Marla Hay, Director of Product, Salesforce

Just In Time Consent

Just-in-time consent is the concept of requesting permission for data use at the time that is most relevant in order to ensure the user understands the request, the exchange for value, and is able to most effectively exert control over their data.



Some website or applications mandate that the user agree to all data use terms in order to use the application, or presume agreement simply through application use. However, it’s not practical for an end user to read or understand lengthy policies, or to to expect they will not use the website or application if they don’t agree to the full scope of the terms. Instead, the user should understand how an application wishes to use their data, understand in practical terms the scope of use, and have the option to decide on a case by case basis whether they agree to the value exchange.


Just-in-time consent can help provide context and value exchange for the request as well as plain language and small feature agreements that allow the user to make a more informed choice when providing consent. Just-in-time consent should be used in conjunction with the below concepts:

  1. The information provided must always include an option to decline permission. This decision should not stop the user from using the site or service.

  2. It should be easy for the user to understand what they’ve agreed to and how it’s used.

Who is this for?

  • People who want to limit how applications and websites use their data

  • Tech savvy individuals who are more active in managing individual data on the internet


Just-In-Time Cookie Request

Just-in-time cookie requests that align with the functionality of the site. Here, the customer understands that if they wish to use the shopping cart functionality, they need to allow a cookie.

If the user selects “No” - they should see an option to purchase the shirt without using the shopping cart functionality in a way that doesn’t require new cookies.

If the user selects “More information on this cookie” they will see details on how the cookie is used. The cookie should never be used beyond the utility for the customer or it’s stated value exchange.

The user should always have an option to close the window without selecting any button or link (the “X” on the modal, in this case.)

The user should be able to revoke permission for this cookie via the website.

Just-In-Time Request to Share Data

A user should have the expectation that their data will not be shared with a third party unless it’s been explicitly granted by the user. When the user has consented to share data with a third party, that third party cannot use or share that data other than however consent has been explicitly granted by the user.

screenshotsPrivacyStudy (2).png

If the user clicks “Sure”, only their location data is shared. Hike USA may only use the data for the purposes of recommending expeditions and may not share or use that data in any other way. This permission must be revocable through the Northern Trail website.

If the user clicks “No, thanks,” they shouldn’t see this request again, except through their profile page.

If the user closes the window without responding, the effect is the same as if they’d selected “No, thanks.”

Salesforce platform objects that enable data privacy protection