Collecting candidate consent for data retention

Available for Roles (Data compliance) Super Admin, Admin
(GDPR) Super Admin, Admin, Team Member, Limited Team Member
Permissions • (Data compliance ) View and edit compliance settings
• (GDPR) Manage profiles and view associated postings
Packages Lever Basic, LeverTRM, LeverTRM for Enterprise


This article depicts updates to data compliance settings included in our 2023 Fall release, scheduled to rollout progressively in November 2023. For more details related to the release, refer to our Fall 2023 Product Release Notes.

If you are relying on Explicit Consent as the lawful basis for retention of inactive candidate data, you will need to reach out to candidates to collected refreshed consent once their initial consent has expired. For help determining exactly how and when your organization should gather consent from candidates, it is best to consult legal counsel. Before proceeding, we advise reading the following help articles on the two (mutually exclusive) methods for managing data compliance in Lever, as the configuration you choose has bearing on how you will identify the candidates from which you must collect consent:

Identifying candidates from which consent must be collected

The method for identifying the candidates from which you must collected consent will depend on which data privacy settings you have configured for your Lever environment - (1) Data compliance or (2) GDPR. To better understand the distinction between the two options, refer to our help article on understanding the difference between Data Compliance and GDPR settings.

Note that, no matter which data privacy setting you have enabled for your Lever environment, owners of opportunities associated with candidates whose consent has expired will receive email (and in-app) notifications reminding them to collect refreshed consent from their candidates. This action can then be taken by navigating to the candidate's profile and following the prompts on the flyover banner. For full details, refer to our help article on resolving data requests.

The methods described below are meant to be used to identify candidates whose consent has expired in bulk.

If you have 'Data Compliance' enabled...

Storage and Future job opportunities (marketing) are configured separately. It is Storage that dictates when a candidate should be anonymized. 

Data compliance settings page with storage and list of explicit and legitimate consent outlined.


If a candidate revokes consent when sent a consent link, this will revoke both storage and marketing and will trigger a data removal request for the candidate.

Super Admins and Admins, and users with the ‘Anonymize candidates' custom permission can filter for candidates from which consent must be collected. Learn more about custom permissions in our role permissions breakdown article.

  • Navigate to Settings > Data compliance > Candidate data
  • The opportunities listed on this page are those for which consent from the associated candidate has expired. Use the time range filter to narrow down the selection of candidates based on how long ago their consent expired.

Candidate data list in Data compliance settings page

If you have 'GDPR' enabled...

Super Admins, Admins, Team Members, and Limited Team Members can filter their pipeline and archive for opportunities based on candidates' relationship to your GDPR policy. Start navigating clicking the list icon in the candidate search bar.

Arrow pointing to list icon in candidate search bar

The following filter parameters are available (filter parameters may vary depending on your lawful basis configuration):

  • Anonymization date range - i.e. how long until anonymization will be required
  • Consent status - any status, open to future jobs, not open to future jobs, missing consent
    • If filtering for candidates with a consent status of 'Open to future jobs' additional filters will appear that can be used to filter by the length of time until consent expires as well as the time range within which the last consent link was sent.
    • If filtering for candidates that are missing consent, an additional filter will appear that can be used to filter by the time range within which the last consent link was sent.

Advanced filter modal with GDPR filter fields shown

Once you have filtered for the appropriate opportunities, you can bulk email the associated candidates by selecting the checkboxes in the opportunity list and clicking the Email button in the bulk action tool bar.

Opportunity list filtered by consent status; GDPR filters are outlined and arrow points to email button in bulk action tool bar.

Sending consent links to candidates

Once you have identified which candidates need refreshed consent, you can capture their consent by email them a consent link via Lever.

What are consent links and how do they work?

A consent link is a unique URL that allows a candidate to update their consent regarding the retention of their data in your Lever system. When a candidate clicks a consent link, they will be brought to page where they can specify whether or not they consent to Lever retaining their data for the purpose of contacting them about future jobs. The length of time that their data is retained for is configured in your Lever environment's compliance settings (either 'Data compliance' or 'GDPR'). If you included a link to your organization's privacy policy in your compliance setup, that link will also appear to the candidate on the consent page.

Consent preferences page as it appears to candidate.

When a candidate provides or revokes consent, their preference is immediately applied to all of their archived opportunities in your Lever system.

A candidate applies for three different roles at the same organization over the course of 2 years. All three roles are archived within the organization's Lever system. The organization has configured GDPR with a lawful basis of candidate consent and a data retention period of 2 years. Exactly 2 years from the day of the candidate's first application, they receive an email with a consent link prompting them to refresh their consent. The candidate uses the link to revoke their consent. Their consent preference not only applies to the opportunity associated with their initial application, but also the opportunities associated with the two subsequent applications they submitted over the course of the following 2 years.

If a candidate with multiple archived opportunities refreshes their consent and you have GDPR enabled, their consent will be extended for the data retention period configured in your GDPR policy. If a candidate with multiple archived opportunities refreshes their consent and you have localized data compliance enabled, their consent will be extended for shortest retention period configured for all applicable countries, and will be added cumulatively to remainder of the consent period for other applicable opportunities.

A candidate applies to two job postings with different locations on January 1 2023. The location of posting A is configured with a data retention period of 6 months, and the location of posting B is configured with a data retention period of 1 year. On June 30 2023, the candidate refreshes their consent in relation to posting A. Their consent relative to posting A is thus extended for another 6 months (until December 31 2023). Their consent relative to posting B is extended by another 6 months, applied cumulatively to the ongoing data retention period for that country (i.e. their consent is extended to June 30 2024, adding 6 months to the 1 year to which they initially consented when they applied to posting B on January 1 2023). 

To learn more about how to set up location-specific data retention periods, refer to our help article on configuring localized data compliance settings.

Adding consent links to emails

When you are drafting an emails to candidates (either individually or in bulk), you can generate a consent link in the body of the email by inserting the 'Consent link' auto-text token. In the email editor, click the 'Insert' menu and select Consent link from the list of tokens. Note that since the consent link is unique for each candidate, the link is not actually generated until the placeholder is inserted into the email editor. Due to the sensitivity of data privacy, never copy/paste a candidate's unique consent link into an email to another candidate.

Email composition window with auto-text token menu expanded and consent link option highlighted on hover.

We recommend providing context to the candidate in the body of the email, so they know exactly what action is required in order to refresh their consent preference. To make the process of collecting candidate consent more scalable, consider using email templates with the consent link auto-text token embedded that you can then personalize using other auto-text tokens such as the candidate's name. To learn more, refer to our help article on how to create email templates.

Email template editor with auto-text token menu expanded and consent link option highlighted on hover.

Sending consent refresh emails in bulk

If you are sending emails in bulk to more than one opportunity associated with the same candidate, by default Lever will only send one email for each unique candidate. In order to send one email per opportunity (instead of one per candidate), de-select the checkbox in the email composition modal. You can also select the option to exclude candidates with other active opportunities (outside of those selected) from the bulk-sent email, as well as preview how the email will look to reach recipient.

Bulk send email modal with option to only send one email per unique candidate selected.


When sending emails in bulk, configure the sender field in the email editor so that the emails come from a no-reply email address in order to avoid rate limits set by your organization's email client. If you are bulk sending emails from your own work email address, we recommend sending no more than 50 emails at a time in order to avoid rate limit issues.
Was this article helpful?
0 out of 0 found this helpful