Security and conformity

What you need to know about customer consent in 2023

Customer consent has become an increasingly important topic in the world of business and technology. With the growing awareness of privacy and data security, consumers are paying more attention to how their personal information is collected, stored and used by companies. Governments and regulators around the world have introduced stricter data protection laws and regulations. These laws place more emphasis on customer consent and require companies to obtain consent from customers for certain types of data processing activities. Today, every business must respect the consent and privacy preferences of all its contacts.


What is customer consent?

Customer consent refers to the agreement given by a customer or user to a company or organization, allowing them to collect, use and disclose their personal information. Obtaining customer consent is important for businesses to ensure they process personal information in a transparent and lawful manner, and to build trust with their customers. Failure to obtain proper consent can result in legal and financial consequences, as well as damage to the company’s reputation.

Data protection and privacy regulations give each individual the right to manage how a company uses their personal data. These regulations allow individuals to opt out of having their personal data collected, processed or shared with third parties. Key regulations include the General Data Protection Regulation (GDPR) in the European Union, Anti-Spam Law C-28 in Canada, Law 25 in Quebec, and the California Consumer Privacy Act (CCPA) in the United States.


What is valid consent?

To obtain valid consent, the customer must be fully informed of the purpose of the data processing, the types of data collected and any third parties who may have access to the data. Consent must be a clear act, and it must be requested for each purpose. Each regulation defines very specific, but similar, validity criteria. For consent to be valid, each of these criteria must be met.


Consent Validity Criteria

Law 25 and GDPR

Law 25 (Québec): Must be obvious, certain and indisputable and must leave no doubt as to the will expressed therein. Also manifests after using a service and after being informed.

GDPR (Europe): Must be given by a statement or other clear positive act.

Freely given

Law 25 (Québec): Must be given without constraint.

GDPR (Europe): Must not be coerced or influenced. The person must be offered a real choice, without having to suffer negative consequences in case of refusal.

Law 25 (Québec): Refers to a precise and rigorous request, which allows the person concerned to give his consent in full knowledge of the facts.

GDPR (Europe): Must be accompanied by a certain amount of information communicated to the person before they consent.

Law 25 (Québec): Must be requested for specific purposes and therefore cannot be general.

GDPR (Europe): Must correspond to a single processing operation, for a specific purpose.

Limited time

Law 25 (Québec): Should only be given for as long as necessary to fulfill the purposes for which it was requested.



Finally, the customer must also be able to withdraw their consent at any time. A person can, for example, choose to withdraw or refuse consent for certain forms of contact (email, SMS, push, mail) and/or specific uses (promotions, sales, special offers, etc.). They can also refuse the collection, storage, use or sale of their personal data.


Example of valid consent form

In this example, the consent request meets the validity criteria. It is:


The customer must tick the desired boxes themselves to consent.

Freely given

The customer can buy their tickets even if they do not wish to give consent.


The purpose is clearly explained: receiving advertisements and using data for a future reservation.


A separate consent is required for each piece of personal information collected: the customer can share their email and/or keep their payment information.



Data collection and consent management from a marketing perspective

Many professionals fear that they will no longer be able to collect customer data. However, these new regulations do not prevent the collection of data. They only frame it, with the aim of moving from a quantitative collection model to a qualitative one that focuses on data customers have chosen to communicate in their own interest.

By asking your customers to choose how they want to interact with you and giving them control over their preferences, you can build a relationship of trust with each customer by implementing more effective personalized marketing strategies. According to a study by Ipsos, providing a positive privacy experience would increase brand preference by 43%.

To help you combine marketing strategy and consent management, the use of a consent management platform is often recommended.


What is a consent management platform (CMP)?

A consent management platform, also known as a CMP, is a software solution designed to help businesses manage the collection, storage, and use of customer data. Consent management platforms allow website or mobile application publishers to easily set up an interface for collecting user consent (CNIL, 2023). The platform allows the company to easily collect user consent and then condition certain features (advertising, tracking, etc.) on user acceptance.


Implementation of a consent management platform

Who should set up such a platform?

According to IAB Canada, companies with the following activities should consider implementing a CMP:

  1. Use of personal data of website visitors for purposes such as targeting, analysis, personalization of content or advertisements, or any other type of remarketing.
  2. Use of behavioral data for automated decision making.
  3. Sharing/transferring your website visitor data to third parties.


What are the implementation steps?

Setting up a consent management platform involves several key steps.

  1. First, you’ll need to choose the right platform for your business and make sure it’s compatible with your existing systems. You will then need to integrate the platform into your website or app and customize consent banners and other features to meet your specific needs.
  2. Once the platform is live, you will need to ensure that your users are aware of the changes and that they understand how their data will be collected and used. This may involve sending notices or updating your privacy policy.
  3. Finally, you must regularly monitor the platform to ensure that it is functioning properly and that user data is collected and processed in a compliant manner. This may involve carrying out regular audits and risk assessments.




In summary, customer consent has become an essential part of privacy and data security in 2023. Companies that prioritize transparency and user control over personal data are likely to be more successful in building trust with their customers and in complying with regulatory requirements.