There is a difference between Proof of Consent and Records of Consent. Although getting consent before processing personal information is sometimes required under certain privacy laws, there is no legal obligation within the GDPR to keep active records of each user’s consent. If the need arises you must simply be able to provide proof of consent that show a certain process did occur in obtaining consent.
Recital 42 GDPR states:
“Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.”
According to the EU Data Protection Authorities, the controllers are free to develop methods to comply with this provision in a way that is fitting in their daily operations. At the same time, the duty to demonstrate that valid consent has been obtained by a controller, should not in itself lead to excessive amounts of additional data processing. This principle of data minimization (GDPR article 5) means that controllers should have enough data to show a link to the processing (to show consent was obtained) but they shouldn’t be collecting any more information than necessary. It is up to the controller to prove that valid consent was obtained from the data subject. According to the EU Data Protection Authorities, the GDPR does not prescribe exactly how this must be done. The controller shall also be able to show that the data subject was informed and the controller ́s workflow met all relevant criteria for valid consent. The rationale behind this obligation in the GDPR is that controllers must be accountable concerning obtaining valid consent from data subjects and the consent mechanisms they have put in place.
With the registration and data minimization guideline combined, a website can offer the following 3 combined options:
- Consent management settings that are relevant to the time of consent. e.g., a cookie notice and other settings.
- The possibility of revoking settings is in full control of the user. On-page as well.