Managing and Maintaining Consent Records for Regulatory Compliance
Author: Jerisaliant
The Legal Requirement for Consent Records
Under GDPR Article 7(1), the data controller must be able to demonstrate that the data subject has consented to the processing of their personal data. This is not a suggestion; it is a legal obligation. If a Data Protection Authority (DPA) asks you to prove a specific user consented to analytics cookies on a specific date, you must be able to produce that evidence.
The DLA Piper GDPR Fines Survey reported that regulators processed an average of 363 breach notifications per day in 2024. Each notification can trigger scrutiny of your consent practices, making robust record-keeping a front-line defense.
What a Valid Consent Record Must Contain
A compliant consent record should include at minimum:
- Who: An identifier for the data subject (anonymized or pseudonymized visitor ID, or authenticated user ID).
- What: The specific processing operations or cookie categories consented to.
- When: A precise timestamp of the consent action (ISO 8601 format).
- How: The method of consent collection (banner interaction, preference center, API).
- Which version: The version of the consent notice and privacy policy presented at the time.
- Context: The URL or page where consent was collected, the user's jurisdiction, and the device/browser.
Storage Architecture
Consent records should be stored in a dedicated, immutable data store. Key architectural considerations:
- Immutability: Once written, consent records should never be modified. Use append-only storage to maintain a complete audit trail.
- Searchability: Records must be quickly retrievable by visitor ID, date range, or consent type for audit requests.
- Scalability: High-traffic websites generate millions of consent events. Choose a storage solution that scales horizontally.
- Geographic compliance: Ensure consent records are stored in compliance with data residency requirements for each jurisdiction.
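The record fields and the storage properties above can be made concrete in a few dozen lines. The following is an added example, not Jerisaliant's code: a record type carrying the who / what / when / how / version / context fields, written to an in-memory append-only log in which every entry stores the hash of the entry before it, so that any later edit, removal or reordering of a record is detectable, plus a search over visitor ID, ISO 8601 date range and consent category. The visitor IDs, URLs and timestamps are constructed sample data.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime


@dataclass(frozen=True)
class ConsentRecord:
    """One consent event with the who / what / when / how / version / context fields."""
    subject_id: str              # who: pseudonymous visitor ID or authenticated user ID
    purposes: tuple[str, ...]    # what: cookie categories or processing operations accepted
    collected_at: str            # when: ISO 8601 timestamp with UTC offset
    method: str                  # how: "banner", "preference_center" or "api"
    notice_version: str          # which version of the notice / policy was shown
    page_url: str                # context: where consent was collected
    jurisdiction: str            # context: user's jurisdiction
    user_agent: str              # context: device / browser


GENESIS_HASH = "0" * 64


class AppendOnlyConsentLog:
    """Append-only log with hash chaining. Each entry stores the hash of the previous
    entry, so editing, deleting or reordering an earlier record breaks verification.
    In-memory here; production would use an append-only table or WORM object storage."""

    def __init__(self) -> None:
        self._entries: list[dict] = []

    @staticmethod
    def _digest(prev_hash: str, record: ConsentRecord) -> str:
        payload = prev_hash + json.dumps(asdict(record), sort_keys=True)
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()

    def append(self, record: ConsentRecord) -> str:
        """Write one record and return its hash. There is deliberately no update or delete."""
        datetime.fromisoformat(record.collected_at)  # reject malformed timestamps at write time
        prev_hash = self._entries[-1]["hash"] if self._entries else GENESIS_HASH
        entry = {"record": record, "prev_hash": prev_hash,
                 "hash": self._digest(prev_hash, record)}
        self._entries.append(entry)
        return entry["hash"]

    def verify_chain(self) -> bool:
        """Recompute every hash from the genesis value; False on any tampering."""
        prev_hash = GENESIS_HASH
        for entry in self._entries:
            if entry["prev_hash"] != prev_hash:
                return False
            if self._digest(prev_hash, entry["record"]) != entry["hash"]:
                return False
            prev_hash = entry["hash"]
        return True

    def search(self, subject_id: str | None = None, since: str | None = None,
               until: str | None = None, purpose: str | None = None) -> list[ConsentRecord]:
        """Retrieve records by visitor ID, ISO 8601 date range and/or consent category."""
        lo = datetime.fromisoformat(since) if since else None
        hi = datetime.fromisoformat(until) if until else None
        hits = []
        for entry in self._entries:
            r = entry["record"]
            ts = datetime.fromisoformat(r.collected_at)
            if subject_id and r.subject_id != subject_id:
                continue
            if lo and ts < lo:
                continue
            if hi and ts > hi:
                continue
            if purpose and purpose not in r.purposes:
                continue
            hits.append(r)
        return hits

    def __len__(self) -> int:
        return len(self._entries)


def build_sample_log() -> AppendOnlyConsentLog:
    """Constructed sample data (not real visitors) for the demonstration."""
    log = AppendOnlyConsentLog()
    log.append(ConsentRecord("vis_7f3a", ("necessary", "analytics"), "2024-03-01T09:15:00+00:00",
                             "banner", "notice-v3", "https://example.com/", "DE", "Mozilla/5.0 (X11; Linux)"))
    log.append(ConsentRecord("vis_7f3a", ("necessary",), "2024-05-20T18:02:11+00:00",
                             "preference_center", "notice-v4", "https://example.com/privacy", "DE",
                             "Mozilla/5.0 (X11; Linux)"))
    log.append(ConsentRecord("usr_1042", ("necessary", "analytics", "marketing"), "2024-06-02T12:00:00+00:00",
                             "api", "notice-v4", "https://example.com/app", "FR", "Mozilla/5.0 (iPhone)"))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain valid:", log.verify_chain())
    for r in log.search(subject_id="vis_7f3a", purpose="analytics"):
        print(r.collected_at, r.purposes, r.notice_version)
```

One caveat the chain alone does not cover: truncating the log by dropping its newest entries leaves a valid chain. Periodically recording the latest hash somewhere outside the store (a signed checkpoint, or a write-once location) closes that gap and gives auditors a fixed point to verify against.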
Retention Periods
How long should you keep consent records? The GDPR does not specify an exact period, but best practices suggest:
- Retain records for at least as long as the processing they authorize continues.
- Keep records for an additional period matching the statute of limitations for GDPR enforcement actions (typically 3-5 years depending on the Member State).
- Implement automated cleanup to prevent indefinite data retention, which itself could violate data minimization principles.
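The three retention rules above combine into one purge decision per record: keep while the authorised processing continues, then keep for the jurisdiction's limitation period, then purge. Below is an added example of that decision (not Jerisaliant's code). The limitation periods it uses are placeholder values chosen from the 3-5 year range stated above, not the statutory period of any particular Member State, and the record IDs and dates are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Placeholder fallback within the 3-5 year range the text gives; not a real statutory period.
DEFAULT_LIMITATION_YEARS = 5


@dataclass(frozen=True)
class RetentionInput:
    """The fields of a consent record that the retention decision depends on."""
    record_id: str
    consent_at: datetime
    processing_ended_at: datetime | None   # None while the authorised processing continues
    jurisdiction: str


def _add_years(ts: datetime, years: int) -> datetime:
    """Add whole calendar years; 29 February in a non-leap target year becomes 28 February."""
    try:
        return ts.replace(year=ts.year + years)
    except ValueError:
        return ts.replace(year=ts.year + years, day=28)


def purge_after(item: RetentionInput, limitation_years: dict[str, int]) -> datetime | None:
    """Earliest moment the record may be purged, or None while processing continues.
    The clock starts when the processing the consent authorised ends (e.g. on withdrawal)."""
    if item.processing_ended_at is None:
        return None
    years = limitation_years.get(item.jurisdiction, DEFAULT_LIMITATION_YEARS)
    return _add_years(item.processing_ended_at, years)


def partition_for_cleanup(items: list[RetentionInput], limitation_years: dict[str, int],
                          now: datetime) -> tuple[list[str], list[str]]:
    """Split records into (keep, purge) by ID; intended to run on a schedule."""
    keep: list[str] = []
    purge: list[str] = []
    for item in items:
        deadline = purge_after(item, limitation_years)
        if deadline is not None and deadline <= now:
            purge.append(item.record_id)
        else:
            keep.append(item.record_id)
    return keep, purge


def sample_cleanup(now: datetime) -> tuple[list[str], list[str]]:
    """Constructed sample records and a placeholder per-jurisdiction table."""
    limitation_years = {"DE": 3}   # placeholder value for the example, not the real period
    items = [
        RetentionInput("rec-A", datetime(2022, 1, 10, tzinfo=timezone.utc), None, "DE"),
        RetentionInput("rec-B", datetime(2018, 4, 2, tzinfo=timezone.utc),
                       datetime(2019, 6, 1, tzinfo=timezone.utc), "DE"),
        RetentionInput("rec-C", datetime(2020, 8, 15, tzinfo=timezone.utc),
                       datetime(2021, 3, 1, tzinfo=timezone.utc), "FR"),
    ]
    return partition_for_cleanup(items, limitation_years, now)


if __name__ == "__main__":
    keep, purge = sample_cleanup(datetime(2025, 1, 15, tzinfo=timezone.utc))
    print("keep:", keep)
    print("purge:", purge)
```

Because the store is append-only, "purge" here means dropping the expired records' storage partition (or writing a tombstone that excludes them from reads) rather than editing the log in place; the cleanup job itself should write its own audit entry saying which IDs it removed and why, so that the removal is explainable later.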
Consent Versioning
When you update your cookie categories, add new third-party scripts, or modify your privacy policy, existing consent records may become stale. Implement a versioning system that:
- Assigns a version number to each consent configuration.
- Records which version was active when consent was collected.
- Triggers re-consent when the consent configuration changes materially.
- Maintains historical versions for audit reference.
Regular Auditing
Schedule quarterly audits of your consent records to verify:
- Records are being created for all consent interactions.
- No records have been corrupted or lost.
- Retention policies are being enforced.
- Records match the actual consent banner configuration at the recorded time.
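The versioning scheme above and the last audit check (records match the configuration that was live at the recorded time) share one ingredient: a history of every consent configuration with the instant each became effective. The added example below (not Jerisaliant's code) keeps that history, decides whether a change between two versions is material, tells whether a stored consent needs re-collecting, and audits a batch of records against the version that was live when each was collected. The "material change" rule it applies, that adding a category or third-party script or changing the policy text is material while removing one is not, is an assumption of the example; the version names, categories and script hosts are constructed.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class ConsentConfig:
    """One version of the consent configuration shown to users."""
    version: str
    effective_from: str                  # ISO 8601; live from here until the next version starts
    categories: frozenset[str]           # cookie categories offered
    third_party_scripts: frozenset[str]  # scripts loaded under those categories
    policy_text: str                     # privacy policy wording, compared by hash

    def policy_hash(self) -> str:
        return hashlib.sha256(self.policy_text.encode("utf-8")).hexdigest()


def is_material_change(old: ConsentConfig, new: ConsentConfig) -> bool:
    """Assumed rule: new categories, new scripts or changed policy text are material;
    dropping a category or script is not, since it only narrows what the consent covers."""
    return (bool(new.categories - old.categories)
            or bool(new.third_party_scripts - old.third_party_scripts)
            or new.policy_hash() != old.policy_hash())


class ConfigHistory:
    """Every configuration version ever deployed, kept for audit reference."""

    def __init__(self, configs: list[ConsentConfig]) -> None:
        self._configs = sorted(configs, key=lambda c: datetime.fromisoformat(c.effective_from))
        self._by_version = {c.version: c for c in self._configs}

    def current(self) -> ConsentConfig:
        return self._configs[-1]

    def get(self, version: str) -> ConsentConfig | None:
        return self._by_version.get(version)

    def active_at(self, when: str) -> ConsentConfig | None:
        """The version that was live at a given ISO 8601 instant, if any."""
        ts = datetime.fromisoformat(when)
        active = None
        for cfg in self._configs:
            if datetime.fromisoformat(cfg.effective_from) <= ts:
                active = cfg
            else:
                break
        return active


def needs_reconsent(recorded_version: str, history: ConfigHistory) -> bool:
    """True if consent was given under an unknown version or one the current config has
    materially departed from."""
    recorded = history.get(recorded_version)
    if recorded is None:
        return True
    return is_material_change(recorded, history.current())


def audit_versions(records: list[tuple[str, str, str]], history: ConfigHistory) -> list[str]:
    """records are (record_id, collected_at, notice_version). Returns one finding per record
    whose stored version is not the version that was live when it was collected."""
    findings = []
    for record_id, collected_at, version in records:
        live = history.active_at(collected_at)
        if live is None:
            findings.append(f"{record_id}: collected before any configuration was effective")
        elif live.version != version:
            findings.append(f"{record_id}: stores {version} but {live.version} was live at {collected_at}")
    return findings


def sample_history() -> ConfigHistory:
    """Constructed sample versions (not a real deployment)."""
    v3 = ConsentConfig("notice-v3", "2024-01-01T00:00:00+00:00",
                       frozenset({"necessary", "analytics"}), frozenset({"analytics.example"}), "policy text A")
    v4 = ConsentConfig("notice-v4", "2024-05-01T00:00:00+00:00",
                       frozenset({"necessary", "analytics", "marketing"}),
                       frozenset({"analytics.example", "ads.example"}), "policy text A")
    v5 = ConsentConfig("notice-v5", "2024-09-01T00:00:00+00:00",
                       frozenset({"necessary", "analytics"}), frozenset({"analytics.example"}), "policy text B")
    return ConfigHistory([v3, v4, v5])


if __name__ == "__main__":
    history = sample_history()
    print("re-consent for notice-v3 holders:", needs_reconsent("notice-v3", history))
    sample_records = [("r1", "2024-03-01T09:15:00+00:00", "notice-v3"),
                      ("r2", "2024-05-20T18:02:11+00:00", "notice-v3")]
    for finding in audit_versions(sample_records, history):
        print(finding)
```

Running the audit quarterly over the full log, together with the integrity and retention checks, covers all four items in the list above; a mismatch finding usually points at a deployment that switched banner configuration without bumping the version the banner writes into each record.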
Jerisaliant automatically generates and stores compliant consent records for every interaction, with built-in versioning, immutable storage, and one-click audit export.