Consent Info
Check — before calling a Network API — whether the subscriber has the required permission to process data for a specific purpose and scope, and get a redirect URL when consent management is needed.
Why Consent Info

Explicit consent made easy for service providers
The ‘Consent Info’ API enables developers to quickly verify if they have the required permissions to handle a user’s personal data for a particular purpose prior to accessing other CAMARA APIs. It offers a straightforward true/false response and, when relevant, provides a URL to direct the user to manage their consent at the most appropriate time.
By using this API, developers can utilize their understanding of their customers to initiate the consent collection process through the most appropriate channel for their application’s use case.
Trust by Orange
In a fast-moving digital economy, trust is the condition for adoption. Orange has made trust a strategic priority through its roadmap “Trust the Future” (2026–2030), aligned with its purpose: “Orange gives everyone the keys to a responsible digital world.” This ambition is about going beyond basic customer experience to build a more proactive, personal relationship at scale.
To deliver that ambition, Orange is investing in innovative growth: expanding beyond connectivity with digital services, cybersecurity, and cloud capabilities. In that context, Network APIs are a key step forward—opening programmable, standardized network capabilities that help enterprises build secure, identity-verified, high-performance user journeys.
Crucially, Orange’s approach is that growth and responsibility must move together. Network APIs are designed not only as technical enablers, but as a way to embed privacy and transparency into execution. Through Orange’s consent and privacy governance, compliance with data protection regulations (including GDPR and equivalent frameworks) becomes a programmable mechanism that supports safer experiences and helps reduce friction, rather than creating operational barriers.
Benefits

Enhanced User Trust and Security
This API reinforces trust by ensuring that privacy management and ownership remain with the API provider. The actual consent capture occurs within the API provider’s secure environment, authenticating the user with their provider credentials.

Improved Conversion and User Experience
By leveraging knowledge of their customers, developers can trigger the consent process at the most effective time and through the most effective channel. This boosts the chances of a positive response and avoids friction by first checking whether consent is already in place before prompting the user.

Flexible and Decoupled Integration
The API allows a developer to retrieve the consent URL from a backend server and present it on any device or application interface. This is ideal for pure backend services (e.g., background anti-fraud checks) where a user is not actively using a device, or for services on devices with limited interaction capabilities.
Use cases
Consent capture during onboarding
During a user’s digital or physical registration process, a developer can take advantage of the user’s presence to pre-capture the consent required for the set of APIs the service will use later.
In-app notification for consent
Developers can push a notification within their application, allowing customers to directly access the consent capture process in an easy-to-access place.
Consent capture campaigns
Applications can create campaigns via email or other channels to capture consent from substantial portions of their user base.
Personalized services
For experiences that rely on service personalization signals, verify permission first and route users to consent management only when necessary.
GDPR fundamentals for Network APIs
Orange exposes network capabilities to enterprises through GSMA Open Gateway and CAMARA-standard Network APIs (e.g., SIM Swap, Device Location). In this model, privacy compliance is shared end-to-end: Orange provides compliant network infrastructure, but application providers remain responsible for their own regulatory obligations and for using the APIs in line with the declared purpose and rules.
To invoke a Network API under GDPR, the application must rely on a valid legal basis. In practice, Network API use typically falls into two main categories, which also shape the user experience:
- Legitimate Interest (security & protection): Used for essential security needs such as fraud prevention or protecting accounts. The enterprise must perform and document a balancing test (necessity, proportionality, no less intrusive alternative, and no unreasonable user surprise). This path can run silently to reduce friction and avoid tipping off fraudsters, while still encouraging clear user information and preserving the right to object (opt-out) via Orange customer channels.
- Explicit Consent (enhanced services & personalization): Required when processing involves more sensitive or precise data or supports comfort/personalization use cases. The user must take a clear affirmative action before data is processed, in a foreground experience similar to OS permissions. Consent is time-bound and typically needs periodic renewal (often around one year, depending on the agreed lifecycle).
Frequently Asked Questions
- Freely given (no coercion or penalty for refusal),
- Specific (tied to a single purpose/use case),
- Informed (clear, accessible explanation of what and why),
- Unambiguous (explicit affirmative action; no pre-ticked boxes or passive acceptance).
Related APIs

KYC Match
Verify whether the information provided by users matches data from their mobile operator.

Number Verification
Verify phone numbers for data integrity and enhanced user authentication processes.

