Building Customer Trust Through Data Privacy Preference Management

LevelUP Consulting Partners guides clients through the murky waters of data privacy compliance and risk management into the clear seas of information governance. In this journey, an area that is growing in importance is consumer consent management.

The combination of new privacy regulations emerging in the U.S. and abroad, with often conflicting obligations and record-keeping requirements, makes it seem like properly gathering consumer consent is functionally impossible. Nationally and globally, privacy regulations requiring compliance via consumer consent vary from vague to overly detailed. This adds tough administrative efforts to your already heavy workload. But not to fear. LevelUP has developed methodologies, tools, and techniques to steer our clients through these challenges into operational solutions that satisfy legal demands.

Consent by Jurisdiction

One of the key questions organizations ask when sifting through consent requirements is: do the relevant jurisdictions require opt-in or opt-out consent? It’s an important question. One technique assumes a default of consent, while the other explicitly requires active assent. The opt-out versus opt-in question is also the central differentiator between U.S. state privacy law requirements and international regulations like the GDPR.

Data Privacy: Consent in the United States

Five states across the U.S. either have new data privacy laws in force or have passed laws that will come into effect in 2023. These states are California, Virginia, Colorado, Utah, and Connecticut. With the economic behemoth, California, first entering the privacy regulation ring, other states have quickly followed suit and largely followed its lead in writing their laws, with a few nuances of note.

In general, Americans tend to lean toward the opt-out framework when dealing with consent, assuming consent unless the consumer explicitly states otherwise.

For example, California’s CCPA Section 1798.120(a-b) reads: “A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt-out,” and, “A business that sells consumers’ personal information to third parties shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be sold and that consumers have the ‘right to opt-out’ of the sale of their personal information.” Although California appears to remain the strictest of the five state policies currently passed into law, the other four also follow an opt-out framework for consent.

GDPR and Other Global Policies

In stark contrast, the European Union, widely considered the world leader on data privacy management, applies an opt-in framework when it comes to consent.

The GDPR specifically states: “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.” 

Following suit, many other countries and jurisdictions have utilized the opt-in framework for collecting consent. Argentina, Brazil, China, and India are good examples, all having implemented an opt-in strategy for gathering consent to collect user data.

Preference Management Functionality

To the untrained eye, opt-in jurisdictions may look like an overwhelming design and maintenance burden on already overtaxed business admin resources, with the ubiquitous pop-up banners and questionnaires as the only solution. But that is not always the case.

First, remember that opt-in jurisdictions do not require consent for strictly necessary data collection, which exempts mandatory business information from processing procedures. Additionally, most consent can be gathered in a straightforward way online through the right legal language crafted with counsel.

Record keeping and legal language are intertwined and must be consistent when gathering and documenting consent. With proper design of your organization’s policies and procedures to show due diligence, good record-keeping practices, thoughtful risk management, and an understanding of jurisdiction requirements, you will be on the right side of defensible information governance standards.


Over the years, LevelUP has leveraged our compliance expertise to provide clients steady navigation through uncertain waters and arrive at safe compliance shores. We help clients create and implement customized, comprehensive, yet straightforward consumer consent programs which demonstrate compliance and build consumer trust.

For more information on this topic or how LevelUP Consulting Partners can assist with your privacy and data security compliance needs, contact Dave Cohen, Senior Manager at:
