There is a difference between Proof of Consent and Records of Consent. Although getting consent before processing personal information is sometimes required under specific privacy laws, there is no legal obligation within the GDPR to keep active records of each website visitor’s consent. If the need arises, you must be able to provide proof that shows a particular process did occur in obtaining consent.
Recital 42 GDPR states:
“Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.”
According to the EU Data Protection Authorities, the controllers are free to develop methods to comply with this provision in a way that is fitting in their daily operations. At the same time, the duty to demonstrate that a controller has obtained valid consent, should not in itself lead to excessive amounts of additional data processing. This principle of data minimization (GDPR article 5) means that controllers should have just enough data to show a link to the processing (to show consent was obtained). They shouldn’t be collecting any more information than is really necessary. The controller shall be able to show that the data subject was informed and that the controller ́s workflow met all relevant criteria for valid consent. The rationale behind this obligation in the GDPR is that controllers must be accountable concerning obtaining proper authorization from data subjects and the consent mechanisms they have put in place. In 2020 the EU Data Protection Authorities have reaffirmed this position in the updated guidelines on consent. Also, the latest September 2020 draft of the EU e-Privacy Regulation states that:
“2a. As far as the controller is not able to identify a data subject, the technical protocol showing that consent was given from the terminal equipment shall be sufficient to demonstrate the consent of the end-user according Article 8 (1) (b).”
When respecting the data minimization guideline, a website can use the technical protocol of the Complianz-plugin to offer the following three combined options as proof of consent:
- Complianz also records all the Consent management settings that are relevant to the time of consent. e.g., a cookie notice and other settings.
- The website should be blocking non-functional cookies and scripts before consent.
Apart from the GDPR principle of data minimization, there are also some other reasons why keeping actual records of consent in your database might be not such a good idea. For instance: If this enables you to identify persons through their IP addresses or other identifiers, your database is becoming an attractive target for hackers.