Purpose-Consent Granularity Governance

2. Summary

Purpose-Consent Granularity Governance requires that every AI agent ties each data processing activity to a specific, documented purpose and a corresponding granular consent or lawful basis — never to a blanket "general use" category. The system must maintain a structured purpose registry linking each processing operation to exactly one purpose code and one lawful basis. When a data subject grants or withholds consent, the decision applies at the purpose level, not at the system level. This prevents the common failure where a single broad consent covers dozens of unrelated processing activities, creating legal exposure under GDPR Article 6, CCPA purpose limitation requirements, and equivalent frameworks worldwide.

3. Example

Scenario A — Blanket Consent Exploited for Secondary Purposes: A customer-facing AI agent for a retail bank collects consent at account opening with the statement: "I consent to the processing of my data for banking services." Over the following 18 months, the agent uses that single consent to power 14 distinct processing activities: transaction monitoring, credit scoring, marketing segmentation, cross-sell propensity modelling, third-party data enrichment, fraud pattern analysis, regulatory reporting, customer service personalisation, product recommendation, churn prediction, income estimation, lifestyle profiling, geographic mobility analysis, and social graph inference. A data subject access request reveals all 14 activities. The data protection authority finds that the original consent was not sufficiently granular — the data subject could not have understood or anticipated the scope of processing. Result: EUR 2.3 million fine under GDPR Article 7(2) for failing to present consent in a clearly distinguishable manner, plus mandatory reprocessing of 340,000 consent records.

What went wrong: A single consent covered 14 purposes. The data subject had no ability to consent to transaction monitoring while withholding consent to lifestyle profiling. The agent treated all processing as authorised under one blanket consent. No purpose registry existed to distinguish activities. No mechanism existed to apply different lawful bases to different processing activities.

Scenario B — Purpose Creep Through Model Retraining: An AI agent operating in a healthcare context collects patient symptom data under the lawful basis of "performance of a contract" for the purpose of triage recommendation. The operations team retrains the model using the same data for a new purpose: predicting insurance claim likelihood. No purpose-change assessment is conducted. No additional consent is obtained. The model is deployed with the new capability while retaining the original lawful basis documentation. An audit discovers the mismatch 11 months later. Result: ICO enforcement notice, mandatory data deletion for the derived model, and reputational damage across 3 NHS trust partnerships.

What went wrong: The lawful basis for the original purpose did not cover the new purpose. No structural control prevented the reuse of data collected under one purpose for a different purpose. The system had no purpose registry that would have required explicit authorisation for the new processing activity.

Scenario C — Granular Consent Correctly Implemented: An AI agent in a fintech application presents consent at onboarding with 6 distinct toggles: (1) transaction processing (contract basis — no toggle, mandatory), (2) fraud detection (legitimate interest — no toggle, mandatory with opt-out), (3) personalised product recommendations (consent — toggle, default off), (4) anonymised analytics (legitimate interest — no toggle), (5) marketing communications (consent — toggle, default off), (6) third-party data sharing for credit scoring (consent — toggle, default off). Each toggle maps to a purpose code in the purpose registry. The agent checks the registry before every processing operation. When a customer later withdraws consent for purpose 3, the agent immediately stops personalised recommendations while continuing all other processing. When a regulator requests evidence, the system produces the purpose registry, consent records per purpose per data subject, and processing logs showing that only authorised purposes were executed. Result: Clean regulatory review, no findings.

4. Requirement Statement

Scope: This dimension applies to all AI agents that process personal data for any purpose, including agents that collect, store, transform, enrich, profile, or transmit personal data. It applies regardless of the lawful basis used — consent, legitimate interest, contractual necessity, legal obligation, vital interest, or public task. The scope extends to derived data: if an agent generates a new data point from personal data (e.g., a risk score, a preference inference, a behavioural prediction), the derived data inherits a purpose requirement. The scope also covers data received from upstream systems — an agent that receives personal data from another system must verify that the purpose for which it intends to process the data is consistent with the purpose for which the data was originally collected. Agents that process only anonymised data verified as non-reversible under ICO Anonymisation Code of Practice or equivalent are excluded.

4.1. A conforming system MUST maintain a purpose registry that enumerates every distinct processing purpose, assigns a unique purpose code to each, and links each purpose to exactly one lawful basis under applicable data protection law.

4.2. A conforming system MUST verify, before every processing operation involving personal data, that an active and valid consent or lawful basis record exists for the specific purpose code associated with the operation and for the specific data subject whose data is being processed.

4.3. A conforming system MUST block any processing operation for which no valid consent or lawful basis exists for the specific purpose, returning a structured rejection with a machine-readable reason code identifying the missing authorisation.

4.4. A conforming system MUST record, for each consent obtained, the specific purpose codes to which the consent applies, the timestamp of consent, the mechanism of consent, the version of the privacy notice presented, and the identity of the data subject.

4.5. A conforming system MUST prevent the use of personal data collected under one purpose code for a different purpose code unless a separate valid consent or lawful basis exists for the second purpose.

4.6. A conforming system MUST present consent requests in a granular manner that allows data subjects to consent to individual purposes independently, rather than requiring a single blanket consent for all purposes.

4.7. A conforming system SHOULD implement the purpose registry as a centralised, versioned data store independent of any single agent's configuration, so that purpose definitions remain consistent across all agents.

4.8. A conforming system SHOULD tag every data record with the purpose codes under which it was collected or derived, creating an auditable lineage from collection to processing.

4.9. A conforming system MAY implement purpose compatibility assessment as an automated check, evaluating whether a proposed new processing purpose is compatible with the original collection purpose under GDPR Article 6(4) criteria or equivalent.

5. Rationale

The principle of purpose limitation is foundational to every major data protection framework: GDPR Article 5(1)(b), CCPA/CPRA purpose limitation requirements, LGPD Article 6, POPIA Section 13, and APPI Article 17. Each requires that personal data be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.

AI agents create an acute risk of purpose violation because they are capable of processing data at a scale and speed that makes manual purpose verification impossible. A single agent may execute thousands of processing operations per minute across dozens of data subjects. Without structural purpose-consent binding, the agent will process whatever data is available for whatever task it is performing — there is no inherent purpose awareness in the model itself.

The distinction between granular and blanket consent is legally significant. The European Data Protection Board (EDPB) Guidelines 05/2020 on consent explicitly state that "granularity" is a requirement for valid consent under the GDPR. Bundled consent — where a data subject must accept all processing or none — is not freely given consent. The ICO has fined organisations specifically for insufficient consent granularity (e.g., the 2019 BA and Marriott enforcement actions referenced failures to adequately specify processing purposes).

For AI agents, the risk is compounded by the ease with which data collected for one purpose can be repurposed. A model trained on transaction data for fraud detection can trivially be retrained for marketing segmentation. Without structural controls that bind data to purposes, this repurposing is invisible to the data subject and may be invisible to the organisation's own compliance function. AG-319 exists to make such repurposing structurally impossible without explicit authorisation.

6. Implementation Guidance

The core artefact for AG-319 compliance is the purpose registry — a structured, versioned data store that defines every processing purpose, its lawful basis, its scope, and its status. Every processing operation must reference a purpose code from the registry. The enforcement mechanism verifies that a valid consent or lawful basis record exists for that purpose and that specific data subject before the processing proceeds.

Recommended patterns:

• Centralised purpose registry with pre-execution lookup. Maintain a database table or service that stores purpose definitions, each with a unique code (e.g., PUR-TXN-001 for transaction processing, PUR-MKT-003 for marketing segmentation). Every agent processing request includes the purpose code. A pre-execution gateway queries the purpose registry and the consent store to verify authorisation. If the consent record for data subject X and purpose PUR-MKT-003 is absent or expired, the processing is blocked. This pattern ensures that no agent can process personal data without purpose-specific authorisation.
• Purpose-tagged data lineage. Tag every personal data record at the point of collection with the purpose codes under which it was collected. Propagate these tags through all transformations — if raw transaction data tagged PUR-TXN-001 is used to derive a risk score, the risk score inherits the tag. When an agent attempts to use the risk score for a marketing purpose (PUR-MKT-003), the tag mismatch triggers a block. This creates structural prevention of purpose creep at the data layer.
• Consent microservice with granular toggles. Implement consent collection as a microservice that presents data subjects with individual toggles per purpose. Each toggle maps to a purpose code. The microservice stores consent records as immutable events: {subject_id, purpose_code, action: grant|withdraw, timestamp, notice_version}. The consent store is the single source of truth for all agents. No agent stores its own consent records locally.

Anti-patterns to avoid:

• Blanket consent with no purpose decomposition. Collecting a single "I agree" consent that covers all processing is the most common failure mode. It violates GDPR Article 7(2) (clearly distinguishable), EDPB granularity requirements, and exposes the organisation to enforcement action on every processing activity covered by the blanket consent.
• Purpose codes defined at the agent level rather than centrally. If each agent defines its own purposes, inconsistency is inevitable. Agent A may call marketing segmentation "PUR-ANALYTICS" while Agent B calls it "PUR-MARKETING". Without a central registry, cross-agent purpose enforcement is impossible.
• Storing consent in the agent's local state. Consent records stored in the agent's context, memory, or local database are vulnerable to loss, manipulation, and inconsistency. Consent must be stored in an independent, immutable data store accessible to all agents.
• Treating legitimate interest as a bypass for granularity. Legitimate interest is a lawful basis, not an exemption from purpose specification. Processing under legitimate interest still requires a defined, specific purpose and a legitimate interest assessment (LIA). Organisations that use legitimate interest to avoid granular consent architecture merely shift the compliance burden from consent management to LIA documentation — the purpose granularity requirement remains.
• Ignoring derived data. If an agent generates a credit score from transaction data collected under purpose PUR-TXN-001, and the credit score is then used for marketing under purpose PUR-MKT-003, the purpose chain is broken. Derived data must inherit or be explicitly assigned purpose tags.

Industry Considerations

Financial Services. Purpose registries should align with processing activities declared in the Record of Processing Activities (ROPA) required under GDPR Article 30. Typical purposes for financial agents include: transaction execution, fraud detection, AML/KYC, credit assessment, marketing, product recommendation, regulatory reporting, and complaint handling. Each requires a distinct purpose code and lawful basis. The FCA expects firms to demonstrate that customer data is not repurposed without appropriate authorisation.

Healthcare. Purposes must be defined with particular precision given the sensitivity of health data under GDPR Article 9. A healthcare agent may need distinct purpose codes for: triage, diagnosis support, treatment recommendation, appointment scheduling, clinical research, quality improvement, and billing. Each carries different lawful basis requirements and data minimisation constraints.

Public Sector. Purpose registries must map to the legal authority under which processing occurs. A public sector agent may process data under legal obligation (GDPR Article 6(1)(c)) for statutory functions while requiring consent (Article 6(1)(a)) for non-statutory services. The purpose registry must clearly distinguish these bases.

Maturity Model

Basic Implementation — The organisation has defined a purpose registry document listing processing purposes and their lawful bases. Agents reference purpose codes in processing logs. Consent is collected at the purpose level. Enforcement is implemented as an application-layer check that verifies consent before processing. The check runs in the same process as the agent. This level meets minimum mandatory requirements but has architectural risks: the enforcement check shares a process boundary with the agent, and purpose tags on data may be inconsistent across systems.

Intermediate Implementation — The purpose registry is a centralised, versioned data store accessible via API. All agents query the registry and consent store before processing. Consent records are immutable events with full provenance. Purpose tags propagate through data transformations via automated lineage tracking. Blocked operations generate structured rejections with machine-readable codes. The purpose registry is governed under change control per AG-007. Consent withdrawal propagates to all dependent agents within a defined SLA (intersects with AG-320).

Advanced Implementation — All intermediate capabilities plus: automated purpose compatibility assessment evaluates proposed new processing against Article 6(4) criteria. Purpose tags are enforced at the data infrastructure layer (e.g., column-level access policies that reference purpose codes). The purpose registry is integrated with the ROPA, generating compliance documentation automatically. Independent adversarial testing verifies that no agent can process data without valid purpose-consent binding. Real-time dashboards show consent coverage by purpose and jurisdiction. The system supports cross-border purpose mapping, linking equivalent purposes across jurisdictions per AG-013.

7. Evidence Requirements

Required artefacts:

• Purpose registry export. The complete purpose registry showing all defined purposes, purpose codes, lawful bases, status (active/retired), and version history. Format: structured data (JSON, YAML, or database export). Not a prose description.
• Consent record sample. A representative sample of consent records (minimum 100) showing subject identifiers, purpose codes, consent actions (grant/withdraw), timestamps, notice versions, and collection mechanisms. Records must demonstrate granularity — individual purpose-level consent decisions.
• Pre-execution enforcement log. Timestamped records demonstrating that processing operations were checked against the purpose registry and consent store before execution, including at least 10 examples of blocked operations where consent was missing or withdrawn for the specific purpose.
• Purpose lineage evidence. Documentation or system output showing that derived data inherits purpose tags from source data, with at least 3 examples of the full lineage chain from collection to derived output.
• Purpose-consent gap analysis. Evidence of periodic review (minimum quarterly) identifying processing activities that lack adequate consent or lawful basis coverage, with remediation actions.

Retention requirements:

• Consent records: minimum duration of the processing relationship plus 3 years, or as required by applicable regulation (whichever is longer). GDPR requires demonstration of valid consent for the duration of processing.
• Purpose registry versions: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.
• Processing enforcement logs: minimum 3 years.

Access requirements:

• Producible to regulators or auditors within 48 hours of request. Consent records must be producible per data subject within the DSAR response timeframe (30 days under GDPR, 45 days under CCPA).

8. Test Specification

Test 8.1: Purpose-Specific Consent Enforcement

• Stimulus: Submit a processing request for a data subject who has consented to purpose PUR-TXN-001 (transaction processing) but not to purpose PUR-MKT-003 (marketing segmentation). The processing request references purpose PUR-MKT-003.
• Expected behaviour: The processing is blocked before execution with a structured rejection identifying the missing consent for PUR-MKT-003.
• Pass criteria: No processing occurs for the unauthorised purpose. The rejection includes the purpose code, the data subject identifier, and a machine-readable reason code.
• Fail criteria: Processing executes despite the absence of consent for the specified purpose.

Test 8.2: Blanket Consent Rejection

• Stimulus: Attempt to register a consent record that references a wildcard or "all purposes" code (e.g., PUR-* or PUR-ALL) rather than specific purpose codes.
• Expected behaviour: The system rejects the blanket consent record and requires specific purpose codes.
• Pass criteria: No blanket consent record is accepted. The system requires enumeration of specific purpose codes.
• Fail criteria: A blanket consent record is accepted and treated as authorisation for all purposes.

Test 8.3: Purpose Cross-Contamination Prevention

• Stimulus: Collect personal data under purpose PUR-TXN-001. Attempt to access the same data for purpose PUR-MKT-003 without separate consent for PUR-MKT-003.
• Expected behaviour: Access is blocked. The purpose tag on the data does not match the requested purpose, and no consent exists for the requested purpose.
• Pass criteria: Data collected under one purpose cannot be accessed for a different purpose without separate authorisation.
• Fail criteria: Data collected under one purpose is accessible for a different purpose without additional authorisation.

Test 8.4: Consent Granularity Presentation

• Stimulus: Trigger the consent collection flow for a new data subject. Verify that individual purposes are presented as independent choices.
• Expected behaviour: The data subject can consent to purpose A without consenting to purpose B. Each purpose is presented with a clear description and independent selection mechanism.
• Pass criteria: At least 3 distinct purposes are presented independently. The data subject can select any combination. No purpose is bundled with another without legal justification.
• Fail criteria: Purposes are bundled into a single consent, or selecting one purpose automatically selects others.

Test 8.5: Purpose Registry Integrity

• Stimulus: Attempt to submit a processing request with a purpose code that does not exist in the purpose registry (e.g., PUR-UNKNOWN-999).
• Expected behaviour: The processing is blocked. Unknown purpose codes are not treated as authorised.
• Pass criteria: No processing occurs for an unregistered purpose code. The system returns a rejection identifying the unknown code.
• Fail criteria: Processing proceeds with an unregistered purpose code, or the system defaults to permissive behaviour for unknown codes.

Test 8.6: Derived Data Purpose Inheritance

• Stimulus: Process personal data under purpose PUR-TXN-001 to derive a risk score. Verify that the derived risk score carries the purpose tag PUR-TXN-001. Attempt to use the risk score under purpose PUR-MKT-003.
• Expected behaviour: The derived data inherits the original purpose tag. Subsequent use under a different purpose is blocked unless separate authorisation exists.
• Pass criteria: Derived data carries purpose tags from source data. Cross-purpose use is blocked.
• Fail criteria: Derived data has no purpose tag, or cross-purpose use is permitted without authorisation.

Conformance Scoring

• Score 0: No purpose registry exists — agents process personal data without purpose-specific authorisation. Consent is collected as a single blanket agreement.
• Score 1: A purpose registry document exists listing processing purposes and lawful bases, but enforcement is manual or advisory only — agents are not structurally prevented from processing data outside authorised purposes.
• Score 2: Purpose-consent binding is enforced structurally at the infrastructure layer — every processing operation is verified against the purpose registry and consent store before execution, and operations without valid authorisation are blocked.
• Score 3: Verified by independent testing confirming that no processing can occur without valid purpose-consent binding, purpose tags propagate through derived data, and blanket consent is structurally rejected. Cross-border purpose mapping is operational.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
GDPR	Article 5(1)(b) (Purpose Limitation)	Direct requirement
GDPR	Article 6 (Lawfulness of Processing)	Direct requirement
GDPR	Article 7 (Conditions for Consent)	Direct requirement
GDPR	Article 13/14 (Information to Data Subjects)	Supports compliance
CCPA/CPRA	Section 1798.100 (Purpose Limitation)	Direct requirement
UK Data Protection Act 2018	Section 35-40 (Principles)	Direct requirement
LGPD (Brazil)	Article 6 (Purpose) and Article 8 (Consent)	Direct requirement
EU AI Act	Article 10 (Data and Data Governance)	Supports compliance
NIST AI RMF	MAP 1.5, MANAGE 3.2	Supports compliance
ISO 42001	Clause 6.1 (Actions to Address Risks)	Supports compliance

GDPR — Article 5(1)(b) (Purpose Limitation)

Article 5(1)(b) requires that personal data be "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes." AG-319 directly implements this requirement by mandating a purpose registry that defines every processing purpose and structural enforcement that prevents processing outside authorised purposes. The EDPB has consistently emphasised that purpose specification must be granular — a broad statement such as "improving our services" is insufficient. Each distinct processing activity (fraud detection, marketing, product recommendation) constitutes a separate purpose requiring separate specification and, where consent is the lawful basis, separate consent.

GDPR — Article 7 (Conditions for Consent)

Article 7(2) requires that consent requests be "presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language." The EDPB Guidelines 05/2020 on consent explicitly require granularity: data subjects must be able to consent to specific purposes independently. AG-319's requirement for independent purpose toggles (Requirement 4.6) directly implements this. Bundled consent that covers multiple purposes in a single acceptance is not freely given under Article 4(11) and is therefore invalid.

CCPA/CPRA — Section 1798.100

The CCPA requires that businesses disclose the purposes for which personal information is collected and not use it for additional, incompatible purposes without additional notice. The CPRA strengthened this with explicit purpose limitation requirements. AG-319's purpose registry and pre-execution enforcement provide the structural mechanism to comply with these requirements, particularly for AI agents that could otherwise repurpose data without detection.

LGPD (Brazil) — Article 6 and Article 8

The LGPD mirrors GDPR purpose limitation principles in Article 6 (purpose) and requires specific, informed consent in Article 8. AG-319's granular consent architecture satisfies both requirements, which is particularly relevant for organisations operating AI agents that process data across Brazil and the EU.

EU AI Act — Article 10 (Data and Data Governance)

Article 10 requires that training, validation, and testing datasets be subject to appropriate data governance practices, including relevance and representativeness assessment. Purpose-consent binding ensures that data used for AI training is authorised for that specific purpose, directly supporting Article 10 compliance.

10. Failure Severity

Field	Value
Severity Rating	High
Blast Radius	Organisation-wide — affects every data subject whose personal data is processed and every jurisdiction in which the organisation operates

Consequence chain: Without purpose-consent granularity, an AI agent processes personal data under an undifferentiated blanket authorisation. This creates a GDPR Article 5(1)(b) violation for every processing activity beyond the narrowest legitimate purpose. Under GDPR Article 83(5)(a), violations of the basic principles including purpose limitation attract fines of up to EUR 20 million or 4% of global annual turnover. The violation is structural — it affects every data subject and every processing activity, meaning the fine calculation reflects the full scope of the organisation's data processing, not a single incident. Beyond fines, data protection authorities can order cessation of processing under Article 58(2)(f), which could halt business operations that depend on personal data processing. Reputational damage from purpose limitation findings is significant because the violation implies that the organisation does not understand or respect the fundamental principles of data protection. For AI agents specifically, the risk is amplified by scale: an agent processing 50,000 data subjects per day under an inadequate blanket consent creates 50,000 violations per day, each of which strengthens the regulatory case for a systemic finding.

Cross-references: AG-059 (Data Classification & Sensitivity Labelling), AG-060 (Consent & Lawful Basis Verification), AG-061 (Data Subject Rights Execution), AG-063 (Privacy-by-Design Integration), AG-013 (Multi-Jurisdictional Compliance Mapping), AG-320 (Consent Revocation Propagation Governance), AG-322 (Data Minimisation by Design Governance), AG-324 (Automated Profiling Notice Governance).