Consent Management
What it is
Consent Management in BotBat CDP tracks and enforces customer communication preferences across every channel your organization uses. Each customer profile maintains a per-channel, per-type consent record that indicates whether the customer has opted in or opted out of specific categories of communication. The three default consent types are Marketing, Transactional, and Data Processing, and you can define additional custom types as needed for your regulatory environment.
Every consent change is recorded in a full audit trail that captures the timestamp, the previous status, the new status, the source of the change (web form, WhatsApp reply, API call, manual entry, workflow), and the identity of the user or system that initiated it. This audit trail is essential for demonstrating compliance with GDPR, CCPA, LGPD, and other privacy regulations. When regulators, legal teams, or customers themselves request proof of consent, you can produce a complete, timestamped history for any profile.
The Consent settings page is where you configure consent types, map them to channels, and set default statuses for new profiles. This is the foundation of your consent enforcement strategy and should be configured before launching any campaigns.

Consent types and channels
The following table describes the default consent types and how they map to communication channels. You can add custom consent types from the Consent settings page to match your organization's specific regulatory requirements.

| Consent Type | Purpose | Typical Channels | Legal Context |
|---|---|---|---|
| Marketing | Promotional messages, offers, newsletters, and advertising content. | Email, SMS, WhatsApp, Push | Requires explicit opt-in under GDPR, CCPA, and most privacy laws. |
| Transactional | Order confirmations, shipping updates, password resets, and account notifications. | Email, SMS, WhatsApp | Generally permitted without explicit marketing consent, but subject to channel rules. |
| Data Processing | Consent for the organization to store and process the customer's personal data. | N/A (applies to the profile itself) | Required under GDPR Article 6; must be documented with a lawful basis. |
| Custom types | Organization-specific consent categories beyond the defaults. | Configurable per type | Depends on the specific regulation or internal policy being addressed. |

When to use
Consent management touches nearly every part of the customer communication lifecycle. The following table outlines the key scenarios where consent configuration, collection, or enforcement comes into play.

| Scenario | Description | Example |
|---|---|---|
| Pre-campaign verification | Confirm that every contact in your audience has given explicit consent for the communication type and channel before sending. | Verify marketing opt-in for WhatsApp before sending a promotional blast. |
| Consent collection via workflows | Build opt-in confirmation flows that automatically record consent when a customer responds positively. | A WhatsApp flow asks "Would you like to receive promotions?" and records the response. |
| Opt-out processing | Immediately record and enforce opt-out requests from keywords, unsubscribe links, or manual requests. | A customer replies "STOP" to an SMS; the system revokes SMS marketing consent instantly. |
| Compliance auditing | Demonstrate to regulators or legal teams exactly when and how consent was granted or revoked for any profile. | Export the consent history for a specific customer as part of a GDPR data subject access request. |
| Bulk consent updates | Import consent status for a batch of customers who consented at an event or through a third-party form. | Upload a CSV of event attendees with marketing opt-in consent collected at registration. |
| Campaign delivery enforcement | Automatically skip non-consented contacts during campaign delivery without relying on manual audience filtering. | The campaign engine excludes 1,200 profiles that have not opted in for email marketing. |

Viewing and editing profile consent
Each customer profile contains a Consent section that displays a matrix of consent types by channel. For example, you might see that a profile has opted in for Marketing via WhatsApp but opted out of Marketing via Email, while Transactional consent is granted across all channels. This matrix gives you an at-a-glance view of what communications you are permitted to send to that customer.

To manually update a profile's consent, click "Edit Consent" in the Consent section. This opens a form where you can toggle consent on or off for each type and channel combination. You must provide a reason for the change, such as "Customer called support to opt out of SMS marketing" or "Consent collected via in-store registration form." This reason is recorded in the audit trail and is critical for compliance documentation.

Collecting consent through workflows
The most scalable way to collect consent is through automated workflows. In the Workflow builder, add a "Collect Consent" action node and configure the channel, consent type, and the message or form that requests consent. When the customer responds with an affirmative answer, the workflow automatically updates their consent status on the profile. This approach ensures that consent is captured consistently, with a clear audit trail linking the consent to the specific workflow and message that collected it.

For opt-out handling, configure channel-specific keywords and triggers. For SMS, the standard keyword is "STOP." For email, an unsubscribe link is automatically included in marketing messages. For WhatsApp, you can configure custom opt-out keywords. When a customer sends or clicks the opt-out trigger, consent is revoked immediately and the profile is updated in real time. It is essential to test these flows before going live, as a broken opt-out mechanism is both a compliance violation and a poor customer experience.
Enforcing consent in campaigns
When creating a campaign, the "Enforce Consent" toggle is enabled by default. With this toggle active, the campaign delivery engine automatically excludes any profile that has not explicitly opted in for the selected channel and communication type. The campaign summary shows the number of profiles excluded due to missing consent, giving you visibility into the impact of consent enforcement on your audience reach.

This enforcement layer acts as a safety net. Even if your audience segment or list contains profiles without proper consent, the delivery engine will not send messages to them. This protects your organization from accidental compliance violations and ensures that only consented contacts receive your communications. Disabling consent enforcement is possible but strongly discouraged; doing so bypasses all consent checks and places the full compliance burden on the campaign creator.
Reviewing the consent audit trail
The consent audit trail is accessible from the profile detail page by clicking "Consent History." This log displays every consent change in chronological order, including the timestamp, the old status, the new status, the source of the change, the reason provided, and the user or system that made the change. The audit trail is immutable; entries cannot be edited or deleted, ensuring the integrity of your compliance records.

You can filter the audit trail by consent type, channel, or date range to quickly locate specific changes. For GDPR data subject access requests, you can export the full consent history for a profile as part of the data package provided to the requesting customer. This export includes every field captured in the audit log, formatted for regulatory submission.
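
The type-and-channel enforcement and the audit-trail fields described in the two sections above, modelled as an added Python example; this is not BotBat's code or API. The `ConsentLedger` class, its method names, and the SHA-256 hash chain used to make edits to the audit log detectable are assumptions for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

OPTED_IN, OPTED_OUT, NOT_SET = "Opted In", "Opted Out", "Not Set"

def _digest(entry):  # canonical JSON -> SHA-256 hex digest
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class ConsentLedger:  # hypothetical in-memory model (assumption), not BotBat's API
    def __init__(self):
        self._status = {}  # (profile, consent type, channel) -> current status
        self.audit = []    # append-only; each entry is hash-chained to the previous

    def status(self, profile, ctype, channel):
        # A missing record is "Not Set", never an implied opt-in.
        return self._status.get((profile, ctype, channel), NOT_SET)

    def set_consent(self, profile, ctype, channel, new, *, source, actor, reason):
        if not (source.strip() and actor.strip() and reason.strip()):
            raise ValueError("source, actor and reason are required")
        entry = {"timestamp": datetime.now(timezone.utc).isoformat(), "profile": profile,
                 "type": ctype, "channel": channel, "source": source, "actor": actor,
                 "old_status": self.status(profile, ctype, channel), "new_status": new,
                 "reason": reason, "prev_hash": self.audit[-1]["hash"] if self.audit else "0" * 64}
        entry["hash"] = _digest(entry)
        self.audit.append(entry)
        self._status[(profile, ctype, channel)] = new

    def audit_intact(self):  # recompute the chain; edits and mid-chain deletions fail
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev_hash"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def enforce(self, audience, ctype, channel):
        # Deliver only to explicit opt-ins for this exact type AND channel.
        allowed = [p for p in audience if self.status(p, ctype, channel) == OPTED_IN]
        return allowed, len(audience) - len(allowed)

def sample_ledger():  # constructed sample data, not real customer records
    led = ConsentLedger()
    for profile, channel, new, source in [
            ("p1", "Email", OPTED_IN, "web form"), ("p1", "SMS", OPTED_IN, "web form"),
            ("p1", "SMS", OPTED_OUT, "SMS reply"), ("p2", "WhatsApp", OPTED_IN, "workflow")]:
        led.set_consent(profile, "Marketing", channel, new, source=source, actor="system", reason="sample")
    return led
```

Calling `sample_ledger().enforce(["p1", "p2", "p3"], "Marketing", "Email")` returns the deliverable profiles and the excluded count, the figure the campaign summary reports.
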
Common pitfalls
Consent management is a legally sensitive area where mistakes can have regulatory consequences. The table below highlights the most frequent issues and how to prevent them.

| Pitfall | Risk | Prevention |
|---|---|---|
| Assuming opt-in by default | In most jurisdictions, consent must be explicitly granted. Assuming consent leads to compliance violations. | Set the default consent status for new profiles to "Not Set" or "Opted Out." |
| Conflating marketing and transactional | Marketing and transactional communications have different legal requirements. Blocking transactional messages (e.g., order confirmations) due to a marketing opt-out harms the customer experience. | Configure consent types separately and ensure transactional consent is independent of marketing consent. |
| Incomplete audit trail entries | Updating consent without providing a reason or source makes the audit trail unreliable for compliance purposes. | Require a reason field for every manual or API-driven consent change. |
| Ignoring channel-level granularity | A customer may consent to email marketing but not WhatsApp marketing. Checking only the consent type without the channel leads to unauthorized messages. | Always enforce consent at the intersection of type and channel, not just the type alone. |
| Untested opt-out flows | If the "STOP" keyword or unsubscribe link does not work, customers cannot opt out, creating a serious compliance risk. | Test all opt-out mechanisms across every channel before launching campaigns. |

Set up a consent preference center, a web page or workflow where customers can manage their own communication preferences across all channels and types. This reduces manual consent management overhead, improves customer trust, and strengthens your compliance posture significantly.