Consent and Preference Management Policy

The Consent and Preference Management Policy defines mandatory requirements for determining when consent is required, requesting consent, capturing consent evidence, managing preferences, processing withdrawals, maintaining consent records, and reviewing consent mechanisms. It applies to PII processing where consent is selected or required as a lawful basis, where explicit consent is required, where consent preferences are captured, or where the organization manages consent records on behalf of a controller. The policy covers controller, joint controller, processor, and subprocessor contexts, while making clear that processor and subprocessor obligations apply only where consent records, preference states, or withdrawal instructions are managed under documented controller or customer instructions. A central principle of the policy is that consent is not the default lawful basis for PII processing. Before a new or materially changed processing activity relies on consent, the Process Owner or Business Owner must record whether consent is required or selected in REG02, and the Privacy Lead or PIMS Manager must verify in REG02 and REG05 that consent has not been selected by default. Where processing involves special categories of PII, child-facing services, high-risk processing, or an imbalance between the organization and the PII principal, the Data Protection Officer or Privacy Advisor must review the consent basis in REG04 before launch. For joint controller activities, responsibility for obtaining, recording, refreshing, and honoring consent must be documented before processing begins. The policy sets detailed operational requirements for consent request and capture. Consent requests must be purpose-specific and linked to the applicable REG07 privacy notice version before presentation to a PII principal. Systems must require affirmative action where explicit or opt-in consent is required and must prevent processing that relies on consent from proceeding unless REG05 shows an active consent status for the relevant purpose. REG05 must capture the PII principal reference, purpose, PII category, consent wording or version, privacy notice version, capture channel, timestamp, method, status, and applicable validity period. Where child-facing consent or explicit consent applies, additional logic, marking, and review requirements are triggered. Preference and withdrawal management are also governed through REG05 and, where applicable, REG08. A withdrawal or preference-change mechanism must be available no later than the point at which consent is requested. Withdrawals and preference changes must be recorded within five business days of receipt or within a shorter timeframe defined for the processing activity. Affected systems, suppression states, or preference flags must be updated before further processing continues for a withdrawn or restricted purpose. Processors must forward or implement customer instructions within the customer-defined timeframe, and subprocessors must be verified through REG08 against contractual or instructed timeframes. The policy also addresses change control, record protection, governance, implementation, metrics, exceptions, enforcement, and maintenance. Consent must be reassessed before processing continues where the purpose, PII categories, controller identity, notice wording, retention, recipient category, or processing method materially changes. Consent wording, mechanism configuration, notice references, and consent-record schemas must be versioned. REG05 records must be protected against unauthorized alteration, and audit-trail evidence must be maintained. Metrics include quarterly linkage checks between REG05, REG02, and REG07; monthly withdrawal completion measurement where consent-based processing is active; and audit reporting in REG12. Exceptions must be approved before implementation, and nonconformities involving missing, invalid, unlinked, or unreliable consent evidence must be recorded within five business days.