PT 4 CONSENT - NIST-SP-800-53-R5/NIST-SP-800-53-R5.github.io GitHub Wiki

PT-4 CONSENT

Control: Implement [ Assignment: organization-defined tools or mechanisms ] for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals’ informed decision-making.

Discussion: Consent allows individuals to participate in making decisions about the processing of their information and transfers some of the risk that arises from the processing of personally identifiable information from the organization to an individual. Consent may be required by applicable laws, executive orders, directives, regulations, policies, standards, or guidelines. Otherwise, when selecting consent as a control, organizations consider whether individuals can be reasonably expected to understand and accept the privacy risks that arise from their authorization. Organizations consider whether other controls may more effectively mitigate privacy risk either alone or in conjunction with consent. Organizations also consider any demographic or contextual factors that may influence the understanding or behavior of individuals with respect to the processing carried out by the system or organization. When soliciting consent from individuals, organizations consider the appropriate mechanism for obtaining consent, including the type of consent (e.g., opt-in, opt-out), how to properly authenticate and identity proof individuals, and how to obtain consent through electronic means. In addition, organizations consider providing a mechanism for individuals to revoke consent once it has been provided, as appropriate. Finally, organizations consider usability factors to help individuals understand the risks being accepted when providing consent, including the use of plain language and avoiding technical jargon.

Related Controls: AC-16, PT-2, PT-5.

Control Enhancements:

  • (1) CONSENT / TAILORED CONSENT
    Provide [ Assignment: organization-defined mechanisms ] to allow individuals to tailor processing permissions to selected elements of personally identifiable information.

    Discussion: While some processing may be necessary for the basic functionality of the product or service, other processing may not. In these circumstances, organizations allow individuals to select how specific personally identifiable information elements may be processed. More tailored consent may help reduce privacy risk, increase individual satisfaction, and avoid adverse behaviors, such as abandonment of the product or service.

    Related Controls: PT-2.

  • (2) CONSENT / JUST-IN-TIME CONSENT
    Present [ Assignment: organization-defined consent mechanisms ] to individuals at [ Assignment: organization-defined frequency ] and in conjunction with [ Assignment: organization-defined personally identifiable information processing ].

    Discussion: Just-in-time consent enables individuals to participate in how their personally identifiable information is being processed at the time or in conjunction with specific types of data processing when such participation may be most useful to the individual. Individual assumptions about how personally identifiable information is being processed might not be accurate or reliable if time has passed since the individual last gave consent or the type of processing creates significant privacy risk. Organizations use discretion to determine when to use just-in-time consent and may use supporting information on demographics, focus groups, or surveys to learn more about individuals’ privacy interests and concerns.

    Related Controls: PT-2.

  • (3) CONSENT / REVOCATION
    Implement [ Assignment: organization-defined tools or mechanisms ] for individuals to revoke consent to the processing of their personally identifiable information.

    Discussion: Revocation of consent enables individuals to exercise control over their initial consent decision when circumstances change. Organizations consider usability factors in enabling easy-to-use revocation capabilities.

    Related Controls: PT-2.

References: [PRIVACT], [OMB A-130], [SP 800-63-3].
