Description
Problem description
The current version of the Consent Info API (v0.1.0) only supports consent capture through operator-managed channels — either via browser-based AuthCode flow or out-of-band (CIBA) notifications.
While this ensures full operator control, it introduces UX friction and limits applicability in use cases where user interaction with operator portals is not optimal or feasible (e.g., in-app onboarding, backend/ambient checks, or large-scale re-consent campaigns).
Developers and aggregators have expressed the need for a more flexible mechanism to capture consent while maintaining operator accountability and legal compliance.
Possible evolution
Introduce an optional, controlled delegation model where trusted developers can capture consent directly within their own applications, using operator-provided consent texts and parameters.
Under this enhancement:
- The developer retrieves operator-provided consent texts via the Consent Info API.
- The developer presents these texts in-app, using their own UX (without altering the legal content).
- The developer submits the user’s consent response or evidence back to the operator for validation and registration in the operator’s Consent Management system.
- The operator remains fully responsible for storage, audit, transparency, and opt-out.
- Access to this functionality is restricted to trusted developers under operator policy (allow-listing, contractual controls, audits).
This evolution maintains backwards compatibility — the current AuthCode and CIBA flows remain available and unaffected.
Alternative solution
Keep the current Consent Info API as-is and introduce a new standalone API (e.g., Delegated Consent Capture API) using a similar data model and governance principles.
This would allow experimentation and validation under a separate cadence without impacting the existing Consent Info baseline.
Additional context
- The proposal follows discussions held in CAMARA ICM and Backlog Working Groups.
- The enhancement addresses developer UX friction while maintaining operator control and legal accountability.
- Identity assurance during delegated capture remains operator-defined, possibly involving step-up authentication, out-of-band confirmation, or network-based signals.
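
An added illustration, not part of the original issue or of the Consent Info API: a sketch of the operator-side checks a delegated submission could pass before registration, covering the allow-list, evidence integrity, unaltered consent text and freshness. All field names, identifiers, the shared-key HMAC scheme and the 300-second window are assumptions made for this example.

```python
import hashlib, hmac, json

# Constructed operator-side state (hypothetical; the proposal defines no schema).
CONSENT_TEXTS = {"txt-001": "I agree that Operator X shares my location with App Y."}
TRUSTED_DEVELOPERS = {"dev-123": b"constructed-shared-secret"}  # allow-list + key
MAX_AGE_SECONDS = 300  # assumed freshness window

def text_digest(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def mac_over(key, evidence):
    # Canonical JSON so both sides compute the MAC over identical bytes.
    body = json.dumps(evidence, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def sign_evidence(developer_id, key, text_id, shown_text, granted, now):
    """Developer side: bind the user's answer to the exact text displayed."""
    evidence = {"developer_id": developer_id, "text_id": text_id,
                "text_sha256": text_digest(shown_text),
                "granted": granted, "captured_at": now}
    return {"evidence": evidence, "mac": mac_over(key, evidence)}

def validate_submission(sub, now):
    """Operator side: return (accepted, reason) before registering consent."""
    ev = sub.get("evidence", {})
    key = TRUSTED_DEVELOPERS.get(ev.get("developer_id"))
    if key is None:
        return False, "developer not allow-listed"
    if not hmac.compare_digest(mac_over(key, ev), str(sub.get("mac", ""))):
        return False, "bad MAC"
    text = CONSENT_TEXTS.get(ev.get("text_id"))
    if text is None or ev.get("text_sha256") != text_digest(text):
        return False, "consent text altered or unknown"
    if not 0 <= now - ev.get("captured_at", 0) <= MAX_AGE_SECONDS:
        return False, "stale or future-dated evidence"
    if not isinstance(ev.get("granted"), bool):
        return False, "missing consent decision"
    return True, "ok"

if __name__ == "__main__":
    key = TRUSTED_DEVELOPERS["dev-123"]
    sub = sign_evidence("dev-123", key, "txt-001", CONSENT_TEXTS["txt-001"], True, 1000)
    print(validate_submission(sub, 1010))
```

The digest only records which text the developer attests to having shown; it cannot prove what the user saw, which is why the proposal pairs the capability with allow-listing, contractual controls and audits.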