Consent Management Overview
The need to gather and log consent events arises from different regulatory acts worldwide. As an example, the EU’s General Data Protection Regulation (GDPR) requires affirmative consent for the collection of visitor data in Article 7 (“Conditions for consent”):
“7.1 Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”
This means that site owners are required to provide consent controls and document that European Union users have given consent to the collection, storage, and processing of their data.
Similar laws in multiple US states, such as the CCPA/CPRA in California, also require consent to be provided, although with less strict requirements in some areas. For example, the CCPA/CPRA requires affirmative consent be obtained at the point of or prior to data collection for minors under the age of 16. Consent is also required for users over the age of 16, but implied consent is acceptable.
Most regulations also require website owners to support specific “data subject” rights. Generally, these include:
- The right to be informed of what data is being collected and how it is used.
- The right to access a subject’s data.
- The right to correct or change a subject’s data.
- The right to delete a subject’s data.
- The right to restrict processing of a subject’s data.
- The right to object.
How does Concord help?
Concord’s consent management solution enables robust and flexible consent management configuration settings in order to properly comply with existing and future regulations, establish visitor trust, and differentiate your business.
Concord provides both consent logs and privacy request handling (often referred to as Data Subject Access Requests, or DSARs), so that you can store and access subjects’ consent records and record and act on their data subject rights requests. These records are necessary to prove compliance with privacy and consent regulations, and may need to be produced upon request if audited by the relevant authorities.
How does consent capture and storage work?
When a user first arrives at your site after you have deployed Concord, Concord creates a consent token containing an alphanumeric identifier for the visitor in local storage. Local storage is a browser feature used to store data locally in the form of key-value pairs. This Concord ID is then used to associate consent with that specific browser.
What consent data does Concord capture and store?
Concord’s data store will contain the user’s Concord ID as well as multiple attributes to describe each consent event. These will include:
- Consent type, sub-type, version, and label of each consent event.
- Date of each consent event, including updated dates.
- Consent action
  - The action the user took for the consent event. Can be user_click, implied, or import (for consent data that is imported from other systems).
- Consent state
  - The user’s new state of consent after a consent event is captured. Can be accepted, declined, viewed, or implied.
- Anonymized IP address.
- Expiration date of the consent event.
- The domain and project the event originated from as configured in your Concord account.
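The capture flow and record fields described in the two sections above, sketched as an added example that is not Concord's code. The storage key, field names, consent type and last-octet IPv4 masking are assumptions; `stateAt` shows how a log of such events can answer which consent state a browser had recorded at a given time.

```javascript
// Added example. Field names, STORAGE_KEY and the IPv4 masking rule are
// assumptions for illustration; they are not Concord's schema or code.
const ACTIONS = new Set(["user_click", "implied", "import"]);
const STATES = new Set(["accepted", "declined", "viewed", "implied"]);
const STORAGE_KEY = "example_consent_id"; // hypothetical key name
const DAY_MS = 24 * 60 * 60 * 1000;

// Return the ID already in `storage` (window.localStorage in a browser) or
// create one. Local storage is user-editable, so the stored value is
// validated before it is trusted as an identifier.
function getOrCreateId(storage, newId = () => globalThis.crypto.randomUUID()) {
  let id = storage.getItem(STORAGE_KEY);
  if (typeof id !== "string" || !/^[A-Za-z0-9-]{8,64}$/.test(id)) {
    id = newId();
    storage.setItem(STORAGE_KEY, id);
  }
  return id;
}

// Assumed anonymization: zero the last octet of an IPv4 address.
function anonymizeIpv4(ip) {
  const parts = ip.split(".");
  const ok = parts.length === 4 &&
    parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!ok) throw new Error("not an IPv4 address");
  return parts.slice(0, 3).join(".") + ".0";
}

// Build one consent event, rejecting actions and states outside the lists above.
function buildEvent(id, { type, action, state, ip, date, ttlDays }) {
  if (!ACTIONS.has(action)) throw new Error("unknown consent action: " + action);
  if (!STATES.has(state)) throw new Error("unknown consent state: " + state);
  return {
    id, type, action, state,
    ip: anonymizeIpv4(ip),
    date: date.toISOString(),
    expires: new Date(date.getTime() + ttlDays * DAY_MS).toISOString(),
  };
}

// State recorded by the latest event for (id, type) that had happened and had
// not expired at `when`; null if there is none.
function stateAt(events, id, type, when) {
  const t = when.toISOString(); // ISO-8601 UTC strings sort chronologically
  const live = events
    .filter((e) => e.id === id && e.type === type && e.date <= t && e.expires > t)
    .sort((a, b) => a.date.localeCompare(b.date));
  return live.length ? live[live.length - 1].state : null;
}
```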
How do I access consent and request logs?
The Consent Log report within the Consent → Consent Log section of Concord shows extended detail on individual consent events that occurred during the selected date range. More information on that report can be found here.
The Request Log report within the Privacy Requests → Request Log section of Concord shows extended detail on individual Privacy Requests received during the selected date range. More information on that report can be found here.