Consent Management
What is Consent Management?
Consent Management: The processes and tooling used to collect, record, refresh, and honor user permissions for processing personal data and setting cookies, in line with privacy law.
Consent management implements the GDPR Article 7 conditions for valid consent (freely given, specific, informed, unambiguous, and withdrawable) and equivalents under the ePrivacy Directive, CCPA/CPRA, LGPD, China's PIPL, and India's DPDP Act. It typically uses a Consent Management Platform (CMP) for cookies and trackers, plus internal services that capture purpose-specific consents at signup, in product settings, and at runtime. Implementations record proof (timestamp, version, UI text, IP, identifier), gate downstream systems via signals such as IAB TCF, Google Consent Mode v2, or custom flags, and support withdrawal, child consent, and re-consent when purposes change. Robust governance ties consent to data flows, vendor lists, and DPIA outcomes.
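One way the proof record and the downstream gate described above can fit together, as an added example that is not from the original page or from any CMP product. The class names, purposes, and version numbers are hypothetical, and storing the UI text as a SHA-256 digest is an assumption.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical notice version per purpose; bumping one forces re-consent.
CURRENT_VERSION = {"analytics": 2, "marketing": 1}

@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str      # identifier of the data subject
    purpose: str
    granted: bool        # False records a rejection or a withdrawal
    version: int         # notice version the user actually saw
    ui_text_sha256: str  # digest of the exact wording displayed (assumption)
    ip: str
    timestamp: datetime

class ConsentLedger:
    """Append-only log: events are never edited, the newest per purpose wins."""
    def __init__(self):
        self._events = []

    def record(self, subject_id, purpose, granted, version, ui_text, ip):
        event = ConsentEvent(subject_id, purpose, granted, version,
                             hashlib.sha256(ui_text.encode()).hexdigest(),
                             ip, datetime.now(timezone.utc))
        self._events.append(event)
        return event

    def latest(self, subject_id, purpose):
        # Walk backwards in append order so clock skew cannot reorder events.
        return next((e for e in reversed(self._events)
                     if e.subject_id == subject_id and e.purpose == purpose), None)

    def is_permitted(self, subject_id, purpose):
        """Gate for downstream systems: deny unless a current grant exists."""
        event = self.latest(subject_id, purpose)
        if event is None or not event.granted:
            return False  # never asked, rejected, or withdrawn
        return event.version == CURRENT_VERSION.get(purpose)  # stale: re-consent

def demo():
    """Constructed sample: a withdrawal, a stale grant, and a current grant."""
    ledger = ConsentLedger()
    ledger.record("u1", "marketing", True, 1, "Send me offers", "203.0.113.7")
    ledger.record("u1", "marketing", False, 1, "Send me offers", "203.0.113.7")
    ledger.record("u1", "analytics", True, 1, "Measure usage", "203.0.113.7")
    ledger.record("u2", "analytics", True, 2, "Measure usage and crashes", "203.0.113.8")
    return {(s, p): ledger.is_permitted(s, p)
            for s in ("u1", "u2") for p in ("marketing", "analytics")}
```

Only `u2`'s analytics consent passes the gate: `u1` withdrew marketing consent, `u1`'s analytics grant predates the current notice version, and `u2` was never asked about marketing.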
● Examples
- 01. A CMP banner that lets users accept, reject, or fine-tune marketing, analytics, and personalization cookies.
- 02. An app that requests a separate, granular consent for sharing health data with a research partner.
● Frequently asked questions
What is Consent Management?
The processes and tooling used to collect, record, refresh, and honor user permissions for processing personal data and setting cookies, in line with privacy law. It belongs to the Privacy & Data Protection category of cybersecurity.
What does Consent Management mean?
The processes and tooling used to collect, record, refresh, and honor user permissions for processing personal data and setting cookies, in line with privacy law.
How does Consent Management work?
Consent management implements the GDPR Article 7 conditions for valid consent (freely given, specific, informed, unambiguous, and withdrawable) and equivalents under the ePrivacy Directive, CCPA/CPRA, LGPD, China's PIPL, and India's DPDP Act. It typically uses a Consent Management Platform (CMP) for cookies and trackers, plus internal services that capture purpose-specific consents at signup, in product settings, and at runtime. Implementations record proof (timestamp, version, UI text, IP, identifier), gate downstream systems via signals such as IAB TCF, Google Consent Mode v2, or custom flags, and support withdrawal, child consent, and re-consent when purposes change. Robust governance ties consent to data flows, vendor lists, and DPIA outcomes.
How do you defend against Consent Management?
Defences for Consent Management typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Consent Management?
Common alternative names include: Cookie Consent, Consent Lifecycle Management.
● Related terms
- Privacy by Design (privacy, № 856): An engineering and governance approach that embeds privacy considerations into systems, processes, and defaults from the earliest design stages rather than bolting them on later.
- Data Subject Access Request (DSAR) (privacy, № 286): A formal request from an individual to a controller asking which of their personal data is being processed and obtaining a copy of it, as guaranteed by GDPR Article 15 and similar laws.
- Right to Be Forgotten (privacy, № 932): The right of an individual to obtain the erasure of personal data concerning them when there is no overriding legal reason to keep processing it, under GDPR Article 17.
- Data Minimization (privacy, № 280): A privacy principle requiring organizations to collect, process, and retain only the personal data that is strictly necessary for a defined, lawful purpose.
- GDPR (compliance, № 440): The European Union's General Data Protection Regulation governing the processing of personal data of individuals in the EU and EEA.
- Data Classification (privacy, № 276): The process of labeling data by sensitivity and value so that the right protection, handling, and retention controls can be applied consistently.