DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 16 December 2025 has been entered.
Claims 1-20 are pending.
This Action is Non-Final.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 2, 4, 9, 10, 12, 17, 18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Daftary et al. (US 11238169) in view of Raschke et al. (“Designing a GDPR-compliant and Usable Privacy Dashboard”).
As per claims 1, 9, and 17, Daftary et al. discloses a medium with instructions, a system with a processing device and memory (see column 3 line 32 through column 4 line 56), to perform a method comprising:
Identifying, by at least one hardware processor of a first party host system, a plurality third-party service providers that is authorized by a user to access user data (see column 6 lines 43-67);
continuously analyzing, by the at least one hardware processor of the first party host system, handling of user data by each of the plurality of third-party service providers (see column 9 lines 17-30);
determining, by at least one hardware processor of a first party host system, a data privacy score for each of the plurality of third-party service providers based on one or more privacy risk factors corresponding to handling of user data by a respective third-party service provider; associating the data privacy score with the respective third-party service provider, wherein the data privacy score is indicative of a level of protection and privacy the respective third-party service provider maintains with respect to the handling of the user data (see column 7 line 50 through column 8 line 67 showing the various inputs to calculate the privacy score including negative, i.e. risky, portions and Figs. 7 and 8 and column 9 lines 41-51 showing the scores for each respective service provider);
determining, by at least one hardware processor of a first party host system, whether the first data privacy score satisfies a threshold condition (see column 9 line 52-62 where the different grades have different thresholds); and
responsive to determining that the first data privacy score satisfies the threshold condition, providing, for presentation on a client device associated with the user, a user interface (UI) displaying at least the data privacy score associated with the respective third-party service provider which includes an indication for the user to continue sharing the data with the third- party service provider (see column 8 lines 46-67 and column 9 lines 52-62 where the displayed score of passing indicates it is safe to continue sharing while a failing grade indicates a greater risk in continuing to share).
While Daftary et al. teaches the use of a UI for displaying various privacy-based information, there lacks an explicit teaching of the UI further comprising a data flow man that illustrates at least one of: what user data is being shared with one or more of the plurality of service providers, with which of the plurality of service providers the user data is being shared, or with what other entities the plurality of service providers share the user data.
However, Raschke et al. teaches UI further comprising a data flow man that illustrates at least one of: what user data is being shared with one or more of the plurality of service providers, with which of the plurality of service providers the user data is being shared, or with what other entities the plurality of service providers share the user data (see pages 11-13 where the dashboard show which data is being shared to which processors, i.e. service providers, and whether the data is then shared to another processor).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to include the dashboard data of Raschke et al. in the Daftary et al. system.
Motivation to do so would have been to allow a user to manage all privacy rights with regard to all controllers a data subject is concerned with (see Raschke et al. page 8).
As per claims 2, 10, and 18, the modified Daftary et al. and Raschke et al. system discloses the one or more privacy risk factors comprise one or more of data protection analysis, legal document analysis, third-party service provider notices, an allowlist, a denylist, application programming interface (API) analysis, application log analysis, user privacy preferences, or threat intelligence analysis (see Daftary et al. column 8 lines 46-67).
As per claims 4, 12, and 20, the modified Daftary et al. and Raschke et al. system discloses combining data privacy scores of the plurality of third-party service providers to determine an overall data privacy score associated with the user (see Daftary et al. column 9 lines 41-51).
Claims 3, 7, 8, 11, 15, 16, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Daftary et al. as applied to claims 1, 9, and 17 above, in view of Dunjic et al. (US 20200387624).
As per claims 3, 8, 11, 16, and 19, the modified Daftary et al. and Raschke et al. system discloses determining that the data privacy score associated with the third-party service provider is lower than a threshold data privacy score (see Daftary et al. column 9 lines 52-62) and while it is known to cease sharing for failing privacy scores, there lacks an explicit recitation of providing an indication for the user to cease sharing the data with the third-party service provider and the UI further displays information to request revocation of authorization of the plurality of third-party service providers to access the data associated with the user.
However, Dunjic et al. teaches a privacy scoring system that provides an indication for the user to cease sharing the data with the third-party service provider based on a threshold and the UI further displays information to request revocation of authorization of the plurality of third-party service providers to access the data associated with the user (see paragraphs [0145]-[0157]).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to include the indications of Dunjic et al. in the modified Daftary et al. and Raschke et al. system.
Motivation, as recognized by one of ordinary skill in the art, to do so would have been to highlight risky service providers and allow for easy revocation of access to the user’s data.
As per claims 7 and 15, the modified Daftary et al. and Raschke et al. system generally discloses the use of data related to breaches and different alerts (see Daftary et al. column 8 lines 46-67), but fails to explicitly disclose determining that the data associated with the user has been compromised in a privacy breach; and transmitting a notification to the client device associated with the user, wherein the notification indicates that the data associated with the user has been compromised.
However, Dunjic et al. teaches determining that the data associated with the user has been compromised in a privacy breach; and transmitting a notification to the client device associated with the user, wherein the notification indicates that the data associated with the user has been compromised (see paragraphs [0067] and [0149]).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to include the notification of a breach to the user in the modified Daftary et al. and Raschke et al. system.
Motivation, as recognized by one of ordinary skill in the art, to do so would have been to allow the user to know from which site and when their data has been compromised.
Claims 5 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over the modified Daftary et al. and Raschke et al. system as applied to claims 1 and 9 above, in view of VanLoo et al. (US 20230067728).
As per claims 5 and 13, the modified Daftary et al. and Raschke et al. system teaches analyzing various pieces of data, but fails to explicitly disclose providing documentation associated with the respective third-party service provider as input to a machine learning model, wherein the machine learning model is trained to predict, based on a given textual input, data privacy policies associated with the given textual input; obtaining a plurality of outputs from the machine learning model, wherein the plurality of outputs indicate one or more passages within the documentation associated with the data privacy policies of the respective third-party service provider; and analyzing the one or more passages to determine the data privacy score.
However, VanLoo et al. teaches providing documentation associated with the third-party service provider as input to a machine learning model, wherein the machine learning model is trained to predict, based on a given textual input, data privacy policies associated with the given textual input; obtaining a plurality of outputs from the machine learning model, wherein the plurality of outputs indicate one or more passages within the documentation associated with the data privacy policies of the third-party service provider; and analyzing the one or more passages to determine the data privacy score (see paragraphs [0021] and [0034] where a machine learning model is trained to analyze privacy policies and portions are highlighted based on the risk).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to include the analysis of VanLoo et al. in the modified Daftary et al. and Raschke et al. system.
Motivation, as recognized by one of ordinary skill in the art, to do so would have been to allow the user to see the exact language of the policy that increases the risk thereby allowing the user to make a more informed decision.
Claims 6 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Daftary et al. as applied to claims 1 and 9 above, in view of Flowerday et al. (US 8925099).
As per claims 6 and 14, the modified Daftary et al. and Raschke et al. system discloses modifying the data privacy score based on changes in the system (see Daftary et al. column 9 lines 17-30), but fails to explicitly disclose determining that terms and conditions governing sharing of data between the user and the respective third-party service provider have expired.
However, Flowerday et al. teaches determining that terms and conditions governing sharing of data between the user and the third-party service provider have expired (see column 6 lines 39-56).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to check for expirations in the modified Daftary et al. and Raschke et al. system.
Motivation, as recognized by one of ordinary skill in the art, to do so would have been to re-evaluate the privacy score when the underlying privacy policy is updated thereby keeping the score current and up-to-date.
Response to Arguments
Applicant’s arguments with respect to claim(s) 1-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: the remaining references put forth on the PTO-892 Form are directed towards assessing and/or managing data privacy.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL J PYZOCHA whose telephone number is (571)272-3875. The examiner can normally be reached Monday-Thursday 7:30am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hadi Armouche can be reached at (571) 270-3618. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Michael Pyzocha/Primary Examiner, Art Unit 2409