PT-4—Consent
>Control Description
>Control Enhancements(3)
>Cross-Framework Mappings
>Supplemental Guidance
Consent allows individuals to participate in making decisions about the processing of their information and transfers some of the risk that arises from the processing of personally identifiable information from the organization to an individual. Consent may be required by applicable laws, executive orders, directives, regulations, policies, standards, or guidelines. Otherwise, when selecting consent as a control, organizations consider whether individuals can be reasonably expected to understand and accept the privacy risks that arise from their authorization.
Organizations consider whether other controls may more effectively mitigate privacy risk, either alone or in conjunction with consent. Organizations also consider any demographic or contextual factors that may influence the understanding or behavior of individuals with respect to the processing carried out by the system or organization. When soliciting consent from individuals, organizations consider the appropriate mechanism for obtaining consent, including the type of consent (e.g., opt-in, opt-out), how to properly authenticate and identity-proof individuals, and how to obtain consent through electronic means.
In addition, organizations consider providing a mechanism for individuals to revoke consent once it has been provided, as appropriate. Finally, organizations consider usability factors to help individuals understand the risks being accepted when providing consent, including the use of plain language and avoiding technical jargon.
>Related Controls
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What is the process for obtaining and documenting individual consent for PII processing?
- How does the organization ensure consent is informed, specific, and freely given?
- Who is responsible for managing consent mechanisms and documentation?
- What process allows individuals to withdraw consent, and how is this handled?
- What governance exists for maintaining records of individual consent?
Technical Implementation:
- What consent management systems capture and maintain individual consent?
- How is consent status technically enforced in PII processing systems?
- What mechanisms allow individuals to provide, modify, or withdraw consent?
- How are consent preferences propagated across multiple systems?
- What audit trails exist for consent activities and changes?
Evidence & Documentation:
- Provide consent management procedures and mechanisms.
- Provide evidence of individual consent obtained for PII processing.
- Provide consent forms or electronic consent records.
- Provide documentation of consent withdrawal requests and processing.
- Provide audit trails of consent activities and changes.
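The "Technical Implementation" questions above ask how consent status is enforced, how withdrawal takes effect, and what audit trail exists. The following is an added illustration of one way to satisfy those three points together; it is not code from NIST or from any consent-management product, and the class names, record fields, subject identifiers and sample events are all constructed for the example. It models consent as purpose-scoped opt-in grants stored in an append-only event log, derives current status by replaying the log (so a revocation can never be overwritten), and places the check directly in the PII processing path.

```python
"""Purpose-scoped consent gate with revocation and an append-only audit trail.

Added illustration for PT-4. Names, fields and sample events are assumptions
constructed for this example, not taken from any real system.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable entry in the consent audit trail."""
    subject_id: str
    purpose: str   # processing purpose the consent is scoped to
    action: str    # "grant" or "revoke"
    at: datetime   # timezone-aware timestamp of the decision
    actor: str     # who recorded it (the individual, an agent, a system)


class ConsentRegistry:
    """Append-only log of consent events; state is derived by replay."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def grant(self, subject_id: str, purpose: str, actor: str, at: datetime) -> None:
        self._append(subject_id, purpose, "grant", actor, at)

    def revoke(self, subject_id: str, purpose: str, actor: str, at: datetime) -> None:
        self._append(subject_id, purpose, "revoke", actor, at)

    def _append(self, subject_id, purpose, action, actor, at) -> None:
        if action not in ("grant", "revoke"):
            raise ValueError(action)
        self._events.append(ConsentEvent(subject_id, purpose, action, at, actor))

    def has_consent(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """Opt-in semantics: consent exists only if the most recent event for
        this subject and purpose, as of time `at`, is a grant. No event, or a
        grant for a different purpose, means no consent."""
        latest: Optional[ConsentEvent] = None
        for e in self._events:
            if e.subject_id == subject_id and e.purpose == purpose and e.at <= at:
                latest = e
        return latest is not None and latest.action == "grant"

    def audit_trail(self, subject_id: str) -> list[ConsentEvent]:
        """Every consent change for a subject, in the order it was recorded."""
        return [e for e in self._events if e.subject_id == subject_id]


class ConsentRequired(PermissionError):
    """Raised by the enforcement point when no valid consent is in effect."""


def process_pii(registry: ConsentRegistry, subject_id: str, purpose: str,
                record: dict, at: datetime) -> dict:
    """Enforcement point: the consent check sits in the processing path, so a
    withdrawn or never-given consent stops processing rather than only
    updating a preference flag somewhere else."""
    if not registry.has_consent(subject_id, purpose, at):
        raise ConsentRequired(f"no consent from {subject_id} for {purpose!r}")
    return {"subject": subject_id, "purpose": purpose, "fields": sorted(record)}


def demo() -> dict:
    """Constructed scenario: grant for analytics, attempt marketing, revoke."""
    reg = ConsentRegistry()
    t_grant = datetime(2024, 1, 1, tzinfo=timezone.utc)
    t_use = datetime(2024, 1, 15, tzinfo=timezone.utc)
    t_revoke = datetime(2024, 2, 1, tzinfo=timezone.utc)
    t_after = datetime(2024, 2, 2, tzinfo=timezone.utc)
    record = {"email": "x@example.test", "postcode": "00000"}  # constructed PII

    reg.grant("u-123", "analytics", actor="u-123", at=t_grant)
    out = {}
    out["analytics_ok"] = process_pii(reg, "u-123", "analytics", record, t_use)["purpose"]
    try:  # consent for one purpose does not cover another
        process_pii(reg, "u-123", "marketing", record, t_use)
        out["marketing_denied"] = False
    except ConsentRequired:
        out["marketing_denied"] = True
    reg.revoke("u-123", "analytics", actor="u-123", at=t_revoke)
    out["before_revoke_ok"] = reg.has_consent("u-123", "analytics", t_use)
    out["after_revoke_ok"] = reg.has_consent("u-123", "analytics", t_after)
    out["audit_actions"] = [e.action for e in reg.audit_trail("u-123")]
    return out
```

Two design choices matter for an assessor's evidence questions: the time parameter on `has_consent` lets the organization show what consent was in effect at the moment a past processing activity took place, and the append-only log means the withdrawal request and its effect are both in the same record that is produced as the audit trail. Propagation to other systems is not shown; in practice the log or its derived state is what would be replicated.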