
Consent Fundamentals: Methods of Consent


In this page, we'll review the various methods of consent and their requirements.

Methods of Consent

There are several methods for gathering consent, based on the location of the visitor and the applied regulations. Below are the most common:

  • Explicit, informed consent is when a user is properly informed about the use of their data in order to give consent.

    • Opt-In: the user must opt-in to the processing of data before any of their data can be processed.
    • Opt-Out: the user may opt-out at any time in the future, at which point their data must stop being processed.
    Consent Management - Opt-in vs. Opt-out

    The image above showcases two different approaches. In the first, the user has to explicitly opt-in to Marketing activities for their data to be processed for that purpose. In the second, the user has to specifically opt-out of their data being used for Data Sales, which they can do at any time.

  • Implicit consent is when a user has provided their information for a business purpose but has not explicitly agreed to the use of their data for something like marketing. With implicit consent, you assume the user's consent.

A method of consent is the mechanism used to collect consent, such as implicit consent, explicit opt-in consent, or explicit opt-out consent.

Opt-In Consent

Opt-In consent is more common in Europe (EEA) and is sometimes known as "cookie consent" or a "cookie banner." However, this can be misleading as it implies the requirement is to manage cookies or that it requires a banner.

Consent Management - Opt-in Example

The goal, instead, is to ensure personal data is only processed for the express uses that are agreed upon by the visitor; it is not about cookies or about banners! Examples of opt-in consent can include:

  • Email marketing: opting in to receive a newsletter or other marketing materials.
  • Healthcare: opting in to processing of personal medical data for healthcare purposes.

Opt-Out Consent

Opt-Out consent is more common in the United States, particularly in response to new data privacy regulations such as CCPA and VCDPA. Read about US Privacy Regulations here.

Consent Management - Opt-out Example

Opt-Out consent provides the visitor the ability to opt-out at any time, now or in the future, of a data processing activity such as advertising if they no longer wish to be included. Examples of opt-out consent include:

  • Data Sales: opting out of the processing of personal data for purposes that constitute a "sale" under the CCPA.
  • Targeted Advertising: opting out of the processing of personal data for the purpose of targeted advertising.
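The three methods differ mainly in what a system must do when no choice has been saved yet. The sketch below is an added example, not Fides code: the purpose names, the `NOTICES` mapping and both function names are hypothetical, and failing closed on an unknown purpose is an assumption of this example.

```python
from enum import Enum
from typing import Dict, List


class Method(Enum):
    OPT_IN = "opt_in"      # no processing until the visitor agrees
    OPT_OUT = "opt_out"    # processing allowed until the visitor opts out
    IMPLICIT = "implicit"  # consent is assumed


# Constructed sample mapping of processing purposes to consent methods.
NOTICES: Dict[str, Method] = {
    "marketing": Method.OPT_IN,
    "data_sales": Method.OPT_OUT,
    "order_fulfilment": Method.IMPLICIT,
}


def may_process(purpose: str, saved_prefs: Dict[str, bool]) -> bool:
    """Decide whether data may be processed for `purpose`.

    saved_prefs maps purpose -> True (opted in) or False (opted out);
    a missing key means the visitor has not made a choice yet.
    """
    method = NOTICES.get(purpose)
    if method is None:
        # Assumption: a purpose with no configured notice is never processed.
        return False
    choice = saved_prefs.get(purpose)
    if method is Method.OPT_IN:
        # Default deny: only an explicit opt-in unlocks processing.
        return choice is True
    if method is Method.OPT_OUT:
        # Default allow: processing stops as soon as an opt-out is saved.
        return choice is not False
    # Implicit consent: assumed, as described above.
    return True


def allowed_purposes(saved_prefs: Dict[str, bool]) -> List[str]:
    """Return every configured purpose currently permitted for a visitor."""
    return sorted(p for p in NOTICES if may_process(p, saved_prefs))


if __name__ == "__main__":
    print(allowed_purposes({}))                     # visitor made no choices
    print(allowed_purposes({"data_sales": False}))  # visitor opted out of sales
```

Calling `may_process` at the point where data is actually used, rather than only when the banner is shown, is what makes a later opt-out take effect immediately.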

Opt-out with and without identity verification

The opt-out described above assumes an identified flow: a visitor supplies identity details, and that identity is what the opt-out is recorded against and propagated with.

The Consent Form privacy experience adds a way for a US-state visitor to opt out of data sales and sharing without identity verification. It exposes two tiers:

  • Opt-out without identity. The visitor opts out without entering any identity details. The preference is still recorded, scoped to the visitor's device (the Fides user device ID and/or external ID) rather than to a contactable person, and it does not create a privacy request.
  • Optional full opt-out (identity-based). The visitor additionally provides identity details. That identity is submitted alongside the opt-out, and the backend creates a privacy request so the opt-out can be propagated across connected systems. Identity verification (OTP) is bypassed for this flow.

"Without identity verification" means the no-identity opt-out records no personal, verified identity and runs no OTP verification step. It is not literally identifier-less: a browser pseudo-identifier (Fides user device ID and/or external ID) is still required for the preference to be saved.

For a full description of the two-tier model and how to configure it, see the Consent Form concept page and the Consent Form configuration guide. The Consent Form is also listed alongside the other experience types in Privacy Experiences.