ISO/IEC TS 27560
ISO/IEC TS 27560:2023 — Privacy technologies — Consent record information structure
(first edition)
Abstract
ISO/IEC TS 27560 "specifies an interoperable, open and extensible information structure for recording PII principals' consent to PII processing. [ISO/IEC TS 27560] provides requirements and recommendations on the use of consent receipts and consent records associated with a PII principal's PII processing consent, aiming to support the: provision of a record of the consent to the PII principal; exchange of consent information between information systems; management of the life cycle of the recorded consent."
[Source: ISO/IEC TS 27560:2023]
Introduction
This Technical Specification specifies an interoperable, open and extensible information structure for recording and potentially sharing PII Principals' (data subjects') consent to data processing.
Scope
In addition to the specification, the standard provides requirements and recommendations on the use of consent receipts and consent records associated with a PII Principal’s data processing consent to support the:
Provision of a record of the consent to the PII Principal;
Exchange of consent information between information systems; and
Management of the lifecycle of the recorded consent.
The standard does not specify an exchange protocol for receipts and records, nor an exact data structure for such exchanges.
Structure
Main sections:
5: Overview of consent records and consent receipts
6: Elements of a consent record and consent receipt
Annex A: Examples of consent records and receipts
Annex B: Example of consent record life cycle
Annex C: Performance and efficiency considerations
Annex D: Consent record encoding structure
Annex E: Security of consent records and receipts
Annex F: Signals as controls communicating PII principal's preferences and decisions
Annex G: Guidance on the application of consent receipts in the context of privacy information management systems
Annex H: Mapping to ISO/IEC 29184
Status
The first edition was published as a Technical Specification in 2023.
ISO made the downloadable standard free of charge in 2025 to encourage uptake and so promote the sharing of privacy consents. See https://www.iso.org/standard/80392.html
An early revision is ongoing with an expanded scope to encompass the former ISO/IEC TS 27569 project (which has presumably been cancelled?).
The second edition has passed a vote at Committee Draft stage. It has a new title: "Structure of personally identifiable information (PII) processing records."
Commentary
If only ISO would release all the ISO27k infosec standards free of charge, encouraging everyone to improve security for all!
I missed the announcements about the current revision project, e.g. its scope and purpose.
