaction. Such customer-centric solutions are increasingly demanded in the world of web 3.0, and expectations of privacy and portability are expected to continue to rise as the widespread adoption of cryptography shifts the balance of ownership towards end customers.

Secure

VCs use public-key cryptography to secure the contents, making them well-protected from hackers and untrusted third parties.

Further, the effort and resources needed to expose the data of a single VC are extremely high in proportion to the reward. Compare this to the traditional system of centralized database, in which, gaining access to one database provides access to potentially millions of customers’ information.

All these make it clear why the concepts of decentralized identity provide a far safer option for storing sensitive data.

Introducing Affinidi’s Consent Manager

Affinidi’s Consent Manager is a privacy and data protection solution that enables application owners and organizations to manage end-customers’ consent through VCs.

Our consent manager is designed as a plug-and-play solution that can integrate with your existing or future applications, and can scale well with your business growth as well.

Broadly speaking, Affinidi’s consent manager empowers administrators to create consent policies and surface them to users to get their consent. Once the user agrees, a VC is generated and stored automatically in the user’s wallet and is also shared with the administrator.

In turn, the administrator can generate a verifiable presentation with some or all of the VCs, and even share proofs of consent with regulatory authorities if required in an audit.

Who should use the Consent Manager?

Affinidi’s consent manager is a generic application that can be used by different entities to get the benefits that matter to them.

It is a good choice for,

  • Developers who prefer to use a plug-and-play module for managing consent across their websites and applications.
  • Users who want to control what information they share and with whom, in order to avail specific services from providers.
  • Communities and individuals who want to build applications in web 3.0.
  • Web apps that require authentication, so users can consent to avail the services offered through the app.
  • Organizations that need to generate reports/audit trails for consent management

If you fall into any of the above categories, you may wonder why you should use Affinidi’s consent manager over other solutions.

Why Use Affinidi’ s Consent Manager?

Affinidi’s consent manager offers many unique features and benefits. Here’s a look at some of them.

  • Provides a tamper-evident and secure way to manage consent
  • Makes it easy to create, update and delete policies, in runtime
  • Follows the principles of decentralized identity management
  • All modules can be reused across applications
  • Integrates with Web and ReactJS
  • Meets compliance with GDPR and other privacy and security regulations
  • Comes with extensive documentation to quickly find all that you need.
  • Backed by technical support on Discord
  • Future-ready and scalable for all web 3.0 applications
  • Supports extensive audits for different internal and external stakeholders.

Now that you know what you gain with our consent manager, let’s get down to the technical aspects.

High-Level Architecture

Affinidi’s consent manager has a simple architecture as it comprises only a small number of modules. This is what makes it easy to implement across any application stack.

Here’s an overview of the architecture.

Components of the Consent Manager

As you can see, the consent manager comprises of two important modules and they are:

  • Consent Manager UI Widget — A pop-up widget that allows users to view the consent policy and approve it. The user can determine the start date for the consent. This is stored as a VC in the user’s cloud wallet first, and on approval, a signed VC is sent to the admin.
  • Consent Manager Admin UI Widget — A UI that allows the admin to create the consent policy. The signed VC from the user is stored in the admin’s wallet for future reference.

Other than these two, we have the optional Consent Management Admin Backend where you can store consent templates to simplify the dev experience. This module also connects to the underlying database. Depending on your implementation, you can choose to connect the Consent Manager UI Widget directly with the Consent Management Admin Backend.

Workflow of the Consent Manager

Moving on, let’s see the consent manager workflow.

Step 1: Create a Consent

The workflow for the consent manager starts with the Admin widget. This is where the Admin of a website or application creates a consent policy for the users.

In this widget, you can create the contents of the consent, the country of jurisdiction, and any other attributes that come with it.

Once you’re happy with the consent, save it.

You can also copy it to a clipboard if you have to collaborate with other team members or get approval from others.

Step 2: Users View the Consent

After the admin saves the content, every user who visits the website or web app can see the consent through the Consent Manager UI Widget. This will pop-up as soon as a user visits the website or wants to use a web app for the first time.

The attributes mentioned by the Admin will be visible to the user, and he or she can choose which of the attributes must be sent to the Admin. Further, the user can determine the start date of the consent and the same will be included in the VC.

After entering these details and reading through the consent, the user can choose to press the “Next” or “Close” button.

If the user chooses the “Close” button, it will be construed that the user has not consented to the terms and conditions mentioned. On the other hand, if the user consents, he or she can press the “Next” button.

Step 3: Enter the Phone Number or Email Address

When the user chooses the “Next” button from the previous screen, he/she will be prompted to enter the email address or phone number associated with their digital wallet, as the VC will be created and stored automatically in it.

A quick note here. A digital wallet is a mobile/desktop app where a user can safely and securely store his or her digital credentials.

After entering the email address or phone number associated with the wallet, the user clicks the “Next” button. If the user doesn’t have a wallet, a new wallet will be created automatically in Affinidi’s cloud wallet.

The consent VC will be shared in this wallet and the user can subsequently access it with the email address or phone number. While logging in the first time, a confirmation code will be sent to the user, and this has to be entered in the next screen.

If the confirmation code matches, a “Success” message is displayed.

As soon as the VC is created, it is also shared with the administrator, and this entity can choose to store it in its wallet. This is later sent to verifiers like regulatory authorities to prove compliance with existing legislation. This VC will contain the DID of the administrator to prove that consent was given to the website/web app maintained by the admin.

Thus, this is the workflow in Affinidi’s consent manager.

Upcoming features

At Affinidi, we constantly strive to create impactful applications. Our roadmap for this product includes the following features

  • End date of consent
  • Automating data sharing or storing based on consent and revocation of consent.
  • Customizing the look and feel
  • Localization support
  • Consent management without email id/phone number
  • Report generation
  • Revocation
  • Customer-facing widgets can be made open source for the community to work on.

If you’re looking for specific features, please reach out to us on Discord, and we will be happy to include them as well.

To learn more about such Web 3.0 and digital identity-based products, join our mailing list.

Consent Management
Decentralized Identity
Privacy
Trusted Data
Data Ownership

--

--

Affinidi Pte. Ltd.

Written by Affinidi Pte. Ltd.

303 Followers

Reclaim your data, Reclaim your Identity, Reclaim Yourself

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams