How to Record Consent Under GDPR
If you’re relying on a person’s consent to process their personal data, the GDPR states that you must be able to demonstrate that you’ve obtained their consent.
Good consent recording practices mean you can prove that you have a person’s consent. This is a core GDPR accountability requirement—and might be helpful if the person makes a complaint or a regulator audits your company.
This article will explain what consent information you need to record, whether you need to record when a person has withdrawn or refused consent, and look at some GDPR enforcement decisions involving consent recording.
Do we need to record consent?
The GDPR states that you must be able to demonstrate when a person has given consent, at Article 7(1):
“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”
And Recital 42 of the GDPR states:
“Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.”
If you’re responsible for requesting consent, you must record when someone has provided consent so that you can demonstrate this if required.
What consent information do we need to record?
When recording consent, the information you need to record depends partly on the context in which you requested consent.
The UK’s data regulator, the Information Commissioner’s Office or ICO, recommends that you keep a record of:
- Who consented.
- When the person consented.
- How the person provided consent.
- What the person was told when they consented.
- Whether they have withdrawn consent, and if so, when they did so.
Let’s look at each of these points in a little more detail.
Recording who consented
Your consent records should identify each individual that has provided consent.
This does not mean that you need to record each person’s name—you should use a pseudonym, username, session ID, or some other identifier if appropriate.
Remember that this identifier is, by definition, “personal data” under the GDPR — you are using the information to identify an individual. Therefore, you must comply with the GDPR’s rules and principles when storing, using, and otherwise processing it.
For example, instead of storing a person’s full IP address, consider whether you can obfuscate (disguise) or hash the identifier to make it harder for the person to be directly identified.
Recording when a person consented
You should record the date and, if relevant, the time that a person provided consent. This could be a timestamp or a copy of a dated document if you obtained consent in writing.
Recording how a person consented and what they consented to
Again, recording how a person consented is context-dependent, but you should be able to refer back to the consent mechanism you used to obtain their consent. This should include a record of the information the person received when you obtained their consent.
In the case of recording cookie consent, this means storing the consent record along with a record of the cookie banner that was in place at the time they consented.
Recording whether a person has withdrawn consent
If a person initially consents and then later withdraws consent, you should keep a record of this together with the time and date on which the person withdrew consent.
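The four recording points above (who, when, how and what, plus withdrawal) can be captured in one record structure. The following is an added example, not code from the original article: the field names, the mechanism label and the key value are assumptions. It stores a keyed hash of the identifier rather than a plain hash, because a plain hash of an IP address can be reversed by enumerating the address space, and it stores a digest that ties the record to an archived copy of the banner text.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Assumption: placeholder key; a real key lives outside the consent store.
PSEUDONYM_KEY = b"constructed-demo-key"


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash of an IP/session ID. The result is still personal data."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def notice_digest(notice_text: str) -> str:
    return hashlib.sha256(notice_text.encode()).hexdigest()


@dataclass
class ConsentRecord:
    subject: str            # who: pseudonymised identifier
    given_at: datetime      # when: UTC timestamp
    mechanism: str          # how: e.g. which banner control was used
    notice_sha256: str      # what they were told: digest of archived banner text
    purposes: tuple
    withdrawn_at: Optional[datetime] = None

    def is_active(self, at: datetime) -> bool:
        """True if consent had been given and not yet withdrawn at time `at`."""
        if at < self.given_at:
            return False
        return self.withdrawn_at is None or at < self.withdrawn_at


def record_consent(identifier, mechanism, notice_text, purposes, now=None):
    now = now or datetime.now(timezone.utc)
    return ConsentRecord(pseudonymise(identifier), now, mechanism,
                         notice_digest(notice_text), tuple(purposes))


def withdraw(record: ConsentRecord, now=None) -> ConsentRecord:
    # Keep the original consent fields; only the first withdrawal time is stored.
    if record.withdrawn_at is None:
        record.withdrawn_at = now or datetime.now(timezone.utc)
    return record


def matches_notice(record: ConsentRecord, archived_text: str) -> bool:
    """Check that an archived banner text is the one shown at consent time."""
    return hmac.compare_digest(record.notice_sha256, notice_digest(archived_text))
```

The digest only proves which banner was shown if the banner text itself is archived alongside the records.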
Do we need to record when a person has refused consent?
The GDPR does not require you to record when a person has refused consent, but sometimes you might need to do so. For example, you may want to avoid repeatedly asking for a person’s consent once they have refused.
When it comes to recording that a person has rejected cookie consent, the law is not entirely clear regarding the best solution.
If a person rejects cookies, it’s reasonable to assume their preference will not change for some time—at least not within the same session. If the person rejects cookies on your website’s homepage, they probably won’t want to see another consent request when visiting another page.
To prevent this, one option might be to set a consent preference cookie on the person’s device that indicates the person’s consent preference. This could be an acceptable solution if the cookie is:
- Only used to signal the person’s cookie consent preference.
- Not shared with any third parties.
- Limited in duration (possibly just for one session).
Arguably, a consent preference cookie such as this does not require consent as it is “strictly necessary” for providing a service requested by the user (dismissing the cookie banner). The UK’s data regulator suggests that this might be an acceptable solution.
However, proceed with caution — the rules on cookies vary between European countries.
GDPR Decisions Involving Consent Recording
We’ll now look at three GDPR enforcement decisions about consent recording.
Consent preference cookies can be personal data
In 2022, the Belgian regulator made an important decision about Interactive Advertising Bureau (IAB) Europe. The regulator decided that IAB Europe was a “data controller” under the GDPR because of how the organisation handled cookie consent preferences.
IAB Europe manages a cookie compliance system called the Transparency and Consent Framework (TCF) 2.0. Along with providing guidance for companies operating under the TCF 2.0, IAB Europe manages the “TC String” — a code that signals consent preferences across websites.
IAB Europe claimed it was not subject to the GDPR because it was not processing personal data. However, the Belgian regulator found that the TC String itself was personal data.
The implication is that any identifier used to record individuals’ consent preferences should be treated as personal data — and this requires compliance with all the GDPR’s principles (such as purpose specification, storage limitation, and security).
You can’t record ‘consent’ given via a pre-ticked box
The Belgian regulator fined Roularta Media Group €50,000, partly for failing to keep a record of consent. The root of the problem here was that Roularta Media Group was not requesting consent in a GDPR-compliant way.
The company used a pre-ticked box in its cookie banner—and assumed people consented to cookies if they had not unticked the box. Using a pre-ticked box is a “dark pattern” that violates the GDPR’s requirement that consent is unambiguous.
There is an important lesson here: You must obtain consent via a “statement or a clear affirmative action”. Otherwise, you won’t know who has consented, and you could violate the GDPR’s requirement to demonstrate consent.
You might struggle to demonstrate ‘third-party consent’
A company called Leads Work received a fine of approximately €291,000 from the UK regulator in 2021, partly because it could not demonstrate that people had consented to receive direct marketing messages via SMS.
Leads Work had obtained third-party personal data about people who had supposedly consented to receive marketing communications from Leads Work. However, this alleged consent had been obtained by a third party.
In part because of a lack of due diligence, Leads Work was unable to demonstrate that the individuals had consented to receive marketing messages. There was no record that the recipients had specifically consented to Leads Work’s marketing.
GDPR Consent Recording
We’ve looked at how and when to record a person’s consent preferences. Remember that to demonstrate consent under the GDPR, you should record:
- Who consented.
- When they consented.
- How they consented.
- What information they were given.
You should also make a record of when a person withdraws consent.
Remember that the record of a person’s consent preferences is personal data under the GDPR—all the law’s rules and principles apply.