Consent management — capture, modify, withdraw across jurisdictions

Primary statement

Consent management operates per multi-jurisdiction requirements: (1) ISO 27701 — determine when/how consent obtained, obtain and record consent, provide mechanisms to modify or withdraw (A.1.2.3 / A.1.2.4 / A.1.3.3); (2) GDPR Article 7 — freely given, specific, informed, unambiguous + demonstrable + withdrawable as easily as given; (3) DPDPA Section 6 + storage limitation — erasure on consent withdrawal (DPDP.6); (4) CCPA 1798.120 opt-out (sale/sharing); (5) records retained for the duration of processing plus retention period.

Audit-fatigue payoff

A unified consent management platform — capture + record + modify + withdraw + retention — satisfies consent requirements across all 9 contributing frameworks. The GDPR Article 7 four-condition test + ISO 27701 record retention is the audit-defensible specification.

Strictness matrix

Scope
Consent records retained for the duration of processing AND any retention period after withdrawal. The post-withdrawal retention captures the historical lawful-basis evidence.
Ceiling source: iso27701:A.1.2.4
Rationale: ISO 27701 A.1.2.4 record retention scope captures historical evidence requirements.

Threshold
Consent shall be (1) freely given, (2) specific, (3) informed, (4) unambiguous, signalled by a clear affirmative action, demonstrable, and withdrawable as easily as given. Four conditions plus the operational requirements of affirmative action, demonstrability and easy withdrawal. Pre-ticked boxes, silence, or bundled consent fail.
Ceiling source: gdpr:Art.7
Rationale: GDPR Article 7 four-condition threshold is the strictest consent threshold globally.

Method
(1) determine when and how consent is obtained (A.1.2.3); (2) obtain consent prior to processing (A.1.2.4); (3) record consent with metadata (timestamp, version of notice, scope); (4) retain records for duration of processing + retention period; (5) provide mechanisms to modify or withdraw (A.1.3.3); (6) withdrawal as easy as given (GDPR Art. 7(3)); (7) DPDPA erasure on withdrawal (DPDP.6); (8) CCPA opt-out for sale/sharing (1798.120).
Ceiling source: iso27701:A.1.2.3
Rationale: ISO 27701 A.1.2.3 + GDPR Art. 7 + DPDPA DPDP.6 combine to the most prescriptive method.

Frequency
Consent capture: per processing activity, prior to processing. Modify/withdraw: per request, real-time. Consent records review: annual. Re-consent: on material change to purposes or processing.
Ceiling source: iso27701:A.1.2.4
Rationale: Real-time modify/withdraw is the operational floor.

Evidence
Required evidence: (1) consent management procedure (A.1.2.3); (2) consent records per processing activity with metadata; (3) modify/withdraw mechanism evidence; (4) sample withdrawal traced to erasure (DPDPA DPDP.6) / opt-out (CCPA 1798.120) / processing cessation (GDPR Art. 7); (5) record retention configuration; (6) re-consent evidence on material change.
Ceiling source: iso27701:A.1.2.4
Rationale: ISO 27701 A.1.2.4 evidence with record-retention is the audit-defensible specification.
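The Method row above, walked through in code as an added example (not code from the original page or from any consent platform): one record per subject and purpose carrying the required metadata, capture refused without a clear affirmative action, withdrawal refused when it takes more steps than capture, withdrawal routed to the obligation the page names per framework, records kept through a post-withdrawal retention period, and a notice-version change forcing re-consent. The 365-day retention period, the jurisdiction labels, the step counts and the routing table are assumptions for illustration.

```python
# Consent ledger walking the Method steps above. Added example, not code from the source
# page or any vendor platform; retention period, jurisdiction labels and routing are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

T0 = datetime(2026, 1, 1, tzinfo=timezone.utc)  # constructed reference time


@dataclass
class ConsentRecord:
    """One consent decision: one subject, one purpose, one notice version (specificity)."""
    subject_id: str
    purpose: str
    notice_version: str                      # notice the subject actually saw
    jurisdiction: str                        # constructed labels: "EU", "IN", "CA-US"
    given_at: datetime
    capture_steps: int                       # UI steps needed to give consent
    withdrawn_at: Optional[datetime] = None
    withdraw_steps: Optional[int] = None
    downstream_action: Optional[str] = None  # obligation the withdrawal triggered


class ConsentLedger:
    # Assumed: the page gives no number for the post-withdrawal retention period.
    RETENTION_AFTER_WITHDRAWAL = timedelta(days=365)
    # Constructed routing of a withdrawal to the obligation the page names per framework.
    WITHDRAWAL_ACTION = {"IN": "erasure", "CA-US": "opt-out", "EU": "processing-cessation"}

    def __init__(self, notice_version: str) -> None:
        self.notice_version = notice_version  # current notice; changing it forces re-consent
        self.records: list = []               # never deleted on withdrawal, only by purge_expired

    def _live(self, subject_id: str, purpose: str) -> Optional[ConsentRecord]:
        live = [r for r in self.records
                if r.subject_id == subject_id and r.purpose == purpose and r.withdrawn_at is None]
        return live[-1] if live else None

    def capture(self, subject_id: str, purpose: str, jurisdiction: str, *,
                affirmative: bool, capture_steps: int, now: datetime) -> ConsentRecord:
        """Steps 1-3: obtain consent before processing and record it with metadata."""
        if not affirmative:
            raise ValueError("pre-ticked boxes or silence are not consent")
        if not isinstance(purpose, str):
            raise ValueError("one purpose per record; bundled consent fails specificity")
        rec = ConsentRecord(subject_id, purpose, self.notice_version, jurisdiction, now, capture_steps)
        self.records.append(rec)
        return rec

    def is_active(self, subject_id: str, purpose: str) -> bool:
        """Consent counts only if unwithdrawn and given under the current notice version."""
        rec = self._live(subject_id, purpose)
        return rec is not None and rec.notice_version == self.notice_version

    def withdraw(self, subject_id: str, purpose: str, *, withdraw_steps: int, now: datetime) -> str:
        """Steps 5-8: withdrawal as easy as capture, routed to erasure / opt-out / cessation."""
        rec = self._live(subject_id, purpose)
        if rec is None:
            raise LookupError("no active consent to withdraw")
        if withdraw_steps > rec.capture_steps:
            raise ValueError("withdrawal must be as easy as capture (GDPR Art. 7(3))")
        rec.withdrawn_at, rec.withdraw_steps = now, withdraw_steps
        rec.downstream_action = self.WITHDRAWAL_ACTION[rec.jurisdiction]
        return rec.downstream_action

    def purge_expired(self, now: datetime) -> int:
        """Step 4: keep records while processing runs and for the retention period after withdrawal."""
        keep = [r for r in self.records
                if r.withdrawn_at is None or now - r.withdrawn_at <= self.RETENTION_AFTER_WITHDRAWAL]
        removed = len(self.records) - len(keep)
        self.records = keep
        return removed


def rejected(fn, *args, **kwargs) -> bool:
    """True if the ledger refused the operation."""
    try:
        fn(*args, **kwargs)
        return False
    except (ValueError, LookupError):
        return True


def demo() -> dict:
    """Lifecycle walk-through; returns the observations an auditor would sample."""
    led, out = ConsentLedger("notice-v1"), {}
    day = lambda n: T0 + timedelta(days=n)
    out["preticked_rejected"] = rejected(led.capture, "s1", "analytics", "EU",
                                         affirmative=False, capture_steps=1, now=T0)
    led.capture("s1", "analytics", "EU", affirmative=True, capture_steps=1, now=T0)
    led.capture("s2", "marketing", "IN", affirmative=True, capture_steps=1, now=T0)
    out["active_before"] = led.is_active("s1", "analytics")
    out["harder_withdrawal_rejected"] = rejected(led.withdraw, "s2", "marketing",
                                                 withdraw_steps=3, now=day(10))
    out["in_action"] = led.withdraw("s2", "marketing", withdraw_steps=1, now=day(10))
    out["in_active_after"] = led.is_active("s2", "marketing")
    out["records_after_withdraw"] = len(led.records)   # withdrawn record kept as evidence
    out["purged_early"] = led.purge_expired(day(100))  # inside retention: nothing purged
    out["purged_late"] = led.purge_expired(day(376))   # 366 days after withdrawal: purged
    led.notice_version = "notice-v2"                   # material change: re-consent required
    out["active_after_change"] = led.is_active("s1", "analytics")
    led.capture("s1", "analytics", "EU", affirmative=True, capture_steps=1, now=day(400))
    out["active_after_reconsent"] = led.is_active("s1", "analytics")
    return out
```

Two design points worth noting: withdrawal never deletes the record, because the record is the evidence that processing had a lawful basis up to the withdrawal timestamp, so only `purge_expired` removes it once the retention period has run; and `is_active` compares the notice version on the record with the ledger's current one, which is what turns "re-consent on material change" from a policy statement into an enforced check.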

Auditor test pattern

Step 1: Inspect the consent management procedure.
Step 2: Sample 3 consent records; verify metadata (timestamp, notice version, scope).
Step 3: Verify the modify/withdraw mechanism is as easy as the original consent capture.
Step 4: Sample one withdrawal; trace to erasure (DPDPA) or processing cessation (GDPR).
Step 5: For CA consumers, verify opt-out for sale/sharing.
Step 6: Inspect re-consent evidence on material change.

Common findings

Common 2024–26 findings:
(1) Bundled consent (one tick for multiple purposes) — fails specificity.
(2) Withdraw mechanism harder than capture — fails GDPR Art. 7(3).
(3) Records lack metadata (notice version, scope).
(4) Withdrawal does not trigger DPDPA erasure.
(5) CCPA opt-out for sale/sharing absent — universal opt-out mechanism (UOOM) not honoured.
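The five findings above, and Steps 2 to 5 of the auditor test pattern, can be run mechanically over a consent-record export before the auditor arrives. The following is an added example, not code from the original page or from any consent platform: the export schema (one row per consent decision), the field names and the five sample records are constructed for illustration, with one record deliberately exhibiting each finding and one clean record.

```python
# Audit rules mapping the five common findings onto exported consent records.
# Added example; the export schema and sample rows below are constructed.
from collections import Counter

# Constructed export: one row per consent decision, as a platform might dump it.
SAMPLE_RECORDS = [
    {"id": "r1", "subject": "s1", "jurisdiction": "EU", "purposes": ["analytics"],
     "notice_version": "v3", "given_at": "2025-02-01T10:00:00Z",
     "capture_steps": 1, "withdrawn_at": None, "withdraw_steps": None},
    {"id": "r2", "subject": "s2", "jurisdiction": "EU",
     "purposes": ["analytics", "marketing", "profiling"],            # one tick, three purposes
     "notice_version": "v3", "given_at": "2025-02-03T09:30:00Z",
     "capture_steps": 1, "withdrawn_at": None, "withdraw_steps": None},
    {"id": "r3", "subject": "s3", "jurisdiction": "EU", "purposes": ["marketing"],
     "notice_version": None, "given_at": "2025-03-11T15:12:00Z",    # notice version missing
     "capture_steps": 1, "withdrawn_at": "2025-06-01T08:00:00Z", "withdraw_steps": 4},
    {"id": "r4", "subject": "s4", "jurisdiction": "IN", "purposes": ["marketing"],
     "notice_version": "v3", "given_at": "2025-04-20T12:00:00Z",
     "capture_steps": 1, "withdrawn_at": "2025-07-15T12:00:00Z", "withdraw_steps": 1,
     "erasure_completed_at": None},                                  # withdrawn, never erased
    {"id": "r5", "subject": "s5", "jurisdiction": "CA-US", "purposes": ["sale_or_sharing"],
     "notice_version": "v3", "given_at": "2025-05-02T12:00:00Z",
     "capture_steps": 1, "withdrawn_at": None, "withdraw_steps": None,
     "opt_out_signal_received": True, "opt_out_honoured": False},    # UOOM signal ignored
]

FINDING_TEXT = {
    "F1": "bundled consent: one decision covers several purposes (fails specificity)",
    "F2": "withdrawal took more steps than capture (GDPR Art. 7(3))",
    "F3": "record lacks metadata (notice version, scope or timestamp)",
    "F4": "withdrawal did not trigger DPDPA erasure",
    "F5": "CCPA opt-out signal for sale/sharing not honoured",
}


def check_record(rec: dict) -> list:
    """Return the finding codes that apply to one exported consent record."""
    findings = []
    purposes = rec.get("purposes") or []
    if len(purposes) > 1:
        findings.append("F1")
    # Ease of withdrawal is only observable on records that were actually withdrawn.
    if rec.get("withdrawn_at") and (rec.get("withdraw_steps") or 0) > rec["capture_steps"]:
        findings.append("F2")
    if not rec.get("notice_version") or not purposes or not rec.get("given_at"):
        findings.append("F3")
    if rec["jurisdiction"] == "IN" and rec.get("withdrawn_at") and not rec.get("erasure_completed_at"):
        findings.append("F4")
    if (rec["jurisdiction"] == "CA-US" and "sale_or_sharing" in purposes
            and rec.get("opt_out_signal_received") and not rec.get("opt_out_honoured")):
        findings.append("F5")
    return findings


def audit(records) -> dict:
    """Map record id -> finding codes, omitting clean records."""
    result = {}
    for rec in records:
        codes = check_record(rec)
        if codes:
            result[rec["id"]] = codes
    return result


def summary(records) -> dict:
    """Count how many records exhibit each finding."""
    return dict(Counter(code for rec in records for code in check_record(rec)))


if __name__ == "__main__":
    for rec_id, codes in audit(SAMPLE_RECORDS).items():
        for code in codes:
            print(f"{rec_id}: {code} {FINDING_TEXT[code]}")
    print(summary(SAMPLE_RECORDS))
```

Run against a full export rather than the auditor's sample of three, the `summary` counts tell you which of the five findings you would be written up for; record `r3` shows why the checks are cumulative, since a record with a missing notice version and a harder-than-capture withdrawal carries both F2 and F3.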