Skip to content
Learn · Glossary

Consent record

A consent record is the stored proof that a specific person agreed to a specific data-processing purpose — capturing who consented, when, how, the exact wording they saw, and any later withdrawal. GDPR Article 7(1) makes it the controller's job to demonstrate consent, so without the record, the consent legally does not count.

Updated 8 Jul 20262 min readBy fromHello
Key takeaways
  • A consent record proves who consented, when, how, to what wording, and for which purpose — not just the state of a ticked box.
  • GDPR Article 7(1) puts the burden of proof on you: no demonstrable record means no valid consent.
  • Store consent as append-only history — each grant and withdrawal is a timestamped event, never overwritten.

When someone opts in — ticks a box, confirms a double opt-in email, or submits a form — you capture a snapshot of that moment, not just a true/false flag. The record binds the person's identity to the exact purpose they agreed to, the wording they were shown, and the timestamp. If the purpose changes later, the old consent does not stretch to cover it: you collect fresh consent and log a new record.

  • Who: a stable identifier — user ID, email, or session ID — for the person who consented.
  • When: an exact timestamp, and for oral consent, a dated note.
  • How: the channel and mechanism — checkbox, confirmation link, signed form.
  • What they saw: a copy of the consent wording and any privacy notice shown at the time.
  • Purpose: the specific processing the consent covers — marketing email, analytics, profiling.
  • Withdrawal: if and when consent was revoked, logged the same way it was granted.
A consent record sits at the center — lawful basis, purpose, and withdrawal are the fields that give it legal weight.

Why does immutable history matter?

Consent is not a single boolean you overwrite. A person can grant it, withdraw it, and grant it again — and you may need to prove the state at any past date, for example the day you sent a given campaign. Store consent the way you would store an audit log: append-only, each grant and withdrawal a timestamped event. Overwriting the last value destroys the evidence GDPR expects you to keep.

Why it matters for a two-person team

Article 7(1) puts the burden of proof on you, whatever your headcount. If a subscriber complains or a regulator asks, a checkbox state proves nothing — you need the timestamped record. Building this in from the first signup is far cheaper than reconstructing it later, and it is one reason to keep consent data on infrastructure you control. See the deep guide on GDPR and self-hosting for how consent records, suppression, and residency fit together.

FAQ

Common questions

  • What is a consent record under GDPR?

    It is the documented evidence that a specific person gave valid consent to a specific purpose — capturing who, when, how, and what they were told. GDPR Article 7(1) requires the controller to be able to demonstrate this, so the record is what makes the consent legally usable.

  • Consent record vs audit log — what's the difference?

    A consent record is scoped to one thing: proof of a person's permission and its purpose. An audit log is a broader, tamper-evident trail of many system events. Consent records are often stored as audit-log-style append-only entries, but not every audit-log entry is about consent.

  • Do I need to store the exact wording someone was shown?

    The ICO advises keeping a copy of the consent statement and any privacy information presented at the time, so you can show what the person actually agreed to. If the wording changes materially, the old record still reflects what the earlier cohort saw.

  • How long should I keep a consent record?

    Regulators expect you to retain it for as long as you rely on that consent to process the data, so you can demonstrate the basis on request. There is no single fixed period; keep it while the processing continues and align retention with your wider policy.

See the platform the team runs.

Related guides
Early access

Put your growth teamon autopilot.

Early access opens gradually, so the team tunes to real use cases. Small teams with big ambitions go first.

500+ already on the list

Not ready to share an email? It's open source. Run it yourself today. View on GitHub

No spam. One email when your spot opens. Unsubscribe at any time.