Do you describe the choices available to the individual and obtain implicit or explicit consent with respect to the collection, use, and disclosure of personal information?
Explanation
Consent practices are under review here, specifically whether you explain the choices available to individuals and obtain implicit or explicit consent for collecting, using, and disclosing their personal information.
What this means:
- You need to inform users about what personal data you collect
- You need to explain how that data will be used
- You need to disclose who that data might be shared with
- You need to provide choices about this data collection/use/sharing
- You need to obtain either implicit consent (e.g., continued use after notification) or explicit consent (e.g., clicking 'I agree')
Why it's asked in security assessments:
This question addresses compliance with data privacy regulations like GDPR, CCPA, and others that require transparency and user control over personal data. Organizations evaluating your service want to ensure you follow privacy best practices and won't expose them to regulatory risks. Poor privacy practices could lead to legal issues, fines, and reputational damage.
How to best answer:
- Describe your privacy notice/policy and how it's presented to users
- Explain the specific choices users have regarding their data
- Detail how consent is obtained (opt-in checkboxes, click-through agreements, etc.)
- Mention how you handle consent for different types of data processing
- Include information about how users can change their preferences later
Be specific about your actual practices rather than making general statements. If you have different consent mechanisms for different types of data or user groups, explain those distinctions.
Example Responses
Example Response 1
Yes, our application provides comprehensive privacy choices and obtains appropriate consent During account creation, users are presented with our Privacy Policy in clear, accessible language This policy details what personal information we collect (name, email, usage data), how we use it (service provision, improvement, communication), and who we share it with (service providers, partners) Users must explicitly opt-in via checkboxes for non-essential data processing like marketing communications For essential processing, we obtain consent through a mandatory 'I agree' checkbox linked to our Terms of Service Our Privacy Center allows users to review and modify their consent choices at any time We maintain consent records in our compliance database, and our consent flows were reviewed by our legal team to ensure compliance with GDPR, CCPA, and other applicable regulations.
Example Response 2
Yes, we implement a layered consent approach Our application first presents users with a concise privacy notice during onboarding that explains our data practices in simple terms This notice includes links to our comprehensive Privacy Policy for those seeking more details Users can make granular choices about data collection through our Privacy Dashboard, including toggles for: analytics collection, personalization features, third-party data sharing, and marketing communications For sensitive data (health information, precise location), we implement just-in-time explicit consent prompts when the feature is first accessed All consent records are timestamped and stored securely We conduct quarterly reviews of our consent mechanisms and update them as regulations evolve Our approach has been validated through a third-party privacy assessment conducted in Q2 2023.
Example Response 3
No, we currently have a basic privacy policy accessible through our website footer, but we don't actively present privacy choices during user onboarding or obtain explicit consent for data collection Users are considered to have implicitly consented to our data practices by using our service While our privacy policy outlines what data we collect and how we use it, we don't provide granular controls for users to opt out of specific types of data processing beyond unsubscribing from marketing emails We recognize this is an area for improvement in our privacy program, and we're developing an enhanced consent management platform to be deployed next quarter that will provide users with more transparent choices and explicit consent options for different data processing activities.
Context
- Tab
- Privacy
- Category
- Data Privacy
Related questions
- Have you performed a Data Privacy Impact Assesssment for the solution/project?
- Do you provide an end-user privacy notice about privacy policies and procedures that identify the purpose(s) for which personal information is collected, used, retained, and disclosed?
- Do you collect personal information only for the purpose(s) identified in the agreement with an institution or, if there is none, the purpose(s) identified in the privacy notice?
- Do you have a documented list of personal data your service maintains?
- Do you retain personal information for only as long as necessary to fulfill the stated purpose(s) or as required by law or regulation and thereafter appropriately dispose of such information?
- Do you provide individuals with access to their personal information for review and update (i.e., data subject rights)?

