Privacy-First Conversation Management.
A technical look at standardized lawful basis in virtualized conversations — consent that lives inside the file, scoped by purpose and time.
Voice and chat conversations are some of the richest personal data a business handles, and some of the hardest to govern. The real problem is not collecting consent. It is keeping that consent meaningful as the data moves between systems, gets re-used for new purposes, and outlives the conversation it came from.
The vCon Lawful Basis extension addresses this by embedding the legal grounds for processing directly inside the conversation container. The lawful basis, the purposes it covers, an expiration, and a cryptographic proof all travel with the data. The result is a machine-checkable record of why processing is allowed, available wherever the conversation goes.
Consent in the AI era
Traditional consent management has four recurring failure modes.
- Consent records sit in a separate database from the data they govern, so compliance checks require reconstruction across systems.
- Permissions are binary, which makes nuanced cases — yes to transcription, no to model training — impossible to express.
- Audit trails are scattered, so proving compliance is an investigation rather than a query.
- AI-era use cases such as model training, inference, and text-and-data-mining were never modeled in older consent schemas.
Consider a healthcare contact center. A single patient call may pass through recording, transcription, sentiment analysis, and eventual use as training data for a future assistant. Each step lives under a different rule — HIPAA for healthcare data, GDPR for EU residents, CCPA for Californians, sectoral rules for AI training. Tracking which permissions apply at which step, when they expire, and how to prove they were given is exactly the operational problem the Lawful Basis extension exists to solve.
The vCon solution
A vCon is a standardized JSON container that packages everything related to a single conversation: the parties, the dialog content, any analysis, and a list of typed attachments. The Lawful Basis extension adds a structured attachment to that list. It declares the legal grounds for processing, the specific purposes those grounds cover, when the basis expires, and how it was established. Because the attachment lives inside the vCon, consent travels with the data and cannot be separated from it.
An illustrative attachment, using the fields the extension defines, looks like this:
// a lawful_basis attachment, carried inside the vCon { "type": "lawful_basis", "lawful_basis": "consent", "purpose_grants": [ { "purpose": "recording", "granted": true }, { "purpose": "transcription", "granted": true }, { "purpose": "ai_training", "granted": false } ], "expiration": "2027-07-01T00:00:00Z", "proof_mechanisms": [ { "type": "verbal_confirmation", "dialog_offset": 12.4 } ] }
The top-level vCon also declares the extension. Placing lawful_basis in must_understand is the safer default: a consumer that does not understand the model should refuse the vCon rather than silently lose the consent record.
What the extension gives you
- Granular, purpose-based permissions. Each entry in
purpose_grants[]names a processing purpose — recording, transcription, analysis, storage, redistribution, model training, inference — and records whether it was granted. Granting transcription while denying training is a single attachment, not a separate document. - Six GDPR-aligned bases. The
lawful_basisfield takes one of the six GDPR bases. The first five require an expiration; legitimate interests may set expiration to null for ongoing grounds. Aligning to GDPR keeps it legible to regulators while remaining usable under CCPA, HIPAA, and similar regimes. - Cryptographic verification. Each attachment carries at least one entry in
proof_mechanisms[]describing how the basis was established: an audio segment in the vCon, a reference to a system of record, or a signed document. Paired with Lifecycle, acceptance and revocation events are recorded on a SCITT ledger, producing a tamper-evident, third-party-verifiable audit trail. - Temporal management. Expiration timestamps invalidate consent automatically. Revalidation intervals can require periodic refresh for sensitive purposes. Clock-skew handling and indefinite-but-revalidated grants are first-class concerns in the spec, not ad-hoc patches in application code.
Regulatory compliance, without a separate stack
The extension is designed to satisfy the operational requirements of the major privacy regimes without forcing a parallel compliance system. Under GDPR, right of access is reading the attachment, rectification is updating or replacing it, the right to be forgotten is a revocation via Lifecycle, and portability is exporting the vCon. Under CCPA, the rights to know, to delete, to opt out of sale, and to non-discrimination are all expressible in purpose grants and Lifecycle events. Under HIPAA, per-purpose authorization, audit trail, and breach support all attach to the conversation itself.
At processing time, pipelines read the attachment and gate behavior on the relevant purpose. Lawful Basis declares the legal grounds; the Lifecycle extension records the events — when consent was accepted, modified, or revoked — each anchored on a SCITT transparency service. Used together, the two answer both “what was allowed” and “what happened, and when, provably.” Most production deployments use both. Signatures use COSE with certificate-chain validation, external proof references include content-integrity hashes, and consent-ledger traffic runs over modern TLS with certificate pinning for critical services.
Three use cases
Multi-channel service
A telco handles voice, chat, and email. Each interaction is a vCon with its own basis. When a chat escalates to a call, the basis travels with the case file, and analysis gates on purpose grants — correct across channels, with no parallel compliance system.
Healthcare telemedicine
Video consultations across jurisdictions, with separate grants for clinical record, quality review, and de-identified research. Expiration drives automatic deletion. One vCon satisfies HIPAA for US patients and GDPR for EU patients without forking the pipeline.
AI training data
A vendor builds from historical recordings. A filter reads purpose grants and includes only conversations where training is granted and unexpired. The model has an auditable provenance trail back to each consenting interaction.
Lawful Basis turns privacy compliance from a paperwork exercise into a property of the data itself. The legal grounds, the purposes they cover, the expiration, and the proof all live inside the vCon, where any downstream system can read them, gate on them, and verify them. Combined with Lifecycle's SCITT-anchored event log, the result is a privacy posture that scales with AI-era data use rather than collapsing under it.
See what your conversations are telling you.
Not a slide pitch, a two-way discovery of where a governed, portable conversation record fits your stack. We’ll be back to you within 24 hours.
Talk to the team →