HighFile-scope

Persist consent per purpose with immutable history

Consent must be stored per user and per purpose with lawful_basis, version, granted_at, source, and optional revoked_at. Do not overwrite or store a single boolean flag. (GDPR Art. 7, purpose limitation)

Add to Mesrai Open workspace

Why this matters

Granular, auditable consent enables purpose limitation and proof of consent/revocation.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

CREATE TABLE users (
 id UUID PRIMARY KEY,
 email TEXT,
 consent BOOLEAN -- single flag, no purpose/version
);

Prefer

CREATE TABLE consents (
 id UUID PRIMARY KEY,
 user_id UUID NOT NULL,
 purpose TEXT NOT NULL, -- e.g., analytics, marketing
 lawful_basis TEXT NOT NULL, -- consent, contract, legitimate_interest
 version TEXT NOT NULL, -- policy version
 granted_at TIMESTAMPTZ NOT NULL,
 source TEXT NOT NULL, -- ui, api, import
 revoked_at TIMESTAMPTZ
);
CREATE UNIQUE INDEX consents_latest ON consents(user_id, purpose, version, granted_at DESC);

More snippets

Good

INSERT INTO consents(user_id,purpose,lawful_basis,version,granted_at,source)
VALUES($1,'analytics','consent','v3',NOW(),'ui');

Bad

UPDATE users SET consent=true WHERE id=$1;

Related rules

From the same buckets as this rule.

Critical
Idempotent Right to Erasure across all stores
Provide a single idempotency-keyed erasure workflow that scrubs PII in primary DB, caches, search indices, and object storage; emit an audit event with erasure_request_id. (GDPR Art. 17)
compliance-gdprprivacy-pii+2
High
Encrypt PII at rest using application-layer crypto
Encrypt sensitive columns (e.g., email, phone) with managed keys; ensure DB connection enforces TLS. Store only ciphertext; compare via deterministic token/hashes when needed. (GDPR Art. 32)
compliance-gdprsecurity-hardening+1
High
Enforce retention with explicit TTL per data category
PII tables must include an expires_at (or retention_policy) column and a scheduled deletion/archival job aligned to data category. No indefinite retention. (GDPR Art. 5(1)(e))
compliance-gdprprivacy-pii+2

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

CREATE TABLE users (
 id UUID PRIMARY KEY,
 email TEXT,
 consent BOOLEAN -- single flag, no purpose/version
);

Prefer

CREATE TABLE consents (
 id UUID PRIMARY KEY,
 user_id UUID NOT NULL,
 purpose TEXT NOT NULL, -- e.g., analytics, marketing
 lawful_basis TEXT NOT NULL, -- consent, contract, legitimate_interest
 version TEXT NOT NULL, -- policy version
 granted_at TIMESTAMPTZ NOT NULL,
 source TEXT NOT NULL, -- ui, api, import
 revoked_at TIMESTAMPTZ
);
CREATE UNIQUE INDEX consents_latest ON consents(user_id, purpose, version, granted_at DESC);

More snippets

Good

INSERT INTO consents(user_id,purpose,lawful_basis,version,granted_at,source)
VALUES($1,'analytics','consent','v3',NOW(),'ui');

Bad

UPDATE users SET consent=true WHERE id=$1;

Related rules

From the same buckets as this rule.

Critical

Idempotent Right to Erasure across all stores

Provide a single idempotency-keyed erasure workflow that scrubs PII in primary DB, caches, search indices, and object storage; emit an audit event with erasure_request_id. (GDPR Art. 17)

compliance-gdprprivacy-pii+2

High

Encrypt PII at rest using application-layer crypto

Encrypt sensitive columns (e.g., email, phone) with managed keys; ensure DB connection enforces TLS. Store only ciphertext; compare via deterministic token/hashes when needed. (GDPR Art. 32)

compliance-gdprsecurity-hardening+1

High

Enforce retention with explicit TTL per data category

PII tables must include an expires_at (or retention_policy) column and a scheduled deletion/archival job aligned to data category. No indefinite retention. (GDPR Art. 5(1)(e))

compliance-gdprprivacy-pii+2