Advanced Cross-Device Consent Controls

The California Privacy Protection Agency's enforcement push against Disney made one thing clear: under CCPA/CPRA, an opt-out is a person-level right, not a per-device one. A user who opts out on their phone shouldn't be re-targeted on their laptop. Without cross-device consent, every device is a separate visitor with its own state, and that gap is exactly what regulators are now testing.

Concord's Unified Identity & Consent system maintains a single source of truth for consent across every device a user logs in from. This release adds advanced controls that make that source of truth more accurate and easier to maintain. For teams that don't need login-based identity, Concord also offers automatic cross-domain consent, an easy-to-use option that links sessions across sibling domains without any server-side identity work.

What's New

The benefit of this architecture is straightforward: one record of consent per person, applied wherever they show up.

  • Real-time synchronization — When a visitor identifies on your site, Concord checks the global consent vault and applies any existing preferences instantly.
  • Consent inheritance — If a user opts into marketing on their desktop, those preferences apply automatically when they log in from their phone. No second banner.
  • Anonymous-to-known transition — When an anonymous visitor later identifies, Concord merges that session into their permanent profile. The most recent decision is the one that sticks.

Not every team needs login-based identity, and not every team that needs it has the same setup. Concord supports both ends of the spectrum:

  • Advanced mode (JWT-based identity) — For teams that want consent tied to a logged-in account across devices. Your server signs a short-lived token; Concord verifies it and links the browser session to a persistent identity. Setup details and code samples are in Implementing Cross-Device Identity & Consent.
  • Automatic cross-domain consent (contextId) — For teams that just need consent to flow between sibling domains without standing up a token-signing endpoint on every domain. A contextId is a cryptographically random UUID, so no JWT is required. See the contextId pattern in the same guide.

For the conceptual overview of how identity, context, and session relate, start with Understanding Unified Identity & Consent Management.

Why It Matters

Cross-device consent is no longer optional. CCPA/CPRA regulators and EU supervisory authorities under GDPR treat opt-out as a person-level right, and enforcement is moving in that direction. A single source of truth is how you make that real.