Skip to content
Consent Management
Concepts
Consent Fundamentals
Consent Form

Consent Form

The Consent Form is a privacy experience built for US state privacy laws that grant a right to opt out of the sale or sharing of personal information. It lets a visitor opt out without identity verification. There's no email confirmation, one-time passcode, or login step standing between the visitor and their opt-out.

The problem it solves is friction. A traditional opt-out flow asks the visitor to identify themselves and then verify that identity before the opt-out takes effect. For a right that's meant to be honored quickly and with minimal burden, that verification step is often more than the law requires and more than the visitor wants to do. The Consent Form removes it: the opt-out applies immediately in the browser, and the visitor is invited (but never required) to provide a contact identifier if they want their opt-out propagated to back-end systems.

The two-tier opt-out model

The Consent Form implements opt-out as two tiers that build on each other. Every opt-out happens immediately without requiring identity; the full opt-out happens in addition when the visitor chooses to supply an identifier.

Consent Management - Consent Form two-tier opt-out

Immediate opt-out (no identity needed)

When a visitor submits the form without entering any identity details, the opt-out is recorded immediately, exactly as it would be for a standard opt-out experience: the choice is saved to Fides as a consent record (and written to the visitor's browser) and applied right away. Because no contactable identity was provided, the opt-out is associated with the visitor's device rather than a person, no identity verification is performed, and no Privacy Request is created.

Optional full opt-out with identity

If the visitor chooses to provide identity details, that identity rides along on the same submission. Fides then creates a Privacy Request so the opt-out can be propagated across your connected systems, rather than living only in the visitor's browser. The Privacy Request is created with the source Consent Form and is processed against your configured consent policy.

Crucially, identity verification (the usual one-time passcode step) is bypassed for this flow: the visitor's stated identifier is accepted as-is and the Privacy Request is created synchronously. This is what makes the Consent Form a "full opt-out without ID verification": the visitor gets the broader reach of a Privacy Request without the verification friction.

Both tiers travel through a single network call. They are not separate endpoints; the same opt-out submission is sent either with or without an identity in its body. A submission with no identity is the immediate opt-out only; a submission carrying identity details adds the full opt-out.

Identity is optional, not verified

The Consent Form's relationship to identities is the heart of the experience: an identity is optional and, when provided, not verified.

  • Optional. The form is valid with no identity entered at all. Required/format checks on the identity fields only kick in once the visitor starts filling them in.
  • Not verified. When an identifier is supplied, it's accepted at face value to create the Privacy Request; there's no confirmation email or passcode challenge.

The specific identity fields a Consent Form shows, and whether each is required, come from the associated property's Privacy Center form configuration, not from the experience itself. See the Consent Form configuration guide for how to set them up.

How it relates to consent records and GPC

Consent records. Every Consent Form opt-out, with or without identity, produces consent records just like any other privacy experience. The opt-out sets every applicable privacy notice to opt_out (notice-only notices, which can't be opted out of, are left acknowledged). Because the full opt-out additionally creates a Privacy Request, those opt-outs are labeled with the Consent Form request origin in consent reporting, so you can distinguish them from opt-outs made without identity.

Methods of consent. The Consent Form is an opt-out experience: it records opt_out against the notices it covers. For the broader picture of how Fides models opt-in versus opt-out consent, see Methods of Consent.

Global Privacy Control (GPC). When a visitor arrives with a GPC signal active, the opt-out is applied automatically on page load, with no interaction required. The Consent Form can then surface an optional GPC prompt inviting the visitor to provide an identifier for a full opt-out. GPC honoring and the prompt are covered in the GPC guide.

Next steps

Privacy ExperiencesConsent Records