Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

1.	Applicant’s amendment filed 09/08/2022 is entered. Claim 9 is canceled. New claims 1-22 depending from claim 1 are added. Claims 1, 4-5, 8,10, 11, 14-15, 18-19 and 20 are currently amended. Claims 1, 11 and 20 are independent claims. Claims 2-8, 10, 21-22  depend from claim 1, claims 12-19 depend from claim 11. Claims 1-8, 10-22 are pending for examination.
	This is a Final Rejection.

Response to Arguments
2.1.	Applicant's arguments filed 09/8/2022 with regards to rejection of claims 1-19 under 35 USC 101 directed to an abstract idea without significantly more,  have been fully considered but they are not persuasive for following reasons.
	Examiner respectfully disagrees with the Applicant’s arguments, “ it is clear from amended claim 1 that the claim is directed to managing user interactions with an online store. Claim 1 provides a solution to the problem of managing user interactions and obtaining user consent to privacy settings at an online store, which is a problem necessarily rooted in technology. As previously explained, ensuring user privacy and obtaining clear user consent to privacy settings at an online resource, such as an online store, has become a prominent concern in recent years. There is no non-computer equivalent to this problem, because there is no non-computerized way for a physical store to collect a customer’s personal data without the customer being explicitly aware of this data collection (and thus having the explicit opportunity to provide consent or not),”  because managing user interactions using a generic computer does not result in improving a problem related to technology as the limitations are drafted,  but the use of generic computer for generic user interactions for receiving inputs/data or transmitting data including consent related to privacy data of the user are recited at a high level of generality that is as a general means of receiving/collecting information from a user and providing information in response and amount to mere data gathering, which is a form of insignificant extra‐solution activity.  The arguments “In contrast, a user’s personal data (such as IP address, geographical location, etc.) can be easily collected during online interactions without the user being explicitly aware of this collection. problem is uniquely found in online environments, there have been the need for governments to put in place regulations, such as the General Data Protection Regulation (GDPR) in Europe, that place requirements on online service providers to clearly communicate privacy settings to users and obtain explicit user consent to privacy settings. If this problem was not unique to online environments and online interactions, there would be no need for such regulations”, are not relevant to the drafted limitations of claim 1 because the expectations and reasonings described herewith are not part of any computer steps/functions in the claim as drafted.
	Examiner respectfully disagrees with the Applicant’s arguments, “ the Applicant submits that claim 1 is “necessarily rooted in technology”, similar to the claims found to be patent eligible in DDR Holdings, LLC v. Hotels.com L.P. at least because: “they do not merely recite the performance of some business practice known from the pre-Internet world along with the requirement to perform it on the Internet. Instead, the claimed solution is necessarily rooted in computer technology in order to overcome a problem specifically arising in the realm of computer networks. Further, the Applicant submits that claim 1 recites elements that integrate the claim into a practical application. For example, claim 1 recites elements that involve obtaining user consent or updated user consent, and permitting user interaction at the online store responsive to obtaining the user consent. The transmission of a notification including information about a change to the privacy settings at the online store and including an option to provide updated user consent is not merely extra- solution activity, but rather is an integral part of the solution. That is, the transmission of the notification is the manner in which the required updated user consent is obtained, and the user interaction at the online store is permitted responsive to having obtained the updated user consent as a result of the notification. As such, claim 1 recites elements that limit the claim to a practical application and does not attempt to monopolize an abstract idea. Therefore, claim 1 is not directed to a judicial exception and should be patent eligible under at least Step 2A, Prong Two.”, because DDR has no applicability here. Unlike the claims in the instant application, the claims at issue here specify how interactions with the Internet are manipulated to recite a specific way to automate the creation of a composite web page by an “outsource provider” that incorporates elements from multiple sources in order to solve a problem faced by websites on the Internet. The claims in the instant Application describe generic functions being implemented by a generic computer including interactions comprising receiving data and transmitting data to a user related to his privacy , receiving permission to use his personal data of privacy or incorporating changes to his privacy conditions, which merely describes using a generic computer how to generally “apply” the generic functions amounting to non-significant activity  in a generic or general purpose vehicle control environment.  The computer component is recited at a high level of generality and is merely automates the interacting steps step.  Accordingly, even in combination, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea.  The claim is directed to the abstract idea.
	Examiner further respectfully disagrees with the Applicant’s arguments, “ Even if, arguendo, claim 1 were not found to be patent eligible under Step 2A of the patent eligibility analysis, the Applicant submits that claim 1 should be found patent eligible at least under Step 2B. The Office Action asserts that claims 1-19 do not include additional elements that are sufficient to amount to significantly more than the judicial exception. In particular, the Office Action asserts that “the transmitting step is well-understood, routine, conventional activity”. The Applicant respectfully disagrees. The subject matter of claim 1 provides improvements in the functioning of a computer, or other technology or technical field, over existing art; or adds a specific limitation other than what is well-understood, routine, conventional activity in the field, or adds unconventional steps that confine the claim to a particular useful application. The Applicant’s claim 1 includes elements that are inventive over existing technologies (e.g., as illustrated at least inventiveness over the art cited under 35 U.S.C. 102 and 103, discussed below). These unconventional features further apply the claimed subject matter to a particular useful application. MPEP 2106.05(a) provides the guidance: An indication that the claimed invention provides an improvement can include a discussion in the specification that identifies a technical problem and explains the details of an unconventional technical solution expressed in the claim, or identifies technical improvements realized by the claim over the prior art. For example, in McRO, the court relied on the specification’s explanation of how the particular rules recited in the claim enabled the automation of specific animation tasks that previously could only be performed subjectively by humans, when determining that the claims were directed to improvements in computer animation instead of an abstract idea. MPEP in the same section also offers the caution: “When performing this evaluation, examiners should be "careful to avoid oversimplifying the claims" by looking at them generally and failing to account for the specific requirements of the claims.” In view of the foregoing, the Applicant submits that the claim 1 is directed to patent eligible subject matter. For similar reasons, the Applicant submits that independent claims 11 and 20, and all the dependent claims, are also patent eligible. Therefore, the Applicant respectfully asks that the rejection under 35 U.S.C. 101 be withdrawn.”, because as per “2019 PEG Guidelines as discussed with respect to Step 2A Prong Two, the additional elements in the claim amount to no more than insignificant extra‐solution activity. Under the 2019 PEG, a conclusion that an additional element is insignificant extra‐solution activity in Step 2A should be re‐evaluated in Step 2B. Here, the transmitting steps were considered to be extra‐solution activity in Step 2A, and thus they are re‐evaluated in Step 2B to determine if they are more than what is well‐understood, routine, conventional activity in the field. The background recites that the processor device or a user’s device is anything other than a conventional computer within a vehicle.  MPEP 2106.05(d)(II), and the cases cited therein, including Intellectual Ventures I, LLC v. Symantec Corp., 838 F.3d 1307, 1321 (Fed. Cir. 2016), TLI Communications LLC v. AV Auto. LLC, 823 F.3d 607, 610 (Fed. Cir. 2016), and OIP Techs., Inc., v. Amazon.com, Inc., 788 F.3d 1359, 1363 (Fed. Cir. 2015), indicate that mere collection or receipt of data over a network is a well‐understood, routine, and conventional function when it is claimed in a merely generic manner (as it is here).  Further, the Federal Circuit in Trading Techs. Int’l v. IBG LLC, 921 F.3d 1084, 1093 (Fed. Cir. 2019), and Intellectual Ventures I LLC v. Erie Indemnity Co., 850 F.3d 1315, 1331 (Fed. Cir. 2017), for example, indicated that the mere transmitting, receiving, displaying, and processing data is a well understood, routine, and conventional function.  Accordingly, a conclusion that the transmitting step is well‐understood, routine, conventional activity is supported under Berkheimer.  Step 2B=NO. Pending current claims are patent ineligible and rejection of pending claims 1-8, 10-22 under 35 USC 101 is maintained.

2.2	Applicant's arguments filed 09/8/2022 with regards to rejection of claims 1-7, 9-17, and 19-20 under 35 USC 102 (a)(1) and rejection of claims 8 and 18 under 35 USC 103,  have been fully considered but are moot because the new ground of rejection is based on new limitations and amendments added to independent claims 1, 11, and 20 and other dependent claims 4-5, 8, 10, 14-15, 18-19.


Claim Rejections - 35 USC § 101
3.	35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-8, 10-22 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more, when analyzed per “2019 PEG”. 
	Step 1 analysis: 
Claims 11-19 are to a process comprising a series of steps, clams 1-8, 10 and 21-22 to a system /apparatus, and claim 20 to a manufacture, which are statutory (Step 1: Yes).
	Step 2A Analysis:
Currently Amended claim 1 recites:
1. (Currently amended) A system comprising: 
a processing device in communication with a storage, the processing device configured to execute instructions to cause the system to: 
	receive a first request to carry out a first user interaction associated with a user at a first online store; 
manage the first user interaction by: 
	obtaining user consent to privacy settings at the first online store; 
            storing, in a user profile associated with the user, a first timestamp associated 
with the user consent to the privacy settings at the first online store; and 
             permitting the first user interaction at the first online store; 
receive a second request to carry out a second user interaction associated with the user at the first online store; 
manage the second user interaction by: 
determining, from the user profile associated with the user, the first timestamp associated with the user consent to the privacy settings at the first online store; 
determining at least one change to the privacy settings at the first online store that lacks user consent by determining that the first timestamp is older than a second timestamp of a logged entry in a settings log, the logged entry indicating the at least one change to the privacy settings at the first online store; 
obtaining  updated user consent to the privacy settings at the first Page 2 of 20online store by:
 transmitting a notification to a device associated with the user indicating the at least one change, the notification including information about the at least one change to the privacy settings at the first online store and including an option to provide updated user consent to the at least one change; and 
receiving input providing updated user consent to the at least one change;
updating  the user profile to include a third timestamp associated with the updated user consent; and 
 responsive to obtaining the updated user consent, permitting the second user interaction at the first online store.  


Step 2A Prong 1 analysis: Claims 1-8, 10-22 recite abstract idea.
The highlighted limitations in claim 1 comprising “receive a first request to carry out a first user interaction associated with a user at a first online store; manage the first user interaction by: obtaining user consent to privacy settings at the first online store; permitting the first user interaction at the first online store; receive a second request to carry out a second user interaction associated with the user at the first online store; manage the second user interaction by: determining, from the user profile associated with the user, the first timestamp associated with the user consent to the privacy settings at the first online store; determining at least one change to the privacy settings at the first online store that lacks user consent by determining that the first timestamp is older than a second timestamp of a logged entry in a settings log, the logged entry indicating the at least one change to the privacy settings at the first online store; updating  the user profile to include a third timestamp associated with the updated user consent; and  responsive to obtaining the updated user consent, permitting the second user interaction at the first online store”, as drafted, relates to a process of a user accessing an online store for conducting  transactions subject to receiving the user’s privacy settings and to see when conducting later transactions that the timestamps and the user’s permission is still there which is related to commercial activity falling within, “Certain Methods of Organizing Human Activity” abstract idea. 
The limitations comprising “determining, from the user profile associated with the user, the first timestamp associated with the user consent to the privacy settings at the first online store; determining at least one change to the privacy settings at the first online store that lacks user consent by determining that the first timestamp is older than a second timestamp of a logged entry in a settings log, the logged entry indicating the at least one change to the privacy settings at the first online store; updating  the user profile to include a third timestamp associated with the updated user consent; and  responsive to obtaining the updated user consent, permitting the second user interaction at the first online store”, under their broadest reasonable interpretation, cover performance of the limitations in the mind but for the recitation of “by a processing device” and that the store is “an online store”.  That is, other than reciting “by a processing device” and that the store is “an online store”, nothing in the claim elements precludes the steps from practically being performed in the mind.   For example, but for the “by the processing device” and :an online store” language, the claim encompasses a person looking at collected and stored data related to a user’s privacy settings old and current and determine if any changes are there in the current and old privacy settings and if so inform the user for updating the privacy settings collected and including simple evaluation and forming a simple judgement.  The mere nominal recitation of by a processing device does not take the claim limitations out of the mental process grouping.    Thus, the claim recites a mental process.   
Thus, the claim 1 recites abstract ideas falling within “Certain Methods of Organizing Human Activity” and  “Mental Process”.  Since dependent claims 2-8, 10, 21-22 include all the limitations of base claim 1 discussed above, they recite “Certain Methods of Organizing Human Activity” and  “Mental Process”. .Limitations of claims 11-19 are similar to claims 1-8, 10.  Accordingly, claims 11-19 are analyzed based on the same rationale established for claims 1-8, 10, and they recite abstract idea. Limitations of claim 20 are similar to claim 1. Accordingly, claim 20 is analyzed based on the same rationale established for claim 1, and it recites abstract ideas.
Step 2A, prong one=Yes. Claims 1-8, 10-22 recite abstract idea.
Step 2A, prong two analysis:  Claims 1-8, 10-22: The judicial exception is not integrated into a practical application.
The claim 1 recites additional element of transmitting a notification to a device associated with the user indicating the at least one change, the notification including information about the at least one chance to the privacy settings at the first online store and including an option to provide user consent to the at least one change. The transmitting step is recited at a high level of generality (i.e. as a general means of communicating data related a change in the privacy settings/rules at an store to a user and including an option to provide his acceptance), and amounts to mere data communicating, which is a form of insignificant extra‐solution activity.  The receiving steps of a first and second requests and inputs for updated consent of the changes to privacy settings , obtaining steps of user consent and updated user consent are recited at a high level of generality (i.e. as a general means of collecting  data related to user’s requests and obtaining user’s permission to his privacy settings to allow him conduct interactions/transactions at an online store ) and amount to mere data gathering, which is a form of insignificant extra‐solution activity. The storing step is also recited at a high level of generality (i.e. as a general means of gathering and storing data related to the user’s consent for his privacy settings ), and amounts to mere post solution storing, which is a form of insignificant extra‐solution activity. The processing device in communication with an online store merely describes how to generally “apply” the determining and updating steps the otherwise mental process in a generic or general-purpose computer environment.  The processing device in communication with an online store is recited at a high level of generality and is merely automates the determining and updating data steps. The receiving, storing, obtaining, storing and communication with an online store are  a well-understood activity which do not reflect an improvement in the functioning of a computer, or an improvement to other technology or technical field; See MPEP 106.05(a). step.  Accordingly, even in combination, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. The claim 1 is directed to the abstract idea. Since the other independent claims 11 and 20 recite similar limitations to those of claim 1, they are analyzed on the basis of same rationale as established for claim 1 and are directed to abstract idea.
Dependent claims 2-3, and 12-13 are directed to describing the type of change which is a non-functional descriptive subject matter, claims 3-8, 10, 21-22 and 13-18, 19 are mere extension of the limitations of claims 1 and 11 in a generic or general-purpose computer environment. Accordingly, even in combination, these additional elements of dependent claims 2-10 and 11-19 do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. 
	Step 2A, prong two= Yes. Claims 1-8, 10-22 are directed to abstract idea.

Step 2B analysis:	The claims 1-8, 10-22 do not include additional elements that are sufficient to amount to significantly more than the judicial exception.
As discussed with respect to Step 2A Prong Two, the additional elements in the claim amount to no more than insignificant extra‐solution activity. Under the 2019 PEG, a conclusion that an additional element is insignificant extra‐solution activity in Step 2A should be re‐evaluated in Step 2B. The receiving, obtaining, storing, and the transmitting steps were considered to be extra‐solution activity in Step 2A, and thus they are re‐evaluated in Step 2B to determine if they are more than what is well‐understood, routine, conventional activity in the field. The background recites that the processor device or a user’s device is anything other than a conventional computer within a vehicle.  MPEP 2106.05(d)(II), and the cases cited therein, including Intellectual Ventures I, LLC v. Symantec Corp., 838 F.3d 1307, 1321 (Fed. Cir. 2016), TLI Communications LLC v. AV Auto. LLC, 823 F.3d 607, 610 (Fed. Cir. 2016), and OIP Techs., Inc., v. Amazon.com, Inc., 788 F.3d 1359, 1363 (Fed. Cir. 2015), indicate that mere collection or receipt of data over a network is a well‐understood, routine, and conventional function when it is claimed in a merely generic manner (as it is here).  Further, the Federal Circuit in Trading Techs. Int’l v. IBG LLC, 921 F.3d 1084, 1093 (Fed. Cir. 2019), and Intellectual Ventures I LLC v. Erie Indemnity Co., 850 F.3d 1315, 1331 (Fed. Cir. 2017), for example, indicated that the mere transmitting, receiving, displaying, storing and processing data is a well understood, routine, and conventional function.  Accordingly, a conclusion that the transmitting step is well‐understood, routine, conventional activity is supported under Berkheimer.  The claims 1-8, 10-22 are ineligible.
Step 2B=NO. Claims 1-8, 10-22 are patent ineligible.

Claim Rejections - 35 USC § 103
4.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


4.1.	Claims 1-8, 10--22 are rejected under 35 U.S.C. 103 as being unpatentable over Brannon et al. [US20200175206A1; hereinafter Brannon.

Regarding claim 1, Branon teaches a system comprising: 
a processing device in communication with a storage, the processing device configured to execute instructions to cause the system to: receive a first request to carry out a first user interaction associated with a user at a first online store; manage the first user interaction by: obtaining user consent to privacy settings at the first online store; storing, in a user profile associated with the user, a first timestamp associated with the user consent to the privacy settings at the first online store; and  permitting the first user interaction at the first online store [See para 0019. Brannon discloses a computer implemented method including a processor  receiving request from one or more data subjects [correspond to claimed user(s)] for conducting transaction [which will include interaction on the provided use interface]  with an entity which can be an online store where the data subject wants to interact for managing a shopping cart [see paras 0304 and para 0574] and in this process the processor generates “ a unique respective consent receipt key, the unique respective consent receipt key comprising an indication of consent by each of the one Figs 41-42 which display a consent receipt including the time stamp including the date and time when the consent receipt was accepted by the data subject and this content receipt as shown in Fig.42 is stored  showing number of consent receipts [number of consent receipts stored correspond to a profile of the data subject’s profile and also see paras 0512—0513” …… in FIG. 40, the system is configured to generate a consent receipt that memorializes the user's provision of the consent (e.g., by virtue of the user submitting the form). FIG. 41 depicts an exemplary consent receipt 4100 in the form of a message transmitted to the data subject (e.g., via e-mail). As shown in this figure, the consent receipt includes, for example: (1) a receipt number (e.g., a hash, key, or other unique identifier); (2) what information was processed as a result of the user's consent (e.g., first and last name, email, company, job title, phone number, etc.); (3) one or more purposes of the processing (e.g., marketing information); (4) information regarding withdrawal of consent; (5) a link to withdraw consent; and (6) a timestamp at which the system received the consent (e.g., a time at which the user submitted the form in FIG. 40). ……[0513] FIG. 42 depicts an exemplary log of consent receipts 4200 for a particular transaction (e.g., the free trial signup described above). As shown in this figure, the system is configured to maintain a database of consent receipts that includes, for example, a timestamp of each receipt, a unique key associated with each receipt, a customer ID associated with each receipt (e.g., the customer's e-mail address), etc. In particular embodiments, the centralized data repository system described above may be configured to cross-reference the database of consent receipts (e.g., or maintain the database) in response to receiving the indication that a first party system has received, stored, and/or processed personal data (e.g., via the free trial signup interface) in order to confirm that the data subject has provided valid consent prior to storing the indication of the personal data’] which can represent received new or modified or updated concept receipts with new timestamps for a transaction. See also paras 0014, 0022 and 0539—0542 and Fig.55 cover these limitations ];
Though Brannon teaches receiving a number of requests for transactions and every time a new consent receipt with a new timestamp is created and stored and hence reads on the claimed limitation to receive a second request to carry out a second user interaction associated with the user at the first online store, but fails to explicitly disclose to manage the second user interaction determining, from the user profile associated with the user, the first timestamp associated with the user consent to the privacy settings at the first online store. However, Brannon further teaches that the system [see Figs.50--51 and paras 0524--0525] that for every new  transaction the system checks if the consent receipt including the time stamp is valid or not “   FIG. 50 depicts a user interface that includes additional data prompts for the user to respond to regarding the new transaction. As shown in FIG. 50, the system may be further configured to prompt the user to provide data regarding, for example: (1) what the retention period is for the personal data (e.g., how long the personal data will be stored in identifiable form, a period before anonymization of the personal data, etc.); and/or (2) a life span of the consent (e.g., a period of time during which the consent is assumed to be valid……FIG. 51 shows an exemplary user interface for selecting a processing activity in response to the user indicating that the new transaction is based on an existing processing activity. The user may, for example, use a drop-down menu to select a suitable existing processing activity.). Therefore, in view of Brannon’s description in Paras 0524--0525 and Figs.50--051 it would be obvious to an ordinary skilled in the art to have determined a time stamp before managing the request for second transaction  because to check, as discussed in Brannon Fig.50 and para 0524,  if the consent for  earlier timestamp is valid.
Brannon further teaches determining at least one change to the privacy settings at the first online store that lacks user consent by determining that the first timestamp is older than a second timestamp of a logged entry in a settings log, the logged entry indicating the at least one change to the privacy settings at the first online store; obtaining  updated user consent to the privacy settings at the first Page 2 of 20online store by:  transmitting a notification to a device associated with the user indicating the at least one change, the notification including information about the at least one change to the privacy settings at the first online store and including an option to provide updated user consent to the at least one change; and receiving input providing updated user consent to the at least one change; [See Brannon paras 0549—0552, Fig.57 and para 0667. Paras 0549--0552, “ …….. In particular embodiments, the system may, for example, be configured to cause a prior, validly received consent to expire in response to one or more triggering events such as: (1) a passage of a particular amount of time since the system received the valid consent (e.g., a particular number of days, weeks, months, etc.); (2) one or more changes to a purpose of the data collection for which consent was received (e.g., or one or more other changes to one or more conditions under which the consent was received; (3) one or more changes to a privacy policy associated with the consent; (3) one or more changes to one or more rules (e.g., laws, regulations, etc.) that govern the collection or demonstration of validly received consent; and/or (4) any other suitable triggering event or combination of events. In particular embodiments, such as any embodiment described herein, the system may be configured to link a particular consent received from a data subject to a particular version of a privacy policy, to a particular version of a web form through which the data subject provided the consent, etc. The system may then be configured to detect one or more changes to the underlying privacy policy, consent receipt methodology, etc., and, in response, automatically expire one or more consents provided by one or more data subjects under a previous version of the privacy policy or consent capture form.[0550] In various embodiments, the system may be configured to substantially automatically expire a particular data subject's prior provided consent in response to a change in location of the data subject. The system may, for example, determine that a data subject is currently located in a jurisdiction, country, or other geographic location other than the location in which the data subject provided consent for the collection and/or processing of their personal data. ……. the system may be configured to trigger a recapture of consent based on one or more differences between one or more rules or regulations in the new location and the original location from which the data subject provided consent. In some embodiments, the system may substantially automatically compare the one or more rules and/or regulations of the new and original locations to determine whether a recapture of consent is necessary…….[0551] ……. in response to the automatic expiration of consent, the system may be configured to automatically trigger a recapture of consent (e.g., based on the triggering event). The system may, for example, prompt the data subject to re-provide consent using, for example: (1) an updated version of the relevant privacy policy; (2) an updated web form that provides one or more new purposes for the collection of particular personal data; (3) one or more web forms or other consent capture methodologies that comply with one or more changes to one or more legal, industry, or other regulations……[0552] FIG. 57 depicts an exemplary Consent Expiration and Re-Triggering Module 5700 …… executing the Consent Expiration and Re-Triggering Module 5700, the system is configured to, beginning at Step S710, by determining that a triggering event has occurred…… the triggering event may include nay suitable triggering event such as, for example: (1) passage of a particular amount of time since a valid consent was received; (2) determination that a data subject for which the system has previously received consent is now located in a new jurisdiction, country, geographic location, etc.; (3) a change to one or more uses of data for which the data subject provided consent for the collection and/or processing; (4) a change to one or more privacy policies; and/or (5) any other suitable triggering event related to one or more consents received by the system.”, and Fig.42 and associated paragraph 0667 , “ FIG. 42 depicts an exemplary log of consent receipts 4200 for a particular transaction (e.g., the free trial signup described above). As shown in this figure, the system is configured to maintain a database of consent receipts that includes, for example, a timestamp of each receipt, a unique key associated with each receipt, a customer ID associated with each receipt (e.g., the customer's e-mail address), etc. In particular embodiments, the centralized data repository system described above may be configured to cross-reference the database of consent receipts (e.g., or maintain the database) in response to receiving the indication that a first party system has received, stored, and/or processed personal data (e.g., via the free trial signup interface) in order to confirm that the data subject has provided valid consent prior to storing the indication of the personal data. “. These disclosures of Brannon describe any change in the privacy settings of the data subject [user] and in determining so it prompts the data subject to provide a new consent receipt with new time stamp every time and thus reads on the claimed limitations.

Regarding claim 2, the limitations, “ The system of claim 1, wherein the at least one change is one or more of: a change to type of user data collected, a change to how collected data is shared, a change to how long collected data is stored, a change to which service provider is sharing collected data, or a change to how a service provider is sharing collected data”, are already covered in the analysis of claim 1 in describing what changes can trigger an updating of the consent receipt [see Brannon paras 0549 –0552].

Regarding claim 3, the limitations, “The system of claim 2, wherein the at least one change is a result of: an installation of an application associated with the first online store, an uninstallation of an application associated with the first online store, a change in privacy settings associated with an installed application associated with the first online store, or a change in configuration settings associated with the first online store. “are covered in the analysis of claim 1 [See Brannon para 0549] , specifically the limitations a change in data sharing of the privacy policy associated with the consent [the private policy is associated with an entity as an online store [see para 0374 and 0574 which describe that a data subject /visitor visits an entity such as online store.

Regarding claim 4, the limitations, “The system of claim 1, wherein the processing device is configured to execute instructions to further cause the system to: determine, from the user profile, whether the at least one change is indicated as acceptable within a set of predefined settings stored in the user profile, the set of predefined settings indicating acceptable privacy settings for one or more online stores; and wherein obtaining updated user consent and updating the user profile are performed after determining that the at least one change is excluded from the set of predefined settings ”, are already covered in the analysis of claim 1 above wherein it was discussed and analyzed that a user’s consent/approval is secured for a change in the user’s privacy settings for sharing data  by an entity which can be an online store [see Brannon paras 0549 -0552 and 0667] and paras 0549 -0552 do teach leaving out or excluding a change from the privacy settings such as .

Regarding claim 5, the limitations, “The system of claim 4, wherein the processing device is configured to execute instructions to further cause the system to: in response to receipt of the input providing the updated user consent to the at least one change , further update the user profile to include the at least one change in the set of predefined settings”, are already covered in the discussions for claims 1 [See paras 0549--0552]..

Regarding claim 6, the limitations, “The system of claim 5, wherein the privacy profile is updated to include the at least one change in the set of predefined settings in association with the first online store”, are already covered in the discussions for claim 1 [See Brannon paras 0549—0552 and para 0667].

Regarding claim 7, the limitations, “The system of claim 5, wherein the user profile is updated to include the at least one change in the set of predefined settings in association with a plurality of online stores including the first online store” are already covered in the discussions for claims 1 and 4 above [See Brannon paras 0549—0552 and 0667].

Regarding claim 8, The limitations, “The system of claim 1, wherein the processing device is configured to execute instructions to further cause the system to: in response to an update to a privacy policy associated with the first online store, determine at least a second change to the set of privacy settings at the first online store;  transmit a second notification to the device associated with the user indicating at least the second change; the second notification including information about at least the second change to the privacy settings at the first online store and including an option to provide further updated user consent to at least the second change; and in response to receipt of input providing further updated user consent to at least the second change, update the user profile to include a fourth timestamp to reflect a time associated with the further updated user consent to the updated privacy policy at the first online store”,  represent a repetition of the limitations already covered in claim 1 related to receiving a consent for any change in the privacy settings of a user and creating a new timestamp for such a change. Brannon does not specifically teach the repetitions being carried out as claimed. However, it would be obvious to an ordinary skilled in the art  at the time of the Applicant’s invention in view of Brannon’s teachings as discussed for claim 1 with reference to Brannon’s paras 0549—0552 and 0667 which teach that every time a change is done a new consent receipt with updated timestamp is generated and stored.
 
Regarding claim 9, the limitations, “The system of claim 1, wherein the notification is transmitted when the at least one change is an increase in data collection or an increase in data sharing” are already covered in the discussions for claims 1 and 4 above [See Brannon paras 0549—0552 and 0667

Regarding claim 10, the limitations, “  The system of claim 1, wherein the processing device is configured to execute instructions to further cause the system to: prior to receipt of the input providing updated user consent to the at least one change, block the second user at the online store”, are covered in the analysis of claim 1 and see paras 0019--0020, “receiving an indication that a data system associated with the entity has processed a new piece of personal data associated with a particular data subject of the one or more data subjects as part of a particular transaction of the plurality of transactions; (6) in response to receiving the indication that the data system has processed the new piece of personal data, determining, based on the plurality of consent receipts, whether the particular data subject has provided the indication of consent for the processing of the new piece of personal data as part of the particular transaction; (7) in response to determining that the particular data subject has provided the indication of the consent, automatically processing the new piece of personal data; and (8) in response to determining that the particular data subject has not provided the indication of the consent, automatically taking an action selected from the group consisting of: (a) automatically ceasing processing of the new piece of personal data……….computer-implemented data processing method for blocking one or more processes based on consent data, in any embodiment described herein, may comprise: (1) receiving an indication that one or more entity systems are processing one or more pieces of personal data associated with a particular data subject; (2) in response to receiving the indication, identifying at least one process for which the one or more pieces of personal data are being processed; (3) determining, using a consent receipt management system, whether the data subject has provided valid consent for the processing of the one or more pieces of personal data for the at least one process; and (4) at least partially in response to determining that the data subject has not provided valid consent for the processing of the one or more pieces of personal data for the at least one process, automatically blocking the processing.”, which disclose blocking the processing of the request for any subsequent transaction which can include interactions/activities of second user or third user and so on if the consent is not received.

Regarding claim 21, the limitations, “ The system of claim 1, wherein the processing device is configured to execute instructions to further cause the system to: receive a third request to carry out a third user interaction associated with the user at the first online store; manage the third user interaction by: determining, from the user profile associated with the user, the third timestamp associated with the updated user consent to the privacy settings at the first online store; determining a second change to the privacy settings associated with the first online store that lacks user consent by determining that the third timestamp is older than a fourth timestamp of a logged entry in the settings log indicating the second change to the privacy settings at the first online store; transmitting a second notification to the device associated with the user indicating the second change, the second notification including Page 9 of 20information about the second change to the privacy settings at the first online store and including an option to provide further updated user consent to the second change; and in absence of input providing further updated user consent to the second change, blocking the third user interaction at the first online store”, are a mere extension of the limitations discussed in claim 1 of receiving third and further requests which require the same steps as discussed for claim1 and are rendered obvious in view of the teachings of Brannon [see Figs 40-42, 50-51, 55, 57, paras 0019, 0304, 0512-0513, 0524-0525, 0539-0542, 0549—0552, 0574 and 0667 as discussed.  

Regarding claim 22, the limitations, “ The system of claim 1, wherein the processing device is configured to execute instructions to further cause the system to: receive a third request to carry out a third user interaction associated with the user at the first online store; manage the third user interaction by: determining, from the user profile associated with the user, the third timestamp associated with the updated user consent to the privacy settings at the first online store; determining, from the settings log, that a most recent change to the privacy settings at the first online store is older than the third timestamp; and in absence of obtaining further updated user consent, permitting the third user interaction at the first online store”, are discussed and covered in the analysis of claim 1 above..

Regarding claims 11-19, their limitations are similar to the limitations for claims 1-8 and 10. Accordingly, claims 11-19 are analyzed as being unpatentable over Brannon based on same rational as established for claims 1-7 and 9-10 above.
Regarding claim 20, its limitations are similar to the limitations for claim 10. Accordingly, claim 20 is analyzed as being unpatentable over Brannon based on same rational as established for claim 1 above.
Conclusion
5.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 


6.	Final Rejection:
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to YOGESH C GARG whose telephone number is (571)272-6756. The examiner can normally be reached Max-Flex.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey A Smith can be reached on 571-272-6763. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/YOGESH C GARG/Primary Examiner, Art Unit 3625