Compliance · May 2025 · 9 min read

Consent management in a multichannel world

Navigating GDPR, TCPA and sector-specific rules when your communications span multiple channels and jurisdictions.

    Here's a sentence you'll never hear at a dinner party: "Let me tell you about our consent management architecture." And yet, the way you handle consent might be the single most important technical decision your company makes this decade.

    That's not hyperbole. In a world where companies communicate across email, SMS, RCS, push notifications, WhatsApp, and whatever channel gets invented next Tuesday, consent isn't a compliance checkbox. It's the foundation of every customer relationship you have.

    Consent as a Competitive Advantage

    Most companies treat consent like a tax. Something you have to do, grudgingly, because regulators said so. This is a bit like treating "not punching your customers" as a legal obligation rather than basic decency.

    The companies that get consent right don't just avoid fines. They build measurably stronger relationships. Cisco's 2023 Data Privacy Benchmark Study found that 94% of organisations said their customers wouldn't buy from them if data wasn't properly protected.[1] And the average return on privacy investment was 1.8x, with 30% of organisations seeing returns exceeding 2x.

    Think about it from the customer's perspective. When a company asks clearly what you'd like to hear about, through which channels, and then actually respects those preferences? That feels remarkably rare. It stands out. It builds trust in a way that no marketing campaign ever could.

    The goal isn't to collect the maximum possible consent. It's to collect honest, informed consent, and then honour it impeccably.

    The Consent Landscape: It's More Complicated Than You Think

    If you operate in a single country, with a single channel, serving a single industry? Congratulations, consent is relatively straightforward. For everyone else, welcome to the maze.

    The Key Regulations

    GDPR (EU/EEA) requires a lawful basis for processing personal data, with consent being one of six options. When you do rely on consent, it must be freely given, specific, informed, and unambiguous. Pre-ticked boxes are out. Bundled consent is out. And you need to be able to prove you got it.

    UK GDPR + PECR largely mirrors the EU framework but with its own enforcer (the ICO) and some nuances. PECR (the Privacy and Electronic Communications Regulations) specifically governs electronic marketing. For unsolicited marketing emails and texts to individuals, you generally need prior consent. The "soft opt-in" exception exists for existing customers, but it's narrower than many companies assume.

TCPA (US) takes a different approach entirely. The Telephone Consumer Protection Act requires prior express written consent before sending marketing texts or making autodialled or prerecorded marketing calls. In December 2023 the FCC adopted rules to close the "lead generator loophole" by requiring one-to-one consent, meaning a consumer must consent to receive messages from a specific, named company, not a vague list of "marketing partners."[6] That one-to-one requirement was vacated by the Eleventh Circuit in January 2025 before it took effect, so check its current status before building a process around it; the underlying prior-express-written-consent requirement still stands.

    CAN-SPAM (US) is the odd one out for email: it's opt-out rather than opt-in. You can email someone unsolicited, but you must honour unsubscribe requests within 10 business days. It sounds permissive, but if your audience includes anyone in the EU or UK, CAN-SPAM's leniency is irrelevant. You'll need to meet the higher standard anyway.

    And that's before we get to sector-specific rules. Financial services, healthcare, and government communications each layer on their own requirements. The FCA in the UK has its own views on how financial promotions should be communicated. HIPAA in the US has strict rules about health information.

    "Just be compliant" turns out to be a bit like saying "just solve the equation" to someone staring at a whiteboard full of partial differential equations.

    Channel-Specific Consent: The Trap Everyone Falls Into

    This is where we see companies get burned most often, and it's surprisingly simple once you see it:

    Consent to one channel does not equal consent to another.

    If someone signs up for your email newsletter, that does not mean they've consented to receive SMS messages. It doesn't mean you can ping them on WhatsApp. It doesn't mean you can send push notifications. Each channel has its own consent requirements, and conflating them is one of the fastest ways to find yourself on the wrong end of an enforcement action.

The ICO fined We Buy Any Car £200,000 in 2021 for sending marketing messages to people without valid consent.[2] The company had sent 191.4 million marketing emails and 3.6 million text messages, relying on consent and a soft opt-in that it could not evidence for either channel. That's not a case of malicious intent; it's a case of sloppy consent architecture.

Similarly, the ICO fined Halfords £30,000 in 2023 for sending nearly half a million marketing emails without valid consent, having treated a promotional email as a service message.[3] Classifying a message correctly, and checking consent for that classification before it leaves the building, is exactly the control that was missing.

    The pattern is always the same: a company treats consent as a single boolean (yes or no, opted in or opted out) when it needs to be a matrix of channels, purposes, and legal bases.

    The Consent Data Model

    This is the part where engineering meets compliance, and where most systems fall short. A robust consent record needs to capture more than just "they said yes." At minimum, you need:

    • Who: the identifiable individual (and how they're identified across your systems)
    • What: what specific processing they consented to (marketing, service updates, third-party sharing, etc.)
    • Which channel: email, SMS, phone, push, WhatsApp, RCS, post
    • When: timestamp of the consent event, with timezone
    • How: the mechanism (web form, paper form, verbal, API call) and the exact wording they agreed to
    • Legal basis: consent, legitimate interest, contract performance, etc.
    • Version: which version of your privacy notice or terms they saw at the time
    • Source: where the consent was collected (which website, app, or touchpoint)

    You also need a complete history. When someone changes their preferences, you don't overwrite the old record. You append a new one. Regulators don't want to see your current state; they want to see the full timeline. "They were opted in when we sent that message on March 15th" requires you to prove what their consent status was on March 15th.

    If this sounds like an event-sourced system, that's because it basically is. Consent management and event sourcing are natural partners.

    Preference Centres That Actually Work

    You've seen the bad version. You click "manage preferences" in an email footer and get two options: receive everything, or unsubscribe from everything. That's not a preference centre. That's a hostage negotiation.

    A genuine preference centre gives users meaningful control:

    • Channel selection: "Send me product updates, but by email only, not SMS"
    • Topic selection: "I care about engineering blog posts but not webinar invitations"
    • Frequency control: "Weekly digest, not daily"
    • Pause options: "Mute everything for 30 days" (because sometimes people just need a break, and the alternative is a permanent unsubscribe)
    • Clear language: no dark patterns, no guilt-tripping ("Are you sure you want to miss out on exclusive deals?!")

    The data backs this up. The DMA's (Data & Marketing Association) 2023 Consumer Email Tracker report found that consumers who feel in control of their marketing preferences are significantly more likely to engage with the messages they do receive.[8] That makes intuitive sense: if you chose to hear about something, you're more likely to actually read it.

    The preference centre also needs to be easy to find. Burying it three clicks deep in your account settings, behind a menu labelled "Communication," is not the move. A direct link in every message footer, ideally pre-authenticated so the user doesn't have to log in, is the baseline.
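One way to build that pre-authenticated footer link, as an added example rather than code from the original article: an HMAC-signed token that names the subject, carries an expiry, and is scoped to preference management only, so a forwarded or leaked email cannot be used to log in to the account. The secret key, the `example.test` URLs and the subject ids are hypothetical placeholders; in production the key comes from a secret store and the subject id is an opaque internal identifier, never an email address.

```python
"""Signed, expiring, scoped token for the preference-centre link in a message footer.

Added example (not code from the original article). The secret key, subject ids
and URLs below are hypothetical placeholders.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

PREF_LINK_KEY = b"hypothetical-server-secret-replace-me"  # assumption: loaded from a secret store
PREF_LINK_TTL = 30 * 24 * 3600  # footer links stay usable for 30 days, then expire
PREF_SCOPE = "manage-preferences"  # the token can do this and nothing else


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_pref_token(subject_id: str, now: Optional[float] = None) -> str:
    """token = b64(payload) '.' b64(HMAC-SHA256(key, payload))"""
    now = time.time() if now is None else now
    claims = {"sub": subject_id, "scope": PREF_SCOPE, "exp": int(now + PREF_LINK_TTL)}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(PREF_LINK_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_pref_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the subject id if the token is authentic, unexpired and correctly scoped.

    Any failure returns None: the caller must then fall back to a login, never
    guess the user. The MAC is checked before the payload is parsed, so
    untrusted JSON is never decoded.
    """
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, TypeError, AttributeError):
        return None
    expected = hmac.new(PREF_LINK_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims.get("scope") != PREF_SCOPE or claims.get("exp", 0) < now:
        return None
    return claims.get("sub")


def preference_link(base_url: str, subject_id: str, now: Optional[float] = None) -> str:
    """Build the URL that goes in the message footer."""
    return f"{base_url}?{urlencode({'t': make_pref_token(subject_id, now)})}"


def subject_from_link(url: str, now: Optional[float] = None) -> Optional[str]:
    """What the preference-centre endpoint does when the link is opened."""
    token = parse_qs(urlparse(url).query).get("t", [""])[0]
    return verify_pref_token(token, now)
```

The token authorises exactly one action (viewing and changing preferences for one subject) and nothing else; if the preference page also exposes account details, the footer link should not be the way in. Rotating `PREF_LINK_KEY` invalidates every outstanding link, which is the desired behaviour after a suspected leak.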

    The Real Cost of Getting It Wrong

    Let's talk about fines, because the numbers get people's attention. Under UK GDPR, the ICO can issue fines of up to £17.5 million or 4% of annual global turnover, whichever is higher. Under EU GDPR, it's €20 million or 4% of global turnover.

    The ICO's enforcement history tells the story. British Airways was fined £20 million in 2020 for a data breach affecting 400,000 customers.[4] Marriott International received a £18.4 million fine.[5] And these are the headline cases. The ICO regularly issues fines in the tens and hundreds of thousands of pounds for marketing consent violations that never make the news.

    On the TCPA side in the US, the numbers are staggering. The statute allows for $500 to $1,500 per unsolicited message. Do the maths on a marketing campaign to 100,000 people without proper consent. In 2024, a healthcare company agreed to a $7.5 million settlement over TCPA violations related to automated text messages. Class action lawyers actively monitor for TCPA violations because the statutory damages make these cases extremely lucrative.

    But here's the thing: fines aren't even the biggest cost.

    Trust destruction is. Salesforce's 2023 State of the Connected Customer report found that 65% of customers said they'd stopped buying from a company that did something they considered untrustworthy with their data.[7] That's not "considered switching" or "thought about it." That's actually stopped buying. Once trust is broken, it's nearly impossible to rebuild.

    Nobody likes feeling like their data was used without their knowledge. It's that simple, and that devastating.

    Building Consent In From Day One

    Retrofitting consent management onto an existing system is painful. We've seen it. The data is scattered across CRM fields, email platform settings, half-forgotten spreadsheets, and someone's memory of "I think they said it was fine on a phone call." Bolting on consent after the fact means reconciling all of that into a coherent model, and it's never clean.

    The alternative is to design consent into your system from the start. Here's a practical approach:

    1. Centralise consent as a first-class data entity. Not a field on a contact record. A separate, auditable store with its own API. Every system that needs to check consent status queries this single source of truth.
    2. Make consent checks part of every send path. Before any message goes out on any channel, the system checks consent status. Not "the marketing team checks." The system checks, programmatically, with no bypass.
    3. Version your consent language. When you update your privacy notice or the wording on a consent form, that's a new version. Old consent was given under old terms. You need to know which version each consent record references.
    4. Build for withdrawal. Withdrawal of consent must be as easy as giving it. That means real-time propagation: if someone opts out, the system must stop messaging them immediately, not "within 24-48 hours." GDPR Article 7(3) is explicit that withdrawal must be as easy as giving consent.
    5. Audit everything. Every consent event, every status check, every decision to send or not send. When (not if) a regulator asks, you need to produce a clear timeline.
    6. Test the unhappy paths. What happens when consent data is unavailable? The correct answer is "don't send," not "assume consent." Your system should fail closed, not open.
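The consent record described under "The Consent Data Model" and the six steps above fit together in a small amount of code. The following is an added example, not code from the original article or from any vendor: an append-only event store keyed on subject, channel and purpose, a point-in-time lookup that can answer "what was their status on March 15th", and a send gate that every send path calls, that audits each decision, and that fails closed when the store is unavailable. Class names, the wording-version labels and the sample timeline are constructed for illustration.

```python
"""Append-only consent store, point-in-time status, and a fail-closed send gate.

Added example, not code from the article or from any vendor. Names, wording-version
labels and the sample timeline are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Timezone-aware timestamp helper; naive datetimes are rejected below."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str         # who: stable id used across systems
    purpose: str            # what: "marketing", "service", "third_party_sharing"
    channel: str            # which channel: "email", "sms", "push", "whatsapp", "rcs"
    granted: bool           # True = consent given, False = withdrawn / opted out
    recorded_at: datetime   # when: timezone-aware
    mechanism: str          # how: "web_form", "paper", "verbal", "api", "preference_centre"
    wording_version: str    # version of the notice / form text the person saw
    legal_basis: str        # "consent", "legitimate_interest", "contract"
    source: str             # where: site, app or touchpoint

    def __post_init__(self) -> None:
        if self.recorded_at.tzinfo is None:
            raise ValueError("recorded_at must carry a timezone")


class ConsentStore:
    """Events are appended, never overwritten; status is derived by replay."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []
        self.available = True  # flipped to False in tests to simulate an outage

    def record(self, event: ConsentEvent) -> None:
        self._events.append(event)

    def status_at(self, subject_id: str, channel: str, purpose: str,
                  at: datetime) -> Optional[ConsentEvent]:
        """Most recent event for this (subject, channel, purpose) at or before `at`.
        Channel and purpose are both part of the key: an email opt-in says nothing about SMS."""
        if not self.available:
            raise ConnectionError("consent store unavailable")
        matching = [e for e in self._events
                    if (e.subject_id, e.channel, e.purpose) == (subject_id, channel, purpose)
                    and e.recorded_at <= at]
        return max(matching, key=lambda e: e.recorded_at) if matching else None

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Full timeline for a subject, oldest first: what a regulator asks for."""
        return sorted((e for e in self._events if e.subject_id == subject_id),
                      key=lambda e: e.recorded_at)


class SendGate:
    """The single check every send path calls; no bypass, every decision audited."""

    def __init__(self, store: ConsentStore) -> None:
        self.store = store
        self.audit: List[Dict[str, object]] = []

    def allow(self, subject_id: str, channel: str, purpose: str,
              now: Optional[datetime] = None) -> bool:
        now = now or datetime.now(timezone.utc)
        try:
            event = self.store.status_at(subject_id, channel, purpose, now)
        except ConnectionError as exc:
            # Fail closed: no data means no send, never "assume consent".
            return self._decide(subject_id, channel, purpose, now, False, f"store_error:{exc}")
        if event is None:
            return self._decide(subject_id, channel, purpose, now, False, "no_consent_record")
        if not event.granted:
            return self._decide(subject_id, channel, purpose, now, False,
                                f"withdrawn_at:{event.recorded_at.isoformat()}")
        # Record the basis and the wording version the consent was given under, so a
        # later audit can match the message to the notice the person actually saw.
        return self._decide(subject_id, channel, purpose, now, True,
                            f"ok:{event.legal_basis}:{event.wording_version}")

    def _decide(self, subject_id: str, channel: str, purpose: str, at: datetime,
                allowed: bool, reason: str) -> bool:
        self.audit.append({"subject": subject_id, "channel": channel, "purpose": purpose,
                           "checked_at": at.isoformat(), "allowed": allowed, "reason": reason})
        return allowed


def build_sample_store() -> ConsentStore:
    """Constructed sample timeline (not real data): one email opt-in, later withdrawn."""
    store = ConsentStore()
    store.record(ConsentEvent("sub-42", "marketing", "email", True, utc(2025, 1, 10, 9, 0),
                              "web_form", "privacy-notice-v2", "consent", "www.example.test/signup"))
    store.record(ConsentEvent("sub-42", "marketing", "email", False, utc(2025, 3, 20, 18, 30),
                              "preference_centre", "privacy-notice-v3", "consent", "prefs.example.test"))
    return store


if __name__ == "__main__":
    gate = SendGate(build_sample_store())
    print(gate.allow("sub-42", "email", "marketing", now=utc(2025, 3, 15, 12)))  # True
    print(gate.allow("sub-42", "sms", "marketing", now=utc(2025, 3, 15, 12)))    # False: no SMS consent
    print(gate.allow("sub-42", "email", "marketing", now=utc(2025, 3, 21, 12)))  # False: withdrawn
```

Three things to notice. The SMS check on 15 March is refused even though the person is opted in to email, because channel is part of the key rather than a flag on the contact. The 21 March email check is refused because the withdrawal event on 20 March is newer, while `status_at` on 15 March still returns the opt-in, which is what proves the earlier send was lawful. And when the store throws, the gate records a denial with the error as the reason instead of guessing; that audit trail is also how you notice an outage that is silently suppressing legitimate sends.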

    The Human Angle

    It's easy to get lost in the technical and legal details and forget what consent management is actually about: respecting people.

    Every data point in your system represents a real person who trusted you with something. Their phone number, their email address, their attention. That trust is a gift, and it comes with an implicit expectation: "I'm giving you this because I believe you'll use it the way you said you would."

    When you send someone a message they didn't ask for, on a channel they didn't consent to, about something they don't care about, you're not just risking a fine. You're breaking a small promise. Do it enough times, to enough people, and you've defined your brand: the company that doesn't listen.

    The companies that will thrive in the next decade are the ones that treat consent not as a constraint, but as a conversation. "What would you like to hear about? How would you like to hear about it? Has that changed?" It's not complicated. It's just respectful.

    And if your consent management system makes that conversation possible (reliable, auditable, and consistent across every channel) then you've built something genuinely valuable. Not just for compliance. For trust.

    Sources

    1. Cisco, 2023 Data Privacy Benchmark Study. https://www.cisco.com/c/en/us/about/trust-center/data-privacy-benchmark-study.html
    2. ICO enforcement action against We Buy Any Car Limited, £200,000 fine for PECR violations (2021). https://gdprhub.eu/index.php?title=ICO_(UK)_-_We_Buy_Any_Car_Limited
    3. ICO Monetary Penalty Notice against Halfords Limited (PDF). https://ico.org.uk/media2/migrated/4021458/halfords-limited-monetary-penalty-notice.pdf
    4. ICO Monetary Penalty Notice against British Airways, £20m fine for data breach (PDF). https://ico.org.uk/media2/migrated/2618421/ba-penalty-20201016.pdf
    5. ICO Monetary Penalty Notice against Marriott International Inc, £18.4m fine for data breach (PDF). https://ico.org.uk/media2/migrated/2618524/marriott-international-inc-mpn-20201030.pdf
    6. FCC closes lead generator loophole, 2024 TCPA update. https://www.fcc.gov/document/fcc-closes-lead-generator-robocall-loophole-adopts-robotexts-rules
    7. Salesforce, 2023 State of the Connected Customer report. https://www.salesforce.com/resources/research-reports/state-of-the-connected-customer/
    8. DMA, Consumer Email Tracker 2023. https://dma.org.uk/research/consumer-email-tracker-2023