The Consent Service can be used as a data source for making access control decisions. If a particular data usage scenario requires consent, then the application or service needing to access or process that data must not be able to use the data unless the user has provided consent. The entity that performs this consent check may be the application itself or some other service.
To perform a consent check, the Consent API client must be able to correlate a data access request type with a consent definition. For example, if a web application needs to collect a user's browsing behavior, this data collection scenario might be represented by a consent definition called browsing-behavior. The application would check for an existing consent grant by searching the Consent API for a consent record that matches the user and the browsing-behavior consent definition. If a match is found, then the application can proceed. If a match is not found, the application must collect consent from the user.