Consent and privacy in CIAM (GDPR, CCPA)
CIAM sits on top of the most regulated data a company holds: who its customers are. Consent and privacy handling is not a side feature; it is a reason CIAM is bought in the first place.
What the law expects
GDPR (EU), CCPA and CPRA (California), and a growing list of similar regimes share a few demands that land directly on the identity layer:
- Lawful basis and explicit consent for processing, captured at the point of collection.
- Proof of consent: what was agreed, to what text, and when. This is the consent receipt.
- Withdrawal that is as easy as granting.
- Data subject rights: access, portability, and deletion (“right to be forgotten”).
- Purpose limitation: consent for marketing is not consent for everything.
Consent management in a CIAM platform
A capable platform stores granular, versioned consent tied to the user record, surfaces it in registration and preference centers, and exposes it by API so downstream systems can check it before processing. When the consent text changes, it should track which version each user accepted. Weak platforms store a single boolean and call it consent, which fails the proof requirement.
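The paragraph above describes a data model rather than a feature tick-box. As an added example (not code from the page or from any vendor's platform), the following illustrative consent store shows what "granular, versioned, tied to the user record" looks like in practice: consent text is published per purpose with a version number, every grant and withdrawal is appended as a receipt that names the exact version accepted, and downstream systems call a single check before processing. The strict rule that consent to an older text version does not carry over to a new one is an assumption of the example, not a statement of what any law or product requires.

```python
"""Versioned, purpose-scoped consent receipts (illustrative model, not any vendor's API)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentText:
    purpose: str   # e.g. "marketing_email"; consent is scoped per purpose
    version: int   # incremented every time the wording changes
    text: str


@dataclass(frozen=True)
class ConsentReceipt:
    """Proof of what was agreed: the exact text version, the decision, and when."""
    user_id: str
    purpose: str
    version: int
    granted: bool          # False records a withdrawal, kept as evidence too
    recorded_at: datetime


class ConsentStore:
    def __init__(self) -> None:
        self._texts: Dict[str, List[ConsentText]] = {}
        self._receipts: Dict[str, List[ConsentReceipt]] = {}  # append-only per user

    def publish_text(self, purpose: str, text: str) -> ConsentText:
        versions = self._texts.setdefault(purpose, [])
        ct = ConsentText(purpose, len(versions) + 1, text)
        versions.append(ct)
        return ct

    def current_version(self, purpose: str) -> int:
        return self._texts[purpose][-1].version

    def _record(self, user_id: str, purpose: str, granted: bool) -> ConsentReceipt:
        if purpose not in self._texts:
            raise KeyError(f"no published consent text for purpose {purpose!r}")
        receipt = ConsentReceipt(user_id, purpose, self.current_version(purpose),
                                 granted, datetime.now(timezone.utc))
        self._receipts.setdefault(user_id, []).append(receipt)
        return receipt

    def grant(self, user_id: str, purpose: str) -> ConsentReceipt:
        return self._record(user_id, purpose, True)

    def withdraw(self, user_id: str, purpose: str) -> ConsentReceipt:
        # Withdrawal is one call, the same shape as granting.
        return self._record(user_id, purpose, False)

    def latest(self, user_id: str, purpose: str) -> Optional[ConsentReceipt]:
        for r in reversed(self._receipts.get(user_id, [])):
            if r.purpose == purpose:
                return r
        return None

    def is_permitted(self, user_id: str, purpose: str) -> bool:
        """What a downstream system calls before processing for this purpose.
        Strict policy (an assumption of this example): consent to an older text
        version does not carry over to the current one."""
        r = self.latest(user_id, purpose)
        return r is not None and r.granted and r.version == self.current_version(purpose)

    def receipts(self, user_id: str) -> List[ConsentReceipt]:
        """The user's full consent history, for access and export requests."""
        return list(self._receipts.get(user_id, []))


def demo() -> dict:
    """Constructed scenario; returns the checks a buyer would want to see pass."""
    store = ConsentStore()
    store.publish_text("marketing_email", "We will email you offers. (v1)")
    store.publish_text("analytics", "We will analyse your usage. (v1)")
    store.grant("u-100", "marketing_email")
    out = {
        "marketing_ok": store.is_permitted("u-100", "marketing_email"),
        "analytics_not_implied": not store.is_permitted("u-100", "analytics"),  # purpose limitation
    }
    store.publish_text("marketing_email", "We will email you offers and surveys. (v2)")
    out["stale_after_text_change"] = not store.is_permitted("u-100", "marketing_email")
    store.grant("u-100", "marketing_email")
    out["reconsented_v2"] = store.latest("u-100", "marketing_email").version == 2
    store.withdraw("u-100", "marketing_email")
    out["withdrawn"] = not store.is_permitted("u-100", "marketing_email")
    out["history_len"] = len(store.receipts("u-100"))  # grant, grant, withdraw = 3
    return out
```

The point of the receipt list being append-only is that a withdrawal does not erase the evidence that consent once existed; the platform can still show what was agreed, to which text, and when, which a single boolean cannot.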
Deletion is the hard one
Right to be forgotten is where many setups break, because identity data is copied into analytics, support tools, and data warehouses. Ask how the platform propagates a deletion request and what it can and cannot reach.
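To make "what it can and cannot reach" concrete, here is an added example (not the page's or any vendor's code) of a deletion propagation ledger. It fans one request out to every registered copy of the user record, records per system whether the erase succeeded, failed, or was never reachable from the platform, and reports what is still pending. The sinks, the user id, and the failing warehouse are all constructed for the example.

```python
"""Deletion propagation ledger (illustrative; not any vendor's implementation)."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class DeletionOutcome:
    system: str
    status: str          # "deleted" | "failed" | "out_of_reach"
    detail: str = ""


class DeletionPropagator:
    """Fans a deletion request out to every registered copy of identity data and
    records what happened, so the answer to "what did you actually erase?" is
    evidence rather than assumption."""

    def __init__(self) -> None:
        self._sinks: Dict[str, Callable[[str], None]] = {}
        self._out_of_reach: List[str] = []

    def register_sink(self, name: str, erase: Callable[[str], None]) -> None:
        """A system the platform can erase from directly (hypothetical handler)."""
        self._sinks[name] = erase

    def register_out_of_reach(self, name: str) -> None:
        """A known copy the platform cannot reach itself; tracked, not forgotten."""
        self._out_of_reach.append(name)

    def propagate(self, user_id: str) -> List[DeletionOutcome]:
        outcomes: List[DeletionOutcome] = []
        for name, erase in self._sinks.items():
            try:
                erase(user_id)
                outcomes.append(DeletionOutcome(name, "deleted"))
            except Exception as exc:  # one failing sink must not hide the others
                outcomes.append(DeletionOutcome(name, "failed", str(exc)))
        for name in self._out_of_reach:
            outcomes.append(DeletionOutcome(name, "out_of_reach", "manual process required"))
        return outcomes


def is_complete(outcomes: List[DeletionOutcome]) -> bool:
    return all(o.status == "deleted" for o in outcomes)


def pending(outcomes: List[DeletionOutcome]) -> List[str]:
    """Systems still holding the record after the request; this is the list to act on."""
    return [o.system for o in outcomes if o.status != "deleted"]


def demo() -> List[DeletionOutcome]:
    # Constructed in-memory stand-ins for the copies of a user record.
    identity_store = {"u-100": {"email": "alice@example.com"}}
    support_tool = {"u-100": ["ticket-1"]}

    def erase_identity(uid: str) -> None:
        identity_store.pop(uid)

    def erase_support(uid: str) -> None:
        support_tool.pop(uid)

    def erase_warehouse(uid: str) -> None:
        # Constructed failure: the warehouse in this scenario refuses the delete.
        raise RuntimeError("warehouse rejects deletes on closed partitions")

    p = DeletionPropagator()
    p.register_sink("identity_store", erase_identity)
    p.register_sink("support_tool", erase_support)
    p.register_sink("data_warehouse", erase_warehouse)
    p.register_out_of_reach("third_party_analytics")
    return p.propagate("u-100")
```

When evaluating a platform, the question to ask is whether it produces something like this ledger for each request, or only reports success for its own user table while the copies it never touched stay in place.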
Buyer checklist
- Versioned consent receipts, not a single flag.
- Preference center out of the box.
- APIs for access, export, and deletion.
- Data residency options (EU, US) if your customers require it.
- A Data Processing Agreement the vendor will actually sign.
If you operate across regions, confirm residency and DPA terms before the technical evaluation, not after.