DETAILED ACTION
This Final Office Action is in response to the application filed on 06/12/2024 and the Amendment & Remark filed on 03/02/2026.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 21-40 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.
As an initial matter, the claims as a whole are to ***, which falls within one or more statutory categories. (Step 1: YES) The recitation of the claimed invention is then further analyzed as follows, in which the abstract elements are boldfaced.
Claim 21 recites:
A computer readable non-transitory medium comprising instructions that, when executed by a processor of a server, cause the server to perform procedures comprising:
generating one or more notifications based on one or more outcomes of an identity verification process, wherein the one or more notifications include:
an option to accept or decline access to shareable information about a user, and
a personally identifiable information restriction, wherein the access to the shareable information is revocable if a request for access includes personally identifiable information; and
transmitting, to an application comprising instructions for execution on a client device, the one or more notifications.
Claim 22 recites:
the procedures further comprising: performing the identity verification process, wherein the identity verification process comprises comparing identity data received by the server to reference data.
Claim 23 recites:
wherein the reference data is retrieved by the server from a database.
Claim 24 recites:
wherein the identity data comprises at least one selected from the group of a name, an address, an account number, a credit card number, a social security number, a password, a one-time passcode, and biometric information.
Claim 25 recites:
wherein: the identity data comprises a password and a one-time passcode, and the reference data comprises a reference password and a reference one-time passcode.
Claim 26 recites:
wherein: the identity verification processes comprises an unsuccessful comparison, and the procedures further comprise: requesting, from the application, additional identity data, and comparing the additional identity data to the reference data.
Claim 27 recites:
wherein: the identity data comprises biometric information, and the reference data comprises reference biometric information.
Claim 28 recites:
wherein the application performs the identity verification process.
Claim 29 recites:
wherein the personally identifiable information restriction does not revoke the requested access to the shareable information if the personally identifiable information is at least partially redacted.
Claim 30 recites:
wherein the personally identifiable information comprises at least one selected from the group of a first name, a last name, an email, an age, a gender, a birthdate, a location, insurance information.
Claim 31 recites:
wherein the personally identifiable information restriction does not revoke the requested access to the shareable information if the personally identifiable information is previously authorized.
Claim 32 recites:
A server, comprising:
a processor; and a memory,
wherein the server:
generates one or more notifications based on one or more outcomes of an identity verification process, wherein the one or more notifications include:
an option to accept or decline access to shareable information about a user, and
a personally identifiable information restriction, wherein the access to the shareable information is revocable if a request for access includes personally identifiable information; and
transmits, to an application comprising instructions for execution on a client device, the one or more notifications.
Claim 33 recites:
wherein the requested access to the shareable information is revocable based on one or more permissions.
Claim 34 recites:
wherein: the one or more permissions comprise a geographic restriction, and the geographic restriction comprises a requirement for proximity between the server and the application.
Claim 35 recites:
wherein the one or more permissions comprise a pre-authorized verification to permit the identity data to include personally identifiable information.
Claim 36 recites:
wherein: the request is associated with a type of merchant, and the requested access to the shareable information is revocable if the type of merchant does not match an approved type of merchant.
Claim 37 recites:
wherein the server revokes the requested access if the request is performed at at least one selected from the group of an abnormal day and an abnormal time.
Claim 38 recites:
wherein: the abnormal day comprises a day that does not match with a history of previous requests, and the abnormal time comprises a time that does not match with a history of previous requests.
Claim 39 recites:
A method, comprising:
generating, by a server comprising a processor and a memory, one or more notifications based on one or more outcomes of an identity verification process, wherein the one or more notifications include:
an option to accept or decline access to shareable information about a user, and
a personally identifiable information restriction, wherein the access to the shareable information is revocable if a request for access includes personally identifiable information; and
transmitting, by the server to an application comprising instructions for execution on a client device, the one or more notifications.
Claim 40 recites:
revoking the requested access based on exceeding a predetermined threshold of requests for access over a predetermined time.
Based on the limitations above, the claims describe a process that covers facilitating personally identifiable information access request. Facilitating personally identifiable information access request is considered to be a commercial interaction (between at least a user having PII, a PII storage entity possessing the user’s PII and a requester requesting the PII), which falls within the “Certain Methods of Organizing Human Activity” grouping of abstract ideas. As such, the claim(s) recite(s) a Judicial Exception. (Step 2A prong one: Yes)
This analysis then evaluates whether the claims as a whole integrate the recited Judicial Exception into a practical application of the exception. In particular, the claims recite the additional element(s) of “a computer readable non-transitory medium comprising instructions that, when executed by a processor, cause the processor to”, “an application” and “a server comprising: a processor; and a memory” as a mere tool to perform the steps of the Judicial Exception, which encompasses no more than Mere Instruction to Apply.
For example, the limitation “generating one or more notifications based on one or more outcomes of an identity verification process, wherein the one or more notifications include: an option to accept or decline access to shareable information about a user, and a personally identifiable information restriction, wherein the access to the shareable information is revocable if a request for access includes personally identifiable information” in claims 21, 32 and 39 encompasses no more than generically invoking a server to apply the Judicial Exception step of generating the one or more notifications having the option and the PII restriction;
the limitation “transmitting, to an application comprising instructions for execution on a client device, the one or more notifications” in claims 21, 32 and 39 encompasses no more than generically invoking a server to apply the Judicial Exception step of transmitting the notification to the user;
the limitation “performing the identity verification process, wherein the identity verification process comprises comparing identity data received by the server to reference data” in claim 22 encompasses no more than generically invoking a server to apply the Judicial Exception step of comparing identity data with reference data;
the limitation “wherein the reference data is retrieved by the server from a database” in claim 23 encompasses no more than generically invoking a server to apply the Judicial Exception step of retrieving reference data from a database;
the limitation “wherein: the identity verification processes comprises an unsuccessful comparison, and the procedures further comprise: requesting, from the application, additional identity data, and comparing the additional identity data to the reference data” in claim 26 encompasses no more than generically invoking a server to apply the Judicial Exception step of requesting additional identity data and comparing the additional identity data upon an unsuccessful comparison;
the limitation “wherein the application performs the identity verification process” in claim 28* encompasses no more than generically invoking an application to apply the Judicial Exception step of performing identity verification process;
the limitation “wherein the server revokes the requested access if the request is performed at least one selected from the group of an abnormal day and an abnormal time” in claim 37 encompasses no more than generically invoking a server to apply the Judicial Exception step of revoking the requested access if the request is performed at an abnormal day or abnormal time;
the limitation “revoking the requested access based on exceeding a predetermined threshold of requests for access over a predetermined time” in claim 40 encompasses no more than generically invoking a server to apply the Judicial Exception step of revoking the requested access based on the predetermined threshold of requests or predetermined time.
Other than being generally linked to the steps of the Judicial Exception, the additional elements in the above step(s) is/are recited at a high level of generality, without technological detail of how the particular steps are performed technologically.
The additional element(s) of “memory” and/or “non-transitory storage medium” are generically recited to store data and/or instructions of the Judicial Exception.
The additional element(s) of “to an application comprising instructions for execution on a client device” are generically recited to perform communication steps with insufficient detail for how the application accomplishes it.
The additional element(s) of “application” are generically recited to perform identity verification steps described only by a result-oriented solution with insufficient technological detail for how the application accomplishes it.
The examiner noted that the above generic computer language is mere instructions to implement the Judicial Exception idea on a computing environment.
Indeed, the instant claims (1) attempted to cover a solution to an identified problem with no restriction on how the result is accomplished and no description of the mechanism for accomplishing the result; (2) used a computer or other machinery in its ordinary capacity for economic or other tasks or simply added a general purpose computer or computer components after the fact to the Judicial Exception; and (3) generally applied the Judicial Exception to a generic computing environment without limitation indicative of practical application (See MPEP 2106.04(d)I). Thus, the claims are no more than Mere Instruction to Apply the Judicial Exception (See MPEP 2106.05(f)) or adding insignificant extra-solution activity to the judicial exception (See MPEP 2106.05(g)), which do not integrate the cited Judicial Exception into practical application. (Step 2A prong two: No) The claims are directed to a Judicial Exception.
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using a server and an application on a client device to facilitate PII request communication amounts to no more than mere instructions to apply the exception using generic computer components. The recited ordered combination of additional elements includes a generically recited server representing a PII keeping entity and a generically recited application representing the interaction with a user having the PII. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. Dependent claims 24-25, 27, 29-31, 33-36 and 38 merely limit the abstract idea but do not recite any additional element beyond the cited abstract idea, and thus do not amount to significantly more. No additional element currently recited in the claims causes the claims to amount to significantly more than the cited abstract idea. (Step 2B: No)
Therefore, claims 21-40 are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.
Response to Arguments
Applicant's arguments filed on 03/02/2026 have been fully considered but they are not persuasive.
Regarding the applicant’s argument that the claims do not recite a Judicial Exception, the examiner respectfully disagrees. The claims explicitly recite “generating one or more notification … including: an option to accept or decline access to sharable information … a personally identifiable information restriction …”, which directly cover the interaction between a recordkeeper and its client regarding whether access to the client’s sharable information should be accepted or declined. Such interaction manages the personal behavior or relationships or interactions between people (including social activities, teaching, and following rules or instructions). Thus, the argument is not persuasive.
Regarding the applicant’s argument that the claims integrate the Judicial Exception into practical application, the examiner respectfully disagrees. The applicant asserted that the claims provide a technological improvement beyond the Judicial Exception “by providing greater and more consistent security with controlled permission handling and application integration without requiring additional factor input for identity verification … user experience is improved and identification can be performed more efficiently and effectively … identity can be confirmed with only a minimal amount of data revealed (i.e., handing a card to another person) and this can be additionally reduced by the card user maintain control of their card and tapping card themselves on the other user’s device”. However, the examiner noted that 1) the claimed invention does not recite any technological interaction other than generating and sending a notification with options, which does not support anything about “without requiring additional factor input for identity verification” or “handing a card to another person” and 2) the alleged improvements of greater and more consistent security with controlled permission handling are improvements to the Judicial Exception, not to another technology. For example, requiring permission before allowing access to information, while improving the security of the information, has nothing to do with the technology. As such, the argument is not persuasive.
Regarding the applicant’s argument that the claims amount to significantly more, the examiner respectfully disagrees. The applicant asserted that the claims provide a technological improvement beyond the Judicial Exception. As responded above, the alleged improvements are either improvements to the Judicial Exception or unsubstantiated by the claims. As such, the argument is not persuasive.
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHO KWONG whose telephone number is (571)270-7955. The examiner can normally be reached 9am - 5pm EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, MICHAEL W ANDERSON can be reached at 571-270-0508. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/CHO YIU KWONG/Primary Examiner, Art Unit 3693