SOC 2 P3.2: Privacy - Consent for New Purposes or Uses
What This Control Requires
For information requiring explicit consent, the entity communicates the need for such consent, as well as the consequences of a failure to provide consent to the data subject, and obtains the consent prior to the collection, use, or disclosure of the information. When consent is required for secondary uses, the entity obtains such consent prior to those secondary uses.
In Plain Language
You collected customer data for one purpose. Now you want to use it for something else - maybe feed it into an ML model, share it with a new partner, or run marketing campaigns. You need fresh consent before you do any of that.
This is where many fast-moving companies get caught. A product team builds a new feature that repurposes existing user data, and nobody stops to ask whether the original consent covers it. It usually does not. Using service delivery data for marketing, sharing with new third-party categories, or applying AI to personal data all typically require explicit authorisation.
Auditors check that you have a process for flagging when new or secondary uses require additional consent, that you actually obtain that consent before the processing starts (not after), that users understand what happens if they decline, and that you keep records of every supplemental consent collected.
How to Implement
Build a privacy assessment step into your product development process. Whenever a team proposes a new feature, analytics initiative, or third-party integration involving personal data, evaluate whether the proposed use falls within existing consent or needs new authorisation.
Define clear criteria for what triggers a consent requirement. You generally need new consent when data is used for purposes not in the original privacy notice, shared with new categories of third parties, processed with new technology like AI profiling, used across different products within your organisation, or processed in ways that could have unexpected consequences for individuals.
Design straightforward consent flows for secondary uses. Tell users exactly what the new use involves, what data is affected, what they gain (if anything), what happens if they decline, and how to withdraw consent later. Always use opt-in; never assume consent for secondary purposes.
Implement technical guardrails. If a user has not consented to a secondary use, their data must be excluded from that processing. This means consent flags in your database, conditional processing logic, or access controls that enforce consent boundaries. Do not rely on process alone - auditors want to see technical enforcement.
Track secondary use consents separately or linked to original consent records. Record who consented to what, when, and the exact consent language they saw. Give users visibility into their secondary use consents through a preference centre.
Plan for the reality that not everyone will consent. When rolling out a new data use to an existing user base, prepare a communication plan, give adequate notice, and have a clear approach for non-responders. Non-response is not consent.
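As an added illustration of the technical guardrail described above (example code, not AuditFront's own; the purpose names, notice versions and user IDs are constructed), a minimal consent ledger that records who consented to what, when and under which notice text, plus a gate that hands a secondary-use job only the subjects with an active opt-in, treating non-response and withdrawal as no consent:

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Hypothetical purpose registry: anything listed needs its own opt-in, separate from service delivery.
SECONDARY_PURPOSES = {"marketing", "ml_training", "partner_sharing"}

@dataclass
class ConsentRecord:  # who consented to what, when, and the exact notice text version they saw
    subject_id: str
    purpose: str
    notice_version: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    def __init__(self) -> None:
        self.records: list[ConsentRecord] = []

    def grant(self, subject_id: str, purpose: str, notice_version: str) -> None:
        self.records.append(ConsentRecord(subject_id, purpose, notice_version, datetime.now(timezone.utc)))

    def withdraw(self, subject_id: str, purpose: str) -> None:
        for r in self.records:
            if r.subject_id == subject_id and r.purpose == purpose and r.withdrawn_at is None:
                r.withdrawn_at = datetime.now(timezone.utc)

    def has_consent(self, subject_id: str, purpose: str, notice_version: str) -> bool:
        # Opt-in only: no record (non-response) is not consent, a withdrawn record does not count,
        # and consent is bound to the notice text shown (design choice: a revised notice needs re-consent).
        return any(r.subject_id == subject_id and r.purpose == purpose
                   and r.notice_version == notice_version and r.withdrawn_at is None
                   for r in self.records)

def gate_secondary_use(ledger: ConsentLedger, purpose: str, notice_version: str,
                       subject_ids: list[str]) -> tuple[list[str], list[str]]:
    """Split subjects into (allowed, excluded); only `allowed` may reach the downstream job."""
    if purpose not in SECONDARY_PURPOSES:
        raise ValueError(f"{purpose!r} is not a registered secondary purpose")
    allowed = [s for s in subject_ids if ledger.has_consent(s, purpose, notice_version)]
    return allowed, [s for s in subject_ids if s not in allowed]

def demo() -> tuple[list[str], list[str]]:
    # Constructed sample: four users were asked for marketing consent under notice v2; u4 never responded.
    ledger = ConsentLedger()
    ledger.grant("u1", "marketing", "marketing-notice-v2")  # opted in to the current text
    ledger.grant("u2", "marketing", "marketing-notice-v1")  # consented to an older notice only
    ledger.grant("u3", "marketing", "marketing-notice-v2")
    ledger.withdraw("u3", "marketing")                       # later withdrew
    return gate_secondary_use(ledger, "marketing", "marketing-notice-v2", ["u1", "u2", "u3", "u4"])
```

The `excluded` list is the evidence an auditor asks for under "technical controls": it shows which subjects the job never touched and why, without any reliance on a manual process.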
Evidence Your Auditor Will Request
- Privacy assessment records for proposed new data uses evaluating consent requirements
- Secondary use consent collection mechanisms with clear disclosure of new processing purposes
- Consent records for secondary uses showing individual authorization before processing began
- Technical controls preventing processing of data without required secondary use consent
- Communication records notifying individuals of new data uses and requesting consent
Common Mistakes
- New data uses are implemented without evaluating whether additional consent is required
- Consent for secondary uses is assumed based on original consent without specific authorization
- Data is repurposed for marketing or analytics without informing or obtaining consent from data subjects
- No technical controls prevent processing of data for secondary uses when consent has not been obtained
- Individuals are not clearly informed of the consequences of declining consent for secondary uses
Related Controls Across Frameworks
Frequently Asked Questions
Can we use personal data for AI/ML model training without additional consent?
What if users do not respond to our consent request?
Can legitimate interest replace consent for secondary uses under GDPR?