# Lawful Basis **Draft:** [`draft-howe-vcon-lawful-basis`](https://datatracker.ietf.org/doc/draft-howe-vcon-lawful-basis/) · **Extension name:** `"lawful_basis"` ## What it is Most data privacy regimes — GDPR in the EU, CCPA in California, and a growing list of others — require that you can demonstrate the legal grounds on which you collected, stored, processed, and shared each piece of personal data. For conversations, that question has historically been answered with a separate document, a separate database, or nothing at all. The Lawful Basis extension puts the answer **inside the vCon itself**. The extension defines a structured attachment that records the lawful basis under which the conversation is being processed, the specific purposes that basis covers, when consent (if any) expires, and a cryptographic proof binding the basis to the vCon's content. ## When to use it * Any conversation involving EU data subjects (GDPR consent or legitimate-interest grounds) * Contact-center recordings subject to state-by-state recording-consent laws * Healthcare conversations subject to HIPAA or equivalent * Sales conversations covered by TCPA / Do Not Call obligations * Synthetic-conversation datasets where you want to make the synthetic-data origin auditable rather than implied ## Spec surface The extension adds a single entry to `attachments[]`, using `type: "lawful_basis"` (this is the documented exception to the core spec's "use `purpose`" rule): ```json { "type": "lawful_basis", "encoding": "json", "party": 0, "dialog": 0, "body": { "lawful_basis": "consent", "expiration": "2026-01-02T12:00:00Z", "purpose_grants": [ { "purpose": "recording", "granted": true, "granted_at": "2025-01-02T12:15:30Z" }, { "purpose": "transcription", "granted": true, "granted_at": "2025-01-02T12:15:30Z" }, { "purpose": "analysis", "granted": true, "granted_at": "2025-01-02T12:15:30Z" } ], "proof_mechanisms": [ { "mechanism_type": "audio_recording", "dialog_index": 0, "description": "Verbal consent captured at start of recording" } ] } } ``` **Required body fields:** * `lawful_basis` — one of `consent`, `contract`, `legal_obligation`, `vital_interests`, `public_task`, `legitimate_interests` (the six GDPR bases). The first five require an expiration; `legitimate_interests` can use `null` if the basis is ongoing. * `expiration` — ISO 8601 timestamp, or `null` for ongoing legitimate-interest grounds. * `purpose_grants[]` — at least one entry. Each grant identifies a specific processing purpose (e.g. `recording`, `transcription`, `analysis`, `redistribution`) and whether it was granted. * `proof_mechanisms[]` — at least one entry documenting how the basis was established (e.g. an audio segment containing verbal consent, an external-system reference, a signed document). Don't forget to declare the extension at the top level: ```json { "vcon": "0.4.0", "extensions": ["lawful_basis"], "must_understand": ["lawful_basis"] } ``` Adding `"lawful_basis"` to `must_understand` is the safer default — consumers that don't know how to process lawful-basis data should refuse the vCon rather than silently lose the consent record. ## Python helper The `vcon` library has an `add_lawful_basis_attachment()` helper, but it requires constructing model objects for `purpose_grants` and `proof_mechanisms`. In practice it's often simpler to build the attachment dict directly and append it: ```python from vcon import Vcon v = Vcon.build_new() v.vcon_dict["vcon"] = "0.4.0" # the lib doesn't set this for you # ... add parties, dialog, etc. v.vcon_dict["attachments"].append({ "type": "lawful_basis", "encoding": "json", "party": 0, "dialog": 0, "body": { "lawful_basis": "consent", "expiration": "2026-01-02T12:00:00Z", "purpose_grants": [ {"purpose": "recording", "granted": True, "granted_at": "2025-01-02T12:15:30Z"}, {"purpose": "transcription", "granted": True, "granted_at": "2025-01-02T12:15:30Z"}, ], "proof_mechanisms": [ {"mechanism_type": "audio_recording", "dialog_index": 0, "description": "Verbal consent captured at start of recording"} ], }, }) v.add_extension("lawful_basis") ``` ## Synthetic-data pattern For synthetic conversations (e.g. corpora generated by `vcon_faker`), use `legitimate_interests` with `expiration: null`, and document the synthetic origin in a `proof_mechanism` of type `external_system`: ```json { "lawful_basis": "legitimate_interests", "expiration": null, "purpose_grants": [ { "purpose": "recording", "granted": true }, { "purpose": "transcription", "granted": true }, { "purpose": "analysis", "granted": true }, { "purpose": "redistribution", "granted": true } ], "proof_mechanisms": [ { "mechanism_type": "external_system", "description": "Synthetic conversation generated by vcon_faker; no real data subject" } ] } ``` Also mark the parties as synthetic with `validation: "synthetic"` so downstream consumers know not to treat them as real identities. ## See also * [Privacy-First Conversation Management](/deep-dives/privacy-first-conversation-management.md) — the design rationale and operational pattern. * [Lifecycle](/extensions/lifecycle.md) — the lifecycle extension records consent acceptance and revocation events on a SCITT ledger; the two extensions are designed to be used together. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.conserver.io/extensions/lawful-basis.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.