Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

This action is in response to an amendment filed 10/15/21.
Claims 1, 6-12 and 16-25 are pending.

Response to Arguments
Rejections Under 35 U.S.C. §112
The applicant’s amendments filed 10/15/21 are sufficient to overcome the previous rejections which are consequently withdrawn.

Double Patenting Rejection
The terminal disclaimer filed 10/15/21 is sufficient to overcome the previous rejection which is consequently withdrawn.

Rejections Under 35 U.S.C. §103
The rejection relied upon the teachings of Luah to address the limitation(s) reciting capturing the underlying code of the consent capture mechanism. The applicant has amended the claims to remove this limitation(s). Accordingly, Luah is no longer relied upon and arguments directed at Luah are moot. 
Further, as indicated below, it is noted that Dotan teaches capturing a selection or a text entry via the mechanism (col. 7, lines 32-39 “the cursor data might indicate the user 46 clicked at … a radio button associated with a particular account”, col. 7, lines 55-59 “the user 46 may enter text”).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 6-12, 16-21 and 23-24 are rejected under 35 U.S.C. 103 as being unpatentable over US 8,589,183 to Awaraji et al. (Awaraji) in view of US 8,677,472 to Dotan et al. (Dotan).

Claim 1: Awaraji discloses a method comprising: 
receiving, by computing hardware, an indication of consent to process personal data associated with a data subject (col. 7, lines 17-23 “the client consents to the service provider performing the service”); 
accessing a consent capture mechanism, wherein the consent capture mechanism is used in capturing the consent form the data subject (col. 7, lines 17-23 “the client consents to the service provider performing the service”, note that receipt of this consent must have been captured by some “mechanism”);
capturing consent capture mechanism data associated with the consent capture mechanism during the browsing session (col. 7, lines 17-23 “the client consents to the service provider performing the service”); 
generating, by computing hardware, a digital consent receipt (col. 8, lines 41-44 “a symmetric key is generated”); and 
providing the digital consent receipt to the first entity (col. 6, lines 55-59 “the service provider is … given access to any information to which the service provider has been granted 

Awaraji does not disclose the method further comprising: 
accessing a webpage hosting a consent capture mechanism using a virtual browser during a virtual browsing session, wherein the consent capture mechanism is used in capturing the consent from the data subject; 
wherein the consent capture mechanism data indicates at least one of a selection or a text entry made by the data subject via the consent capture mechanism to provide the consent; and
modifying, by the computing hardware, the digital consent receipt to include metadata related to the consent capture mechanism data.

Dotan teaches identifying a user input capture mechanism receiving the user input for data processing (col. 7, lines 19-28 “rendered web pages”); and
accessing a webpage hosting a capture mechanism using a virtual browser during a virtual browsing session wherein the capture mechanism is used in capturing the input from the data subject (col. 7, lines 19-28 “capture rendered web pages … produced by the virtual web browser 82”);
wherein the capture mechanism data indicates at least one of a selection or a text entry made by the data subject via the consent capture mechanism to provide the consent (col. 7, lines 32-39 “the cursor data might indicate the user 46 clicked at … a radio button associated with a particular account”, col. 7, lines 55-59 “the user 46 may enter text”).

It would have been obvious at the time of filing to identify and capture data from the consent capture mechanism (Dotan col. 7, lines 19-28 “capture rendered web pages”, Awaraji col. 8, lines 41-65 “stored in a transaction record”) including an indication of a selection or text entry (Dotan col. 7, lines 32-39 “clicked at … a radio button associated with a particular account”, col. 7, lines 55-59 “the user 46 may enter text”) and to modify the consent receipt with the data (Awaraji col. 8, lines 41-65 “stored in a transaction record”). Those of ordinary skill in the art would have been motivated to do so as a known means of collecting user input which would 

Claim 6: Awaraji and Dotan teach the method of Claim 1, wherein the consent comprises consent for a vendor utilized by the first entity to process the personal data (Fig. 2, Service Provider #1, Service Provider #2).

Claim 7: Awaraji and Dotan teach the method of Claim 6, the method further comprising providing the digital consent receipt to the vendor (Fig. 2, Service Provider #1, Service Provider #2).

Claim 8: Awaraji and Dotan teach the method of Claim 1, the method further comprising: 
receiving, from a second entity, a request to process the personal data associated with the data subject (col. 6, lines 36-40 “receives the service request”); 
determining, based on the digital consent receipt, whether the data subject has consented to the second entity processing the data (col. 6, lines 36-40 “if the service provider is not preauthorized”); 
in response to determining that the data subject has not consented to the second entity processing the personal data, having, by the computing hardware, the data subject prompted to provide consent for the second entity to process the personal data (col. 6, lines 36-40 “sends a request to the client to permit the service provider to access the information”); 
receiving, by the computing hardware, the consent from the data subject for the second entity to process the one or more pieces of personal data associated with the data subject by the third entity (col. 6, lines 45-47 “the client can … approve the entire request”); and 
in response to receiving consent for the second entity to process the personal data associated with the data subject, modifying, by the computing hardware, the digital consent receipt based on the consent for the second entity to process personal data associated with the 

Claim 9: Awaraji and Dotan teach the method of Claim 8, the method further comprising providing the digital consent receipt to the second entity (col. 6, lines 55-59 “the service provider is … given access to any information to which the service provider has been granted access”).

Claim 10: Awaraji disclose a method comprising: 
providing, by computing hardware, a consent capture mechanism for initiating a transaction between an entity and a data subject, the transaction involving the collection or processing of personal data associated with the data subject by the entity (col. 7, lines 17-18 "a client requests service from service provider 3 as part of Step 31", e.g. col. 10, lines 40-46 "smart forms"); 
receiving, by the computer hardware, a request to initiate the transaction between the entity and the data subject via the consent capture mechanism (col. 7, lines 17-18 "a client requests service from service provider 3 as part of Step 31");
in response to receiving the request, generating, by the computing hardware, a unique consent receipt key (col. 8, lines 41-64 "the symmetric key ... encrypted with the trusted information broker's public key"); 
receiving, by the computing hardware, from the data subject, a unique subject identifier (col. 8, lines 41-64 "the symmetric key ... encrypted with the patient's public key");

electronically associating, by the computing hardware, the unique subject identifier, the unique consent receipt key, and the unique transaction identifier (col. 8, lines 41-64 "stored in a transaction record”);
in response to receiving the request to initiate the transaction between the entity and the data subject (col. 7, lines 17-18 “a client requests service from service provider 3”): 
capturing the consent capture mechanism by capturing consent capture mechanism data associated with the consent capture mechanism (col. 7, lines 17-23 “the client consents to the service provider performing the service”). 

Awaraji does not teach in response to receiving the request to initiate the transaction between the entity and the data subject:
initiating a virtual browsing session on a consent receipt capture server;
accessing a webpage hosting the consent capture mechanism using a virtual browser during the virtual browsing session;
scanning the webpage to identify the consent capture mechanism; and
wherein the consent capture mechanism data indicates at least one of a selection or a text entry made by the data subject via the consent capture mechanism to provide the consent;
electronically associating, by the computer hardware, the unique subject identifier, the unique consent receipt key, the unique transaction identifier, and metadata associated with the computer code associated with the consent capture mechanism.

Dotan teaches in response to receiving a user interaction:
initiating a virtual browsing session on server (see e.g. Fig. 1, VM Server 80, Virtual Browser 81);

scanning the webpage to identify the user input mechanism (col. 7, lines 19-28 “capture rendered web pages … produced by the virtual web browser 82”);
capturing capture mechanism data that indicates at least one of a selection or a text entry made by the data subject via the capture mechanism (col. 7, lines 32-39 “the cursor data might indicate the user 46 clicked at … a radio button associated with a particular account”, col. 7, lines 55-59 “the user 46 may enter text”).

It would have been obvious at the time of filing to identify and capture data from the user interface (Dotan col. 7, lines 19-28 “capture rendered web pages”, Awaraji col. 8, lines 41-65 “stored in a transaction record”) including an indication of a selection or text entry (Dotan col. 7, lines 32-39 “clicked at … a radio button associated with a particular account”, col. 7, lines 55-59 “the user 46 may enter text”) and to modify the consent receipt with the data (Awaraji col. 8, lines 41-65 “stored in a transaction record”). Those of ordinary skill in the art would have been motivated to do so as a known means of collecting user input which would have produced only the expected results and would have allowed for additional documentation of the consent (see e.g. Awaraji col. 8, lines 13-15 “audit trail”).

Claim 11: Awaraji and Dotan teach the method of Claim 10, the method further comprising: 
identifying, based at least in part on a privacy policy associated with the transaction at a time of the transaction, at least one third party entity entitled to process the personal data associated with the data subject under the transaction (Awaraji col. 6, lines 55-59 “the service provider is advised of the results of the information request … and is given access to any information to which the service provider has been granted access”); and 
in response to identifying the at least one third party entity, transmitting a copy of the unique consent receipt key to the at least one third party entity (Awaraji col. 6, lines 55-59 “the service provider is … given access to any information to which the service provider has been granted access”, col. 8, lines 44-45 “this symmetric key is transmitted … as part of the authorization”).

Claim 12: Awaraji, and Dotan teach the method of Claim 11, the method further comprising: 

modifying the copy of the consent receipt key to indicate the type of personal data (col. 9, lines 6-14 “store a reference to … the public keys for any service providers permitted to access the transaction data”).

Claim 16: Awaraji, and Dotan teach the method of Claim 10, the method further comprising providing the consent receipt key to a plurality of third parties to the transaction (Awaraji col. 6, lines 55-59 “the service provider is … given access to any information to which the service provider has been granted access”, Awaraji col. 8, lines 44-45 “this symmetric key is transmitted … as part of the authorization”).

Claim 17: Awaraji disclose a method comprising: 
providing a user interface for initiating a transaction between an entity and a data subject (col. 7, lines 17-18 "a client requests service from service provider 3 as part of Step 31", e.g. col. 10, lines 40-46 "smart forms"); 
receiving a request to initiate the transaction between the entity and the data subject (col. 7, lines 17-18 "a client requests service from service provider 3 as part of Step 31"); 
in response to the request:

capturing user interface data for the user interface (col. 7, lines 17-18 "a client requests service from service provider 3 as part of Step 31"); 
receiving, from the data subject, a unique subject identifier (col. 8, lines 41-64 "the symmetric key ... encrypted with the patient's public key"); 
electronically storing the unique subject identifier, the unique consent receipt key, and a unique transaction identifier associated with the transaction in computer memory (col. 8, lines 41-64 "stored in a transaction record … a transaction ID … the symmetric key … encrypted with the patient’s public key … the symmetric key … encrypted with the service provider’s public key”);
electronically associating the unique subject identifier, the unique consent receipt key, and the unique transaction identifier (col. 8, lines 41-64 "stored in a transaction record”); and 
transmitting a consent receipt to the data subject, the consent receipt comprising at least the unique subject identifier and the unique consent receipt key (col. 7, lines 27-29 "The trusted information broker consolidates this information and presents it to the client as part of Step 35").

Awaraji does not disclose 
accessing a webpage hosting the user interface using a virtual browser during a virtual browsing session; 
capturing user interface data for the user interface during the virtual browsing session, wherein the user interface data indicates at least one of a selection or a text entry made by the data subject via the user interface to provide the consent; and
modifying the unique consent receipt key to include the underlying computer code.

Dotan teaches 
accessing a webpage hosting the consent capture mechanism using a virtual browser during a virtual browsing session (col. 7, lines 19-28 “capture rendered web pages … produced by the virtual web browser 82”); 
capturing user interface data for the user interface during the virtual browsing session, wherein the user interface data indicates at least one of a selection or a text entry made by the data subject via the user interface to provide the consent (col. 7, lines 32-39 “the cursor data might indicate the user 46 clicked at … a radio button associated with a particular account”, col. 7, lines 55-59 “the user 46 may enter text”).

It would have been obvious at the time of filing to identify and capture data from the user interface (Dotan col. 7, lines 19-28 “capture rendered web pages”, Awaraji col. 8, lines 41-65 “stored in a transaction record”) including at least a selection or text entry (Dotan col. 7, lines 32-39 “a radio button associated with a particular account”, col. 7, lines 55-59 “the user 46 may enter text”) and to modify the consent receipt with the data (Awaraji col. 8, lines 41-65 “stored in a transaction record”). Those of ordinary skill in the art would have been motivated to do so as a known means of collecting user input which would have produced only the expected results and would have allowed for additional documentation of the consent (see e.g. Awaraji col. 8, lines 13-15 “audit trail”).

Claim 18: Awaraji and Dotan teach the method of Claim 17, the method further comprising: 
identifying at least one second entity associated with the transaction (e.g. col. 9, lines 6-14 “store a reference to … any service providers permitted to access the transaction data”, Fig. 2, Service Provider #2); and 
transmitting the consent receipt to the at least one second entity (col. 6, lines 55-59 “the service provider is … given access to any information to which the service provider has been granted access”, col. 8, lines 44-45 “this symmetric key is transmitted … as part of the authorization”).

Claim 19: Awaraji and Dotan teach the method of Claim 17, the method further comprising: 

transmitting the consent receipt to the vendor (col. 6, lines 55-59 “the service provider is … given access to any information to which the service provider has been granted access”).

Claim 20: Awaraji and Dotan teach the method of Claim 18, wherein the request to initiate the transaction includes consent to the use of the vendor by the entity as part of the transaction (col. 6, lines 36-40 “the service provider”).

Claims 21 and 24: Awaraji and Dotan teach the method of Claims 1 and 17, wherein the virtual browsing session is different than a browsing session being used by the data subject to access the webpage (see e.g. Dotan fig. 1, “Browser window” 68, “Virtual Browser” 82).

Claim 23: Awaraji and Dotan teach the method of Claim 10, wherein the consent receipt capture server is different computing hardware than computing hardware being used by the data subject to access the webpage (see e.g. Awaraji fig. 1, “Client (Patient)”, “Trusted Information Broker”).

Claims 22 and 25 are rejected under 35 U.S.C. 103 as being unpatentable over US 8,589,183 to Awaraji et al. (Awaraji) in view of US 8,677,472 to Dotan et al. (Dotan) in view of US 2005/0198646 to Kortela (Kortela).

Claims 22 and 25: Awaraji and Dotan teach the method of Claims 1 and 17, but do not explicitly teach: 
identifying a particular web browser utilized by the data subject to access the webpage; and 
initializing the virtual browsing session using an identical web browser to the particular web browser.

Kortela teaches identifying a particular web browser (par. [0006] “reading electronic data … identifying the browser”); and 
initializing the virtual browsing session using an identical web browser to the particular web browser (par. [0006] “implementing a virtual browser and appropriate for the identified browser”).

It would have been obvious at the time of filing to identifying and initialize the virtual browsing session using an identified web browser (Kortela par. [0006] “implementing a virtual browser and appropriate for the identified browser”, Dotan col. 7, lines 19-28 “capture rendered web pages … produced by the virtual web browser 82”). Those of ordinary skill in the art would have been motivated to do so because “each browser has to be separately taken into account” (Kortela par. [0004]).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON D MITCHELL whose telephone number is (571)272-3728. The examiner can normally be reached Monday through Thursday 7:00am - 4:30pm and alternate Fridays 7:00am 3:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lewis Bullock can be reached on (571)272-3759. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JASON D MITCHELL/Primary Examiner, Art Unit 2199