
Consent & Privacy Framework

The UBU Finance backend implements a comprehensive Consent & Privacy Framework that provides fine-grained consent management with OAuth scope integration, ensuring compliance with privacy regulations and best practices.

Overview

The Consent & Privacy Framework allows users to have granular control over how their data is used within the system. It implements consent tokens that can be embedded in OAuth scopes, providing a transparent and auditable mechanism for managing user consent.

Key Features

The framework provides a set of predefined consent scopes that cover different aspects of data usage:

  • Essential Services: Required data for core functionality
  • Analytics & Improvements: Data used to improve services and user experience
  • Marketing Communications: Consent for marketing messages
  • Third-Party Data Sharing: Consent to share data with trusted partners
  • Location Services: Use of location data for location-based services
  • Biometric Authentication: Use of biometric data for authentication
  • SMS Notifications: Consent to receive SMS notifications

Each scope includes:

  • Clear description of the data usage
  • Category classification
  • Whether it's required or optional
  • Expiration period (if applicable)
  • List of third parties that may receive the data

The framework generates and manages consent tokens that:

  • Are cryptographically signed using JWT
  • Can be embedded in OAuth scopes
  • Have configurable expiration dates
  • Can be revoked at any time
  • Are version-controlled for audit purposes

Comprehensive Audit Trail

All consent-related actions are recorded in an immutable audit trail, including:

  • When consent was granted
  • When consent was revoked
  • Changes to consent scopes
  • IP address and device information

UI Integration

The framework is designed to integrate with user interfaces that:

  • Clearly explain data usage per feature
  • Provide transparent information about third parties
  • Allow users to manage their consent preferences

Implementation Details

The Consent & Privacy Framework is implemented in app/security/consent_framework.py and provides the following components:

  • ConsentFramework: The main framework that manages consent scopes and tokens
  • ConsentScope: Model for defining consent scopes
  • ConsentToken: Model for consent tokens
  • ConsentRecord: Model for audit trail records
  • require_consent: A dependency that can be added to API endpoints to enforce consent requirements

Usage Examples

Protecting an Endpoint with require_consent

from fastapi import Depends, Request
from app.security.consent_framework import require_consent

def analytics_consent(request: Request) -> bool:
    # The dependency parameter must be annotated as Request so FastAPI injects
    # the request object; an un-annotated lambda parameter would be interpreted
    # as a required query parameter instead, and the check would never run.
    return require_consent(request, request.state.user_id, "analytics")

@app.post("/api/user-analytics")
async def submit_analytics_data(
    data: AnalyticsData,
    consent_check: bool = Depends(analytics_consent)
):
    # Process analytics data; this body runs only after the "analytics" consent check passes
    return {"status": "success"}

Granting Consent

from fastapi import Request
from app.security.consent_framework import consent_framework

@app.post("/api/consent")
async def grant_consent(
    request: Request,
    consent_data: ConsentRequest
):
    # Issues a consent token for the requested scope IDs; the request is passed
    # so the grant is recorded in the audit trail with IP and device information
    token = consent_framework.grant_consent(
        user_id=request.state.user_id,
        scope_ids=consent_data.scopes,
        request=request
    )

    return {"status": "success", "token_id": token.token_id}

Revoking Consent

from fastapi import Request
from app.security.consent_framework import consent_framework

@app.delete("/api/consent/{token_id}")
async def revoke_consent(
    request: Request,
    token_id: str
):
    # Returns False when no matching token exists for this user
    success = consent_framework.revoke_consent(
        user_id=request.state.user_id,
        token_id=token_id,
        request=request
    )

    return {"status": "success" if success else "not_found"}

Getting User's Active Consents

from fastapi import Request
from app.security.consent_framework import consent_framework

@app.get("/api/consent")
async def get_user_consents(request: Request):
    active_consents = consent_framework.get_active_consents(request.state.user_id)

    return {
        "consents": active_consents,
        "available_scopes": {
            scope.scope_id: {
                "name": scope.name,
                "description": scope.description,
                "required": scope.required
            }
            for scope in consent_framework.get_all_scopes()
        }
    }

Integration with OAuth

The Consent Framework integrates with OAuth by embedding consent scopes in OAuth tokens:

# When generating an OAuth token
oauth_scopes = ["openid", "profile"]

# Add consent scopes that the user has granted
active_consents = consent_framework.get_active_consents(user_id)
for scope_id, has_consent in active_consents.items():
    if has_consent:
        oauth_scopes.append(f"consent:{scope_id}")

# Generate OAuth token with consent scopes
token = generate_oauth_token(user_id, oauth_scopes)
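As an added illustration (not the project's own code) of the consent-token properties listed above and of the consent:<scope_id> OAuth scope convention, the following reimplements a minimal HS256 JWT with the standard library and checks signature, algorithm, expiry, revocation and the required scope before a request is admitted. SIGNING_KEY, REVOKED_TOKEN_IDS and the claim names are assumptions for the demo, not the framework's actual internals.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values: the real framework keeps its signing key and
# revocation state in the application's configuration and consent store.
SIGNING_KEY = b"demo-signing-key-do-not-use"
REVOKED_TOKEN_IDS: set = set()

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_consent_jwt(user_id: str, scope_ids: list, token_id: str, ttl_seconds: int,
                     version: int = 1, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT whose scope claim carries one consent:<scope_id> entry per granted scope."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "jti": token_id, "ver": version, "iat": now, "exp": now + ttl_seconds,
               "scope": " ".join(f"consent:{s}" for s in scope_ids)}
    signing_input = f"{b64url_encode(json.dumps(header).encode())}.{b64url_encode(json.dumps(payload).encode())}"
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def verify_consent(token: str, required_scope_id: str, now: Optional[int] = None) -> bool:
    """True only if signature, algorithm, expiry and revocation checks all pass and the
    token carries consent:<required_scope_id>; any malformed token is rejected."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return False  # forged or tampered token: verified before any claim is trusted
        if json.loads(b64url_decode(h)).get("alg") != "HS256":
            return False  # refuse alg=none or algorithm substitution
        payload = json.loads(b64url_decode(p))
        if payload["exp"] <= now or payload["jti"] in REVOKED_TOKEN_IDS:
            return False  # expired, or revoked through the framework's revocation list
        return f"consent:{required_scope_id}" in payload["scope"].split()
    except (ValueError, KeyError, TypeError, AttributeError):
        return False
```

A revocation must be checked on every request, since a still-valid signature and expiry say nothing about whether the user has since withdrawn consent.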

Best Practices

When using the Consent & Privacy Framework:

  1. Be Transparent: Clearly explain what data is being collected and how it will be used
  2. Minimize Data Collection: Only collect data that is necessary for the feature
  3. Respect User Choices: Honor consent preferences and make it easy to revoke consent
  4. Keep Records: Maintain comprehensive records of consent for compliance purposes
  5. Regular Reviews: Periodically review consent mechanisms and update as needed

Compliance Considerations

The Consent & Privacy Framework is designed to help meet requirements for:

  • General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA)
  • Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Other privacy regulations

It provides the technical foundation for compliance, but organizations should consult with legal experts to ensure full compliance with applicable regulations.