consent log

How does the logging and demonstration of user consents work?

Consent logging has been a major topic of conversation since the passing of GDPR and CCPA. Consent logging is the collection of records of how users of a website opt in to or out of the website collecting their personal data. The Article 29 Data Protection Working Party released its updated 'Guidelines on consent under Regulation 2016/679' on 10 April 2018 (//ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051). In point '5.1. Demonstrate consent' they state the following:

"Controllers are free to develop methods to comply with this provision in a way that is fitting in their daily operations. At the same time, the duty to demonstrate that valid consent has been obtained by a controller, should not in itself lead to excessive amounts of additional data processing. This means that controllers should have enough data to show a link to the processing (to show consent was obtained) but they shouldn't be collecting any more information than necessary.
It is up to the controller to prove that valid consent was obtained from the data subject. The GDPR does not prescribe exactly how this must be done. However, the controller must be able to prove that a data subject in a given case has consented. As long as a data processing activity in question lasts, the obligation to demonstrate consent exists. After the processing activity ends, proof of consent should be kept no longer than strictly necessary for compliance with a legal obligation or for the establishment, exercise or defence of legal claims, in accordance with Article 17(3)(b) and (e).
For instance, the controller may keep a record of consent statements received, so he can show how consent was obtained, when consent was obtained and the information provided to the data subject at the time shall be demonstrable. The controller shall also be able to show that the data subject was informed and the controller's workflow met all relevant criteria for a valid consent. The rationale behind this obligation in the GDPR is that controllers must be accountable with regard to obtaining valid consent from data subjects and the consent mechanisms they have put in place. For example, in an online context, a controller could retain information on the session in which consent was expressed, together with documentation of the consent workflow at the time of the session, and a copy of the information that was presented to the data subject at that time. It would not be sufficient to merely refer to a correct configuration of the respective website."

Logging user consent

When the consent log feature is enabled, HelloConsent logs records of consent and consent preferences from site visitors, along with the information needed to look up user choices in case you have to demonstrate consent to authorities.

What information does HelloConsent collect and log about the user consents?

When a website visitor (user) submits a consent from your website(s), HelloConsent will store the following information:

  • The user's IP address in anonymized form (by removing the last 16 bits of IPv4 addresses and the last 96 bits of IPv6 addresses).
  • The date and time of consent.
  • The user's country (from where the consent was submitted).
  • The user agent of the user's browser.
  • The user's consent state, serving as proof of consent.
  • The URL from which the consent was submitted.
  • A token: an anonymous, random and encrypted key value.
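
The sketch below shows how a record with these fields could be assembled so that the full IP address never reaches the log. It is an added example, not HelloConsent's own code. Assumptions: "removing" bits is implemented as zeroing them, IPv4-mapped IPv6 addresses are treated as IPv4, the country is supplied by the caller, the field names are hypothetical, and a random value stands in for the token (its encryption is not shown).

```python
import ipaddress
import secrets
from datetime import datetime, timezone


def anonymize_ip(raw: str) -> str:
    """Zero the last 16 bits of an IPv4 or the last 96 bits of an IPv6 address."""
    addr = ipaddress.ip_address(raw.strip())
    # Assumption: IPv4-mapped IPv6 (::ffff:a.b.c.d) is handled as IPv4, so the
    # IPv4 rule applies instead of collapsing the whole address to "::".
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    drop = 16 if addr.version == 4 else 96
    return str(type(addr)((int(addr) >> drop) << drop))


def build_consent_record(raw_ip, country, user_agent, consent_state, url, now=None):
    """Return a log entry with the fields listed above; the raw IP is never stored."""
    try:
        ip = anonymize_ip(raw_ip)
    except (ValueError, AttributeError):
        ip = None  # malformed or missing input: do not fall back to the raw string
    return {
        "ip_anonymized": ip,
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "country": country,
        "user_agent": user_agent,
        "consent_state": consent_state,
        "url": url,
        # Assumption: a random 256-bit value stands in for the token
        "token": secrets.token_urlsafe(32),
    }


if __name__ == "__main__":
    # Constructed sample input (documentation address range, example.com URL)
    record = build_consent_record(
        "203.0.113.57", "DK", "Mozilla/5.0 (constructed sample)",
        {"necessary": True, "statistics": False, "marketing": False},
        "https://www.example.com/pricing",
    )
    print(record)
```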
