NIST 800-53 REV 5 • PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY
PT-4(2) — Just-in-time Consent
Present {{ insert: param, pt-04.02_odp.01 }} to individuals at {{ insert: param, pt-04.02_odp.02 }} and in conjunction with {{ insert: param, pt-04.02_odp.03 }}.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
Supplemental Guidance
Just-in-time consent enables individuals to participate in how their personally identifiable information is being processed at the time or in conjunction with specific types of data processing when such participation may be most useful to the individual. Individual assumptions about how personally identifiable information is being processed might not be accurate or reliable if time has passed since the individual last gave consent or the type of processing creates significant privacy risk. Organizations use discretion to determine when to use just-in-time consent and may use supporting information on demographics, focus groups, or surveys to learn more about individuals’ privacy interests and concerns.
Practitioner Notes
Just-in-time consent means asking for consent at the exact moment it is needed, rather than bundling all consent requests upfront. This gives people more control and better understanding of what they are agreeing to.
Example 1: Instead of asking for permission to access the camera, microphone, and location all at once during app signup, ask for camera access only when the user tries to take a photo, location access only when they search for nearby services, and so on.
Example 2: On a web application, the first time a user reaches a feature that requires additional data processing (like analytics on their usage patterns), present a contextual consent prompt explaining what data will be collected and why. Store the response and do not ask again unless the terms change.
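The flow in Example 2, sketched as an added example (it is not part of NIST SP 800-53 or of this page's source). The class, function, purpose name and notice versions are hypothetical, and an in-memory Map stands in for a real datastore.

```javascript
// Added example; all names and notice contents are constructed for illustration.
const NOTICES = {
  usage_analytics: {
    version: "2024-01",
    text: "We analyse which features you use in order to improve the product.",
  },
};

class ConsentLedger {
  constructor(notices) {
    this.notices = notices;   // purpose -> current notice
    this.records = new Map(); // "user:purpose" -> latest decision (datastore stand-in)
    this.history = [];        // append-only trail of every decision
  }

  currentNotice(purpose) {
    const known = Object.prototype.hasOwnProperty.call(this.notices, purpose);
    if (!known) throw new Error(`no notice defined for purpose: ${purpose}`);
    return this.notices[purpose];
  }

  // Decide what the feature may do right now: "prompt", "proceed" or "skip".
  evaluate(userId, purpose) {
    const notice = this.currentNotice(purpose);
    const rec = this.records.get(`${userId}:${purpose}`);
    // No answer yet, or the answer was given against older terms: ask at point of use.
    if (!rec || rec.noticeVersion !== notice.version) return { action: "prompt", notice };
    return { action: rec.granted ? "proceed" : "skip" };
  }

  // Store the answer together with the notice version the individual actually saw.
  record(userId, purpose, granted, now = new Date()) {
    const { version } = this.currentNotice(purpose);
    const rec = { userId, purpose, granted: granted === true,
                  noticeVersion: version, at: now.toISOString() };
    this.records.set(`${userId}:${purpose}`, rec);
    this.history.push(rec);
    return rec;
  }
}

// Feature entry point: collection runs only on an affirmative answer to the current notice.
function openUsageDashboard(ledger, userId, collect) {
  const decision = ledger.evaluate(userId, "usage_analytics");
  if (decision.action === "proceed") collect(userId);
  return decision;
}
```

A stored refusal is honoured the same way as a stored grant: the user is not prompted again until the notice version changes.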