Consent Status
https://publicschema.org/vocab/consent-status
The current lifecycle state of a consent record. Values are ordered roughly along the record lifecycle from initial request through active use to termination. Programs that perform bulk intake should initialise records at given rather than requested.
Values
| Code | Label | Standard code | Definition |
|---|---|---|---|
requested | Requested | The record has been created and the consent request has been communicated to the data subject, but no indication of agreement or refusal has been received yet. Used primarily in digital workflows where a notice is sent and a response is awaited. Bulk and in-person intake programs typically skip this state and go directly to given or refused. | |
given | Given | The data subject has indicated agreement to the stated terms for the first time. This is the active state for a record that has never been withdrawn, revoked, or expired. Terms-fields (purposes, recipients, legal basis, etc.) are immutable from this point forward. Distinct from renewed, which applies when a previously withdrawn or expired consent is re-activated. | |
renewed | Renewed | The data subject has re-indicated agreement after a prior consent was withdrawn, revoked, or expired. Renewal typically occurs because the underlying notice was updated in a substantive way (new purposes or new recipients) and a fresh agreement was sought. Distinct from given, which marks the first-time agreement. A new consent record is created for the renewal; the prior record retains its terminal status. | |
refused | Refused | The data subject was asked and explicitly declined to give consent or to accept the stated terms. The record documents the fact of refusal for audit and lifecycle purposes. A refused record is closed; processing on the refused basis must not proceed. If the data subject later changes their mind, a new record is created with status given. | |
withdrawn | Withdrawn | The data subject has exercised their right to withdraw consent previously given. Withdrawal is subject-initiated and must be as easy as giving consent. The record transitions to this state and withdrawal_channel is populated. Withdrawal is not retroactive (processing performed under the prior given or renewed record was lawful at the time), but must stop from the moment of withdrawal. Distinct from revoked, which is controller-initiated. | |
revoked | Revoked | The controller has administratively invalidated the consent record, for example because the data subject is deceased, a court order has been issued, or program eligibility has changed in a way that makes continuation unlawful. Revocation is controller-initiated, in contrast to withdrawn which is subject-initiated. Records are moved to this status only when there is a controller-side cause; it should not be used as a synonym for withdrawn. | |
expired | Expired | The record has reached its expiry_date and is no longer valid for authorising processing. Expiry is time-based and automatic; no action by subject or controller is required. Programs must not process data under an expired consent record. If continued processing is needed and the legal basis remains valid, a renewal record must be created. Common for parental consents set to expire at the child's age of majority. | |
invalidated | Invalidated | The record has been determined to be legally or technically invalid after the fact, for example because the notice shown was defective, the delegation claimed was not legally authorised, or a court ruling has voided the consent. Distinct from revoked (which is an administrative controller decision) and withdrawn (which is a subject right). Records in this state must not be used as the basis for processing; remediation (obtaining a fresh valid record or relying on an alternative legal basis) is required. | |
unknown | Unknown | The consent state cannot be determined, typically because the record was migrated from a legacy system that did not track status explicitly. Use this value only for imported historical records where the original status is genuinely unrecoverable. Do not use it for new records. Programs should treat unknown-status records as unauthorised until status can be confirmed. |
Referenced by this vocabulary
- ISO/IEC TS 27560:2023 International Organization for Standardization, 2023
Other references
- W3C Data Privacy Vocabulary (DPV) v2 - Consent Status classes structural pattern DPV v2 defines a two-tier consent status hierarchy under dpv:ConsentStatus. This vocabulary aligns with DPV's distinction between active states (given, renewed), withdrawn, refused, revoked, expired, and unknown.