A record of consent is documented proof that a specific person gave valid, informed consent to data processing. GDPR requires you to produce this proof on demand, not just collect consent in the first place.
Below: why the law makes this a burden-of-proof problem, what a valid record must contain, and the mistakes that make a record worthless.
Why a Record of Consent Matters (the GDPR Burden of Proof)
Under GDPR Article 7(1), the controller must be able to demonstrate that the data subject consented. Without a stored record, you cannot prove that, and unprovable consent is treated the same as no consent at all.
The text of Article 7(1) is direct: the controller "shall be able to demonstrate that the data subject has consented" to processing. This is not a suggestion. It is the legal standard a regulator applies during an investigation or a complaint.
Article 5(2) reinforces the same point from a different angle. It establishes the accountability principle: the controller must be "responsible for, and be able to demonstrate compliance with" the data protection principles. Recital 42 adds the informed-consent condition, requiring that the data subject knew the controller's identity and the processing purpose at the time they consented.
Article 7(3) then adds a companion duty on the withdrawal side. It states that "it shall be as easy to withdraw as to give consent". Withdrawal does not undo processing that was already lawful before it. So your record must capture the withdrawal event too, not just the original opt-in.
Practitioners describe the practical effect bluntly. The obligation comes down to logging every consent opt-in and opt-out with a timestamp. That is the burden of proof in plain language: a timestamped log, not a memory or a policy statement.
This obligation sits inside your broader consent management responsibilities. Consent management covers how you collect, store, and honor choices. The record of consent is the specific artifact that proves the "store" part happened correctly.
CCPA works differently here. It does not require an affirmative consent record for most processing; it requires an opt-out mechanism and proof that you honored opt-out requests. GDPR's opt-in model is what makes the record of consent a distinct, higher-stakes artifact in the EU.
What a Valid Record of Consent Must Contain
A valid record answers five questions: who consented, when, what they were told, how they consented, and whether they later withdrew. The UK Information Commissioner's Office (ICO) sets out this exact framework, and it is the closest thing to a regulatory checklist for this page.
| Element | What it must show |
|---|---|
| Who consented | The individual's name or another identifier, such as a username or session ID |
| When they consented | A dated document or a timestamped online record; for oral consent, a note of the date and time |
| What they were told | The exact consent statement and policy version shown at that time, with version numbers and dates |
| How they consented | A copy of the form or data-capture record; for online consent, the submitted data plus a timestamp |
| Whether they withdrew | A record of the withdrawal, and when it happened |
Every element must be specific and granular. A record that only says "user agreed" cannot show which purposes the person actually consented to.
GDPR's own consent standard shapes what "valid" means here too. Consent must be freely given, specific, informed, unambiguous, and verifiable. A record that cannot show all five conditions were met does not protect you, even if a checkbox exists somewhere in your database.
Practitioners flag the practical proof problem from the other direction. You must be able to show the consent given was valid, including screenshots of past banner versions. That maps directly to the "what they were told" element: you need the banner as it looked on that date, not today's version.
Record of Consent vs Consent Log vs Audit Trail
A consent log is the running store of every individual consent event. A record of consent is the proof for one of those events. An audit trail is the full, tamper-evident history you show a regulator.
The three terms describe the same underlying data at different scales. Your consent logs and analytics system captures each visitor's choice as it happens. Pull a single entry out of that log and you have one record of consent. Export the whole history with its timestamps intact and you have an audit trail.
One more term gets confused with this, and it trips up even published guides. A record of consent is not the same as your Article 30 records of processing activities. Article 30 is a separate, broader register of your processing operations, covering purposes, data categories, and recipients. It is a different obligation from proving that one person consented.
Vendors and regulators use these terms loosely, so confirm scope before assuming what a source means by the word record.
How a Record of Consent Is Created and Stored
A record of consent is created the moment a visitor makes an affirmative choice on your banner. It is stored as a timestamped entry tied to that choice. The lifecycle runs in four steps, listed below.
- The banner presents a specific, granular consent choice, matching your opt-in vs opt-out consent model for that visitor's region.
- The visitor takes an affirmative action: accept, reject, or a granular per-category choice.
- The consent management platform (CMP) writes a timestamped log entry containing the visitor's identifier, their choice, and the policy or banner version shown.
- The entry is retained as part of the audit trail and stays exportable if a regulator or client asks for proof.
Practitioners describe step 3 in exactly these terms. A cookie or session identifier saves the accept, reject, or withdrawal event with a timestamp. That identifier is what links a specific record back to a specific visit.
If you also pass consent signals to Google tags, this same event needs to translate into Google Consent Mode states. That keeps your analytics and ads platforms aligned with the choice the record just captured.
How Long You Must Keep Records of Consent
Keep a record of consent for as long as you rely on that consent to process data. Review it periodically rather than treating it as permanent. GDPR sets no fixed expiry date for consent itself, but the ICO recommends refreshing consent about every two years as a default practice.
The ICO's own guidance states it plainly: keep this evidence for as long as you are still processing based on the consent. That way you can demonstrate compliance with your accountability obligations. There is no statutory countdown clock; the obligation is tied to your processing activity, not a calendar date.
Refreshing and retaining are two different questions. The ICO's two-year figure is refresh guidance, meaning how often you re-ask for consent to keep it current. Separately, common practice is to retain the record itself for roughly three to five years after you last relied on it. That range reasons from typical civil statutes of limitations for related claims, and some data protection authorities anchor specific figures to it. France's CNIL, for instance, recommends keeping marketing consent data for about three years after the last contact. Treat these numbers as jurisdiction-specific practice, not a single GDPR requirement.
A tension shows up at data-erasure requests, often called the record of records problem. A controller can purge everything about a data subject but keep the consent event itself, given or retracted.
The ICO's own guidance supports this. You may retain a withdrawal or refusal record under a separate lawful basis, such as legal obligation or legitimate interest. This holds even after erasing the rest of that person's data.
Record of Consent vs Consent to Record a Call (a Common Mix-Up)
"Record of consent" in privacy law means the stored proof that someone consented to data processing, not consent to record a phone call or conversation. Those two ideas share a name but sit in different areas of law.
Call and conversation recording is governed by one-party or two-party consent rules that vary by US state and country. That is a separate body of wiretapping and eavesdropping law, with no connection to GDPR or data privacy. If you searched "record of consent" looking for phone-recording rules, this page will not help; the data-privacy meaning is the focus here.
A third meaning appears in medical and academic research. There, a record of consent is the signed, documented informed-consent form an ethics board or federal regulation requires before a study enrolls a subject. That is documentation of research consent, again distinct from the GDPR proof-of-consent artifact this page covers.
Common Mistakes That Make a Record of Consent Worthless
A record of consent fails to protect you when it cannot answer the ICO's five questions on demand. The most common failures are structural, not exotic.
- A spreadsheet that just says "consent: yes." The ICO cites this exact example as invalid. A name with "consent provided" next to it proves nothing about what the person agreed to or when.
- Relying on pre-ticked boxes or silence. Neither is valid consent under GDPR. A record built on top of them is a record of invalid consent, not proof of anything.
- Not storing which policy or banner version was shown. Without a version number and date, you cannot prove what the person actually saw.
- No timestamp or identifier at all. A record without a "when" and a "who" cannot be tied to a specific individual or moment.
- Treating one blanket opt-in as consent for every purpose. Consent must be specific; a single "I agree" cannot cover unrelated processing purposes added later.
Each of these mistakes breaks one of the five required elements. Fix the element, and the record becomes usable again.
How Consently Records and Stores Consent
Consently's consent logs automatically capture and store each visitor's consent as a timestamped, audit-ready record you can export on demand.
When a visitor interacts with your banner, Consently writes that choice to the consent log with a timestamp and a status. Statuses include accepted, rejected, or a specific category preference. You do not configure this separately; it runs as part of the standard banner setup.
Two features do the heavy lifting here. Consent logs give you an audit-ready record of every visitor's choice. Consent log export plus consent analytics let you download that proof for an audit and track consent trends over time. Both are included on every Consently plan, so you are not paying extra for an exportable record when a regulator or client asks for one.
Try Consently free to see your consent logs populate from the first banner interaction.
FAQs
What is a record of consent under GDPR?
A record of consent is documented proof that a specific person gave valid consent to data processing. GDPR Article 7(1) requires you to be able to demonstrate this on demand.
Is a record of consent a legal requirement?
Yes. Article 7(1) makes the ability to demonstrate consent mandatory, and a stored record is the practical way almost every controller satisfies that requirement. Some data protection authorities go further and expect explicit, retrievable records during an audit.
What counts as valid proof of consent?
Valid proof shows who consented, when, what they were told, and how they consented. Pre-ticked boxes and silence never count, no matter how the rest of the record looks.
Do you need to keep a record of a user's refusal?
You may keep a suppression or withdrawal record under a separate lawful basis, such as legal obligation or legitimate interest. Note this retention in your internal records so it stays justified and documented.
How long should consent records be kept?
Keep the record for as long as you rely on that consent to process data. The ICO recommends refreshing consent about every two years, though some practitioners retain the underlying record longer for legal-defense purposes.
What are the main types of consent under GDPR?
GDPR recognizes two consent standards: regular consent and explicit consent. Explicit consent is the higher bar, required for special-category data such as health or biometric information. Consent is also described by how it is collected, as opt-in rather than pre-ticked or implied consent, which GDPR does not accept.
Is withdrawing consent supposed to be as easy as giving it?
Yes. Article 7(3) states it must be as easy to withdraw consent as to give it. Your record should log the withdrawal event with its timestamp, since withdrawal does not undo processing that was already lawful before it happened.
Can you keep a consent record after a data-erasure request?
Yes. You can retain the "record of records," proof that consent was given or withdrawn, under a separate lawful basis. This holds even after erasing the rest of that person's data.

