Module 2: PII Control Categories

Consent & Choice Controls


ISO 27018 requires cloud service providers to implement specific controls around consent and choice for PII processing. These controls ensure individuals maintain control over their personal data.

Consent Requirements

What is Valid Consent?

Valid consent under ISO 27018 must be:

  • Freely given - No coercion or consequences for refusal
  • Specific - Clear about what data and what purpose
  • Informed - Individual understands what they're consenting to
  • Unambiguous - Clear affirmative action required
  • Documented - Record of consent maintained

Types of Consent

Type                 Description                 When to Use
Explicit Consent     Direct opt-in required      Sensitive PII (health, biometric)
Implied Consent      Reasonable expectation      Basic service operation
Parental Consent     Guardian approval           Processing children's data
Withdrawal Rights    Ability to revoke           All consent scenarios

Control CLD.6.3: Consent and Choice

ISO 27018 Requirement: "The organization shall not use PII for advertising or marketing purposes without the explicit consent of the PII principal (customer's customer)."

Key Provisions

  1. No Marketing Without Consent

    • CSP cannot use customer PII for own marketing
    • Cannot sell customer lists
    • Cannot use service data for advertising targeting
  2. Purpose Limitation

    • Process only for agreed purposes
    • New purposes require new consent
    • Document all processing purposes
  3. Transparency

    • Clear privacy notices
    • Easy-to-understand language
    • Accessible consent management tools

Implementation Guide

For Cloud Service Providers

Step 1: Identify PII Uses

  • Service provision (legitimate interest)
  • Service improvement (requires consent)
  • Marketing/analytics (requires explicit consent)
  • Third-party sharing (requires explicit consent)

Step 2: Create Consent Mechanism

Consent Form Elements:
□ Clear description of processing
□ Specific purposes listed
□ Data categories identified
□ Storage duration stated
□ Third-party sharing disclosed
□ Withdrawal instructions provided
□ Contact information included

Step 3: Implement Choice Architecture

  • Granular consent options (not all-or-nothing)
  • Easy withdrawal mechanism
  • Consent preference center
  • Audit trail of consent changes

Step 4: Technical Controls

  • Consent database with timestamps
  • API for consent status checking
  • Automatic processing halts on withdrawal
  • Regular consent refresh for long-term storage

Consent Management System

Essential Features

  1. Capture

    • Date and time of consent
    • What was consented to
    • How consent was obtained
    • Version of privacy policy
  2. Store

    • Secure, encrypted database
    • Immutable audit log
    • Linked to individual's PII
    • Retention aligned with data retention
  3. Enforce

    • Real-time consent checking
    • Processing gates based on consent
    • Automated withdrawal processing
    • Sub-processor consent propagation
  4. Report

    • Consent rates and trends
    • Withdrawal patterns
    • Compliance reporting
    • Audit evidence generation

Common Pitfalls

Pre-checked Boxes

Wrong: Consent box pre-checked by default
✓ Right: User must actively check box

Bundled Consent

Wrong: "I agree to Terms and Privacy Policy and Marketing"
✓ Right: Separate consent for each purpose

Buried Consent

Wrong: Consent hidden in lengthy terms
✓ Right: Clear, prominent consent mechanism

No Withdrawal

Wrong: No way to revoke consent
✓ Right: Easy withdrawal, same effort as giving consent

Practical Examples

SaaS Application Example

Scenario: Cloud-based HR software processing employee PII

Consent Architecture:

  1. Service Operation - Legitimate interest (no consent needed)

    • Employee records management
    • Payroll processing
    • Required by employment law
  2. Service Improvement - Consent required

    • Usage analytics
    • Product feedback surveys
    • Beta feature testing
  3. Marketing - Explicit consent required

    • Newsletter subscriptions
    • Product announcements
    • Third-party offers

Implementation:

  • During onboarding: clear disclosure of data uses
  • Separate checkboxes for optional uses
  • In-app consent preference center
  • Email-based consent management for employee data subjects
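The consent store below is an added example, not part of this lesson or of the ISO 27018 text. It ties together Step 4's technical controls, the Capture/Store/Enforce features of the consent management system, and the HR SaaS scenario: every grant or withdrawal is appended with its timestamp, method and privacy-policy version to a hash-chained log, a per-purpose status check gates processing, withdrawal halts processing immediately, and consent older than a refresh window is reported as stale rather than silently relied on. The purpose taxonomy, the one-year refresh window, the principal id "emp-42", the method names and the policy version strings are all constructed for illustration.

```python
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone

# Step 1 classification (assumed taxonomy): service provision rests on legitimate
# interest; every other documented purpose needs a recorded opt-in.
LEGITIMATE_INTEREST = {"service_provision"}
CONSENT_REQUIRED = {"service_improvement", "marketing", "third_party_sharing"}
# Consent older than this must be re-collected (consent refresh); one year is assumed.
REFRESH_AFTER = timedelta(days=365)
GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class ConsentEvent:
    """One audit-log entry: who, what, when, how, and under which policy."""
    principal_id: str
    purpose: str
    granted: bool          # True = consent given, False = consent withdrawn
    timestamp: datetime
    method: str            # how it was obtained, e.g. "onboarding_form"
    policy_version: str    # privacy notice version shown at the time
    prev_hash: str         # hash of the preceding entry (chain link)


def event_hash(event: ConsentEvent) -> str:
    """SHA-256 over the entry, prev_hash included, so entries chain together."""
    payload = asdict(event)
    payload["timestamp"] = event.timestamp.isoformat()
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


class ConsentStore:
    def __init__(self, now=None):
        self._log: list[ConsentEvent] = []   # entries are never edited or removed
        self._hashes: list[str] = []
        self._now = now or (lambda: datetime.now(timezone.utc))   # injectable clock

    def _append(self, principal_id, purpose, granted, method, policy_version):
        if purpose not in CONSENT_REQUIRED:        # purpose limitation
            raise ValueError(f"no consent record applies to {purpose!r}")
        prev = self._hashes[-1] if self._hashes else GENESIS_HASH
        event = ConsentEvent(principal_id, purpose, granted, self._now(),
                             method, policy_version, prev)
        self._log.append(event)
        self._hashes.append(event_hash(event))

    def grant(self, principal_id, purpose, method, policy_version):
        self._append(principal_id, purpose, True, method, policy_version)

    def withdraw(self, principal_id, purpose, method):
        # Withdrawal is a new entry, so the original grant stays in the history.
        self._append(principal_id, purpose, False, method, policy_version="")

    def status(self, principal_id, purpose) -> str:
        """Real-time check used as the processing gate."""
        if purpose in LEGITIMATE_INTEREST:
            return "not_required"
        if purpose not in CONSENT_REQUIRED:
            raise ValueError(f"undocumented purpose {purpose!r}")
        history = [e for e in self._log
                   if e.principal_id == principal_id and e.purpose == purpose]
        if not history:
            return "missing"
        if not history[-1].granted:
            return "withdrawn"
        if self._now() - history[-1].timestamp > REFRESH_AFTER:
            return "expired"
        return "granted"

    def may_process(self, principal_id, purpose) -> bool:
        return self.status(principal_id, purpose) in ("not_required", "granted")

    def verify_log(self) -> bool:
        """Recompute the hash chain; an edited or removed entry breaks it."""
        prev = GENESIS_HASH
        for event, stored in zip(self._log, self._hashes):
            if event.prev_hash != prev or event_hash(event) != stored:
                return False
            prev = stored
        return True


def demo() -> dict:
    """Walk the constructed principal "emp-42" through grant, gate and withdrawal."""
    clock = [datetime(2024, 1, 1, tzinfo=timezone.utc)]     # controllable time
    store = ConsentStore(now=lambda: clock[0])
    store.grant("emp-42", "marketing", "onboarding_form", "policy-v3")
    out = {"after_grant": store.may_process("emp-42", "marketing")}
    store.withdraw("emp-42", "marketing", "preference_center")
    out["after_withdraw"] = store.may_process("emp-42", "marketing")
    out["service"] = store.may_process("emp-42", "service_provision")
    store.grant("emp-42", "service_improvement", "in_app_prompt", "policy-v3")
    clock[0] += timedelta(days=400)      # long-term storage: consent has aged out
    out["stale"] = store.status("emp-42", "service_improvement")
    out["chain_ok"] = store.verify_log()
    return out


print(demo())
```

Recording a withdrawal as a new entry instead of deleting the grant is what produces the "evidence of withdrawal processing" an auditor asks for; the hash chain is a cheap stand-in for an immutable audit log, and in production the entries would go to an append-only store rather than a Python list, with the same status check exposed as the consent API that every processing job calls before it touches PII.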

Audit Evidence

What Auditors Look For:

  • Documented consent management procedures
  • Technical implementation of consent controls
  • Consent database with complete audit trail
  • Evidence of withdrawal processing
  • Sub-processor consent agreements
  • Regular consent validity reviews

Next Lesson: Purpose legitimacy and specification controls.
