Eng 2185 finalization and email for consent tasks

[JadeCara]

Ticket ENG-2185

Description Of Changes

🎯 Add email for consent task completion.

In this PR added a consent finalization email template which is not enabled by default and must be turned on by the user.

Code Changes

• ts files:
  • clients/admin-ui/src/features/messaging-templates/CustomizableMessagingTemplatesEnum.ts
  • clients/admin-ui/src/features/messaging-templates/CustomizableMessagingTemplatesLabelEnum.ts
  • clients/admin-ui/src/features/messaging-templates/CustomizableMessagingTemplatesLabelEnum.ts
  • clients/admin-ui/src/types/api/models/MessagingActionType.ts
  • clients/privacy-center/types/api/models/MessagingActionType.ts
• Added new template to src/fides/api/models/messaging_template.py
• Added new message to src/fides/api/schemas/messaging/messaging.py
• Updated src/fides/api/service/privacy_request/request_runner_service.py with new messaging call
• Updated all associated tests

Steps to Confirm

1. Run with fidesplus pointed at this back end.
2. From the Privacy Center we need to do a consent request. (http://localhost:3001/ if running locally). We want it to create a DSR which means it must be configured for your area.

• If you are not in the US you can add a new privacy center to http://localhost:3000/consent/privacy-experience with a privacy center component or update the US Privacy Center with wherever you are. Either way it must be enabled on the experience page.
• The notices on the privacy center must be enabled and have system wide enforcement. You can set this by going to http://localhost:3000/consent/privacy-notices enabling the notices and then clicking in to them to set the enforcment to system wide.

• Lets turn on the consent email notification as well. (http://localhost:3000/notifications/templates) enable the one at the end (Consent request completed) - you may need to set a property for it, the default is fine.

4. Now you can make that consent request. It will take a second because it also uses celery workers but it should come through in the Request Manager (http://localhost:3000/new-privacy-requests)

5. Then check your emails - you can also test that updating the template works here too.

• I edited the text on this one :) )

Pre-Merge Checklist

• Issue requirements met
• All CI pipelines succeeded
• CHANGELOG.md updated
  • Add a db-migration This indicates that a change includes a database migration label to the entry if your change includes a DB migration
  • Add a high-risk This issue suggests changes that have a high-probability of breaking existing code label to the entry if your change includes a high-risk change (i.e. potential for performance impact or unexpected regression) that should be flagged
  • Updates unreleased work already in Changelog, no new entry necessary
• UX feedback:
  • All UX related changes have been reviewed by a designer
  • No UX review needed
• Followup issues:
  • Followup issues created
  • No followup issues
• Database migrations:
  • Ensure that your downrev is up to date with the latest revision on main
  • Ensure that your downgrade() migration is correct and works
    • If a downgrade migration is not possible for this change, please call this out in the PR description!
  • No migrations
• Documentation:
  • Documentation complete, PR opened in fidesdocs
  • Documentation issue created in fidesdocs
  • If there are any new client scopes created as part of the pull request, remember to update public-facing documentation that references our scope registry
  • No documentation updates required

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Review	Updated (UTC)
fides-plus-nightly	Ignored	Preview	Jan 13, 2026 11:02pm
fides-privacy-center	Ignored		Jan 13, 2026 11:02pm

[codecov]

Codecov Report

❌ Patch coverage is 78.26087% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 87.29%. Comparing base (7108d26) to head (efbaa45).

Files with missing lines	Patch %	Lines
.../service/privacy_request/request_runner_service.py	77.77%	6 Missing and 2 partials ⚠️
.../api/service/messaging/message_dispatch_service.py	50.00%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7102      +/-   ##
==========================================
- Coverage   87.30%   87.29%   -0.02%     
==========================================
  Files         533      533              
  Lines       35090    35121      +31     
  Branches     4067     4073       +6     
==========================================
+ Hits        30635    30658      +23     
- Misses       3570     3576       +6     
- Partials      885      887       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[greptile-apps]

Greptile Overview

Greptile Summary

This PR adds consent request completion email functionality, mirroring the existing access/erasure completion email workflow. The implementation correctly prioritizes access/erasure emails over consent emails when a privacy request contains multiple action types.

Key Changes

• Added PRIVACY_REQUEST_COMPLETE_CONSENT messaging template with default subject "Your consent preferences have been saved" and body "Your consent request has been completed"
• Implemented initiate_consent_request_completion_email function in request runner service
• Updated finalization checkpoint logic to send consent emails only for consent-only requests (lines 856-893 in request_runner_service.py)
• Added new messaging action type across all TypeScript client enums (admin-ui and privacy-center)
• Added template to customizable messaging templates, enabling property-specific configuration
• Comprehensive test coverage for both DSR 2.0 and DSR 3.0

Implementation Details

The email sending logic follows this priority:

1. If request has access OR erasure actions → send access/erasure completion email
2. If request has ONLY consent actions → send consent completion email
3. Email is disabled by default and must be enabled by users in the notifications templates UI

The implementation is consistent with existing patterns for erasure completion emails (no body params required, simple template rendering).

Confidence Score: 5/5

• This PR is safe to merge with minimal risk
• The implementation follows established patterns, has comprehensive test coverage for both DSR 2.0 and 3.0, correctly handles email prioritization, and properly integrates with the existing messaging infrastructure. The changes are well-scoped and do not introduce breaking changes.
• No files require special attention

Important Files Changed

File Analysis

Filename	Score	Overview
src/fides/api/service/privacy_request/request_runner_service.py	4/5	Added initiate_consent_request_completion_email function and integrated consent email logic into finalization checkpoint. Logic correctly sends consent completion emails only for consent-only requests (access/erasure take priority).
src/fides/api/service/messaging/message_dispatch_service.py	5/5	Added consent completion email template handling in _build_email and _build_sms functions. Implementation correctly renders templates without body params, consistent with erasure completion emails.
src/fides/api/models/messaging_template.py	5/5	Added PRIVACY_REQUEST_COMPLETE_CONSENT template to DEFAULT_MESSAGING_TEMPLATES with appropriate default subject and body content.
src/fides/api/schemas/messaging/messaging.py	5/5	Added PRIVACY_REQUEST_COMPLETE_CONSENT enum value and included it in CONFIGURABLE_MESSAGING_ACTION_TYPES tuple to enable property-specific messaging configuration.
tests/ops/service/privacy_request/test_request_runner_service.py	5/5	Added comprehensive test coverage for consent completion emails including parametrized tests for both DSR 2.0 and 3.0, covering consent-only requests sending the correct email action type.
clients/admin-ui/cypress/e2e/messaging.cy.ts	5/5	Cypress tests validate that 10 messaging templates are displayed (updated count to include the new consent template). Tests cover template toggling, adding, and configuration flows.

[greptile-apps]

_{18 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[gilluminate]

LGTM

[JadeCara]

@greptile please review

[greptile-apps]

_{18 files reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}

[galvana]

I called out one issue but we should also check with @mfbrown to make sure we're not pausing system-generated consent requests.

[galvana]

There are some cases where we wouldn't want to pause the request for finalization even if the setting is enabled. I know this is at least the case for requests with a source of consent_webhook. These requests are system-generated and should just continue processing. You might want to check with @mfbrown if there are other sources that we want to exclude from this finalization (like Fides.js or Janus SDK).

[tvandort]

What would the impact of manualizing those be? I can imagine that if a notice was used on a website it might be too many DSRs to manually approve. But is there a technical reason beyond human workload?

[JadeCara]

Do we want to maybe add a specific type etc to the env var that way a user would turn on the finalization for the types they wanted explicitly?

[tvandort]

If we have to add this, that would be better yeah. My concern being that source should be more expansive than it currently is and I'd like some future wiggle room to define more of them.

[mfbrown]

I do think we should add a config to specify which sources require finalization. To the consent point, it would add a lot of manual work to a process that that could process many thousands of webhook responses, so I don't think we can put that work suddenly on customers for all requests.

I agree with @tvandort that we should add the ability to define more sources, more easily.

[JadeCara]

OK - making an update here. I did a little work on this over the last week. I have several PRs lined up to make Consent Manual Tasks a thing. I will update this PR to handle the email updates and remove the other elements.

The PR chain starts here The first couple are marked ready for review :)

[JadeCara]

This PR now only does the messaging portion - The consent tasks are being handled in other PRs

[JadeCara]

@greptile please review

[greptile-apps]

_{No files reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}

[JadeCara]

TODO: Need to fix the privacy center save button.

• this may need to be done in release candidate will test there and fix there or fix in main.