Consent vs. Authorization: what’s the diff?
I was recently considering the differences between the terms Authorization and Consent in our digital data interactions: are these terms really distinct or are they synonymous at some level?
Consent is often used in the context of granting permission to some online entity to collect, use, and/or share data about a user (cookie banners, EULA terms, etc.). It is also used in, for example, medical settings, where a patient consents to some treatment or procedure. In short, it seems consent is about giving permission to some entity to perform some digital or physical action that is otherwise prohibited by law, regulation or ethical considerations.
Authorization, on the other hand, is often used in the context of giving permission to some party to access or act on a particular digital resource or interface. For example, we define authorization policies that encode permissions for certain subjects to perform particular actions on particular resources. This allows access decisions to be made consistent with those policies. For example, I may be authorized to read but not modify a particular digital document, or I may be authorized to access my employer’s office building only on weekdays.
Both Consent and Authorization seem to revolve around the concept of permission. So are they in fact really the same thing? I think the answer is a qualified “yes”: under the covers, both require some sort of permission check but the linguistic usage of the two terms is somewhat different. That said, the linguistic usages are inconsistent. For example, I might say, “I consent to medical treatment”. But I could just as validly say that “I authorize medical treatment”. No difference really.
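The shared permission check described above can be sketched in code. This is an added example, not part of the original post: one default-deny function evaluates grants labelled as consent and as authorization alike. The `Grant` type, the subject and resource names, and the sample grants are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Optional


@dataclass(frozen=True)
class Grant:
    """One permission: `subject` may perform `action` on `resource`."""
    subject: str
    action: str
    resource: str
    kind: str  # "authorization" or "consent": a label only, never read by the check
    condition: Optional[Callable[[date], bool]] = None  # optional context test


def weekdays_only(day: date) -> bool:
    return day.weekday() < 5  # Monday=0 .. Friday=4


# Constructed sample grants mirroring the examples in the text.
GRANTS = [
    Grant("me", "read", "document", "authorization"),
    Grant("me", "enter", "office-building", "authorization", weekdays_only),
    Grant("analytics-site", "collect", "my-browsing-data", "consent"),
    Grant("clinic", "treat", "me", "consent"),
]


def is_permitted(subject: str, action: str, resource: str,
                 day: date, grants=GRANTS) -> bool:
    """Default deny: allow only if a grant matches and its condition holds."""
    for g in grants:
        if (g.subject, g.action, g.resource) == (subject, action, resource):
            if g.condition is None or g.condition(day):
                return True
    return False


if __name__ == "__main__":
    saturday = date(2024, 1, 6)
    print(is_permitted("me", "modify", "document", saturday))        # no grant
    print(is_permitted("me", "enter", "office-building", saturday))  # condition fails
    print(is_permitted("clinic", "treat", "me", saturday))           # consent grant
```

The `kind` field never influences the decision, which is the sense in which the two terms collapse into one check; anything not explicitly granted, such as modifying the document or sharing the collected data, is denied.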
What do you think?
Steve Venema
Distinguished Engineer
ForgeRock