⚖️Lawful Basis

Draft: draft-howe-vcon-lawful-basis · Extension name: "lawful_basis"

What it is

Most data privacy regimes — GDPR in the EU, CCPA in California, and a growing list of others — require that you can demonstrate the legal grounds on which you collected, stored, processed, and shared each piece of personal data. For conversations, that question has historically been answered with a separate document, a separate database, or nothing at all.

The Lawful Basis extension puts the answer inside the vCon itself. The extension defines a structured attachment that records the lawful basis under which the conversation is being processed, the specific purposes that basis covers, when consent (if any) expires, and a cryptographic proof binding the basis to the vCon's content.

When to use it

• Any conversation involving EU data subjects (GDPR consent or legitimate-interest grounds)

• Contact-center recordings subject to state-by-state recording-consent laws

• Healthcare conversations subject to HIPAA or equivalent

• Sales conversations covered by TCPA / Do Not Call obligations

• Synthetic-conversation datasets where you want to make the synthetic-data origin auditable rather than implied

Spec surface

The extension adds a single entry to attachments[], using type: "lawful_basis" (this is the documented exception to the core spec's "use purpose" rule):

{
  "type": "lawful_basis",
  "encoding": "json",
  "party": 0,
  "dialog": 0,
  "body": {
    "lawful_basis": "consent",
    "expiration": "2026-01-02T12:00:00Z",
    "purpose_grants": [
      { "purpose": "recording",     "granted": true, "granted_at": "2025-01-02T12:15:30Z" },
      { "purpose": "transcription", "granted": true, "granted_at": "2025-01-02T12:15:30Z" },
      { "purpose": "analysis",      "granted": true, "granted_at": "2025-01-02T12:15:30Z" }
    ],
    "proof_mechanisms": [
      {
        "mechanism_type": "audio_recording",
        "dialog_index": 0,
        "description": "Verbal consent captured at start of recording"
      }
    ]
  }
}

Required body fields:

• lawful_basis — one of consent, contract, legal_obligation, vital_interests, public_task, legitimate_interests (the six GDPR bases). The first five require an expiration; legitimate_interests can use null if the basis is ongoing.

• expiration — ISO 8601 timestamp, or null for ongoing legitimate-interest grounds.

• purpose_grants[] — at least one entry. Each grant identifies a specific processing purpose (e.g. recording, transcription, analysis, redistribution) and whether it was granted.

• proof_mechanisms[] — at least one entry documenting how the basis was established (e.g. an audio segment containing verbal consent, an external-system reference, a signed document).

Don't forget to declare the extension at the top level:

Adding "lawful_basis" to must_understand is the safer default — consumers that don't know how to process lawful-basis data should refuse the vCon rather than silently lose the consent record.

Python helper

The vcon library has an add_lawful_basis_attachment() helper, but it requires constructing model objects for purpose_grants and proof_mechanisms. In practice it's often simpler to build the attachment dict directly and append it:

Synthetic-data pattern

For synthetic conversations (e.g. corpora generated by vcon_faker), use legitimate_interests with expiration: null, and document the synthetic origin in a proof_mechanism of type external_system:

Also mark the parties as synthetic with validation: "synthetic" so downstream consumers know not to treat them as real identities.

See also

• Privacy-First Conversation Management — the design rationale and operational pattern.

• Lifecycle — the lifecycle extension records consent acceptance and revocation events on a SCITT ledger; the two extensions are designed to be used together.