NIST 800-53 REV 5 • PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY

PT-4(1) Tailored Consent

Provide {{ insert: param, pt-04.01_odp }} to allow individuals to tailor processing permissions to selected elements of personally identifiable information.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

While some processing may be necessary for the basic functionality of the product or service, other processing may not. In these circumstances, organizations allow individuals to select how specific personally identifiable information elements may be processed. More tailored consent may help reduce privacy risk, increase individual satisfaction, and avoid adverse behaviors, such as abandonment of the product or service.

Practitioner Notes

Tailored consent means adjusting the granularity and presentation of consent requests based on the sensitivity of the data and the specific processing activity. Not all consent requests should be the same.

Example 1: For less sensitive data (like a name for a newsletter signup), a simple checkbox consent may suffice. For more sensitive data (like health information or biometrics), present a more detailed consent form that explains the specific risks and protections in place.

Example 2: On your website, present layered consent — a brief summary with an 'I agree' button, plus an expandable section with full details for those who want them. This respects user time while still providing complete information for those who want it.
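As an added illustration (not part of the NIST text), the per-element permissions this enhancement calls for can be enforced in code: each (PII element, purpose) pair carries its own consent, processing necessary for basic functionality needs none, and a high-sensitivity element only accepts a grant made through the detailed form of Example 1. The element names, purposes and the Sensitivity/ConsentRecord types are constructed for this example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Sensitivity(Enum):
    LOW = "low"    # e.g. a name for a newsletter: simple checkbox consent
    HIGH = "high"  # e.g. health or biometric data: detailed consent form


@dataclass(frozen=True)
class PiiElement:
    name: str
    sensitivity: Sensitivity
    # Purposes for which this element is necessary for basic functionality;
    # processing for those purposes does not depend on tailored consent.
    required_for: frozenset = frozenset()


@dataclass
class ConsentRecord:
    """One individual's choices, kept per (element, purpose) pair."""
    granted: set = field(default_factory=set)

    def grant(self, element: PiiElement, purpose: str,
              detailed_notice_ack: bool = False) -> bool:
        # A high-sensitivity element requires the detailed consent form, so a
        # bare checkbox-style grant is refused for it and nothing is recorded.
        if element.sensitivity is Sensitivity.HIGH and not detailed_notice_ack:
            return False
        self.granted.add((element.name, purpose))
        return True

    def withdraw(self, element: PiiElement, purpose: str) -> None:
        # Withdrawal is per element and purpose, not all-or-nothing.
        self.granted.discard((element.name, purpose))


def processing_allowed(element: PiiElement, purpose: str,
                       consent: ConsentRecord) -> bool:
    """Allow processing only if necessary for the purpose or explicitly consented."""
    if purpose in element.required_for:
        return True
    return (element.name, purpose) in consent.granted


# Constructed sample elements: email is needed to log in, health data is optional.
EMAIL = PiiElement("email", Sensitivity.LOW, frozenset({"account_login"}))
HEALTH = PiiElement("health_conditions", Sensitivity.HIGH)
```

Every processing path in the product should call `processing_allowed` rather than reading the stored flags directly, so that withdrawing one element for one purpose takes effect everywhere.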