SOC 2 P2.1: Privacy - Choice and Consent
What This Control Requires
The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subject and the consequences of each choice to meet the entity's objectives related to privacy. Explicit and implicit consent is obtained from data subjects as required.
In Plain Language
If you are collecting personal data, people need to have a genuine choice about it - and they need to understand what happens if they say no. Pre-checked boxes and buried opt-outs do not count.
In practice, this means building proper consent mechanisms: clear opt-in for sensitive data and marketing, easy opt-out where regulations allow implied consent, and honest explanations of what users lose by declining. Every consent decision needs to be recorded - who agreed, when, to what exactly, and how. Auditors will ask for these records.
The operative idea is that consent must be meaningful. Auditors evaluate whether the choices you offer are genuine (not dark patterns such as pre-ticked boxes, nagging re-prompts, or an opt-out that takes five clicks while opt-in takes one), whether the form of consent matches the sensitivity of the processing, whether you actually honour the choices people make in your systems, and whether you can prove all of this with records.
How to Implement
Map every data collection and processing activity to the appropriate consent mechanism. Consider the GDPR lawful bases (consent, legitimate interest, contractual necessity, and the others), CCPA opt-out requirements for sale and sharing, and any industry-specific rules that apply to your business. Pick consent as the basis only where it genuinely fits: once consent is the basis, a withdrawal must stop the processing, so do not rely on it for processing you cannot switch off.
Build consent collection that is unambiguous. For explicit consent, use unchecked opt-in boxes with specific language describing what the person is agreeing to. For email marketing, implement double opt-in. For implied consent scenarios, make the implied terms clear in your privacy notice and provide straightforward opt-out.
Give users a preference centre where they can view and manage all their consent choices in one place. Make withdrawing consent as easy as granting it - if they clicked one button to opt in, they should be able to click one button to opt out. When preferences change, update your processing immediately.
Keep detailed consent records. For every consent event, log who consented, when (UTC timestamp), the exact version of the consent language they saw (a version identifier or a hash of the wording, with the wording itself retained), the method (checkbox, form, double opt-in, written), and any subsequent withdrawal. Store these as an append-only log rather than overwriting a single "consented" flag, so that the history of grants and withdrawals is reconstructable. These records are your primary audit evidence.
Write consent language that is specific and unbundled. Do not lump multiple consent requests into one checkbox. Use plain language. State clearly what happens if someone declines - for example, "You will not be able to use personalised recommendations." Link to the full privacy notice for detail.
Define a process for handling withdrawals. When someone revokes consent, stop the associated processing promptly, including at any downstream processors or third parties you have shared the data with. Withdrawal is prospective: it does not make earlier processing invalid, but it does require you to decide in advance what happens to data already collected under the prior consent (delete, anonymise, or retain under another lawful basis). Confirm to the user what actions you have taken and any resulting limitations to their service.
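The record-keeping and withdrawal steps above amount to a small data structure: an append-only consent log keyed by subject and purpose, where each grant references the exact wording version shown. The following is an added example written for this page, not code from the page or from AuditFront; the class names, the purpose strings, and the rule that a grant only counts while its wording is still the current version are assumptions made for illustration. It rejects pre-checked defaults, records withdrawals against the grant they revoke, provides the gate a downstream processor would call before using the data, and exports the per-subject trail an auditor would ask for.

```python
"""Append-only consent ledger with versioned consent text (illustrative, hypothetical design)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable log entry: who, for what purpose, which action, which wording, how, when."""
    subject_id: str
    purpose: str          # e.g. "marketing_email", "personalised_recommendations"
    action: str           # "grant" or "withdraw"
    text_hash: str        # SHA-256 of the exact consent wording the subject saw
    method: str           # "checkbox", "double_opt_in", "preference_centre", ...
    timestamp: datetime   # UTC


class ConsentLedger:
    """Consent records as an event log rather than a mutable per-user flag.

    Assumed rule (not from the page): a grant is effective only while the wording it
    references is still the current wording for that purpose, so changing the text
    forces re-consent instead of silently carrying old consent forward.
    """

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []   # append-only; never edited in place
        self._texts: dict[str, str] = {}        # text hash -> wording (kept as evidence)
        self._current: dict[str, str] = {}      # purpose -> hash of current wording

    @staticmethod
    def hash_text(text: str) -> str:
        return hashlib.sha256(text.encode("utf-8")).hexdigest()

    def publish_text(self, purpose: str, text: str) -> str:
        """Register a (new) version of the consent wording for a purpose; returns its hash."""
        h = self.hash_text(text)
        self._texts[h] = text
        self._current[purpose] = h
        return h

    def record_grant(self, subject_id: str, purpose: str, text_hash: str, method: str,
                     affirmative: bool, now: datetime | None = None) -> ConsentEvent:
        """Log a grant. A pre-checked or default state is not an affirmative act and is refused."""
        if not affirmative:
            raise ValueError("pre-checked or default consent is not valid opt-in")
        if text_hash not in self._texts:
            raise ValueError("grant references an unknown consent text version")
        ev = ConsentEvent(subject_id, purpose, "grant", text_hash, method,
                          now or datetime.now(timezone.utc))
        self._events.append(ev)
        return ev

    def record_withdrawal(self, subject_id: str, purpose: str, method: str,
                          now: datetime | None = None) -> ConsentEvent:
        """Log a withdrawal, tied to the wording of the grant being revoked."""
        last_grant = next((e for e in reversed(self._events)
                           if e.subject_id == subject_id and e.purpose == purpose
                           and e.action == "grant"), None)
        ref = last_grant.text_hash if last_grant else self._current.get(purpose, "")
        ev = ConsentEvent(subject_id, purpose, "withdraw", ref, method,
                          now or datetime.now(timezone.utc))
        self._events.append(ev)
        return ev

    def effective_consent(self, subject_id: str, purpose: str) -> bool:
        """Gate for processing: the latest event is a grant and references the current wording."""
        latest = next((e for e in reversed(self._events)
                       if e.subject_id == subject_id and e.purpose == purpose), None)
        return (latest is not None and latest.action == "grant"
                and latest.text_hash == self._current.get(purpose))

    def pending_reconsent(self, purpose: str) -> list[str]:
        """Subjects whose latest event is a grant under superseded wording (need re-consent)."""
        latest_by_subject: dict[str, ConsentEvent] = {}
        for e in self._events:
            if e.purpose == purpose:
                latest_by_subject[e.subject_id] = e
        return sorted(s for s, e in latest_by_subject.items()
                      if e.action == "grant" and e.text_hash != self._current.get(purpose))

    def audit_trail(self, subject_id: str) -> list[dict]:
        """Evidence export: every event for a subject, with the exact wording they saw."""
        return [{"purpose": e.purpose, "action": e.action, "method": e.method,
                 "at": e.timestamp.isoformat(), "text_version": e.text_hash[:12],
                 "text": self._texts.get(e.text_hash, "")}
                for e in self._events if e.subject_id == subject_id]
```

The gate is the important part for the "actually honour the choices" test an auditor applies: any code path that sends marketing email or runs personalisation should call `effective_consent` at the point of use rather than reading a cached flag, and `pending_reconsent` is what you run after changing the wording to find who must be asked again.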
Evidence Your Auditor Will Request
- Consent mechanism designs and implementations for all data collection and use activities
- Consent records showing who consented, when, to what, and by what method
- Privacy preference centre or consent management platform documentation
- Consent withdrawal process documentation and records of consent withdrawals honoured
- Consent language versions with clear, specific descriptions of data processing activities
Common Mistakes
- Consent checkboxes are pre-checked, undermining the validity of opt-in consent
- Consent language is vague or bundled, not allowing granular choices for different processing activities
- No records of consent are maintained, making it impossible to demonstrate valid consent
- Consent withdrawal requests are not processed in a timely manner or are not honored completely
- Consequences of declining consent are not communicated to data subjects
Related Controls Across Frameworks
Frequently Asked Questions
When is explicit consent required versus implied consent?
Do we need a consent management platform?
How do we handle consent for existing users when we change our data practices?