I’ve been thinking a lot about privacy consent lately. Not the legal side—though that matters—but the experience side. The way we currently handle consent is, frankly, insulting to users.
You know the drill. Land on a site, get slapped with a modal, click through seventeen toggles you don’t understand, accept something you didn’t read, and get on with your life. Nobody reads those consent forms. Nobody understands the toggles. And nobody—nobody—feels like they made an informed decision.
We can do better. And I think LLMs give us a way to do it.
The Problem With Consent Walls
Traditional consent mechanisms suffer from a fundamental design flaw: they front-load all the complexity at the worst possible moment. User arrives, user wants to do something, user gets blocked by a wall of legalese.
The result?
| What we wanted | What we got |
|---|---|
| Informed consent | Exhausted acceptance |
| User control | User surrender |
| Trust building | Friction creation |
| GDPR compliance | Box-ticking theatre |
The irony is thick. GDPR was designed to protect users, but the implementation has trained everyone to click “Accept All” as fast as humanly possible. We’ve turned privacy into a speed bump.
Introducing: The Conversational Consent Pattern
Here’s a different approach. Instead of throwing consent at users upfront, what if we discussed it with them? What if privacy preferences emerged naturally through conversation, at the moment they become relevant?
I’m calling this the Conversational Consent Pattern, and it’s built on a simple insight: LLMs are really good at having nuanced conversations about complex topics. Privacy is a complex topic. Let’s put them together.
The pattern works like this:
- Default to permissive — Start with reasonable defaults that let users actually use your product
- Surface consent contextually — When you need specific consent, ask for it in the flow, not before it
- Use natural language — Let the LLM explain what you’re asking and why, in plain English
- Respect the answer — Store preferences, honour them, and don’t ask again unnecessarily
- Inject context to agents — Tell your AI what consent exists so it can behave appropriately
What This Looks Like In Practice
Imagine a beauty consultation app. Traditional approach: wall of consent toggles before you can ask a single question about skincare.
Conversational approach:
User: “I’ve got really oily skin and I’m breaking out around my chin. What should I do?”
Assistant: “I can definitely help with that! To give you the best advice, I’d love to understand a bit more about your skin history and routine. Would you be comfortable if I saved this information to your profile so I can give you more personalised recommendations over time? You can always change this later.”
User: “Yeah, that’s fine.”
Assistant: “Perfect, I’ve noted that. Now, about that oily skin…”
Notice what happened there. The user got value immediately (the conversation started). Consent was requested in context (when it became relevant). The explanation was conversational (not a wall of legal text). And the preference was captured and respected.
No modals. No toggles. No dark patterns. Just a conversation between adults.
The Technical Architecture
Here’s how you wire this up:
1. Compliance State Service
You need a service that tracks what consent exists for the current user:
interface ConsentState {
hasExplicitPreferences: boolean;
profileDataConsent: boolean;
conversationHistoryConsent: boolean;
behaviouralTrackingConsent: boolean;
marketingConsent: boolean;
analyticsConsent: boolean;
thirdPartyConsent: boolean;
consentVersion: string;
}
When no explicit preferences exist, you default to permissive (within legal bounds). When the user makes a choice, you store it.
2. Context Injection
Your LLM needs to know what consent exists. Inject the compliance state as context variables:
const contextVariables = {
// ... your other context
has_privacy_preferences: consentState.hasExplicitPreferences,
consent_profile_data: consentState.profileDataConsent,
consent_analytics: consentState.analyticsConsent,
is_privacy_restrictive: isRestrictiveMode(consentState),
};
Now your agent can make intelligent decisions. If the user has opted out of profile storage, the agent knows not to offer personalisation features.
3. Consent Collection Functions
Register “tools” or “functions” that your LLM can call when consent is needed:
{
name: 'requestConsentForCategory',
description: 'Request user consent for a specific data category. Call this when you need to perform an action that requires consent the user hasn\'t yet given.',
parameters: {
category: {
type: 'string',
enum: ['profile', 'analytics', 'marketing', 'third_party'],
description: 'The consent category needed'
},
reason: {
type: 'string',
description: 'Plain language explanation of why this consent is needed'
}
}
}
When the LLM determines it needs consent it doesn’t have, it can request it conversationally, explain why, and handle the user’s response.
4. Backend Integration
Your consent state needs to persist. Build proper API endpoints:
GET /api/me/privacy/consent— Current preferencesPUT /api/me/privacy/consent— Update preferencesGET /api/me/privacy/consent/history— Audit trail
The audit trail matters. GDPR requires you to prove consent was given freely and specifically. A conversational log showing the user explicitly agreeing is far stronger evidence than a checkbox click.
Why This Is Better
For users:
- No consent walls blocking their goals
- Natural language explanations they actually understand
- Consent requested only when relevant
- Easy to change preferences by just… talking
For compliance:
- Clear audit trail of consent conversations
- Specific, informed consent (not blanket acceptance)
- Demonstrable that consent was freely given
- Easy to implement right to withdraw
For product:
- Lower bounce rates (no consent wall abandonment)
- Higher engagement (users aren’t annoyed before they start)
- Better data quality (users who consent actually meant it)
- Competitive advantage (privacy as a feature, not a burden)
The Philosophical Bit
There’s something deeper here. Traditional consent mechanisms treat privacy as a barrier—something to get past before the real experience begins. The Conversational Consent Pattern treats privacy as part of the relationship.
When you ask someone for permission in conversation, you’re treating them as a person. When you explain why you need something, you’re building trust. When you respect their answer, you’re demonstrating integrity.
This is how humans actually handle sensitive information. We don’t front-load consent; we build trust over time through appropriate disclosure and respect for boundaries.
LLMs give us the tools to bring that human pattern into software. We should use them.
Real-World Implementations
We’ve been exploring this pattern at TheControlGroup and Laris, particularly in our BeautyAI work. The results have been encouraging—users are more willing to share information when asked conversationally, and more likely to actually understand what they’re agreeing to.
I can’t share specifics (client work, NDAs, the usual), but the pattern itself is generic enough to apply anywhere you’re collecting user data: healthcare apps, financial services, e-commerce personalisation, anything where trust matters.
Getting Started
If you want to try this:
- Audit your current consent flows — Where are you front-loading consent? What could be deferred?
- Build your consent state service — Track what explicit preferences exist
- Inject context to your LLM — Tell it what consent exists (and doesn’t)
- Register consent collection functions — Let the LLM request consent when needed
- Wire up your backend — Proper storage with audit trails
- Test with real users — Watch how they respond to conversational consent vs. traditional modals
The code isn’t complicated. The mindset shift is the hard part—treating consent as conversation rather than obstacle.
The Bet
Here’s the thing: privacy regulations aren’t going away. If anything, they’re getting stricter. The companies that figure out how to make privacy feel good are going to have a massive advantage.
Dark patterns are being banned. “Accept All” buttons are being scrutinised. The consent wall approach is on borrowed time.
Conversational consent is future-proof. It’s compliant by design. It’s user-friendly by nature. And it actually achieves what privacy laws were trying to accomplish all along: informed consent from empowered users.
That’s the bet, anyway. Build privacy into the conversation, not around it. Let the LLM do what it’s good at—explaining, contextualising, respecting nuance. Let your backend do what it’s good at—storage, audit trails, enforcement.
Neither system is doing something it’s bad at. Sound familiar?
If you’re working on similar problems—conversational AI, privacy architecture, or the intersection of both—I’d love to hear about it. Find me on the usual channels.