Getting consent for cookies or data processing isn't enough by itself: you need a reliable way to prove you have the consent. A consent log is the best way to do this. Here's what you need to know and do.
- 1. What is a Consent Log and What Does it Do?
- 2. Why Would I Need a Consent Log?
- 2.1. General Data Protection Regulation (GDPR)
- 2.2. ePrivacy Directive
- 2.3. Other Privacy Laws
- 3. Why Else Would I Need a Consent Log?
- 4. What Should Be In A Consent Log?
- 5. What Format Should a Consent Log Be In?
- 6. Do Privacy Laws Cover a Consent Log?
- 7. How Long Should I Keep Consent Logs?
- 8. How To Choose A Consent Log Tool
- 9. Summary
What is a Consent Log and What Does it Do?
A consent log is a record of individuals giving consent for you to take an action that affects them. It's most commonly used in the context of a business or organization getting consent to issue a cookie or to process somebody's personal data.
The consent log proves two key things: you have the consent of a particular person in a particular situation, and you are making genuine efforts to get consent in all cases.
Why Would I Need a Consent Log?

Many laws which cover cookies or personal information not only say you must get consent in particular circumstances, but that you must be able to prove this consent. Keeping a consent log is the best, and often only, way to comply with these legal requirements. Here are a few examples.
General Data Protection Regulation (GDPR)
This law, which covers businesses, users and processing in the European Union, says you can only process personal data when a lawful basis applies. In many situations where a business processes somebody's data, consent will either be the most appropriate or the only applicable lawful basis.
Article 7 of the GDPR says that "Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data." A consent log lets you do this.
ePrivacy Directive
This European rule is formally known as Directive 2002/58/EC or "Directive on privacy and electronic communications." The rule is enforced through individual national laws in each EU country.
The directive says you can only issue cookies (other than those classed as "strictly necessary") if you have the user's consent. Later rulings by courts and regulators have clarified this must be active consent, so you can't use an opt-out system where you assume consent unless somebody says otherwise. Similarly, you can't assume that an action (such as browsing a website) implies consent: the user must actively give consent.
The directive does not explicitly say you need a consent log, but it is a practical necessity. Users have the right to withdraw their consent later on, meaning you'll need a record of the original consent that you can update if somebody withdraws consent.
Other Privacy Laws
Other laws which require consent to process personal data in some circumstances include:
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- Australia's Privacy Act
- LGPD (Brazil)
In each case, having a consent log is a practical necessity, both to prove compliance with the law and to make it possible to respond to a user withdrawing consent later on.
Why Else Would I Need a Consent Log?
As well as meeting direct legal requirements, having a consent log brings several other benefits:
- It means you are ready if a data regulator or similar official body audits your data practices.
- It helps you track how successful different forms of presentation or wording are for persuading users to consent to cookies or data processing, for example when running A/B testing. (Remember that you must never use wording or presentation that misleads people or means their consent is no longer based on a meaningful choice.)
- Some third-party tech companies such as for online advertising or newsletter distribution may require you to keep a consent log.
- If you sell or merge your company, the new owners may want to see proof that you have the necessary consent for data processing.
What Should Be In A Consent Log?

A consent log should cover any information you need to show who has consented to what. With consent for cookies, the key information includes:
- The date and time they gave consent.
- Their IP address.
- The categories of cookies to which they consented.
- The method of consent they used (such as online form, signed document, oral statement and so on.)
To avoid confusion, it's also sensible to record when somebody consents to some categories of cookies but rejects others, or when somebody rejects all categories (except for 'strictly necessary' cookies.)
The Moove Agency has a WordPress plugin that generates consent logs such as the one shown below, including different categories:

With consent for data processing, the key information is similar but instead of categories of cookies you should cover the types of information the consent covers and the purposes (reasons) of processing for which the person consented. That's because some privacy laws, including the GDPR, require separate consent for each purpose for which you process data. For example, somebody consenting to you using their data to send them a newsletter does not count as consent to you selling their data to an advertiser.
With both cookies and data processing, if you collect consent online, you should record the URL of the page at which you gathered the consent. This will make it easier to show what information the person had available and that they made a meaningful, informed choice to consent. If you change this page over time, it's worth keeping a record of the changes. You can then cross-reference this with your consent log to show the actual information the user saw at the time they gave consent. If you used a paper form to gather consent, keep a copy with the consent log.
What Format Should a Consent Log Be In?

Privacy laws and regulations don't explicitly require a particular format so what really matters is that you can easily retrieve specific details of somebody having given consent.
With consent you collect online, the most common format for a consent log is a spreadsheet document such as a CSV file, or a database file. If you have a lot of consent records, you can archive older records in a ZIP or similar format to save space, as long as you can easily retrieve the data.
Note that although the cookie you issue will usually include the fact somebody consented (meaning you don't have to get fresh consent every time they visit your site), the cookies themselves can't make up the consent log. That's because you need to keep the record of the consent unaltered and readily available, which won't happen if somebody deletes the cookie or takes their computer offline.
With consent to data processing, you may gather consent in a different way such as a paper form. In this case you may need to keep the forms and have them act as a consent log, particularly if the consent is shown by a written signature.
Grasmere Primary School uses paper consent forms. These could form part of a paper consent log, though the wording also allows for the form to be digitized:

Do Privacy Laws Cover a Consent Log?

Yes, technically a consent log can count as personal data itself if it contains any information about an identified or identifiable individual. This means you'll need to handle the consent log in the same way as other documents with personal data. As a result, you should:
- Keep the consent log secure from unauthorized access, alteration or deletion.
- Anonymize or pseudonymize data where possible without affecting the usefulness of the data. (We'll discuss this more in the 'How To Choose A Consent Log Tool' section.)
- Delete log entries when they are no longer needed. (See below for possible timescales.)
This consent log, a sample from Amasty, contains personal information including real names. This means the log itself is personal data under laws such as GDPR so must be kept secure, with controlled access:

How Long Should I Keep Consent Logs?

At the absolute minimum, you must keep consent logs for as long as you rely on consent.
Where the consent is for personal data, this means as long as you are still using the data for the original purpose for which the person gave consent. (Remember you need fresh consent to use the data for other purposes.)
If and when somebody withdraws consent, you should keep a record of this withdrawal for as long as your staff may try to use the data and need to know the consent is no longer valid. Don't delete a consent log (or delete the relevant entries) until you have deleted the personal data covered by the consent.
Where the consent is for a cookie, you should keep the consent log as long as the cookie is still valid. Most cookies let you define a duration, which is the period until it expires, and you will need to reissue it (with the user's consent) to have it work again.
Setting the duration is a balance between convenience (people get annoyed at being repeatedly asked to accept cookies) and the principle of consent (the longer it is since somebody consented, the less meaningful that consent is.) As a very rough guideline, a suitable duration is usually a period of months rather than days or years.
How To Choose A Consent Log Tool

In principle you can build your own consent log, capturing the relevant data and storing it in the required format. In practice, this can be a technically complex task, particularly when collecting consent signals from an online form or cookie banner.
For this reason, many businesses choose to use software tools marked with names such as a "consent management platform". These can generate forms or cookie banners with appropriate wording and options to use on your website. Most of these tools can also create a consent log automatically. Some key consent log features to look for when choosing such a tool include:
Anonymization or Pseudonymization of the data you gather. For example, tools may partially anonymize the IP address they collect by replacing the last digit with a zero or completely removing the last few digits. This can be a good balance between having reliable enough detail to show a particular person gave consent, but not having enough detail to risk somebody's privacy if, for example, the consent log was accessed without authorization.
Consent keys. This is an alternative pseudonymization method for cookie consent. It involves creating a unique key which is part of the cookie you issue. You then use this key in your log rather than identifying information such as an IP address.
Individual proof of consent. This means it's straightforward to take a complete consent log and extract a specific record of a particular user having given consent. You can then use this record without having to share the full log.
WPeka has a WordPress plugin for a consent log that can generate individual records:

A clear record of the specific message or banner a particular user gave when giving consent.
Easy filtering, for example letting you immediately see which users gave consent for a particular purpose of processing or category of cookie.
A guarantee that the consent logs are valid to follow specific laws or rules (such as the rules of Google Consent Mode for sharing customer data with Google.)
User access, meaning people can check the consent log to see the record you have of their consent. Such a feature must be carefully controlled so only the legitimate user can see the relevant record, and they cannot see any other record.
Summary
A consent log is a record of people consenting to you doing something, usually issuing a cookie or collecting personal data. It's a key way of complying with laws that say you must be able to prove you got consent, and for people to be able to withdraw consent later on.
Most consent logs come from an automated tool. They should store relevant information such as the date and time they consented, and exactly what they consented to (for example a category of cookies or a purpose of data processing). They should also make it possible to confirm what information they saw when giving consent, proving it was an informed decision.





