DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


The claims herein are directed to a method which would be classified under one of the listed statutory classifications (i.e., 2019 Revised Patent Subject Matter Eligibility Guidance (hereinafter “PEG”) “PEG” Step 1=Yes). Claims 1-21 are rejected under 35 U.S.C. 101 because the claimed invention is directed to abstract idea without significantly more. The claim(s) recite(s) the following limitations that are considered to be abstract ideas:
Claims 1, 11, and 21
receive a privacy risk score associated with the requesting device, the privacy risk score characterizing a degree of cyber risk for sharing data with the requesting device at a current time;
receive initial privacy settings for the user in response to presenting the privacy risk score, the initial privacy settings identifying an initial range of desired privacy characterizing the user data allowable for sharing with the requesting device; 
automatically determine and present a reward incentive based on the privacy risk score and the initial privacy settings associated with sharing additional user data with the requesting beyond that identified by the initial privacy settings, the reward incentive being correlated to a degree of the additional user data shared;
upon receiving an override indication overriding the initial privacy settings to accept the reward incentive and thereby allow sharing of the additional user data beyond the initial range, then:
determine updated privacy settings based on the override indication;
dynamically manage sharing of the user data with the requesting to limit to that allowed based on the updated privacy settings.
 	The limitations of independent claim 1, 11, and 21, as detailed above, as drafted, falls within the “Certain Method of Organizing Human Activity” grouping of abstract ideas namely “advertising, marketing or sales activities or behaviors” the claims merely receive data, analyze the data, determine a result, transmit tailored content to the user based on the result, receive additional information, analyze the additional information, determine a result, and transmit data to an advertiser. Accordingly, the claims recite an abstract idea (i.e. “PEG” Revised Step 2A Prong One=Yes). 	This judicial exception is not integrated into a practical application. In particular the claims recites the additional elements of using a device, GUI, computing device, and I/O device, computer readable medium, processor, and memory. The aforementioned additional generic computing elements perform the steps of the claims at a high level of generality (i.e. As a generic medium performing generic computer function of receiving, determining, and managing ) such that it amounts no more than mere instructions to apply the exception using a generic computer component. The claims does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements above do not integrate the abstract idea/judicial exception into a practical application because it does not impose any meaningful limits on practicing the abstract idea. More specifically, the additional elements fail to include (1) improvements to the functioning of a computer or to any other technology or technical field (see MPEP 2106.05(a)), (2) applying or using a judicial exception to effect a particular treatment or prophylaxis for a disease or medical condition (see Vanda memo), (3) applying the judicial exception with, or by use of, a particular machine (see MPEP 2106.05(b)), (4) effecting a transformation or reduction of a particular article to a different state or thing (see MPEP 2106.05(c)), or (5) applying or using the judicial exception in some other meaningful way beyond generally linking the use of the judicial exception to a particular technological environment, such that the claim as a whole is more than a drafting effort designed to monopolize the exception (see MPEP 2106.05(e) and Vanda memo). Rather, the limitations merely add the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea (see MPEP 2106.05(f)), or generally link the use of the judicial exception to a particular technological environment or field of use (see MPEP 2106.05(h)). 	Thus, the claim is “directed to” an abstract idea (i.e. “PEG” Revised Step 2A Prong Two=Yes)
 	Step 2B: The claim does not include additional elements that are sufficient to
amount to significantly more than the judicial exception. As discussed above with respect to
integration of the abstract idea into a practical application, the additional elements of device, GUI, computing device, I/O device, computer readable medium, processor, and memory, amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept.
 	“Generic computer implementation” is insufficient to transform a patent-ineligible
abstract idea into a patent-eligible invention (See Affinity Labs, _F.3d_, 120 U.S.P.Q.2d 1201
(Fed. Cir. 2016), citing Alice, 134 S. Ct. at 2352, 2357) and more generally, “simply appending
conventional steps specified at a high level of generality” to an abstract idea does not make that
idea patentable (See Affinity Labs, _F.3d_, 120 U.S.P.Q.2d 1201 (Fed. Cir. 2016), citing Mayo,
132 S. Ct. at 1300). Moreover, “the use of generic computer elements like a microprocessor or
user interface do not alone transform an otherwise abstract idea into patent-eligible subject
matter (See FairWarning, 120 U.S.P.Q.2d. 1293, citing DDR Holdings, LLC v. Hotels.com, L.P.,
773 F.3d 1245, 1256 (Fed. Cir. 2014)). As such, the additional elements of the claim do not add a
meaningful limitation to the abstract idea because they would be generic computer functions in
any computer implementation. Thus, taken alone, the additional elements do not amount to
significantly more than the above-identified judicial exception (the abstract idea). Looking at the
limitations as an ordered combination adds nothing that is not already present when looking at
the elements taken individually. There is no indication that the combination of elements
improves the functioning of the computer or improves any other technology. Their collective
functions merely provide generic computer implementation.
 	The Examiner notes simply implementing an abstract concept on a computer, without
meaningful limitations to that concept, does not transform a patent-ineligible claim into a patent eligible one (See Accenture, 728 F.3d 1336, 108 U.S.P.Q.2d 1173 (Fed. Cir. 2013), citing
Bancorp, 687 F.3d at 1280), limiting the application of an abstract idea to one field of use does
not necessarily guard against preempting all uses of the abstract idea (See Accenture, 728 F.3d
1336, 108 U.S.P.Q.2d 1173 (Fed. Cir. 2013), citing Bilski, 130 S. Ct. at 3231), and further the
prohibition against patenting an abstract principle “cannot be circumvented by attempting to
limit the use of the [principle] to a particular technological environment” (See Accenture, 728
F.3d 1336, 108 U.S.P.Q.2d 1173 (Fed. Cir. 2013), citing Flook, 437 U.S. at 584), and finally
merely limiting the field of use of the abstract idea to a particular existing technological
environment does not render the claims any less abstract (See Affinity Labs, _F.3d_, 120
U.S.P.Q.2d 1201 (Fed. Cir. 2016), citing Alice, 134 S. Ct. at 2358; Mayo, 132 S. Ct. at 1294;
Bilski v. Kappos, 561 U.S. 593, 612 (2010); Content Extraction & Transmission LLC v. Wells
Fargo Bank, Nat’l Ass’n, 776 F.3d 1343, 1348 (Fed. Cir. 2014); buySAFE, Inc. v. Google, Inc.,
765 F.3d 1350, 1355 (Fed. Cir. 2014). 	Applicant herein recites a general purpose computer and general purpose
computing components (as evidenced from [0012] of the applicant’s specification for example, “requesting device selected from a group comprising: a mobile device; an 
augmented reality device; a virtual reality device; a personal computer; a server hosting one or more websites; an internet of things (loT) device; and a personal digital assistant...” and at [0076], “Instructions may be executed by one or more processors, such as one or more general purpose microprocessors, application specific integrated circuits (ASICs), field programmable logic arrays (FPGAs), digital signal processors (DSPs), or other similar integrated or discrete logic circuitry. The term "processor," as used herein may refer to any of the foregoing examples or any other suitable structure to implement the described techniques. In addition, in some aspects, the functionality described may be provided within dedicated software modules and/or hardware, and at [0034] that the input and output devices are general purpose input and output devices.
 	 Finally, the following limitations, if removed from the abstract idea, would be considered insignificant extra solution activity as they are directed to merely receiving, storing and/or transmitting data:
Claims 1, 8 and 15
receive a privacy risk score associated with the requesting device, the privacy risk score characterizing a degree of cyber risk for sharing data with the requesting device at a current time;
receive initial privacy settings for the user via a graphical user interface (GUI) of the I/O device in response to presenting the privacy risk score on the GUI, the initial privacy settings identifying an initial range of desired privacy characterizing the user data allowable for sharing with the requesting device; 
            Thus, taken individually and in combination, the additional elements do not amount to
significantly more than the above-identified judicial exception (the abstract idea). (i.e. “PEG”
Step 2B=No) 	The dependent claims 2-10, 12-20 appear to merely further limit the abstract idea and  as such, the analysis of dependent claims 2-10, 12-20 results in the claims “reciting” an abstract idea (i.e. “PEG” Revised Step 2A Prong One=Yes), the claims do not recited additional elements that integrate the exception into a practical application (i.e. “PEG” Revised Step 2A Prong Two=Yes) the additional elements do not amount to an inventive concept (significantly more) other than the above-identified judicial exception (the abstract idea). (i.e. “PEG” Step 2B=No). 	Thus, based on the detailed analysis above, claims 1-21 are not patent eligible.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1-21 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Lavine et al. (US 2021/0390196).

 	Claim 1, 11, 21  Lavine discloses a computing device having a processor coupled to a memory and coupled to an I/O device for managing sharing of user data associated with a user via the computing device when interacting online with a requesting device, the memory storing instructions, which when executed by the processor configure the computing device to: 	 receive a privacy risk score associated with the requesting device, the privacy risk score characterizing a degree of cyber risk for sharing data with the requesting device at a current time;  (see for example [0174], a privacy score . In some embodiments, privacy score may be associated with the access rights and permission settings the user has specified. In some embodiments, privacy score is used as a component of an overall user score calculation. In some embodiments, privacy score may display multiple privacy scores based on different user data types. For example, a user may have different privacy scores for their PII and their profiling data based upon the access rights and permission settings they provided to the blockchain consent network.)
 	receive initial privacy settings for the user via a graphical user interface (GUI) of the I/O device in response to presenting the privacy risk score on the GUI, the initial privacy settings identifying an initial range of desired privacy characterizing the user data allowable for sharing with the requesting device; ([0174, discloses displaying a privacy score based on access rights and permission setting the user has specified, figure 9., [0054] privacy settings)(applicant’s specification states that a privacy range is merely user data) using broadest reasonable interpretation Lavine discloses at [0054] privacy settings define what types of profile data may be used)
 	automatically determine and present on the GUI, a reward incentive based on the privacy risk score and the initial privacy settings associated with sharing additional user data with the requesting device beyond that identified by the initial privacy settings, the reward incentive being correlated to a degree of the additional user data shared; ( see for example [0173 and specifically [0180] where rewards are based on scores (see fig 9.)  the score(s) may serve to indicate people who are actively engaged with brands, may reflect the recency of information, and/or it may serve to scale rewards based on completeness of information shared overall or to specific brands. [0191] the rewards are displayed on the user interface)
 	upon receiving an override indication from the GUI overriding the initial privacy settings to accept the reward incentive and thereby allow sharing of the additional user data beyond the initial range,( see for example [0052, 0103] a user may update data in the data vault associated with a Company, such as permission data (consent, revoke), compliance data, status data, contact data, or the like, also at [0164 -0166],  data preferences 702 may include interactive display elements enabling a user to specify consent to the system. In some embodiments, data preferences 702 may enable the user to specify access rights that are application for all enterprises throughout the system.) then:
 	determine updated privacy settings based on the override indication; ([0166 and 0184], specifically 0184 that discloses specifying access rights and permission settings via the UIs discussed herein. Therefore, the user may associate a consent, e.g., implemented via a consent token recorded to a blockchain, that indicates that a user has consented to the use of the data type) and
 	dynamically manage sharing of the user data with the requesting device to limit to that allowed based on the updated privacy settings. ([0166 and 0184], limits the data by revoking access)

 	Claims 2,12: Lavine discloses the device of claim 1 wherein managing sharing of the user data to limit to that allowed comprises the processor being further configured to: limit to only selected one or more data types defined by the updated privacy settings. ([0113], consent token includes data type information. Also see [0135])

 	Claim 3, 13: Lavine discloses the device of claim 1 further comprising the reward incentive determined further based on a pre-defined value associated with each type of the user data shared online. ([0017, 0173], a user's score may reflect a value placed on the user's profile generally, value assigned to one or more data types contained in the profile, value assigned to a specific data set in the user's profile, value assigned to the user's data by a specific brand partner,)

 	Claims 4, 14:  Lavine discloses device of claim 1, wherein the reward incentive is a digital asset selected from a group comprising: loyalty points, rewards points, cryptocurrency, and cash. ([0016, 0173], cryptocurrency)

 	Claims 5, 15: Lavine discloses the device of claim 2 wherein the data type of the user data is selected from a possible set of types comprising: online presence information, user name, social insurance number, date of birth, and identification information from the user data that is allowable for sharing online. ([0063, 0102], username)

 	Claims 6, 16: Lavine discloses the device of claim 2, wherein in response to interacting online with the requesting device, the processor is further configured to:
  	obtain the privacy risk score for the requesting device from an intermediary device in communication with the computing device and the requesting device, the privacy risk score dependent upon at least one of: a device type for the requesting device and a location of the requesting device relative to the computing device; [0052, 0110] and
 	wherein dynamically managing sharing of the user data to limit to only the selected one or more data types based on the updated privacy settings is further permitted based on the privacy risk score being below a defined threshold to permit said sharing. ([0166 and 0184], limits the data by revoking access)

 	Claims 7, 17: Lavine discloses the device of claim 6 wherein if the privacy risk score is below the defined 25 threshold but above a second defined threshold, the processor is further configured to: 
 	adjust the sharing of the user data defined by the updated privacy settings to further limit to only a subset of the selected one or more data types. ([0007], consent to only a subset of data types)

 	Claims 8, 18: Lavine discloses the device of claim 6, wherein the requesting device is a device connected online to the computing device and configured to request the user data while  interacting online, the requesting device selected from a group comprising: a mobile device; an augmented reality device; a virtual reality device; a personal computer; a server hosting one or more websites; an internet of things (loT) device; and a personal digital assistant. ([0134], mobile device)

 	Claims 9, 19: Lavine discloses the device of claim 1, wherein the processor is further configured for updating the initial privacy settings subsequent to the current time based on: obtaining a behaviour map for the user associated with the user data over a past time period from the current time, the behaviour map characterizing online sharing activity of prior user data and comprising a set of past data types shared and indicating a number of times the set of past data types have  been shared online in the past time period; and; updating the initial privacy settings in real-time based on the behaviour map and thereby the reward incentive.([0115], data vault is a structured data storage architecture which implements historical tracking. In some embodiments, data vault contains a set of uniquely linked tables. In some embodiments, the linkage information of the set of uniquely linked tables is stored outside the data vault. For example, there may be a linkage database that stores linkage information between different data types of user data.. the linked table of Lavine is equivalent to a behavioral map, since it includes tracking data of the user)

 	Claims 10, 20: Lavine discloses the device of claim 9 wherein the processor is further configured to automatically update the initial privacy settings further based on: retrieving a set of attributes characterizing the user; determining at least one other user of another computing device having a profile with attributes similar to the user; obtaining a second behaviour map for the at least one other user over a second past time period, the second behaviour map comprising a second set of past data types shared online by the at least one other user during the second past time period; and further updating the initial privacy settings based on the second behaviour map.( [0115 and 0178])

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
 	Mahaffey et al. (US 2016/0099963) - determining an enterprise risk level, for sharing security risk information between enterprises by identifying a security response by a first enterprise and then sharing the security response to a second enterprise when a relationship database profile for the first collection indicates the security response may be shared. 	Heath – (US 2013/0268357) - system to provide an online and/or mobile security of a user's privacy and/or security method of internet or mobile access or system, apparatus, computer readable medium, or system using encryption technologies and/or filters to access data, encrypt and/or decrypt data, sync data, secure data storage and/or process data using cloud technology across many different networks and/or fiber optic communications from an endpoint accessed through multiple devices, browsers, operating systems
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DARNELL A POUNCIL whose telephone number is (571)270-3509. The examiner can normally be reached Monday - Friday 10:00 - 6:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Abhishek Vyas can be reached on (571) 270-1836. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/D.A.P/Examiner, Art Unit 3621                                                                                                                                                                                                        
/John Van Bramer/Primary Examiner, Art Unit 3621