Customer Consent: The Trust Currency of the Digital Age

By Patricia A. Pramono • Studio 1080, Published on August 08, 2025

“Do you agree to our terms and conditions?”

Most people click “yes” without a second thought. But behind that simple click lies one of the most crucial aspects of digital trust today, and that is customer consent.

In cybersecurity and digital business, consent is no longer just a legal formality. It's a signal of trust, a marker of responsibility, and in Indonesia, a legal requirement under the country’s Personal Data Protection Law (UU PDP). But why is it such a big deal, and what does it really mean for your business and your customers?

Consent in Indonesia’s PDP Law: What Businesses Must Know

UU PDP (Undang-Undang Perlindungan Data Pribadi), officially passed in October 2022, is Indonesia’s first comprehensive data protection law. It’s modeled after the EU’s GDPR (General Data Protection Regulation) and was created in response to rising data breaches and privacy concerns across the country. This law regulates how personal data should be collected, processed, stored, and shared, and one of its key pillars is explicit, informed consent.

Indonesian businesses (and any company that serves Indonesian users) have been given a two-year transition period, meaning by October 2024, they must begin complying, and by October 2025, enforcement will be in full effect with possible fines, sanctions, or even imprisonment for violations (Didomi, 2022).

Whether you’re an e-commerce brand, a SaaS platform, or a digital publisher, if you collect personal data in Indonesia, UU PDP applies to you.

This regulation defines personal data broadly and mandates specific practices to ensure consumer privacy. Here are some key takeaways about consent in UU PDP:

  • It must be explicit, informed, and purpose-specific
  • Consumers must be able to withdraw their consent
  • Businesses must keep records of consent given
  • Consent is one of the 7 legal bases for processing personal data, but it’s the most commonly used
  • You have 72 hours to respond to a consumer’s request to withdraw or update consent

If you're running an app, website, or marketing campaign targeting Indonesian users, you must ensure every data capture (whether it's via a form, cookie, or signup) is consent-based and well-documented.

What is Customer Consent in Data Privacy?

Customer consent refers to a user’s clear, informed, and voluntary agreement to allow a business to collect, use, or share their personal data. This data can range from something basic like a name or email address, to more sensitive information such as location, financial records, or behavioral profiles.

At its core, consent is about control. It gives individuals the power to decide what happens to their personal information in the digital space.

But not all forms of consent are valid. Just because a user clicks “I agree” doesn’t automatically mean the business is in the clear. Under most global data privacy laws, there are standards that define what legitimate consent looks like.

To be considered valid, customer consent must be (Stripe, 2024):

  • Informed: Customers need to fully understand what data is being collected, for what purpose, and who it might be shared with. There should not be room for vague or hidden policies.
  • Voluntary: There can’t be any pressure, manipulation, or forced opt-ins. Users must be free to say no.
  • Specific: Blanket agreements that try to cover everything aren’t valid. Consent must be tied to a clearly defined purpose.
  • Revocable: Customers must be able to change their mind. If they withdraw consent later, the company must respect that decision.

These are now the legal expectations. And in today’s digital economy, where personal data has become a core asset, earning customer consent is a continuous process of transparency, communication, and respect for user rights.

Why Should Businesses Care About Customer Consent?

As mentioned above, if you’re running a digital business in Indonesia (or simply serving Indonesian users), you are legally required to obtain proper consent before processing their data. The Personal Data Protection Law (UU No. 27 of 2022) makes this crystal clear.

Failure to do so could lead to hefty penalties, including imprisonment and fines up to 2% of annual revenue (Didomi, 2022).

But this isn’t just about avoiding fines. Consent is also good for business:

  • It builds trust and transparency
  • It enhances your reputation
  • It ensures you’re collecting accurate, high-quality data
  • It differentiates you from less ethical competitors

In fact, a report found that 71% of consumers would stop doing business with a company that shared their data without permission (Ping Identity, 2023).

Simply put, customers don’t do business with brands they don’t trust.

Why Should Consumers Care About Consent?

As a consumer, your data is a digital version of yourself. It’s your preferences, your identity, your behavior, and it’s valuable. When you give your consent, you’re essentially giving someone access to a part of your life. Knowing when and how to give that consent gives you control.

Without understanding consent:

  • Your personal data could be sold to third parties without you realizing
  • You might get spammed with targeted ads or scam calls
  • You risk being a victim of identity theft or phishing

Phishing cases have increased by over 60% compared to 2021, and many attacks use data leaked through unethical data sharing to craft more convincing scams (BBC, 2025).

Consent, then, becomes your digital shield.

What Happens If You Ignore Consent?

Companies that mishandle customer data (or skip the consent process) don’t just risk fines. They risk their reputation, customer trust, and long-term growth. Let’s take a look at some recent, real-world consequences:

  • Instagram was fined €405 million for exposing children’s personal data without proper consent, after many were unknowingly upgraded to public business accounts (Channel News Asia, 2024)
  • Enel Energia, an Italian energy provider, was slapped with a €26 million fine for making sales calls to people who had explicitly opted out (Ping Identity, 2023)
  • Zoom settled for $85 million after being sued for sharing user data with third parties like Facebook without sufficient disclosure (Ping Identity, 2023)

These cases are proof that customers are watching, regulators are acting, and privacy matters more than ever. But here’s the flip side: when done right, customer consent is a competitive advantage.

Over 76 million consumer accounts are now using the Financial Data Exchange (FDX) to share their data willingly, up to 11 million in just six months. This reflects a growing willingness among consumers to share data if they trust you (Stripe, 2024).

So what happens when businesses build that trust?

They get:

  • Better data: accurate, permissioned, and relevant
  • Stronger relationships: because customers feel respected
  • Smarter campaigns: personalization that doesn't feel creepy
  • A stronger brand: ethical practices are now a selling point

Best Practices for Getting and Managing Consent

When individuals share their personal data with your business, they are placing a significant amount of confidence in how that information will be handled. Earning and maintaining that trust requires a thoughtful, ethical approach.

Below are key best practices for collecting and managing customer consent effectively:

1. Use clear, accessible language

Consent requests should be written in understandable terms. Avoid legal or overly technical language. Customers should be able to understand exactly what they’re agreeing to without confusion or ambiguity.

2. Explain what data you’re collecting and why

Be transparent about your intentions. Whether the data is used for marketing, analytics, or improving user experience, users are more likely to give meaningful consent when they understand the purpose behind the request.

3. Provide easy opt-out and withdrawal mechanisms

Consent should be freely given and just as easily withdrawn. Ensure that users can change their preferences or revoke consent at any time, without difficulty or penalty.

4. Maintain detailed consent records

Keep a secure, verifiable record of when, how, and for what purpose consent was given. Consent Management Platforms (CMPs) or Customer Relationship Management (CRM) systems can help ensure this process is well-documented and legally defensible.

5. Practice data minimization

Collect only the data that is truly necessary for your operations. The more data you collect, the greater your responsibility, and the higher the potential risk. Focus on gathering information that directly supports your stated business purposes.

6. Educate your internal teams

Ensure that all departments (especially those interacting with customer data) understand privacy principles and consent obligations. Regular training sessions help instill a culture of accountability and reduce the risk of accidental misuse.

7. Reevaluate your consent practices regularly

Laws and user expectations are evolving. Conduct periodic audits of your consent frameworks to ensure they remain compliant with regulatory changes and aligned with your customers’ values.

Final Thoughts

Getting consent right isn’t just about following the rules, it’s about treating your customers with respect. And when you do that, you don’t just meet regulatory standards, you earn customer trust and loyalty.

Whether you’re a startup or an enterprise, a local brand or a global company, the message is the same: protect customer privacy, and they’ll protect your brand in return.

If your business is navigating Indonesia’s PDP Law or looking to strengthen its data protection posture, Cisometric can support you through every stage, from readiness assessments and consent audits to staff training and secure system implementation. Our team combines cybersecurity expertise with a privacy-first approach to help you go beyond and build meaningful digital trust.

Let’s build a safer, more transparent data culture, together.

Reference:

What is consumer-permissioned data? Here’s how to use it and why it’s so important

Indonesia's new data protection law: everything you need to know

Top 5 Reasons Why Customer Data Privacy Is Important

Customer Privacy and Consent Best Practice 
