Consent logs and privacy laws confuse me! How long should I actually keep records of user consent?
If your website tracks users, it’s a best practice to securely store consent logs for as long as you rely on that consent and then for an additional three to five years, in case of a privacy audits or consumer complaints.
This aligns with requirements outlined by privacy laws like the General Data Protection Regulation and the California Consumer Privacy Act.
Under these laws, it is your responsibility to ensure these consent logs are safely stored and cannot be easily altered or accessed.
What Are Consent Logs?
Consent logs are simply a record showing what an individual chose when they interacted with your cookie consent banner on your site.
It acts like a receipt or archive of their permissions, and includes records of if and when they might change their minds.
Typically, a consent log should include the following components:
- Who interacted with the banner, a user, device identifier, or anonymized ID.
- When they interacted with it, in the form of an exact date and timestamp.
- What they agreed to specifically, like ads, analytics, or other cookies.
- How they gave their consent, via the banner, a form, or other means.
- Context of what they saw as a message on the banner or form.
Why Do I Need to Keep Logs or Records of User Consent?
Websites that track users need to keep logs or records of user consent if data privacy laws apply because it helps you respond if a privacy audit or investigation occurs.
Privacy laws also give users the right to submit complaints if they believe their rights have been violated, and consent logs are imperative in helping websites respond to these as well.
Under these laws, the burden of proof is on the business or website.
What Privacy Laws Impact Records of User Consent?
In general, nearly all existing privacy laws impact consent logs, including:
- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
- Brazil’s General Data Privacy Law (LGPD)
- Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
- ePrivacy Directive (EU Cookie Law)
- China’s Personal Information Protection Law (PIPL)
- Australia’s Privacy Act 1988 (the Privacy Act)
While specific details vary, typically these laws require websites to obtain valid consent, explain to users what you’re doing with their data, respect their choice regarding that data, and keep proof or a log of their choice.
Rather than trying to memorize every specific legal nuance, simply follow this best practice: If your website tracks users, maintain consent logs.
How Can I Create Consent Logs or Records of Consent?
To easily create consent logs or keep records of user consent, try using a consent management solution like Termly’s which includes consent logs as an essential feature.
Just configure a custom consent banner based on your site’s unique needs, and our tool will automatically capture and store these logs for you.
Let Termly take care of the stressful, technical aspects of consent management.
Try Termly for free today!