Consent concepts
owner,
GPT suggests: data custodian, authorized party, service provider.
let’s go with provider or party.
consent applies to a resource instance (SSN) or type (bank account transaction). but can treat instance as a pathological type that has just one instance.
do we need actions allowed if party is specified? party might share. or purposes/uses
marketing, sharing, etc
can owner provide blanket consent to any party? or any party in some category? or a party in some group (eg, as defined by Consumer Reports companies)? can one party inherit consent from another?
actions for concept: request consent; grant consent (and party confirms/attests?); revoke consent; exploit consent
should exploiting consent be part of this concept? what if exploit does not meet consent constraint?
should concept keep record of exploited consent actions? this seems to extend it to a logging concept. maybe just have an action for approving or disapproving of an exploitation.
duration, expiration
rights assertion: not attestation; requesting data be fixed, deleted, etc
consent important element of control
tracing essential for accountability
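
One possible reading of these notes as a small Python model, added here as an example and not part of the original notes. It assumes that a grant answers a prior request, that consent is scoped by party, resource type and purposes, and that exploitation is only approved or disapproved, with no log kept; all class, method and field names are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Grant:
    owner: str
    party: str
    resource_type: str    # an instance (e.g. one SSN) is a type with a single member
    purposes: frozenset   # e.g. {"marketing", "sharing"}
    expires: float        # expiry time, same clock as `now` below
    revoked: bool = False


class Consent:
    """Hypothetical sketch of the concept's actions: request, grant, revoke, approve."""

    def __init__(self):
        self.requests = set()  # pending (party, owner, resource_type, purposes)
        self.grants = []

    def request(self, party, owner, resource_type, purposes):
        self.requests.add((party, owner, resource_type, frozenset(purposes)))

    def grant(self, owner, party, resource_type, purposes, expires):
        # Assumption: no blanket consent, so a grant must match a pending request.
        key = (party, owner, resource_type, frozenset(purposes))
        if key not in self.requests:
            raise ValueError("no matching request")
        self.requests.discard(key)
        g = Grant(owner, party, resource_type, frozenset(purposes), expires)
        self.grants.append(g)
        return g

    def revoke(self, owner, grant):
        if grant.owner != owner:
            raise PermissionError("only the owner can revoke")
        grant.revoked = True

    def approves(self, party, owner, resource_type, purpose, now):
        # Approve or disapprove a proposed exploitation. Recording what was
        # actually done is left to a separate logging concept.
        return any(
            g.party == party and g.owner == owner
            and g.resource_type == resource_type
            and purpose in g.purposes
            and not g.revoked and now < g.expires
            for g in self.grants
        )
```

An exploitation that does not meet the consent constraint is simply disapproved here; whether it should also be recorded is the logging question the notes leave open.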