Consent Management
Control how AI agents interact with your web forms by requiring explicit user consent. Like GDPR cookie consent, but for AI agent interactions.
What is AI Consent Management?
AI consent management gives website visitors control over whether AI agents can interact with forms on their behalf. When an AI agent (like a browser assistant or automated tool) attempts to fill out or submit a form, dat2ai can require the user to explicitly approve the interaction before it proceeds.
Think of it as the GDPR cookie consent banner, but for AI. Just as users must consent to cookies, they can consent to (or decline) AI agent activity on your site. This creates a transparent, auditable record of user preferences.
How It Works
When consent is enabled, the following flow is triggered each time an AI agent attempts to invoke a tool on your site:
AI agent attempts to invoke a tool (e.g., fill out a contact form)
dat2ai intercepts the invocation and checks whether consent has been given
If consent is required and not yet given, a consent banner is displayed to the user
The user accepts or declines. Their decision is logged in the audit trail and persisted in localStorage
If accepted, the tool executes normally. If declined, the invocation is blocked and a consent_denied event is recorded
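The flow above, as an added example that is not dat2ai's SDK code: a consent gate that checks a persisted decision, prompts once when none exists, blocks the tool and records consent_denied on decline, and otherwise lets the tool run. Storage, banner prompt and audit sink are injected (assumed interfaces) so the same code runs against window.localStorage in a browser and against an in-memory stand-in here.

```javascript
// Added example (not dat2ai's SDK): a consent gate implementing the flow above.
// Storage, banner prompt and audit sink are injected (assumed interfaces).
const STORAGE_KEY = 'dat2ai_consent'; // default key, as in the npm config on this page

function createConsentGate({ required = true, storage, promptUser, audit }) {
  // storage:    { getItem(key), setItem(key, value) }, e.g. window.localStorage
  // promptUser: shows the banner, resolves to 'accepted' or 'declined'
  // audit:      receives one audit-trail entry per event
  async function getDecision() {
    const stored = storage.getItem(STORAGE_KEY);
    if (stored === 'accepted' || stored === 'declined') return stored; // no re-prompt
    const decision = await promptUser();
    storage.setItem(STORAGE_KEY, decision); // persists until browser data is cleared
    audit({ event: 'consent_decision', decision, timestamp: Date.now() });
    return decision;
  }
  // guard() wraps a tool so every invocation is consent-checked first.
  return function guard(toolName, tool) {
    return async function invoke(args, agentType = 'browser_agent') {
      if (required && (await getDecision()) !== 'accepted') {
        audit({ event: 'consent_denied', tool: toolName, agentType, timestamp: Date.now() });
        return { blocked: true, reason: 'consent_denied' };
      }
      audit({ event: 'tool_invoked', tool: toolName, agentType, timestamp: Date.now() });
      return { blocked: false, result: await tool(args) };
    };
  };
}

// In-memory stand-in for localStorage so the demo runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}
// Constructed scenario: a browser agent tries the contact form twice. With a
// declined decision the banner must be shown once and both calls blocked.
async function demo(userAnswer) {
  const events = [];
  let prompts = 0;
  const guard = createConsentGate({
    storage: memoryStorage(),
    promptUser: async () => { prompts += 1; return userAnswer; },
    audit: (e) => events.push(e.event),
  });
  const contactForm = guard('contact_form', async (fields) => ({ submitted: Object.keys(fields) }));
  const first = await contactForm({ name: 'Ada', message: 'hi' });
  const second = await contactForm({ name: 'Ada', message: 'again' });
  return { first, second, prompts, events };
}
```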
Dashboard Configuration
Enable and configure consent from the dashboard by navigating to Sites > [Your Site] > Consent Policy. The following settings are available:
Require Consent: Toggle whether consent is required before AI agents can interact with your site's forms. When disabled, all agents can interact freely.
Banner Text: Customize the message shown to users in the consent banner. Be clear about what AI agents will do and why consent is needed.
Policy URL: Link to your full AI interaction policy page. This appears as a 'More info' link in the consent banner.
Script Tag Configuration
If you are using the script tag installation method, you can configure consent directly in the Dat2AIConfig object:
```html
<!-- Consent is configured in the dashboard and loaded automatically -->
<script async src="https://dat2ai.com/api/script/YOUR_SITE_KEY"></script>

<!-- Or override consent settings client-side (the config must be set before the script loads): -->
<script>
  window.Dat2AIConfig = {
    siteKey: 'YOUR_SITE_KEY',
    consent: {
      required: true,
      bannerText: 'This site uses AI agents that may interact with forms. Do you consent?',
      policyUrl: 'https://example.com/ai-policy'
    }
  };
</script>
<script async src="https://dat2ai.com/api/script/YOUR_SITE_KEY"></script>
```
NPM Configuration
When using the npm package, pass the consent configuration to Dat2AI.init():
```javascript
import { Dat2AI } from 'dat2ai';

Dat2AI.init({
  siteKey: 'YOUR_SITE_KEY',
  consent: {
    required: true,
    bannerText: 'This site uses AI agents that may interact with forms. Do you consent?',
    policyUrl: 'https://example.com/ai-policy',
    storageKey: 'dat2ai_consent' // localStorage key for persisting the decision
  }
});
```
Data Privacy
dat2ai is designed with privacy at its core. Here is what data is captured, how it is protected, and what is always excluded.
What Data is Captured
- Tool name — which form was interacted with
- Agent type — the type of AI agent (browser_agent, automated, etc.)
- Timestamp — when the interaction occurred
- Consent decision — whether the user accepted or declined
- Form field values (optional) — only when captureFieldData is enabled
How Data is Encrypted
All form field data is encrypted using AES-256-GCM before being stored in the database. Each user account has its own encryption key. Data is encrypted at rest and only decrypted when viewed by the site owner in the dashboard.
Sensitive Fields Auto-Excluded
The following field types are NEVER captured, regardless of configuration. This is enforced at the SDK level and cannot be overridden:
- Password fields (type="password")
- Credit card fields (autocomplete containing "cc-")
- Social Security Numbers (autocomplete="ssn" or common SSN field patterns)
- Fields matching custom sensitive selectors configured in your consent policy
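An added example, not dat2ai's SDK code, showing how the exclusions above can be applied to a form before any field values reach the audit trail. It assumes fields are plain descriptors rather than DOM nodes, models the custom sensitive selectors as attribute selectors of the form [name="dob"] (a subset of CSS selectors, assumed here), and uses an assumed name pattern for the "common SSN field patterns" rule.

```javascript
// Added example (not dat2ai's SDK): filters out the auto-excluded field types
// before capture. Fields are { name, type, autocomplete, value } descriptors.
const SSN_NAME_PATTERN = /(^|[^a-z])(ssn|social[_\-\s]?security)/i; // assumed "common SSN pattern"

// Custom sensitive selectors are modelled as attribute selectors like [name="dob"],
// a subset of the CSS selectors the policy accepts (assumed for this example).
function matchesSelector(field, selector) {
  const m = /^\[(\w+)="([^"]*)"\]$/.exec(selector.trim());
  return m !== null && String(field[m[1]] || '') === m[2];
}

function isSensitiveField(field, customSelectors = []) {
  const type = (field.type || '').toLowerCase();
  const autocomplete = (field.autocomplete || '').toLowerCase();
  if (type === 'password') return true;                 // type="password"
  if (autocomplete.includes('cc-')) return true;        // cc-number, cc-exp, cc-csc, ...
  if (autocomplete === 'ssn' || SSN_NAME_PATTERN.test(field.name || '')) return true;
  return customSelectors.some((sel) => matchesSelector(field, sel));
}

// Returns the subset of field values that may be captured. With captureFieldData
// off nothing is captured, so only event metadata would be recorded.
function captureFormFields(fields, { captureFieldData = false, customSelectors = [] } = {}) {
  if (!captureFieldData) return {};
  const captured = {};
  for (const f of fields) {
    if (!isSensitiveField(f, customSelectors)) captured[f.name] = f.value;
  }
  return captured;
}

// Constructed sample form (all values made up).
const SAMPLE_FIELDS = [
  { name: 'email', type: 'email', autocomplete: 'email', value: 'ada@example.com' },
  { name: 'password', type: 'password', value: 'hunter2' },
  { name: 'card', type: 'text', autocomplete: 'cc-number', value: '4111 1111 1111 1111' },
  { name: 'social_security_number', type: 'text', value: '123-45-6789' },
  { name: 'dob', type: 'date', value: '1990-01-01' },
  { name: 'message', type: 'text', value: 'hello' },
];
```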
Decision Log
Every consent decision is recorded as an immutable entry in the audit trail. This creates a verifiable record of user consent for compliance purposes.
Each consent entry includes the timestamp, agent type, the user's decision (accepted or declined), and the browser session identifier. These entries are viewable in the dashboard under Sites > [Your Site] > Consent Policy > Consent Decisions. The log cannot be modified or deleted, ensuring a tamper-proof compliance record.
Compliance Export
Export consent data for GDPR, regulatory audits, or internal compliance reviews. Two export formats are available:
CSV: Spreadsheet-compatible format. Ideal for compliance teams, external auditors, and integration with GRC tools.
JSON: Structured data format. Ideal for programmatic processing, custom dashboards, and data pipeline integrations.
Navigate to Sites > [Your Site] > Audit Logs and use the Export CSV or Export JSON buttons. Filter by date range and event type before exporting.
Best Practices
Always link your privacy policy
Include a policyUrl that explains what AI agents do on your site, what data is collected, and how it is used. This builds trust and helps with regulatory compliance.
Use clear, non-technical banner text
Write your consent banner in plain language. Avoid jargon like 'WebMCP' or 'tool invocation'. Instead, explain that AI assistants may help fill forms on the user's behalf.
Minimize data collection
Only enable captureFieldData if you need the actual form values for your audit trail. The event metadata (tool name, agent type, timestamp) is often sufficient for governance.
Test consent flow before going live
Enable debug mode during development to verify the consent banner appears correctly, decisions are persisted, and events are recorded properly in the audit log.
Respect declined consent
When a user declines consent, do not re-prompt them on every page load. The decision is stored in localStorage and respected until the user clears their browser data.