Implementing effective consent withdrawal mechanisms is critical for legal compliance. Consent withdrawal allows users to revoke previously granted permissions for data processing, including cookie tracking, CRM data usage and marketing communications/emails.

This guide covers three critical areas when it comes to consent withdrawal: cookie consent banners, CRM systems, and email marketing platforms, with practical steps for implementing each.



Consent withdrawal is the act and process of a user revoking consent for something after consent has been given.

For example, someone may consent to receive SMS/text messages from a company by responding "yes" to an initial message sent by the company. However, the consumer may later decide they no longer want to receive these messages.

The consumer would then withdraw consent (such as by responding with the word "STOP"), and the company would have to honor this request and stop sending the consumer messages via text.

Another example would be clicking the "unsubscribe" link located at the end of a marketing email. While the consumer did at one point consent to receive the emails, the consumer can withdraw consent at any time via the unsubscribe link.

Yes, allowing the withdrawal of consent is a fundamental right under a number of data protection and privacy laws.

Privacy laws and regulations like the GDPR (in Article 7) and the CCPA/CPRA require that withdrawing consent be as easy as giving it. This means that businesses are legally required to provide users with clear, easily accessible, and user-friendly mechanisms for withdrawing their consent at any time.

Failure to do so can result in hefty fines and reputational damage.

Regardless of whether you're implementing consent withdrawal methods for email newsletters, CRM systems or cookies, a few key principles remain the same across the board.

Some key principles for consent withdrawal include:

  • Make it easy to access at any time: Consent withdrawal methods must be easy to locate and use at any time. Whenever a user decides to withdraw consent, they must be able to do so with ease. Examples of this would be the inclusion of an Unsubscribe link at the bottom of every single marketing email you send out, or a statement at the end of every SMS marketing text that lets users know they can withdraw consent by responding with a certain word.
  • Honor the consent withdrawal request as quickly as possible: As soon as a user withdraws consent, you are obligated to honor this withdrawal as quickly as possible. Sometimes it takes time for a system to update, so for example a user who withdraws consent to receive emails may receive one or two more before the consent withdrawal request takes effect. But don't sit on consent withdrawal requests and take weeks to honor them.
  • Be transparent, such as with a Privacy Policy and Cookies Policy: Users should understand the implications of withdrawing consent, and also be informed that they do have the right to withdraw consent at any time. Your Privacy and/or Cookies Policy is the perfect place to include this information and then link it to your website's footer or somewhere equally accessible at any time.
  • Maintain records of consents and consent withdrawals: For audit and compliance purposes, always maintain accurate and up-to-date records of all the consents you receive, as well as whenever consent is withdrawn.

Now we'll look at some practical steps for implementing consent withdrawal in specific scenarios.

Cookie consent banners are often the first place where users who land on your website have to choose whether to grant or deny consent.

A cookie consent banner without the correct consent and withdrawal options can frustrate users and fail to meet legal requirements.

Here's how to implement consent withdrawal effectively and compliantly in cookie consent banners.

To implement consent withdrawal in your cookie consent banner, make sure you include more than just an "Accept" option. You should include the following options: "Accept," "Reject," and "Manage Preferences" or a similar type of button or option.

The "Manage Preferences" option is where your users will be able to customize their consent and access withdrawal options as well. This is covered more in the following section.

Here's an example of a cookie consent banner from Next UK that includes options to reject and manually manage cookies:

Next UK cookie consent banner

When users click the "Manage Preferences" type of button on your cookie consent banner, they can be taken to an interactive interface or preferences center where they can adjust cookie consent settings, including withdrawal of consent.

By requesting granular consent, or individual consent for each different category of cookies, users are able to more easily grant, deny or withdraw consent. Users should be able to opt out of non-essential cookies easily.

Here's how Next UK presents granular consent and consent withdrawal options when a user clicks "Manually Manage Cookies" on its cookie consent banner. By clicking the toggle button highlighted, users can give or withdraw consent for specific types of cookies:

Next UK cookie consent banner - Manage Preferences form excerpt

You can use this space to inform users of what cookies they cannot withdraw consent for, such as essential and functional cookies. Here's how Next UK does this:

Next UK cookie consent banner - Manage Preferences form - Always active cookies excerpt

To make sure users can withdraw consent/manage preferences at any time, you can include a floating icon or footer link (e.g., "Cookie Settings") on every page of your website.

Here's how Next UK includes a link in its website footer, next to important legal policy links, where users can manage cookies and consent withdrawal at any time:

Next UK website footer with Manually manage cookies link highlighted

Have a Privacy and/or Cookies Policy that helps your users understand their right to withdraw cookie consent, and how they can do so. Make sure to link your policy to your cookie consent banner, as well as in your website footer so users can find it at any time.

Here's an excerpt from Next UK's Privacy and Cookie Policy. It lets users know that they are able to change cookie preferences at any time by clicking "Manually Manage Cookies" at the bottom of the page, adjusting the sliders, and clicking "Confirm my choices."

Users are also informed that if they don't consent to certain types of cookies, certain parts of the website and shopping experience may not work:

Next UK Privacy and Cookie Policy: Turn off or block cookies clause

A link to the policy is included both in the cookie consent banner and the website's footer. Here's the link in the cookie consent banner:

Next UK cookie consent banner with Privacy and Cookie Policy link highlighted

And here's how it's linked in the site's footer, visible on every single page:

Next UK website footer with Privacy and Cookie Policy link highlighted

Process Withdrawal Requests as Quickly as Possible

If someone withdraws consent for a type of cookie, make sure that the vendor or third party responsible for creating and using the cookie is disabled as quickly as possible, if not immediately. Otherwise, you will be violating privacy laws by processing personal information without consent.

If you use a Consent Management Platform (CMP), this will be automatically worked into the functionality.

Keep a timestamped log of all of your consents and consent withdrawals. If you use a CMP, this will be an automatic part of the program's functionality.

It's a good idea to conduct audits a few times a year to make sure that your consent withdrawal mechanism complies with any new or changed laws and regulations, and that it's functioning correctly.

Customer Relationship Management (CRM) systems store and process personal information for purposes such as marketing, sales, and providing customer support. Because CRMs store this protected personal information, they must be used in a legally compliant way.

If you have a CRM system, you must comply with data protection and privacy laws that require that user consent be withdrawable at any time.

Some (but not all) CRMs have user-facing preference centers where users can easily withdraw consent. This is usually a feature you'll see with email marketing, SMS messages, etc. However, most CRMs work for internal purposes.

For example, take a look at Zoho CRM's dashboard. From the dashboard, you can see the status of consents including pending requests, waiting and obtained:

Zoho CRM dashboard - overview tab screenshot

Here's an example of a different style of CRM dashboard that includes detailed data about consents:

CRM dashboard example with consents highlighted

Here are some steps for implementing and enabling consent withdrawal in CRMs.

Integrating a CMP into your CRM will help you obtain consent and allow for consent withdrawal for each individual's record. The CRM you're using may have this feature integrated already, but it isn't necessarily a feature of every CRM.

The CMP will record consent data through a customer portal or preference center and transmit it to the CRM system, making it a seamless and automatic process.

You can include a link to the customer portal or preference center log-in page within your emails as well as on your website. This lets users really customize and manage their consents and consent withdrawals.

Here's an example of a customer-facing consent portal, from Zoho, that you can create with a CMP, or with a CRM with this feature included:

Zoho CRM consent portal example screenshot

In a CRM, a flag field is an easy way that you can "flag" a user's record with a status or a condition. This will allow you to flag users who have withdrawn consent, which helps make sure you don't accidentally process their information after consent has been withdrawn.

Flag fields can be in a yes/no format for simple consents. They can also be in a dropdown menu format with multiple options for more granular consents. For example, someone may consent to receive promotional emails but opt out of being contacted by text messages.

Ensure Withdrawal Requests are Processed as Quickly as Possible

In a CRM, this will be automated after the initial setup. Make sure your CRM is functioning so that as soon as a user withdraws consent, their CRM record instantly reflects the change.

Track the consent status of a user and different consents by adding fields to the CRM that will store current consent statuses. For example, you can have a field for "Marketing Consent" and a Yes/No response in the associated field based on consent or withdrawal.

Here's an example of how a CRM backend (from Zoho) will let you adjust consent settings including waiting period and how the user's data is processed when consent isn't available:

Zoho CRM consent settings screenshot

Make sure you set this up to not process data without consent, or if consent is withdrawn.

Email marketing is one of the most common ways that businesses connect with users. But it has to be done in a compliant way and allow for the user to withdraw consent at any time to avoid spam complaints and legal fines.

Here are some steps for implementing consent withdrawal in email marketing systems.

Laws like the GDPR and CAN-SPAM require that marketing emails include a one-click unsubscribe link. This is an extremely easy and effective way to allow for consent withdrawal in your email marketing process.

Here's an example of a standard email footer unsubscribe link that you'll see at the bottom of commercial emails in your own inbox:

Commonplace books email footer with Unsubscribe link highlighted

In addition to having unsubscribe links in all emails you send out, see if you can set up a Preference Center with granular consent options for users who have signed up for emails or an account with you.

From the preference center, users should be able to choose which types of emails they wish to stop receiving (such as weekly newsletters), while remaining subscribed to others (transactional or promotional emails).

It can be something as simple as the following image, where users can check or uncheck boxes for what types of emails they'd like to receive. By unchecking a box, a user is withdrawing consent:

Email sign-up granular consent options example

If you're using third-party tools for email automation, verify that the tool syncs all consent withdrawal requests with the primary email platform and CRM. For example, when a user unsubscribes via Mailchimp, their CRM record should reflect "Email Marketing: Opted Out."
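The flag fields, timestamped log and tool-to-CRM sync described above, sketched as an added example (not code from any CRM or email platform named on this page). The purpose names, the event layout and the sample events are assumptions constructed for illustration; the sketch also covers an opt-in event that arrives after a newer withdrawal.

```python
from dataclasses import dataclass, field
from datetime import datetime

PURPOSES = ("email_marketing", "sms_marketing")  # assumed purpose names

@dataclass
class ConsentRecord:
    """One CRM contact: a yes/no flag per purpose plus a timestamped log."""
    flags: dict = field(default_factory=lambda: {p: False for p in PURPOSES})
    changed: dict = field(default_factory=dict)  # purpose -> time of the deciding event
    log: list = field(default_factory=list)      # append-only audit trail

    def apply(self, purpose, granted, when, source):
        if purpose not in self.flags:
            raise ValueError(f"unknown purpose: {purpose}")
        self.log.append((when.isoformat(), purpose, granted, source))
        # A delayed, older event must not overwrite a newer withdrawal.
        if purpose not in self.changed or when >= self.changed[purpose]:
            self.flags[purpose] = granted
            self.changed[purpose] = when

class Crm:
    def __init__(self):
        self.records = {}

    def sync_event(self, contact, purpose, action, at, source):
        """Apply a subscribe/unsubscribe event received from an email or SMS tool."""
        if action not in ("subscribe", "unsubscribe"):
            raise ValueError(f"unknown action: {action}")
        record = self.records.setdefault(contact, ConsentRecord())
        record.apply(purpose, action == "subscribe", datetime.fromisoformat(at), source)

    def recipients(self, contacts, purpose):
        """Filter a send list; contacts without a record count as not consented."""
        return [c for c in contacts
                if c in self.records and self.records[c].flags.get(purpose, False)]

# Constructed sample events; the last one is an older opt-in that arrives late.
EVENTS = [
    ("ana", "email_marketing", "subscribe", "2024-05-01T09:00:00+00:00", "signup_form"),
    ("ana", "sms_marketing", "subscribe", "2024-05-01T09:00:00+00:00", "signup_form"),
    ("ben", "email_marketing", "subscribe", "2024-05-02T12:00:00+00:00", "signup_form"),
    ("ana", "email_marketing", "unsubscribe", "2024-06-10T08:30:00+00:00", "footer_link"),
    ("ana", "email_marketing", "subscribe", "2024-05-15T10:00:00+00:00", "delayed_import"),
]

def build_crm(events=EVENTS):
    crm = Crm()
    for event in events:
        crm.sync_event(*event)
    return crm
```

Every send list goes through `recipients`, so a withdrawal takes effect on the next send while the log keeps the full history, including the stale event that was recorded but not applied.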

Whether you have an automated process in place or a team member who manually processes these requests, make sure that they're done, and done quickly, to comply with regulations.

Use your Privacy Policy to inform users that they are able to opt out of receiving emails, and let them know how to do this.

Here's how Next UK informs users that they can unsubscribe from marketing emails at any time through the "my account" page, or via the link included in every email:

Next UK Privacy and Cookie Policy - Unsubscribe clause

Here's how Beekeeper's Naturals includes an "Opt-out of communications" clause that lets users know they can opt out of marketing-related emails by following instructions at the bottom of emails, or by contacting the company directly:

Beekeepers Naturals Privacy Policy - Opt out of communications clause

As always, link your Privacy Policy in your website's footer so it's always accessible to your users. You can also link it to the footer of every email you send, close to the unsubscribe link.

Honor Withdrawal Requests Quickly

After someone unsubscribes from one or all of your emails, make sure they receive at most one or two more messages. If you're using a third-party email marketing system like Mailchimp, this will be part of the platform and will be done automatically.

Keep a timestamped log of all of your consents and consent withdrawals. If you use an email marketing system, this will be an automatic part of the program's functionality.

Summary

Users have the legal right to withdraw consent, even after they've given it. And you have a legal obligation to facilitate and honor their consent withdrawal.

Whether you're implementing consent withdrawal in a cookie consent banner, a CRM platform or as part of your email marketing process, you'll always want to:

  • Let users know (via a Privacy or Cookies Policy) that they have the right to withdraw consent, and how they can do so
  • Quickly honor any consent withdrawals
  • Keep records of all consents granted and withdrawn

Design user-friendly cookie consent banners, use a robust CRM program, automate opt-out processes in your email marketing systems, and always have an informative Privacy/Cookies Policy available.

Doing these things will help ensure that you're complying with global privacy laws while making your end users feel more comfortable sharing consent with you, knowing that they are in control and can withdraw consent easily and at any time.
