Designing Auditable and Version-Aware Consent Management Systems for Regulatory Compliance

Abstract


Context: Data protection regulations such as the GDPR and the Brazilian LGPD impose strict requirements on consent management, including demonstrability, revocation support, accountability, and traceability. In practice, however, many existing consent management solutions fail to preserve a reliable historical linkage between user consent decisions and the specific versions of privacy policies in force at the time of collection, which undermines auditability and regulatory compliance.

Goal: This paper aims to design a modular, scalable, and interoperable software architecture that supports the registration, explicit versioning, and auditing of user consent, ensuring traceability, integrity, and compliance with privacy regulations while preserving the historical binding between consent records and evolving privacy policies.

Method: We follow a Design Science Research approach to derive architectural requirements from GDPR, LGPD, and relevant ISO/IEC standards, and to design a microservice-based consent management architecture. The proposed solution is instantiated as a proof of concept composed of independent services for policy management and consent recording, exposed through RESTful APIs. The architecture is demonstrated in a controlled environment through end-to-end consent lifecycle scenarios, including policy versioning, consent granting and refusal, revocation, and audit querying.

Results: The proof of concept shows that explicit policy versioning, cryptographic integrity mechanisms, and event-based consent recording can be combined to preserve immutable historical records of consent decisions. Each consent, refusal, and revocation event is deterministically bound to a specific policy version, enabling consistent audit queries by user, policy, and time.

Conclusion: The study indicates that a version-aware, microservice-oriented design provides a feasible foundation for auditable and regulation-compliant consent management. By treating privacy policies as versioned artifacts and consent as a persistent event history, the proposed architecture bridges regulatory requirements and implementable software mechanisms.
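
One way to realise the combination described in the Results, added here as an illustration and not taken from the paper or its proof of concept: an append-only consent event log in which each event stores the hash of the exact policy version it refers to and the hash of the preceding event. The SHA-256 hash chain, the `ConsentLedger` class, its method names and the sample data are assumptions; the abstract does not state which integrity mechanism the authors use.

```python
import hashlib, json
GENESIS = "0" * 64  # "prev" value of the first event

def digest(obj):
    """SHA-256 over canonical JSON (sorted keys, fixed separators)."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

class ConsentLedger:
    def __init__(self):
        self.policies = {}  # (policy_id, version) -> SHA-256 of the published text
        self.events = []    # append-only; each event commits to the previous hash

    def publish_policy(self, policy_id, version, text):
        if (policy_id, version) in self.policies:
            raise ValueError("a published policy version is immutable")
        self.policies[(policy_id, version)] = hashlib.sha256(text.encode()).hexdigest()

    def record(self, user, policy_id, version, action, ts):
        if action not in ("grant", "refuse", "revoke"):
            raise ValueError("unknown action")
        body = {"user": user, "policy_id": policy_id, "version": version, "action": action,
                "ts": ts, "policy_hash": self.policies[(policy_id, version)],
                "prev": self.events[-1]["hash"] if self.events else GENESIS}
        self.events.append({**body, "hash": digest(body)})

    def verify(self):
        """Index of the first event with a broken chain or policy binding, or -1 if intact."""
        prev = GENESIS
        for i, ev in enumerate(self.events):
            body = {k: v for k, v in ev.items() if k != "hash"}
            bound = self.policies.get((ev["policy_id"], ev["version"]))
            if ev["prev"] != prev or ev["hash"] != digest(body) or ev["policy_hash"] != bound:
                return i
            prev = ev["hash"]
        return -1

    def audit(self, user=None, policy_id=None, until=None):
        """Filter by user, policy and time (ISO-8601 UTC strings sort chronologically)."""
        return [e for e in self.events if user in (None, e["user"])
                and policy_id in (None, e["policy_id"]) and (until is None or e["ts"] <= until)]

def demo_ledger():  # constructed sample lifecycle: two versions, grant, refusal, revocation
    led = ConsentLedger()
    led.publish_policy("privacy", 1, "v1: we collect e-mail addresses")
    led.publish_policy("privacy", 2, "v2: we also collect location")
    led.record("alice", "privacy", 1, "grant", "2025-01-10T09:00:00Z")
    led.record("bob", "privacy", 2, "refuse", "2025-03-02T12:00:00Z")
    led.record("alice", "privacy", 1, "revoke", "2025-04-01T08:30:00Z")
    return led
```

Tampering is detectable only if the latest event hash is also stored where the ledger's writer cannot change it, since anyone able to rewrite every event can recompute the whole chain.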

Published
11/05/2026
CASTRO, Claudio Henrique Pereira de; SILVA, Geovana Ramos Sousa; SPÓSITO, Stefano Luppi; CANEDO, Edna Dias. Designing Auditable and Version-Aware Consent Management Systems for Regulatory Compliance. In: CONGRESSO IBERO-AMERICANO EM ENGENHARIA DE SOFTWARE (CIBSE), 29., 2026, Recife/PE. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2026. p. 234-248.