AUTOMATED CONSENT MANAGEMENT SYSTEMS AND METHODS FOR USING SAME

§101 §103 §DP

Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Claims 20-23, 26-30, 33-36 and 39-45 are pending. Claims 20, 27, 43 and 43-45 are amended. Claims 1-19 were cancelled prior to the first action. Claims 24, 25, 31, 32, 37, and 38 were previously cancelled. Response to Arguments Applicant's amendments and arguments filed February 16, 2026, with respect to Section 101 have been fully considered but they are not persuasive. In view of the many amendments to the claims, the rejection has been updated as necessary. The claims remain directed to a consent gathering activities that could be conducted entirely by humans (e.g., at the reception desk of a doctor's office) and recorded entirely on pen and paper. While the claims, as presently amended, recite operations such as filtering user records into different subgroups and automatically communicating with users in the subgroup to obtain the first type of consent for the campaign, such processes are still regularly performed by humans in order to comply with laws such as the TCPA and HIPAA. While the arguments refer to a common set of user records in a physical memory of a consent management system, the claims do not recite any particular memory. As such, the claims cannot be directed to improvement to computer functionality. Accordingly, the arguments are not persuasive. Applicant’s arguments with respect to Section 103 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Double Patenting The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13. The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer. Claims 20-23, 26-30, 33-36 and 39-45 are rejected on the ground of nonstatutory double patenting as being unpatentable over at least claims 1-3, 9, 10, 13, 14, and 19 of U.S. Patent No. 11587098 and over at least claims 1, 3, 7, 14, 15, and 18 of U.S. Patent No. 12265973. A mapping of the claims is provided in the table below. Instant application 11587098 12265973 20, 27, 34 1, 10, 19 1, 3, 14 21, 28, 35 2, 13 22, 29, 36 2, 13 23, 30 3, 14 15 26, 33, 39 7, 18 43, 44, 45 9 Although the claims at issue are not identical, they are not patentably distinct from each other because the use of synonymous words (for example “update the first consent value field” in the instant claims and “changing, by the consent manager, the first value assigned to the first type of user consent” in U.S. Patent No. 11587098) are largely overlapping in scope and amount to patentably indistinct inventions. Claim Rejections - 35 USC § 101 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Claims 20-39 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. Representative claim 27 recites “(a) executing a first campaign configured to send a first type of message to a first group of one or more users, wherein a first type of consent is required to send the first type of message to the first group of users; (b) accessing the set of user records …, wherein each user record in the set of user records is associated with a different user and comprises a plurality of consent value fields associated with different types of consent, and further wherein each consent value field is assigned one of a first value indicating that its associated type of consent has not been granted or denied by the user associated with the user record, a second value indicating that its associated type of consent has been granted by the user associated with the user record, or a third value indicating that its associated type of consent has been denied by the user associated with the user record; (c) filtering the set of user records to identify a first subset of user records based on which user records comprise a first consent value field that is associated with the first type of consent and is assigned to the first value; (d) automatically sending to each user associated with the first subset of user records a consent-request message requesting the first type of consent; (e) receiving at least one response from the users associated with the subset of user records, in response to the first consent-request message, indicating an updated value for the first type of consent, wherein the updated value corresponds to one of the second value or the third value; (f) for each updated value received from users associated with the first subset of user records, updating the consent value field associated with the first type of consent within that user's associated user record using the received updated value; and (g) after performing steps (c) through (f), for each user in the first group of users, (i) sending the first type of message to the user during the campaign if the first consent value field associated with the first type of consent is assigned to the second value in that user's associated user record; (ii) determining if the user's associated user record further comprises an identification of a connected party and a second consent value field associated with the connected party, wherein the second consent value field comprises a first connected-party consent assigned to the second value; (iii) using the identification of the connected party in the user's associated user record to access a user record associated with the connected party in the set of user records stored …; (iv) determining whether the user record associated with the connected party comprises a second connected-party consent associated with the first type of message and assigned to the second value; and (v) sending the first type of message to the connected party during the campaign when both the first connected-party consent and the second connected-party consent are assigned to the second value”. In view of the steps set forth in the claims, the claim as a whole is directed to “Consent management processes”, which are an abstract idea because it is a method of organizing human activity, including commercial or legal interactions (including agreements in the form of contracts; legal obligations; advertising, marketing or sales activities or behaviors; business relations) as well as managing personal behavior or relationships or interactions between people (including social activities, teaching, and following rules or instructions). “Consent management processes” are considered to be is a method of organizing human activity because the claims are directed to processes ordinarily performed in the course of businesses requiring consent including, for example, obtaining consent to disclose private medical information in compliance with laws such as HIPAA. See “Obtaining and Documenting Informed Consent” by University of California San Francisco (retrieved from https://web.archive.org/web/20190429095449/https:/ /irb-ucsf.edu/obtaining-and- documenting-informed-consent, as cited in IDS). Such claims are directed to an abstract idea because "[t]he advance they purport to make is a process of gathering and analyzing information of a specified content, then displaying the results, and not any particular assertedly inventive technology for performing those functions." Elec. Power Grp., LLC v. Alstom S.A., 830 F.3d 1350, 1354 (Fed. Cir. 2016). The Board has found similar claims to be directed to the abstract idea “of a method of organizing human activities”. See, for example, Appeal 2016-005758, Application 12/982,668, Decision on Appeal, page 6. In view of the foregoing, the claimed record keeping of consent forms and associated types of consent are methods of organizing human activity, including commercial or legal interactions required to comply with the law as discussed in the background of the application and “Obtaining and Documenting Informed Consent”. Claims 20 and 34 recite substantially similar features. This judicial exception is not integrated into a practical application. In particular, claim 27 recites the following additional element(s): the user records are stored in a physical memory of the consent management system. Claim 20 recites consent management system comprising one or more physical processors; and a physical memory configured to store the plurality of user records. Claim 34 recites a non-transitory computer-readable medium, comprising one or more computer program instructions that, when executed by one or more physical processors, configure a consent management system to manage user consent values stored in individual user records of a plurality of user records and convert one or more of the user consent values stored in the plurality of user records into graphical representations for display on a graphical user interface. These additional elements individually or in combination do not integrate the exception into a practical application. The additional elements amount to merely recites the words ‘‘apply it’’ (or an equivalent) with the judicial exception, or merely includes instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea (see MPEP 2106.05(f)). Merely selecting information, by content or source, for collection, analysis, and display does nothing significant to differentiate a process from ordinary mental processes, whose implicit exclusion from § 101 undergirds the information-based category of abstract ideas. Elec. Power Grp., LLC v. Alstom S.A., 830 F.3d 1350, 1355 (Fed. Cir. 2016). The generally recited computer elements do no more than generally link the use of a judicial exception to a particular technological environment or field of use (see MPEP 2106.05(h)). As decided in court cases with similar claim elements, “claims directed to the collection, storage, and recognition of data are directed to an abstract idea." See Smart Sys. Innovations, LLC v. Chi. Transit Auth., 873 F.3d 1364, 1372 (Fed. Cir. 2017). Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. Claims 20, 27, and 34 are directed to an abstract idea. Claims 20, 27, and 34 do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements are merely being used to apply the abstract idea to a technological environment. That is, the additional elements do not solve any technological problem or address a problem with a technological solution. Rather, the computer elements recited amount to off the shelf software and hardware that is used to provide a technological environment for the application of the abstract idea. Similar uses of such technology are known in the art, such as the examples provided in U.S. Pat. App. Pub. No. 2019/0005210 to Wiederspohn et al. Such technology, individually or in combination, are no more than “a general purpose server with appropriate programming” which is “not significantly more than the abstract idea itself.” See, for example, Appeal 2016-005758, Application 12/982,668, Decision on Appeal, page 10. Such “generic computer components [are] insufficient to add an inventive concept to an otherwise abstract idea.” In re TLI Comm. LLC Patent Litig., 823 F.3d 607, 614 (Fed. Cir. 2016). Accordingly, claims 20, 27, and 34 are ineligible. Dependent claims 21-26, 28-33, and 35-39 merely further limit the abstract idea and are thereby considered to be ineligible. Dependent claims 21, 28, and 35 further limits the abstract idea of “Consent management processes” by introducing the element of each of the first value, second value, and third value corresponds to a different graphical representation configured to be displayed …, and each of the first graphical representation, second graphical representation, and third graphical representation comprise different colored icons in the graphical user interface displayed on the consent management server, which does not include an improvement to another technology or technical field, an improvement to the functioning of the computer itself, or meaningfully limitations beyond generally linking the use of the abstract idea to a particular technological environment. Therefore, dependent claims 21, 28, and 35 are also non-statutory subject matter. Dependent claims 22, 29, and 36 further limits the abstract idea of “Consent management processes” by introducing the element of the first graphical representation comprises a yellow icon, the second graphical representation comprises a green icon, and the third graphical representation comprises a red icon, which does not include an improvement to another technology or technical field, an improvement to the functioning of the computer itself, or meaningfully limitations beyond generally linking the use of the abstract idea to a particular technological environment. Therefore, dependent claims 22, 29, and 36 are also non-statutory subject matter. Dependent claims 23 and 30 further limits the abstract idea of “Consent management processes” by introducing the element of the first type of consent corresponds to a user consent required to comply with at least one of the Telephone Consumer Protection Act (TCPA), Health Insurance Portability and Accountability Act (HIPAA), or General Data Protection Regulation (GDPR) , which does not include an improvement to another technology or technical field, an improvement to the functioning of the computer itself, or meaningfully limitations beyond generally linking the use of the abstract idea to a particular technological environment. Therefore, dependent claims 23 and 30 are also non-statutory subject matter. Dependent claims 26, 33, and 39 further limit the abstract idea of “Consent management processes” by introducing the element of the consent management system manages user consents for patients of a health care provider, which does not include an improvement to another technology or technical field, an improvement to the functioning of the computer itself, or meaningfully limitations beyond generally linking the use of the abstract idea to a particular technological environment. Therefore, dependent claims 26, 33, and 39 are also non-statutory subject matter. Dependent claims 40-42 further limit the abstract idea of “Consent management processes” by introducing the element of at least one user is included in both the first group of users and the second group of users, which does not include an improvement to another technology or technical field, an improvement to the functioning of the computer itself, or meaningfully limitations beyond generally linking the use of the abstract idea to a particular technological environment. Therefore, dependent claims 40-42 are also non-statutory subject matter. Dependent claims 43-45 further limit the abstract idea of “Consent management processes” by introducing the element of steps are performed periodically, at predetermined times, upon occurrence of one or more predetermined events, or at the start of the first campaign., which does not include an improvement to another technology or technical field, an improvement to the functioning of the computer itself, or meaningfully limitations beyond generally linking the use of the abstract idea to a particular technological environment. Therefore, dependent claims 40-42 are also non-statutory subject matter. Dependent claims 21-23, 26, 28-30, 33, 35, 36 and 39-45 do not recite any other additional elements. As discussed above with respect to the independent claims, the previously recited additional elements do not amount to an integration of the abstract idea into a practical application. As the dependent claims do not recite any new additional elements, the analysis from the independent claims does not change. In view of the foregoing, the claims do not integrate the abstract idea into a practical application and do not provide significantly more than the abstract idea. Accordingly, dependent claims 21-23, 26, 28-30, 33, 35, 36 and 39-45 are also ineligible. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 20, 23, 26, 27, 30, 33, 34, and 39-45 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Pat. App. Pub. No. 2019/0005210 to Wiederspohn et al. in view of U.S. Pat. App. Pub. No. 20200272764 to Brannon et al. With regards to claims 20, 27, and 34, Wiederspohn et al. teaches one or more physical processors; and a physical memory configured to store (paragraph [0081]): the plurality of user records (paragraph [0019], “Typically, personal data (e.g. customer-related data), including consent data records, is collected by computer-implemented application systems configured to collect, store, manage, and interpret data associated with activities related to a data subject associated with the personal data”), wherein each user record in the plurality of user records is associated with a different user and the accessed user record comprises one or more user consent values associated with a first user (paragraph [0021], “At least some of the technologies described herein address these problems by providing a centralized consent management system (CMS) that may run on on-premise and cloud computing platforms to exchange individual consent data records of data subjects between on-premise computing platforms and cloud computing platforms, and by providing a personal consent repository (PCR) for management of individual consent data records associated with the data subject operating the PCR.”), and wherein each user consent value in the accessed user record is assigned one of a first value indicating that the first user has not granted or denied consent, a second value indicating that the first user has granted consent, or a third value indicating that the first user has denied consent (paragraph [0044], “Similarly, withdrawal records 328 specify time, data subject, and channel of withdrawing the consent 302. Consent status 330 specifies status of the consent 302 from data subject perspective (e.g., initial, agreed, disagreed, withdrawn).”); and one or more computer program instructions that, when executed by the one or more physical processors (paragraph [0081]), configure the consent management system to: (a) executing a campaign configured to send a first type of message to a first group of users, wherein a first type of consent is required to send the first type of message to the first group of users (paragraph [0062], “The specialist 716 configures one or more consent templates to be instantiated by the application system 704 when creating the individual consent data records for the user 702. Further, the specialist 716 may schedule and run mass-processes such selecting expiring individual consent data records and sending a notification including a renewal option.”); (b) accessing the set of user records stored in a physical memory of the consent management system, wherein each user record in the set of user records is associated with a different user and comprises a plurality of consent value fields associated with different types of consent (paragraph [00047], “The consent status “initial” 410 is maintained until the data subject decides to agree or disagree to provide consent. When the data subject agrees to give consent, the consent status is set to “agreed” 420. Further, when expiration date of the consent approaches, the data subject may opt to renew the consent to maintain the consent status “agreed” 420. In one embodiment, the data subject opts to let the consent expire. In this case, the individual consent data record may be deleted.”), and further wherein each consent value field is assigned one of a first value indicating that its associated type of consent has not been granted or denied by the user associated with the user record, a second value indicating that its associated type of consent has been granted by the user associated with the user record, or a third value indicating that its associated type of consent has been denied by the user associated with the user record (paragraph [0046], “FIG. 4 illustrates consent statuses from a data subject perspective, according to one embodiment. State diagram 400 includes consent status “initial” 410, consent status “agreed” 420, consent status “withdrawn” 430, and consent status “disagreed” 440. When a consent template such as consent template 132 of FIG. 1 is instantiated to create an individual consent data record for the data subject (e.g., the individual consent data record 137 for the user 102 of FIG. 1), the data subject is asked to give consent.”); (c) filtering the set of user records to identify a first subset of user records based on which user records comprise a first consent value field that is associated with the first type of consent and is assigned to the first value (paragraph [0050], “Consequentially, when the individual consent data record is created and stored, the lifecycle state is set to “active” 520. Upon setting the lifecycle state to “active” 520, a check 525 is performed to determine whether the lifecycle state should be changed.”); (d) automatically sending to each user associated with the first subset of user records a first consent-request message requesting the type of consent (paragraph [0062], “The specialist 716 configures one or more consent templates to be instantiated by the application system 704 when creating the individual consent data records for the user 702. Further, the specialist 716 may schedule and run mass-processes such selecting expiring individual consent data records and sending a notification including a renewal option.”; paragraph [0064], “In one embodiment, upon creation of the individual consent data record 137, a copy of the individual consent data record 137 is sent to the system of the 3rd party recipient 718.”); (e) receiving at least one response from the users associated with the first subset of user records, in response to the consent-request message, indicating an updated value for the first type of consent, wherein the updated value corresponds to one of the second value or the third value (paragraph [0044], “System administrative attributes 324 represent a set of attributes included in CMS entities such as the consent 302. Such administrative attributes include creation user, creation date and time, change user, change data and time, etc. …Consent status 330 specifies status of the consent 302 from data subject perspective (e.g., initial, agreed, disagreed, withdrawn).”; paragraph [0070], “Further, the CMS 925 operates as a consent client. That is, the CMS 925 receives and stores copies of individual consent data records created at the CMS 920”); (f) for each updated value received from users associated with the first subset of user records, updating the first consent value field associated with the first type of consent within that user's associated user record using the received updated value (paragraph [0027], “The consent management core component 115 may provide the functionality to create, read, update, and delete individual consent data records to other components of the CMS 105 as a service local to CMS 105 via a local/internal API.”); and … While Wiederspohn et al. teaches a system that provide capabilities to create, check, renew or withdraw consent (paragraph [0021]), but fails to explicitly teach that this consent application relates to connected parties. However, Brannon et al. teaches g) after performing steps (c) through (f), for each user in the first group of users (i)sending the first type of message to the user during the campaign if the first consent value field associated with the first type of consent is assigned to the second value in that user's associated user record (paragraph [0822], “Using an interaction interface, a data subject may initiate a transaction with the entity that requires the data subject to provide valid consent (e.g., because the transaction includes the processing of personal data by the entity). The transaction may include, for example: … (3) signing up for a mailing list with the entity; (4) a free trial sign up; (5) product registration; and/or (6) any other suitable transaction that may result in collection and/or processing of personal data, by the entity, about the data subject.”); (ii) determining if the user's associated user record further comprises an identification of a connected party and a second consent value field associated with the connected party (paragraph [0242], “accessing an electronic guardian registry for one or more data subjects;”; paragraph [0243]. “determining, based at least in part on the one or more contact details for the guardian of the data subject using the electronic guardian registry, that the data subject has an identified registered guardian;”), wherein the second consent value field comprises a first connected-party consent assigned to the second value (paragraph [0243], “determining, based at least in part on the one or more contact details for the guardian of the data subject using the electronic guardian registry, that the data subject has an identified registered guardian;” paragraph [0244], “communicating with the identified guardian, via the one or more contact details, to receive valid consent to fulfill the transaction on behalf of the data subject by:”; paragraph [0245], “transmitting an electronic message to the identified guardian;” paragraph [0246], “prompting the identified guardian to provide the valid consent via the electronic message.”); (iii) using the identification of the connected party in the user's associated user record to access a user record associated with the connected party in the set of user records stored within the physical memory of the consent management system (paragraph [0973], “In various implementations, the system may include an electronic registry of guardians for data subjects that may not be of age for valid consent for particular types of personal data to be collected as part of the particular transaction. For example, guardians may access the electronic registry to identify one or more data subjects for which they are a guardian. Additionally, the guardian may identify one or more types of personal data and transactions for which the guardian will provide guardian consent. Further, in some implementations, the system may use previous authorizations of guardian consent between a guardian and particular data subject to identify the guardian of the particular data subject, and the guardian—data subject link may be created in the electronic registry of the system.”); (iv) determining whether the user record associated with the connected party comprises a second connected-party consent associated with the first type of message and assigned to the second value (paragraph [0971], “In various embodiments, the system may require guardian consent (e.g., parental consent) for a data subject. The system may prompt the data subject to initiate a request for guardian consent or the system may initiate a request for guardian consent without initiation from the data subject (e.g., in the background of a transaction). In some embodiments, the system may require guardian consent when a data subject is under the age for valid consent for the particular type of personal data that will be collected as part of the particular transaction.”; paragraph [0972], “. The guardian may then provide the received unique code to the data subject, and the system may enable the data subject to input the unique code to the system to confirm guardian consent. In some embodiments, the system may use blockchain between an electronic device of the guardian and the system and/or an electronic device of the data subject to confirm guardian consent.”); and (v) sending the first type of message to the connected party during the campaign when both the first connected-party consent and the second connected-party consent are assigned to the second value (paragraph [0822], “Using an interaction interface, a data subject may initiate a transaction with the entity that requires the data subject to provide valid consent (e.g., because the transaction includes the processing of personal data by the entity). The transaction may include, for example: … (3) signing up for a mailing list with the entity; (4) a free trial sign up; (5) product registration; and/or (6) any other suitable transaction that may result in collection and/or processing of personal data, by the entity, about the data subject.”). This part of Brannon et al. is applicable to the system of Wiederspohn et al. as they both share characteristics and capabilities, namely, they are directed to obtaining and documenting consent in a clear manner. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Wiederspohn et al. to include the connected-party consent value for the connected party as taught by Brannon et al. One of ordinary skill in the art before the effective filing date of the claimed invention would have been motivated to modify Wiederspohn et al. in order to provide a clear basis for consent for parties not legally capable of doing so on their own (see paragraphs [0060]-[0068] of Brannon et al.). With regards to claims 23 and 30, Wiederspohn et al. teaches the first type of consent corresponds to a user consent required to comply with at least one of the Telephone Consumer Protection Act (TCPA), Health Insurance Portability and Accountability Act (HIPAA), or General Data Protection Regulation (GDPR) (paragraphs [0001]-[0002], including at least HIPPA and GDPR). With regards to claims 26, 33, and 39, Wiederspohn et al. teaches the consent management system manages user consents for patients of a health care provider (paragraph [0001], “Processing of personal data is regulated by law. For example, a panoply of federal privacy-related laws including, among others, …. The Health Insurance Portability and Accountability Act (HIPAA) (42 U.S.C. § 1301 et seq.), …”; paragraph [0002], “In accordance with law regulations, personal data of a data subject (e.g., a customer) may be collected by a data controller (e.g., a company) based on criteria of lawful processing of personal data.”). With regards to claims 43-45, Wiederspohn et al. teaches steps (b/c) through (e/f) are performed periodically, at predetermined times, upon occurrence of one or more predetermined events, or at the start of the campaign (paragraph [0075], “At 1030, one or more individual consent data records with expiring validation periods are selected from the number of individual consent data records. At 1035, one or more notification messages are sent to one or more data subjects associated with the one or more individual consent data records. The one or more notification messages include an option to renew the one or more individual consent data records. At 1040, one or more requests to renew/view/withdraw the one or more individual consent data records are received.”). Claims 21, 22, 28, 29, 35 and 36 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Pat. App. Pub. No. 2019/0005210 to Wiederspohn et al. and U.S. Pat. App. Pub. No. 20200272764 to Brannon et al. as applied to claims 20, 23, 26, 27, 30, 33, 34, and 39-45, further in view of U.S. Pat. App. Pub. No. 2014/0365937 to Brusilovsky With regards to claims 21, 28 and 35, Wiederspohn et al. fails to explicitly teach different graphical representations being specific colors, but Brusilovsky teaches each of the first value, second value, and third value corresponds to a different graphical representation configured to be displayed on a graphical user interface displayed on the consent management system (paragraph [0017], “The disclosed embodiments employ one or more graphical representations of rights (e.g., user privileges, security levels, access rights such as viewing rights and/or execution rights, modification rights, or any combination thereof) relating to various hardware and/or software components. As discussed in detail below, the graphical representations may include a plurality of color-based representations of the rights, a plurality of image-based representations of the rights, or a combination thereof. For example, the plurality of color-based representations of the rights may include any number of color-based representations, such as 2 to 1000 colors (e.g., red, green, blue, orange, yellow, purple, black, white, etc.), each having a single color or multiple colors in combination.”; paragraph [0018], “These image-based representations may employ common colors or different colors, e.g., a combination of the color-based and image-based representations of rights. Thus, the graphical representations (e.g., color and/or image based) may visually indicate rights on a user interface, and may also facilitate user authorization to interact with the various hardware and/or software.”; paragraph [0036], “For example, a user entity that logs in under a Yellow access level may not be able to see operations that have been designated as Red.”; paragraph [0041], “Once the correct identification is communicated, the user entity may activate the change access level button 106, which causes the user entity to be logged-in under a new color access level.”); and each of the first graphical representation, second graphical representation, and third graphical representation comprise different colored icons in the graphical user interface displayed on the consent management server (paragraph [0017], “For example, the plurality of color-based representations of the rights may include any number of color-based representations, such as 2 to 1000 colors (e.g., red, green, blue, orange, yellow, purple, black, white, etc.), each having a single color or multiple colors in combination.”; paragraph [0018], “The color-based representations may be displayed in a common size and a common shape, e.g., a rectangular shape with a certain pixel size, or the color-based representations may include different sizes and/or different shapes, e.g., square, rectangular, circular, oval, triangular, hexagonal, pentagonal, polygonal, or any combination thereof.”). This part of Brusilovsky applicable to the system of modified Wiederspohn et al. as they both share characteristics and capabilities, namely, they are directed to obtaining and documenting rights in a clear manner. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of modified Wiederspohn et al. to include the value display color selection options as taught by Brusilovsky. One of ordinary skill in the art before the effective filing date of the claimed invention would have been motivated to modify modified Wiederspohn et al. in order to clear visual indications of rights to a user (see paragraphs [0018]-[0020] of Brusilovsky). With regards to claims 22, 29 and 36, Wiederspohn et al. fails to explicitly teach, but Brusilovsky teaches the first graphical representation comprises a yellow icon, the second graphical representation comprises a green icon, and the third graphical representation comprises a red icon (paragraph [0017], “For example, the plurality of color-based representations of the rights may include any number of color-based representations, such as 2 to 1000 colors (e.g., red, green, blue, orange, yellow, purple, black, white, etc.), each having a single color or multiple colors in combination.”; paragraph [0018], “The color-based representations may be displayed in a common size and a common shape, e.g., a rectangular shape with a certain pixel size, or the color-based representations may include different sizes and/or different shapes, e.g., square, rectangular, circular, oval, triangular, hexagonal, pentagonal, polygonal, or any combination thereof.”). This part of Brusilovsky applicable to the system of modified Wiederspohn et al. as they both share characteristics and capabilities, namely, they are directed to obtaining and documenting rights in a clear manner. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of modified Wiederspohn et al. to include the value display color selection options as taught by Brusilovsky. One of ordinary skill in the art before the effective filing date of the claimed invention would have been motivated to modify modified Wiederspohn et al. in order to clear visual indications of rights to a user (see paragraphs [0018]-[0020] of Brusilovsky). Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. U.S. Pat. App. Pub. No. 20230197214 to Arkoff discusses medical data governance system records, secures, and provides appropriate access to all patient data. by concentrating all available relevant medical data into a single source, and providing a subset of data to each receiving subsystem with the correct source and time reference, the medical data governance system becomes the true source of data and guarantees the data consistency through the use of block chain signatures. U.S. Pat. App. Pub. No. 20140100875 to Davis et al. discusses a health information exchange system including a respective communication manager sub-process for each of the one or more or responding exchange partners; an outbound request module that has a multi-level consent determination process, and a sub-process to create, by the one or more computers, a global identifier comprising a link between the respective responding exchange partner and the requesting exchange partner for an initial transfer of the data. Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to Joshua D Schneider whose telephone number is (571)270-7120. The examiner can normally be reached Monday - Friday, 9am-5pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jessica Lemieux can be reached on (571)270-3445. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /Joshua D Schneider/Examiner, Art Unit 3626 /JESSICA LEMIEUX/Supervisory Patent Examiner, Art Unit 3626