This article explains how the OpenSRS consent management process works for registrants, including the Your Data Sharing Preferences page, asynchronous and synchronous TLD handling, and consent statuses. Use it to understand what registrants experience, how OpenSRS groups products for consent, and what happens when consent is provided, withheld, or revoked.
Warning: GDPR enforcement guidance and consent flows change frequently. Validate timing windows, group definitions, and API behavior with the OpenSRS Support team before relying on the details below.
The Your Data Sharing Preferences page
When a registrant visits their Your Data Sharing Preferences page, they see an up-to-the-minute list of all active products they have registered, along with any products pending consent for the order to complete.
Actionable or essential items are presented first, based on dynamic generation. When a registrant has a new pending consent product and an older product with the consent choice already complete, the new product appears first. Asynchronous products are displayed before synchronous products because consent for asynchronous products is required to complete orders.
Data groupings
Each service or product offered through Tucows falls into a particular consent group. Once a consent preference is logged for a group, that choice applies to future purchases within that same group.
For two products to fall within the same consent group, they must be offered through the same service provider, contractually require the same data elements, and request the same consent-based data elements.
For example, a registry might operate multiple TLDs that all contractually require the registrant's name, email, and country and that all request consent to process the registrant's phone number. These TLDs fall into the same consent group. Once the registrant sets preferences for one TLD, that choice applies to all future purchases within the same group, and no further consent request emails are sent for those purchases. If the same registry later offers a TLD that also requests consent for the registrant's postal address, the registrant receives a new consent request because that TLD falls into a distinct consent group.
This grouping reduces how many consent requests the registrant receives while preserving their control over which personal data is shared and with whom.
Asynchronous and synchronous TLDs
The data elements that Tucows or a GDPR-compliant provider require are collected and processed on a legal basis.
For some TLDs and services, the provider requests additional data for which there is no contractual basis. In those cases, OpenSRS asks the registrant for consent to share that data.
In most cases, even if the registrant withholds or fails to provide consent, Tucows can immediately register the domain by sending the registry a combination of contractual data and placeholders for any consent-only data elements. These are synchronous services — they can be registered right away, without additional personal data beyond what the contract covers.
For some TLDs, placeholder data is not accepted by the registry, because Tucows does not have assurance from the registry that the data will only be used in ways that conform with data privacy regulations. Tucows cannot share that data without the registrant's consent. These are asynchronous services — they cannot be provided without sharing certain registrants' personal data, and there is no GDPR-compliant contract protecting the data, so affirmative consent is required before OpenSRS proceeds.
Asynchronous domains with yes-consent
To provide an intuitive experience, the consent status for any previously active asynchronous service is set to yes-consent by default. The registrant consented to processing by purchasing the service before these enhanced protections went into effect. Although consent has not technically been re-collected, the yes-consent status accurately reflects current data use: the end user's personal data has already been processed and shared with Tucows and the registry partner.
For registrants who want to revoke consent, the yes-consent status also clarifies the required action — uncheck the box and submit. They are then directed back to the reseller to complete the request and cancel the service. OpenSRS would prefer to replace consent-based data with placeholder data until consent is provided, but this is not permitted by the registry. The service must be cancelled for the withdrawal of consent to have effect.
For synchronous services where placeholder data is accepted, the consent checkbox starts empty and only shows a checked state once consent is given.
Providing or revoking consent
Synchronous products
If the registrant withholds or revokes consent, any existing services remain active and pending orders are processed normally. Tucows substitutes placeholder data for any consent-based personal data.
Asynchronous products
When an order is pending, failure to provide consent within ten days or a decision to withhold consent places the order on hold.
Note: Orders for asynchronous products cannot be completed without consent from the registrant.
Placeholders for consent-based data are rejected at the registry level because the personal data would not be handled in a GDPR-compliant manner.
For asynchronous services that are currently active, when the registrant chooses to withdraw consent, they are instructed to work with their service provider to cancel the service. Tucows does not require this consent-based data, but the registry or service provider does, and that provider has not offered a GDPR-compliant data erasure request process. The service must be cancelled for the withdrawal of consent to take effect.
Refunds related to consent
Tucows does not refund an active service that the end user cancels in order to revoke consent. Tucows logs the choice to revoke consent and directs the end user to work with the reseller to cancel services.
Tucows does refund pending orders that are cancelled when the end user withholds consent. The cost of the transaction is returned to the reseller's account once the order is cancelled. Consent requests remain pending for ten days, after which the order defaults to a non-consented status and is cancelled.
Consent contact messaging
Multiple contact messages
Once a purchase is made, the Tucows system waits one minute before sending a consent request email. Multiple purchases within one minute trigger a single consent request email. Purchases more than one minute apart result in multiple consent request emails.
Consent message timeout
A consent request times out when not acted upon. This is only consequential for registrants of asynchronous services. Ten days after the initial consent request, the registrant's consent status defaults to non-consent when no response has been received.
For synchronous services, the timeout has no consequence — Tucows continues to use placeholders for any consent-only data elements. Pending orders for asynchronous services are cancelled at the 10-day mark when no response is received.
Message triggers
The initial consent request is triggered by the registration, update, or transfer of a domain. Once preferences are logged, they apply to future purchases within the same consent group. A registrant may receive another consent request if they purchase a service whose provider requests additional data beyond what they have already granted or withheld consent for.
GDPR consent statuses
For synchronous TLDs, there are four possible consent options.
Status | What it means |
|---|---|
Pending | The registrant has not yet provided their consent choice. |
Response provided — contract only | The registrant has declined to share consent-based information. Only contract-based data is shared with the registry. |
Response provided — consent and contract | The registrant has provided consent to share both consent-based and contract-required data elements. Both are shared with the registry. |
N/A — all contractual data | The registry requires all data contractually, and no data elements depend on the registrant's consent. |
A registrant's consent status for a domain is returned as the gdpr_consent_status value in the get_domain API command response.
Next steps
Identify which TLDs are asynchronous. Review the data use information page to determine which TLDs in your portfolio require explicit registrant consent before registration can complete.
Customize your consent request email templates. Tailor the GDPR-related templates in the Reseller Control Panel to match your brand voice and support pathways.
Build internal handling for revocation requests. Make sure your support team knows how to process asynchronous service cancellations triggered by consent withdrawal.
Questions? Contact OpenSRS Support.
How helpful was this article?
Thanks for your feedback!
Do you still need help? If so please submit a request here.