Consent Audit Logs: Why Proof of Consent Is Your Best Defence
The Regulator's First Question
When a data protection authority investigates a complaint about your website, one of the first things they ask is: "Can you demonstrate that you obtained valid consent from this individual?"
Having a cookie banner is not proof. The banner shows what you offered — not what the user chose. What you need is a consent audit log: a timestamped record of every consent decision, storing what was consented to, when, and by whom.
What Must a Consent Log Include?
Based on EDPB guidance and regulatory practice, a robust consent log should record:
- Timestamp — Exact date and time of the consent event
- User identifier — An anonymised or pseudonymised identifier (not necessarily the user's name)
- Consent choices — Which categories were accepted and which were rejected
- Banner version — The version of the consent text/interface shown at the time
- Method — How consent was given (click, GPC signal, explicit rejection)
- Withdrawal events — If the user later changed their preferences, this must also be logged
Why "We Have a Cookie Banner" Isn't Enough
Consider this scenario: a user visits your site, accepts analytics cookies, and three months later files a complaint claiming they never gave consent. Without an audit log, it's your word against theirs. The regulator has no way to verify your claim, and the burden of proof is on you (the data controller).
With a consent audit log, you can pull up the exact record: "User identified by hash XYZ consented to analytics and functional cookies on March 1, 2026 at 14:32 UTC, banner version 2.1."
This is the difference between a dismissed complaint and a five-figure fine.
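The field list and the lookup scenario above, as an added Python example that is not LegalBanner's code: each record carries the listed fields, and `consent_at` retrieves the decision that was in effect at a given moment. It goes beyond the page by hash-chaining entries so that later edits are detectable; the key, the class and function names, and the sample events are assumptions constructed for illustration.

```python
import hashlib, hmac, json
from datetime import datetime, timezone

KEY = b"constructed-demo-key"  # assumption: server-side secret stored outside the log
GENESIS = "0" * 64             # "prev" value of the first entry

def pseudonymise(visitor_id):  # keyed hash: the log never holds the raw identifier
    return hmac.new(KEY, visitor_id.encode(), hashlib.sha256).hexdigest()[:16]

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ConsentLog:
    def __init__(self):
        self.entries = []
    def record(self, visitor_id, when, accepted, rejected, banner_version, method, withdrawal=False):
        entry = {"timestamp": when.astimezone(timezone.utc).isoformat(),
                 "user": pseudonymise(visitor_id), "withdrawal": withdrawal,
                 "accepted": sorted(accepted), "rejected": sorted(rejected),
                 "banner_version": banner_version, "method": method,
                 "prev": self.entries[-1]["hash"] if self.entries else GENESIS}
        entry["hash"] = _digest(entry)  # computed before the "hash" key exists
        self.entries.append(entry)
        return entry

    def verify_chain(self):  # an edited, removed or reordered entry breaks the chain
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or e["hash"] != _digest(body):
                return False
            prev = e["hash"]
        return True

    def consent_at(self, visitor_id, when):
        # Latest decision for this visitor at or before `when` (timezone-aware); None if absent.
        user = pseudonymise(visitor_id)
        hits = [e for e in self.entries
                if e["user"] == user and datetime.fromisoformat(e["timestamp"]) <= when]
        return max(hits, key=lambda e: datetime.fromisoformat(e["timestamp"]), default=None)

def build_sample_log():
    # Constructed sample events mirroring the scenario above, plus a later withdrawal.
    log = ConsentLog()
    log.record("visitor-123", datetime(2026, 3, 1, 14, 32, tzinfo=timezone.utc),
               ["analytics", "functional"], ["marketing"], "2.1", "click")
    log.record("visitor-123", datetime(2026, 4, 10, 9, 0, tzinfo=timezone.utc),
               ["functional"], ["analytics", "marketing"], "2.1", "click", withdrawal=True)
    return log
```

The withdrawal is appended as a new entry rather than overwriting the original, so the log can still answer what was in effect on any earlier date.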
How Long Should You Keep Consent Records?
There is no explicit retention period defined in GDPR for consent records. Best practice is to keep them for as long as the consent is active, plus the statute of limitations for regulatory action (typically 3–5 years depending on jurisdiction).
LegalBanner retains consent records according to configurable retention policies, with automatic archival and cleanup.
LegalBanner's Consent Audit Log
Every consent decision recorded by LegalBanner includes all required fields. The log is accessible from your dashboard, searchable by date range and consent status, and exportable as CSV for regulatory submissions.
For Pro plan users, the audit log integrates with the tag governance system, creating a complete chain of evidence: what scripts were approved, what consent was given, and what scripts actually executed.