
Consent lifecycle management is an increasingly important aspect of doing business online. As data protection and privacy laws continue to expand across the globe and get more strict, businesses must be mindful of every step of the consent lifecycle management process, from how consent is collected, to when collected personal information must be deleted.

This article will explain what consent lifecycle management is, why it's important, and what you can do at every step of the lifecycle to make sure consent and personal information are managed in a compliant way.



What Is Consent Lifecycle Management?

Consent lifecycle management is the process of compliantly and transparently:

  • Obtaining consent from end users to collect and use their personal information, and
  • Storing, managing and updating records of consent, including opt-outs after consent has been granted

A brief overview of the process:

Consent lifecycle management starts with appropriately obtaining permission (consent) from individuals to use their personal information. Businesses must be transparent about exactly what personal information they will collect and how they will use it, such as by creating and displaying a Privacy Policy.

Once consent has been granted, a business must securely store the personal information and comply with data retention policies and any relevant laws.

The personal information must be managed appropriately through its entire lifecycle, from collection to destruction. For example, if a user revokes consent or a business no longer uses personal information it has collected, the personal information must be appropriately deleted.

For detailed information and compliance guidance on each step of this process, see our Consent Lifecycle Management Checklist chapter later in this article.

Why Is Consent Lifecycle Management Important?

Consent lifecycle management is crucially important because it helps you comply with global data protection and privacy laws, while providing transparency to your user base in a way that builds trust.

If you don't manage the consent lifecycle appropriately, you can be faced with huge legal fines and a tarnished reputation among consumers.

Is Consent Lifecycle Management Required by Law?

Yes, all aspects of consent lifecycle management are required by a number of data protection and privacy laws around the world.

Here are just a few of the laws that have requirements around consent, transparency, data retention, data security and user rights regarding opt-out/withdrawal of consent:

  • General Data Protection Regulation (GDPR): This EU law requires that consent be freely given, withdrawable, specific and explicit.
  • California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA): This United States law requires that businesses obtain explicit consent before collecting or using sensitive personal data. The CPRA requires that businesses have clear and conspicuous methods in place for users to opt out of the selling or sharing of their personal information, such as a “Do Not Sell or Share My Personal Information” link.
  • Personal Information Protection and Electronic Documents Act (PIPEDA): This Canadian law requires that businesses obtain “meaningful consent” from individuals before they can collect, use or disclose (sell/share) personal information.
  • Brazilian Lei Geral de Proteção de Dados (LGPD): This law requires that consent be "free, informed and unambiguous", that is, given voluntarily through a clear action after receiving transparent, relevant information.

Is a Privacy Policy Part of Consent Lifecycle Management?

Yes, a Privacy Policy is an important part of consent lifecycle management.

Having a Privacy Policy helps meet the "informed consent" requirement of many privacy laws because it's where you are transparent with users about the following key points related to consent:

  • That you are collecting their personal information
  • What personal information you collect, and how
  • What the collected personal information will be used for
  • How long you will store the personal information for (data retention)
  • That you secure the personal information
  • How users can revoke consent or manage what personal information you have about them
  • What rights users have and how they can be exercised

You will almost always see a Privacy Policy linked very close to any consent-request mechanism because it is an important aspect of obtaining consent.

Here's an example:

Vudu Create Account form with Agree to Terms and Privacy checkbox highlighted

Here are some examples of Privacy Policy clauses that relate to consent and the management of its lifecycle.

Here's how Adobe lets users know what information is collected from them (what they are consenting to have collected). Note that this is only an excerpt of a long and very transparent clause:

Adobe Privacy Policy - What information does Adobe collect clause - excerpt

These next two clauses transparently address data security and storage:

Adobe Privacy Policy - Personal information security and storage clauses

Here, Adobe explains how long personal information is retained both generally, and after a user has given consent. A clause like this helps users make an informed decision about whether to grant consent:

Adobe Privacy Policy - Data retention clause

Importantly, here's how Adobe explains that users can withdraw consent, and how to do so:

Adobe Privacy Policy - Withdrawing consent clause

You can see how important a Privacy Policy is to consent lifecycle management: it informs your users about your data practices so they can make an informed decision on whether or not to give consent and share their personal information.

Consent Lifecycle Management Checklist

These are the key steps in the consent lifecycle management process.

Remember to be transparent and take each step in line with relevant data protection laws.

Obtain Consent Appropriately

When you request consent from users, make sure the consent request involves the following:

  • Clear and transparent information about why you’re collecting personal information from them, how you plan to use it, and other important related information. This can be done by linking your Privacy Policy close to where you request consent.
  • An active consent mechanism for users to grant (or deny) explicit consent, such as individual checkboxes they can tick next to statements that clearly explain that ticking the boxes gives consent for different things.

Here's an example. The form below links to a Privacy Policy and has checkboxes next to statements explaining that, by checking the relevant box, the user accepts the Privacy Policy or agrees to receive emails. A user must actively check each box to give the relevant consent:

Adobe ID sign-up consent form

Honor the Consent Given

Make sure that you only collect and process personal information that users have actually consented to, and stop doing so when required.

Limit the personal information you collect and process to what you disclose in your Privacy Policy.

Make sure you honor granular consents as given. For example, in the screenshot above from Adobe's sign-up form, if a user doesn't check the second checkbox, they should not be sent product and services emails since they did not consent to this.

If a user revokes consent, have a process in place to honor this as quickly as possible.

Keep Records of Consent

Always keep and securely store detailed records of exactly when and how you obtained consent from each user, as well as any consent updates such as a revocation or additional consents granted. These records should include timestamps.

Make sure your records are accessible and accurate at any moment for compliance audit purposes.

Let Users Manage Their Consent

Provide users with easy methods to manage their consent at any time. This includes allowing them to see what they've given consent to, and to modify or withdraw their consent.

Here's an example of an easy-to-use button mechanism that lets users opt out easily:

Simple consent management form with opt-out button highlighted

The same interface can be used for managing data deletion requests and other activities:

Simple consent management form with delete data button highlighted

Include a way for users to contact you directly with requests or questions as well. This is usually done through a Privacy Policy or web page about user rights.

Here's an example of a Privacy Policy clause that lists some user rights regarding the management of personal information, explains those rights, and links to how the user can exercise them and manage their personal information and what's done with it:

Misfits Market Privacy Policy - General Rights clause excerpt

Refresh Consent When Needed

Consent, once obtained, does not last forever. There are times when consent will need to be obtained again, or personal information deleted if new consent cannot be obtained.

For example, say you have already obtained consent from users to collect one type of personal information. However, you start collecting new types of personal information and wish to collect this from existing users. You will need to obtain new consent for this.

Some laws also require that businesses periodically refresh or re-obtain consent for it to remain valid.

Note: Don't forget to update your Privacy Policy whenever you start to collect new types of personal information or change your terms.

Delete Data When You Should

Part of consent lifecycle management is managing the lifecycle of personal information you obtain. You cannot keep collected personal information indefinitely. Users might also request that you delete their personal information at any time.

Have processes in place to delete (or in some cases anonymize) personal information when:

  • You have kept it for as long as you said you would in your Privacy Policy's data retention clause or policy
  • You no longer use the personal information
  • A user has requested that you stop using their personal information, or has opted out of processing

Disclose in your Privacy Policy how long you will retain personal information. This can be a specific timeframe, as seen here with cookie storage expirations:

Zemanta Cookie Table - Third party advertising cookies clause with expiration column highlighted

You can also be more general and let users know that you only keep personal information for as long as necessary, or as required by law, as seen here from Misfits Market:

Misfits Market Privacy Policy - Data retention clause

Common Consent Lifecycle Management Mistakes

Here are some of the most common mistakes seen with consent lifecycle management:

  1. Having unclear consent request forms: Using language at the point you request consent that's either too vague or too complex. Your users must understand exactly what they're consenting to at that time. Being too vague or writing in legalese can mean their consent isn't truly "informed."
  2. Inadequately communicating with users/having a lack of transparency: Failing to inform users about their rights, such as their right to withdraw consent at any time. This also often includes failing to disclose what personal information you collect and how it will be used. This mistake usually starts with having an outdated or non-compliant Privacy Policy and/or Cookies Policy.
  3. Using pre-ticked checkboxes or setting toggle buttons to "on" by default: The GDPR explicitly forbids these when it comes to obtaining valid consent. You cannot assume consent is given and then make the user take an action to revoke it (like unchecking a box or clicking a toggle to "off"). It must be the opposite: consent is not given until a user takes an action.
  4. Not offering granular consent choices: By not offering specific, granular consent options (e.g., separate consents for email marketing, allowing data sharing, and collecting data for analytics), you are forcing users into all-or-nothing consent. This isn't fair to them, and it isn't smart for you, since most people will likely choose to give no consent rather than full consent.
  5. Keeping poor or incomplete records: Not maintaining accurate records of when, how, and what consent was given, which can lead to compliance issues during audits.
  6. Not honoring consent withdrawal requests quickly enough: When someone withdraws consent to have their personal data collected or processed, it must be honored, and as quickly as possible.
  7. Assuming consent lasts forever: Treating consent as a one-time event instead of an ongoing process, ignoring the need for periodic re-confirmation.
  8. Assuming consent covers more than it does: For example, if you want to start using customer phone numbers that you have in your database for a new SMS marketing campaign, you cannot do so without new consent if you have never requested it for such a use.
  9. Not complying with laws and regulations: Not aligning your consent processes with all the data protection and privacy laws that apply to you. For example, if you have users in the EU, you must comply with the GDPR. If you have users in California, the CCPA/CPRA applies to you and must be complied with.

What Is a Consent Management Platform (CMP)?

A Consent Management Platform (CMP) is a software tool that helps a business seamlessly, easily and compliantly collect, store and manage user consents. It's usually offered by a third party as a software solution.

Some popular CMPs are:

Some of the benefits of having a Consent Management Platform (CMP) include the following:

  • High levels of legal compliance achieved easily
  • Seamless integration into any existing website/app
  • Pleasant and intuitive experience for end users

A Consent Management Platform (CMP) works by integrating the software into your website/app. It will have a user-facing component that compliantly collects consent from your users and allows your users to easily manage, change and revoke consent at any time through the CMP.

For example, a CMP will create attractive consent forms for you such as this one and integrate them on your website:

CookieHub Cookie Consent - Settings opened banner options example

CMPs make it easy to customize the look, style and content of your consent forms, all while maintaining compliance. For example, you can have different styles and sizes of banners, different color options, and layout styles:

Cookie consent notice banner example with multiple features highlighted

A CMP will have a business-facing backend that allows for customization of consent forms, and tracking of consent lifecycle for audits.

Here's an example of a standard style of CMP business-facing interface, where the business can fully customize its consent form content and style:

Example of the Privacy Consent with open Preference Center from TermsFeed

A CMP is extremely helpful for easily managing changes users make to their preferences.

Summary

Consent lifecycle management is an important compliance process that must be implemented if your business collects legally-protected personal information with consent.

The main steps to a robust consent lifecycle management plan are as follows:

  • Get appropriate consent: well-informed, freely given, and revocable at any time
  • Always respect your users' consent wishes
  • Keep thorough records of all consents granted, revoked or adjusted
  • Provide a way for users to manage consents granted as well as their personal information you have on file
  • Update consent and relevant legal policies (such as a Privacy Policy) as needed, usually as privacy laws or your own personal business practices change
  • Always delete or stop processing personal information as quickly as possible after a user has revoked consent

Consider adding a Consent Management Platform (CMP) to your website or app to ensure your consent lifecycle is managed in a compliant way. This will ensure you'll pass any compliance audit related to consent and the processing of personal information related to that consent.
