Managing Consent – What, Why, and Use Cases for Salesforce

Why should you read this?


Data Privacy laws such as GDPR and CCPA bring in a new set of requirements around Consent for the processing of Personal Data. If your company actively processes private data of EU residents or California residents, especially in Salesforce…Read on.

Related Article…Managing Consent – Should you do it on Salesforce…and How?


What is Consent Management

Consent is basically getting permission from a person(data subject) in an “informed, unambiguous, and specific” manner. GDPR has specific guidelines for having people “opt-in” to whatever it is that you are doing with their data.

"Consent is one of the easiest to satisfy because it allows you to do just about anything with the data — provided you clearly explain what you’re going to do and obtain explicit permission from the data subject." Ref.

However, consent is only one of the 6 lawful basis for data processing under GDPR’s Article 6. That means we may not have to get consent if the data processing has some other lawful basis.


The interpretation of what is acceptable is dependent on your business. Typically, it takes into consideration the following aspects:


Residency status of the Data Subjects: Remember that Data Privacy laws have a cross border enforcement. i.e. It does NOT depend on where your business is based, as much as it does on whose Personal Data your organization is actively processing.

Legal and DPO’s perspective: Compliance efforts are an exercise in risk management and have to find a pragmatic balance between investing in robust Data Privacy Management and managing risks.

Customer Trust: Forward-thinking companies understand that Personal Data Privacy is about doing what is right for their customers, and other stakeholders.

It makes good business sense to do this and can bring immense dividends in terms of customer loyalty and trust.

Personal Data Privacy projects are customer trust initiatives because customers care more about how their information is handled than how much corporate tax the company paid last quarter.

When to build Consent Management on Salesforce?

A couple of reasons:

Your Salesforce Org is chock-full of personal information and for processing that Personal Data, consent is required.

Salesforce + Marketing Technology integration for outbound communication via emails, SMS, Social Media, etc., requires consent.

An ideal Enterprise Architecture “Hub and Spoke” model can leverage all the Salesforce investments to serve as the Consent Management Platform.

Salesforce for Consent benefits from a modern Cloud architecture, Automation, APIs and Marketing integration. However, like everything else, it depends!

When NOT to build Consent Management on Salesforce?
A separate full-blown Consent Management Platform (CMPs) exists – common in Mega customers with a large number of disparate systems.

A separate Master Data Management initiative is in place, and a Consent solution will be extended/integrated off it.
Small Salesforce footprint that is not strategic to the overall landscape, and possibly no direct Marketing Technology (Mar-tech) integration.

Technology choice for Consent Management needs to consider how the compliance will work for the full consent lifecycle (renewal, expiration, self-service, etc.)

Discuss your specific GDPR/CCPA use cases with the author of this article.

A detailed analysis should be conducted before a choice is made, and a holistic perspective is essential to determine where Consent is mastered in the Enterprise.

Read more about Cloud Compliance

Saurabh Gupta

Saurabh Gupta

Saurabh is an Enterprise Architect and seasoned entrepreneur spearheading a Salesforce security and AI startup with inventive contributions recognized by a patent.

Related Articles