Technical Infrastructure & Services
The Open Privacy Network (OPN) provides regulator-grade transparency infrastructure enabling active-state signalling, consent verification, and distributed governance at internet scale. Built upon international standards and designed for cross-border interoperability, OPN creates a foundation for trust in digital interactions whilst maintaining individual privacy control and regulatory oversight capabilities.
Technical Background & Architecture
Controller Registry
Public registry of verified PII Controllers with transparency performance indicators, enabling trustworthy identification and accountability across jurisdictions.
Notice Event Ledger
Immutable audit trail of consent exchanges and authorisation events, providing regulatory-grade evidence for compliance and enforcement.
Gateway Services
API infrastructure for machine-readable notice, consent records, and verification, enabling seamless integration with existing systems.
Micro-Credential System
Verifiable credentials for DPO certifications and signed consent receipts, establishing professional authority and authenticity.
Core Design Principles
Decentralised Governance
The OPN operates without a central authority controlling consent decisions. Distributed verification and validation mechanisms ensure no single point of failure or control, whilst regulatory oversight operates through transparency rather than intermediation. Individuals maintain sovereign control over their authorisations, with the infrastructure simply providing the rails for these decisions to be recorded, verified, and respected across participating organisations.
Privacy-by-Default
The architecture employs Controller-ID instead of User-ID in initial exchanges, fundamentally inverting the traditional model. Minimal data disclosure patterns ensure that organisations identify themselves before users need to authenticate. Anonymous interaction remains the default until authentication is explicitly chosen by the individual, with selective attribute disclosure preventing unnecessary data exposure.
Standards-Based Foundation
The OPN is built upon the ISO/IEC 27560 Consent Record Information Structure, W3C Verifiable Credentials and Data Privacy Vocabulary, OAuth 2.0, and OpenID Connect, and is aligned with Convention 108+ legal frameworks. This standards-based approach ensures broad compatibility, reduces implementation barriers, and provides a common language for consent across systems and jurisdictions.
Regulatory Grade Infrastructure
Comprehensive audit trails support investigation and enforcement activities by regulators. Transparency performance measurement provides quantifiable metrics for compliance assessment. Cross-border accountability mechanisms enable international cooperation, whilst compliance reporting automation reduces administrative burden on both organisations and regulatory authorities.
Human Consent Protocol Specification
Protocol Architecture
The Human Consent Protocol defines standardised patterns for consent exchange, fundamentally transforming how organisations and individuals interact around privacy and data processing.
Traditional Black-Box Model
User → [User-ID] → Organisation → Privacy Policy
In traditional systems, users are identified immediately, and personal data is shared before they truly understand the scope of processing. Privacy policies are presented after the fact, creating an imbalanced power dynamic where organisations hold all the information whilst individuals are expected to make informed decisions without proper context.
Anchored Glass-Box Model
User → [Controller-ID] → Notice Receipt → Organisation
The anchored model inverts this relationship. Organisations identify themselves first using their Controller-ID, whilst users remain anonymous initially. This creates transparency before transaction, allowing individuals to review what will happen with their data before deciding whether to proceed with authentication or authorisation.
Technical Flow
  1. Notice Publication - Organisation publishes machine-readable notice with Controller-ID, making their processing intentions clear and verifiable before any user interaction.
  2. Anonymous Notice Pull - User pulls Notice Receipt using Controller-ID without any authentication required, preserving anonymity during the crucial information-gathering phase.
  3. Ledger Anchoring - Notice Receipt is anchored in the Notice Event Ledger, creating an immutable record of what was presented to the user at that specific moment.
  4. Informed Review - User reviews notice before deciding to authenticate or authorise, ensuring decisions are made with full information about processing purposes and scope.
  5. Consent Recording - If user proceeds, consent record is issued and signed by certified DPO, creating a legally binding and verifiable record of the agreement.
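The Anonymous Notice Pull, Ledger Anchoring and Informed Review steps, sketched as an added example (not OPN code and not part of any OPN SDK): a hash-chained ledger stores only the digest of the notice that was served, and the receipt the anonymous user keeps lets them detect both a notice changed after the fact and a rewritten ledger entry. The class, field names, Controller-IDs and notices are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value used by the first ledger entry


def canonical(obj):
    """Deterministic JSON bytes, so the same notice always yields the same digest."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def digest(obj):
    return hashlib.sha256(canonical(obj)).hexdigest()


class NoticeEventLedger:
    """Append-only, hash-chained log (illustrative model, not the OPN ledger)."""

    def __init__(self):
        self.entries = []

    def anchor(self, controller_id, notice, pulled_at):
        """Record what was served. No user identifier is stored: the pull is anonymous."""
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "controller_id": controller_id,
            "notice_digest": digest(notice),
            "pulled_at": pulled_at,
            "prev_hash": prev,
        }
        entry = dict(body, entry_hash=digest(body))
        self.entries.append(entry)
        # The Notice Receipt is the part the user keeps outside the ledger.
        return {k: entry[k] for k in ("seq", "notice_digest", "entry_hash")}

    def verify_chain(self):
        """Return the index of the first inconsistent entry, or -1 if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if (entry["seq"] != i or entry["prev_hash"] != prev
                    or digest(body) != entry["entry_hash"]):
                return i
            prev = entry["entry_hash"]
        return -1

    def verify_receipt(self, receipt, notice):
        """True only if ledger, user-held receipt and the notice text all agree."""
        if self.verify_chain() != -1:
            return False
        seq = receipt.get("seq")
        if not isinstance(seq, int) or not 0 <= seq < len(self.entries):
            return False
        entry = self.entries[seq]
        return (entry["entry_hash"] == receipt.get("entry_hash")
                and entry["notice_digest"] == receipt.get("notice_digest") == digest(notice))


def demo():
    ledger = NoticeEventLedger()
    # Constructed sample notices; real notices would be JSON-LD documents.
    notice_v1 = {"controller_id": "ctrl-example-001",
                 "purposes": ["service_delivery"], "retention_days": 90}
    receipt = ledger.anchor("ctrl-example-001", notice_v1, "2024-01-01T00:00:00Z")
    ledger.anchor("ctrl-example-002", {"purposes": ["billing"]}, "2024-01-01T00:05:00Z")

    matches_original = ledger.verify_receipt(receipt, notice_v1)

    # The controller later widens the purposes: the old receipt no longer matches.
    notice_v2 = dict(notice_v1, purposes=["service_delivery", "ai_training"])
    matches_edited = ledger.verify_receipt(receipt, notice_v2)

    # The ledger itself is altered to agree with the new notice: the chain breaks.
    ledger.entries[0]["notice_digest"] = digest(notice_v2)
    first_bad_entry = ledger.verify_chain()
    return matches_original, matches_edited, first_bad_entry


if __name__ == "__main__":
    print(demo())
```

Because the receipt carries the entry hash, a rewrite of the newest entry with a recomputed hash still fails `verify_receipt` even though the chain alone looks consistent.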
Consent Receipt Structure (ISO/IEC 27560)
Required Fields
  • Controller identity and contact information
  • Purpose of processing with specific use cases
  • Legal basis for processing under applicable law
  • Data categories and retention periods
  • Third-party disclosures and transfer mechanisms
  • Individual rights and access procedures
  • Consent preferences and scope limitations
  • DPO signature and timestamp for authenticity
Optional Fields
  • Consent token for AI training provenance
  • Micro-credentials for attribute verification
  • Delegation and authorisation chains
  • Revocation mechanisms and procedures

Why ISO/IEC 27560?
This international standard provides a common structure for consent records, enabling interoperability across systems and jurisdictions whilst ensuring all essential elements are captured for regulatory compliance and individual rights protection.
Consent Token Infrastructure
Provenance Verification
Consent tokens enable verification of data provenance for AI training, ensuring that datasets can demonstrate lawful basis and appropriate consent for secondary processing purposes.
Reusable Credentials
Micro-credentials allow attribute verification without exposing raw data, enabling privacy-preserving authentication and authorisation across services and applications.
Dynamic Authorisation
Real-time consent checks ensure that processing only occurs when active, valid consent exists, preventing reliance on stale or withdrawn authorisations.
Audit Trails
Comprehensive audit trails for secondary purpose use provide evidence of lawful processing and enable individuals to see exactly how their data has been utilised.
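A fail-closed check combining the required-field list under Consent Receipt Structure with the Dynamic Authorisation rule above, as an added example rather than OPN code. The key names, the `expires_at` field, the shape of the revocation map and the sample record are assumptions made for illustration, and the check only tests that a DPO signature is present; it does not verify it.

```python
from datetime import datetime, timezone

# Illustrative keys standing in for the page's required-field list.
# They are assumptions, not ISO/IEC 27560 field names.
REQUIRED_FIELDS = (
    "controller", "purposes", "legal_basis", "data_categories",
    "retention", "third_parties", "rights", "preferences",
    "dpo_signature", "issued_at",
)

# Constructed sample record.
SAMPLE = {
    "consent_id": "cr-0001",
    "controller": {"id": "ctrl-example-001", "contact": "dpo@controller.example"},
    "purposes": ["service_delivery"],
    "legal_basis": "consent",
    "data_categories": ["email"],
    "retention": "P90D",
    "third_parties": [],          # an empty list is a valid statement: no disclosures
    "rights": "https://controller.example/rights",
    "preferences": {"marketing": False},
    "dpo_signature": "constructed-placeholder",
    "issued_at": "2024-01-01T00:00:00Z",
    "expires_at": "2025-01-01T00:00:00Z",   # assumed field bounding validity
}


def missing_fields(record):
    """Required keys that are absent, empty strings or null."""
    return [f for f in REQUIRED_FIELDS
            if f not in record or record[f] in ("", None)]


def parse_ts(value):
    """Parse an ISO 8601 timestamp and reject values without a timezone."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError("timestamp has no timezone")
    return ts


def authorise(record, purpose, now, revocations):
    """Return (allowed, reason); every uncertain case is a denial.

    now         -- timezone-aware datetime of the processing request
    revocations -- maps consent_id to the set of withdrawn purposes,
                   with "*" meaning a global withdrawal
    """
    missing = missing_fields(record)
    if missing:
        return False, "incomplete record: " + ",".join(missing)
    try:
        issued = parse_ts(record["issued_at"])
        expires = parse_ts(record["expires_at"])
    except (KeyError, ValueError, AttributeError):
        return False, "unparseable validity window"
    if not issued <= now < expires:
        return False, "outside validity window"
    if purpose not in record["purposes"]:
        return False, "purpose not in scope"
    # Looked up at request time, so a withdrawal takes effect immediately
    # instead of waiting for a cached copy of the record to expire.
    revoked = revocations.get(record.get("consent_id"), set())
    if "*" in revoked or purpose in revoked:
        return False, "consent withdrawn"
    return True, "active"


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    print(authorise(SAMPLE, "service_delivery", now, {}))
    print(authorise(SAMPLE, "ai_training", now, {}))
    print(authorise(SAMPLE, "service_delivery", now, {"cr-0001": {"*"}}))
```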
Universal Transparency Privacy Controls
Technical Implementation
API Endpoints
GET /controller/{controller-id}/notice
POST /consent/create
GET /consent/{consent-id}
PATCH /consent/{consent-id}/revoke
GET /user/consent-history
GET /user/third-party-disclosures
POST /rights/access-request
Authentication Methods
  • OAuth 2.0 authorisation flows for secure delegation
  • OpenID Connect identity integration for federated authentication
  • Verifiable presentation protocols for credential sharing
  • Zero-knowledge proofs for selective disclosure without data exposure
Data Formats
  • JSON-LD for machine-readable notices with semantic context
  • W3C Verifiable Credentials for tamper-evident consent receipts
  • ISO/IEC 27560 structure for standardised consent records
  • Schema.org extensions for transparency metadata and discoverability

Developer Resources
Comprehensive API documentation, SDK libraries in multiple languages, and sandbox environments are available to support rapid integration and testing.
Control Interface Standards
Access Controls
  • View consent history with full audit trail
  • Download portable consent receipts
  • Verify third-party controller identities
  • Request data access reports
Authorisation Controls
  • Grant granular purpose-specific permissions
  • Revoke consent for specific purposes or globally
  • Authorise secondary uses (including AI training)
  • Manage delegation and proxy authorisations
Preference Controls
  • Set default authorisation levels
  • Configure notification preferences
  • Establish trust policies for controller verification
  • Define acceptable use parameters
These universal controls provide individuals with meaningful agency over their personal data across all participating organisations. The standardised interface ensures consistent experience regardless of which controller is processing data, whilst the technical infrastructure guarantees that preferences are respected and can be verified through audit trails.
Controller Registry Architecture
Registry Components
Controller Profile
Each registered controller maintains a comprehensive profile containing legal entity identification, contact information including DPO and privacy inquiry channels, jurisdiction and regulatory authority relationships, unique Controller-ID issuance, and TrustMark status with associated performance level.
The profile serves as the authoritative source of truth for controller identity, enabling both individuals and systems to verify legitimacy before engaging in data processing relationships. Regular audits and updates ensure profile accuracy and currency.
Transparency Performance Indicator Report (TPI-R)
The TPI-R provides quantifiable metrics for transparency quality:
  • Notice accessibility score measuring how easily individuals can access and understand privacy notices
  • Consent infrastructure completeness assessing implementation of required consent mechanisms
  • Rights access responsiveness tracking timeliness and quality of data subject request handling
  • Third-party disclosure transparency evaluating clarity around data sharing practices
  • Overall transparency rating providing at-a-glance assessment of controller performance
Verification Mechanisms
Multi-layered verification ensures registry integrity:
  1. Business Registration - Validation of legal entity status through official registries and documentation
  2. DPO Certification - Verification of Data Protection Officer credentials and authority
  3. Infrastructure Testing - Technical assessment of notice and consent system implementation
  4. Audit Trail Sampling - Review of consent record quality and completeness
  5. Regulatory Endorsement - Recognition or approval from relevant data protection authorities
International Interoperability
The Controller Registry supports multi-jurisdiction operations through carefully designed alignment mechanisms:
Convention 108+ Alignment
Full alignment with the modernised Convention 108, ensuring compatibility with Council of Europe standards and facilitating cross-border data flows amongst signatory nations.
GDPR Adequacy Recognition
Support for GDPR adequacy decisions and mechanisms, enabling seamless operations within the European Economic Area and with recognised adequate jurisdictions.
Australian Privacy Principles
Mapping to Australian Privacy Principles (APPs) ensuring compliance with Australian privacy law whilst maintaining interoperability with other frameworks.
Canadian PIPEDA Integration
Integration with Canada's Personal Information Protection and Electronic Documents Act, supporting consent requirements and accountability obligations.
UK GDPR Compatibility
Post-Brexit compatibility with UK GDPR requirements, ensuring continued operation despite divergence from EU regulations.
Mutual Recognition
Agreements enabling reciprocal recognition of transparency certifications and controller registry entries across participating jurisdictions.
OPN Data Notary Services
Service Overview
Certified OPN Data Notaries provide specialised services for organisations implementing transparency infrastructure. Acting as trusted intermediaries with technical and legal expertise, Data Notaries bridge the gap between privacy requirements and practical implementation.
Harmonisation Services
Standardise notices across jurisdictions, map legal requirements to technical specifications, ensure Convention 108+ and multi-law compliance, and harmonise consent record structures for consistent implementation regardless of operating jurisdiction.
Labelling Services
Create machine-readable privacy labels, tag purposes and data categories for automated processing, classify risk levels for appropriate safeguards, and label AI training data provenance for ethical transparency.
Notification Services
Event-driven consent notifications keeping individuals informed, third-party disclosure alerts for transparency, rights request processing notifications ensuring timely responses, and consent expiration reminders preventing unlawful processing.
Record Management
Consent receipt generation and secure storage, audit trail maintenance for regulatory compliance, version control for privacy notices tracking changes over time, and archival and retention compliance ensuring proper lifecycle management.
Receipt Management
Signed consent receipt issuance with DPO authority, micro-credential generation for attribute verification, consent token creation for AI provenance tracking, and comprehensive verification and validation services.
Certification Requirements
Technical Competency
  • ISO/IEC 27560 implementation expertise for consent record structures
  • W3C standards proficiency including Verifiable Credentials
  • API development and integration capabilities
  • Security and cryptography fundamentals for data protection
Legal Knowledge
  • Multi-jurisdiction privacy law understanding across key frameworks
  • Convention 108+ framework implementation and compliance
  • Regulatory reporting requirements and procedures
  • Rights access procedures and remediation mechanisms
Operational Excellence
  • Service level agreement management and delivery
  • Incident response procedures for privacy breaches
  • Quality assurance processes ensuring consistent service
  • Continuous improvement practices and client feedback integration
Professional Standards
  • Code of Conduct adherence with ethical obligations
  • Confidentiality and ethics in client relationships
  • Conflict of interest management and disclosure
  • Ongoing professional development and skill maintenance
Data Notary Certification Pathway
  1. Prerequisites Assessment - Digital Privacy Officer Level 2 or equivalent certification, minimum 2 years privacy or data governance experience, and technical implementation project portfolio demonstrating practical expertise.
  2. 4-Week Training Programme
     • Week 1: Technical architecture and standards
     • Week 2: Service delivery and operations
     • Week 3: Multi-jurisdiction compliance
     • Week 4: Practical implementation and case studies
  3. Certification Examination - Comprehensive assessment covering technical implementation scenarios, legal compliance cases, service delivery simulations, and ethics and professional judgement evaluations.
  4. Certification Issuance - Verifiable micro-credential issued upon successful completion, professional registry listing, and authorisation to provide certified Data Notary services.
  5. Ongoing Requirements - Annual recertification review, 20 hours continuing education, service quality audits, and professional conduct review ensuring maintained competency.
Gateway Services
Gateway infrastructure connecting AI systems, digital identity platforms, and applications to transparency networks. The Gateway provides the technical bridge enabling real-world systems to participate in the OPN ecosystem whilst maintaining security, performance, and regulatory compliance.
Gateway Capabilities
Machine-Readable Notice Distribution
Controller-ID resolution to notice endpoints enabling automatic discovery, notice versioning and updates tracking changes over time, multi-language notice serving for international operations, and format translation supporting JSON-LD, Schema.org, and other standards.
Consent Verification
Real-time consent status checks preventing processing without valid authorisation, purpose-specific authorisation validation ensuring scope compliance, third-party consent verification for data sharing scenarios, and consent token validation for AI training provenance.
Event Recording
Notice pull event logging creating audit trail of access, consent grant and revocation recording for accountability, rights request tracking ensuring compliance with statutory timelines, and third-party disclosure logging for transparency reporting.
Regulatory Reporting
Automated compliance report generation reducing administrative burden, transparency performance metrics enabling continuous improvement, audit trail export for regulatory investigations, and cross-border flow documentation supporting adequacy requirements.
Gateway Architecture
API Gateway Layer
  • RESTful API endpoints for standard HTTP operations
  • GraphQL query interface for flexible data retrieval
  • WebSocket connections for real-time updates
  • Rate limiting and authentication protecting infrastructure
Verification Layer
  • DPO signature verification ensuring authenticity
  • Micro-credential validation for trust establishment
  • Controller Registry lookup for identity confirmation
  • Trust chain verification preventing fraud
Integration Layer
  • OAuth 2.0 / OpenID Connect for modern authentication
  • SAML support for enterprise SSO integration
  • Webhook notifications for event-driven architectures
  • SDK libraries in Python, JavaScript, Java, and Go
Regional Hubs
Distributed infrastructure for optimal performance:
  • Australian hub (Sydney) serving Asia-Pacific region
  • UK hub (London) serving Europe and Africa
  • Canadian hub (Toronto) serving Americas
  • Low-latency regional routing ensuring responsiveness
Implementation Support
Developer Tools
Comprehensive API documentation and interactive sandbox, reference implementations in open-source repositories, testing and validation tools for quality assurance, and integration examples and tutorials accelerating adoption.
Technical Assistance
Implementation consulting for architecture design, architecture review ensuring best practices, performance optimisation for scale and efficiency, and security assessment identifying and mitigating risks.
Certification & Micro-Credentials
Digital Privacy Officer Certification
Comprehensive training and certification pathway developing expertise across technical, legal, and operational dimensions of privacy transparency infrastructure.
Level 1: Foundation
Investment: £280
Digital transparency fundamentals, Human Consent Protocol overview, Controller-ID and notice patterns, rights access and transparency principles. Open, inclusive, and freely accessible to all privacy professionals beginning their transparency journey.
Level 2: Safety & Security Officer
Investment: £440
Risk assessment methodologies for privacy impact, incident response procedures and breach notification, transparency performance monitoring and metrics, compliance reporting and regulatory liaison. Specialised for operational professionals managing day-to-day privacy operations.
Level 3: Digital Privacy Officer
Investment: £1,000
Comprehensive governance framework implementation, consent receipt signing authority, multi-jurisdiction compliance strategy, AI and digital identification governance. Professional certification with legal signing authority for consent receipts.
Level 4: Knowledge Authority
Investment: £1,480
Subject matter expert designation, standards development participation, regulatory consultation capability, thought leadership and research contributions. Advanced certification for senior practitioners shaping the future of privacy transparency.
Advanced Specialisations
Cyber-Privacy Design-Engineering
Investment: £1,600
Privacy-by-design implementation in system architecture, transparency registry systems development and deployment, technical architecture for consent infrastructure, and integration with digital identity platforms. Focused on technical professionals building privacy infrastructure.
  • System architecture design patterns
  • Technical specifications and API design
  • Security and cryptography implementation
  • Performance optimisation and scaling
Programme Trainer Certification
Investment: £2,000
Train-the-trainer methodology and pedagogy, curriculum delivery licensing for organisational use, organisational training programmes development, and regional capacity building initiatives. Enables professionals to deliver OPN training programmes internally or commercially.
  • Adult learning principles
  • Instructional design and delivery
  • Assessment and evaluation methods
  • Programme customisation techniques
Micro-Credentials for Specialised Skills
GenAI Governance
AI training data provenance, consent tokens for secondary use, ethical AI transparency, regulatory oversight mechanisms
Harmonisation Specialist
Multi-jurisdiction legal mapping, Convention 108+ implementation, notice standardisation across laws, interoperability frameworks
Technical Implementation
API integration and gateway services, ISO/IEC 27560 implementation, consent receipt infrastructure, security and cryptography
Record & Receipt Management
Audit trail architecture, version control and archival, Notice Event Ledger operations, regulatory reporting automation
Certification Process
  1. Prerequisites - Experience verification, educational background, current role assessment
  2. Training - Self-paced modules, live sessions, practical exercises, peer collaboration
  3. Examination - Knowledge assessment, practical scenarios, ethics evaluation
  4. Certification - Verifiable micro-credential, signing authority, registry listing
  5. Ongoing - Continuing education, annual review, code adherence
Implementation Guides & Reference Specifications
Available Resources
Comprehensive documentation and tooling supporting rapid implementation of OPN infrastructure across diverse technical environments and organisational contexts.
Human Consent Protocol Specification
Complete technical specification defining protocol operations, API endpoint definitions with request/response schemas, data format schemas and validation rules, and integration patterns for common use cases. The definitive reference for protocol implementation.
Anchored Notice Implementation Guide
Step-by-step implementation instructions with examples, Controller-ID setup and registration procedures, notice publishing infrastructure requirements and architecture, testing and validation procedures ensuring compliance with protocol specifications.
Consent Receipt Generation Guide
ISO/IEC 27560 structure implementation details, DPO signature procedures and key management, micro-credential issuance workflows, and consent token creation for AI provenance tracking. Ensures receipt validity and regulatory compliance.
Gateway Integration Guide
Architecture patterns for different deployment scenarios, API integration examples in multiple programming languages, authentication flows including OAuth 2.0 and OpenID Connect, and security best practices protecting infrastructure and data.
TrustMark Implementation Guide
Active-state signalling setup for real-time status, real-time status broadcast mechanisms, user interface integration patterns, and verification mechanisms ensuring authenticity. Enables transparent controller status display.
Open-Source Tooling
Reference Implementations
Production-ready implementations demonstrating best practices:
  • Python: consent-receipt-py - Full-featured library for consent receipt generation and validation
  • JavaScript: ancr-js - Node.js and browser-compatible implementation of anchored notice protocol
  • Java: opn-java-sdk - Enterprise-grade SDK with Spring Boot integration examples
  • Go: consent-gateway-go - High-performance gateway service implementation
Developer Tools
  • Controller-ID generator - Command-line tool for generating and registering Controller-IDs
  • Consent receipt validator - Verification tool ensuring ISO/IEC 27560 compliance
  • Notice structure checker - Validates machine-readable notice formatting
  • TrustMark simulator - Testing tool for active-state signalling implementations
Testing Infrastructure
Comprehensive testing environment supporting development:

Sandbox Environment
Full-featured testing environment with synthetic data, allowing developers to test implementations without affecting production systems or real user data.
  • Mock gateway services simulating production behaviour
  • Validation test suites ensuring protocol compliance
  • Performance testing tools for scale verification
  • Integration testing frameworks
All tools and implementations are available under permissive open-source licences, enabling both commercial and non-commercial use whilst fostering community contribution and collaborative improvement.
Get Started
For Organisations
  1. Assessment - Evaluate current privacy infrastructure, identify gaps, and determine readiness for transparency implementation. Review existing consent mechanisms, notice accessibility, and audit trail capabilities.
  2. Planning - Design transparency implementation roadmap aligned with business priorities. Establish milestones, resource requirements, and success metrics. Engage stakeholders across legal, technical, and operational teams.
  3. Training - Certify DPO and technical staff through appropriate certification levels. Build internal capability for ongoing operation and continuous improvement of transparency infrastructure.
  4. Implementation - Deploy infrastructure with Data Notary support. Integrate gateway services, publish machine-readable notices, implement consent receipt generation, and establish audit trails.
  5. Certification - Achieve TrustMark status demonstrating transparency excellence. Undergo verification process, complete transparency performance assessment, and join Controller Registry.
For Service Providers
  1. Certification - Complete Data Notary training programme, demonstrating technical competency, legal knowledge, and operational excellence. Obtain professional certification and signing authority.
  2. Onboarding - Set up service infrastructure including gateway connections, record management systems, and client service platforms. Establish quality assurance processes and service level agreements.
  3. Client Acquisition - Market Data Notary services to organisations requiring transparency implementation support. Leverage OPN network and professional registry for visibility and credibility.
  4. Service Delivery - Support client implementations through harmonisation, labelling, notification, and receipt management services. Maintain professional standards and code of conduct.
  5. Growth - Expand service offerings across additional jurisdictions, develop specialised capabilities in emerging areas like GenAI governance, and build regional capacity through training programmes.
For Developers
  1. Sandbox Access - Register for sandbox environment and obtain API credentials. Explore interactive documentation and familiarise yourself with available endpoints and data structures.
  2. Documentation Review - Study integration guides, protocol specifications, and best practices. Review reference implementations in your preferred programming language.
  3. Reference Implementation - Clone open-source repositories, run example applications, and experiment with protocol operations in sandbox environment.
  4. Integration - Build transparency features into applications, implementing consent verification, notice pull, and receipt validation. Test thoroughly using validation tools.
  5. Community - Join developer Discord for technical support, share implementations and learnings, contribute to open-source projects, and participate in standards development.
Resources
  • Documentation portal
  • API reference
  • SDK downloads
  • Video tutorials
  • Case studies
Support
  • Technical consultation
  • Implementation planning
  • Training programmes
  • Community forums
  • Expert assistance
Community
  • Developer Discord
  • Monthly webinars
  • Annual conference
  • Working groups
  • Newsletter updates
Contact
Technical Support
For technical implementation assistance, API integration questions, gateway services support, and developer resources:
Certification Programmes
For information about Digital Privacy Officer certification, Data Notary training, micro-credentials, and professional development programmes:

Office Hours
Technical support available Monday-Friday, 09:00-17:00 in respective regional time zones (Sydney, London, Toronto).
Certification enquiries typically receive response within 24 hours during business days.
Stay Connected
  • Join our developer Discord community
  • Subscribe to monthly newsletter
  • Follow updates on professional networks
  • Attend quarterly webinars and workshops
  • Participate in annual OPN Conference
For Organisations
Ready to implement transparency infrastructure? Contact us to schedule an assessment and discuss your implementation roadmap.
For Service Providers
Interested in becoming a certified Data Notary? Enquire about training programmes and certification pathways.
For Developers
Need sandbox access or integration support? Reach out for API credentials and technical documentation.
For Regulators
Exploring transparency infrastructure for policy development? We welcome dialogue with data protection authorities and standard-setting bodies.
The Open Privacy Network operates as a collaborative initiative with governance distributed across participating organisations, certified professionals, and regulatory authorities. We welcome engagement from all stakeholders committed to advancing digital transparency and individual privacy rights.