A critical yet often overlooked component of the consent management process is the consent log: a record of user consents that have been obtained.
This article explains whether consent logs are required for cookie consent banners, why and when they are needed, how to maintain them in a legally compliant way, and how to set up and manage them for legal defense. It also compares leading Consent Management Platforms (CMPs) and their approaches to consent logging.
- 1. What is a Consent Log?
- 2. What Do Consent Logs Look Like?
- 3. Are Consent Logs Legally Required?
- 4. Why Are Consent Logs Needed?
- 5. When Are Consent Logs Needed?
- 6. How Do You Create and Maintain Legally Compliant Consent Logs?
- 6.1. Log All Relevant Data
- 6.2. Securely Store Your Consent Log
- 6.3. Make the Consent Log Accessible For Audits and User Profiles
- 6.4. Conduct Regular Consent Log Audits
- 7. How Do You Set Up and Maintain Consent Logs for Legal Defense?
- 7.1. Choose a Consent Management Program (CMP)
- 7.2. Customize and Display a Cookie Consent Banner
- 7.3. Enable and Implement the Consent Logging Feature
- 8. Comparison of CMP Solutions and Consent Logging Features
- 8.1. TermsFeed
- 8.2. Osano
- 8.3. CookieYes
- 8.4. Cookiebot
- 8.5. Secure Privacy
- 9. Summary
What is a Consent Log?
A consent log is a record of consents that you have obtained, such as through a cookie consent banner or email newsletter sign-up form. They help prove compliance with privacy laws such as the GDPR.
What Do Consent Logs Look Like?
Consent logs will typically look like columns of information that show the consent status of an IP address, and timestamps for when consent was granted.
Here's an example of a consent log from Meetanshi. You can see how the information is streamlined and easy to read, sort and filter.
Are Consent Logs Legally Required?
While consent logs are not explicitly required by name in most data protection laws, they are implicitly required in order to demonstrate compliance.
For example, a law can have a requirement to prove that valid consent has been obtained, and a consent log is the way to meet this requirement.
Global privacy and data protection laws put an emphasis on transparency and accountability, which implies the need for keeping records to verify user consent.
For instance, Article 7(1) of the GDPR states:
"Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data."
While the GDPR doesn't say "you must keep a consent log," it does require you to be able to demonstrate (or prove) that you have obtained consent.
If you don't keep a consent log, you may be unable to meet this requirement of the GDPR.
The CCPA/CPRA doesn't require a consent log, but it does require that businesses be able to prove that they comply with opt-out requirements, particularly for a "Do Not Sell or Share My Personal Information" page.
Keeping a consent log that tracks when users opt out of having information sold or shared would be a key aspect of complying with this requirement.
Why Are Consent Logs Needed?
Consent logs are needed for many reasons, including the following:
- To maintain legal compliance: Consent logs provide evidence that users actively consented (or declined) to having their personal information processed. They also help track when users withdraw consent and show proof that you allow users to do this.
- To streamline audits: Regulatory bodies, such as the European Data Protection Authorities, will likely request proof of compliance during audits. Consent logs make it possible and very easy to comply with these requests and verify your compliance.
- To help with legal defense: If you ever get legally accused of not complying with consent requirements, or if a user says you collected or processed their data without obtaining consent, having consent logs can help you prove that you did obtain valid consent. If you don't maintain a consent log, you risk being unable to defend yourself against legal accusations.
- To operate more efficiently: Keeping a consent log will help you track consent trends. This will make it easier to experiment with different cookie consent banner designs to see which ones land you the best rates of consent. You can also get other analytics data from consent logs to notice trends in patterns of consents granted, and consents denied.
When Are Consent Logs Needed?
Consent logs are necessary in the following scenarios:
- If applicable privacy laws require it: If your website targets users in the EU (GDPR, ePrivacy Directive), UK (UK GDPR), California (CCPA/CPRA), Brazil (LGPD), or other regions that have consent requirements, you must maintain consent logs as part of your compliance plan. Otherwise you will not be able to prove you're complying.
- If you use non-essential cookies: Consent is required for non-essential cookies (such as advertising cookies). Before placing these cookies, make sure you maintain a log that documents you received consent to do so.
- If you process sensitive personal information: Consent requirements around this type of personal information are more strict, so always maintain a consent log to prove you obtained consent for processing any sensitive personal information.
- If you use third-party services: Third-party services like Google Analytics, Meta Pixel, or advertising networks will require you to comply with all privacy laws and requirements before using their service. As noted above, privacy laws require that you be able to prove compliance. Therefore, it's a must to keep a consent log.
To ensure compliance, it's recommended to always create and maintain a legally compliant consent log.
How Do You Create and Maintain Legally Compliant Consent Logs?
Follow these steps to ensure your consent log meets legal requirements.
Log All Relevant Data
Your consent log should include the following key information:
- A timestamp of when the consent choice was made, including the date and time
- The consent status, such as accepted, rejected/declined, or partially accepted
- What categories of cookies were consented to
- The user's pseudonymized IP address and country of location
You can include additional information such as what device a user was on when making the consent choice, or what version of your cookie consent banner was used if you wish.
Securely Store Your Consent Log
Keep your consent log stored in a compliant database that prevents unauthorized access. This will help you prove that the information in your log is true and accurate, and that the log is valid and trustworthy.
Make the Consent Log Accessible For Audits and User Profiles
Make sure you can easily export your consent log data if you're ever called to do so by a regulatory authority or a court of law. This can be in a CSV format or Excel, for example.
Your users have the right to see (and change) what consents they have given you. If you provide users with a Preference Center, such as one through a Customer Relationship Management (CRM) system or Consent Management Platform (CMP), confirm they're able to access and edit their consent data.
Conduct Regular Consent Log Audits
Do a periodic review of your consent log to confirm that it:
- Works correctly and is accurately capturing consent actions
- Is still in compliance with any new or updated privacy laws and regulations
- Reflects any changes in your cookie usage
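The steps above can be sketched in code. The following is an added example, not code from this article or from any CMP: it records the fields listed under "Log All Relevant Data", pseudonymizes the IP address with a keyed hash, chains each record to the previous one so a periodic audit can detect edited or deleted entries, and exports the log as CSV. The function names, field names and the hash-chain design are assumptions made for illustration.

```python
import csv, hashlib, hmac, io, json
from datetime import datetime, timezone

FIELDS = ["timestamp", "status", "categories", "ip_pseudonym", "country",
          "banner_version", "prev_hash", "entry_hash"]
VALID_STATUS = {"accepted", "rejected", "partial"}

def pseudonymize_ip(ip: str, key: bytes) -> str:
    # Keyed hash: the raw IP is never stored, and without the key the
    # small IPv4 space cannot simply be hashed exhaustively to reverse it.
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:32]

def _digest(entry: dict) -> str:
    body = {k: entry[k] for k in FIELDS if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_consent(log, ip, country, status, categories, banner_version, key, now=None):
    if status not in VALID_STATUS:
        raise ValueError(f"unknown consent status: {status}")
    entry = {
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "status": status,
        "categories": "|".join(sorted(categories)),
        "ip_pseudonym": pseudonymize_ip(ip, key),
        "country": country,
        "banner_version": banner_version,
        # Chain each record to the previous one so edits and deletions show up.
        "prev_hash": log[-1]["entry_hash"] if log else "0" * 64,
    }
    entry["entry_hash"] = _digest(entry)
    log.append(entry)
    return entry

def verify_log(log) -> int:
    """Return the index of the first inconsistent record, or -1 if intact."""
    prev = "0" * 64
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev or entry["entry_hash"] != _digest(entry):
            return i
        prev = entry["entry_hash"]
    return -1

def export_csv(log) -> str:
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(log)
    return out.getvalue()
```

Keep the pseudonymization key outside the log database. The chain only exposes tampering by someone who cannot rewrite every later record, so store the most recent `entry_hash` somewhere the database's writers cannot change.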
How Do You Set Up and Maintain Consent Logs for Legal Defense?
Regulatory authorities, auditors and lawyers will often request consent logs as evidence of compliance during audits, investigations or legal proceedings.
Not maintaining compliant consent logs can result in significant fines and penalties. For example, in 2021, Amazon was fined €746 million for GDPR violations, which was partly due to its inadequate documentation of consent.
Take the following steps to set up and maintain your consent log for legal defense purposes.
Choose a Consent Management Program (CMP)
We suggest you use a CMP to ensure the highest level of legal compliance. CMPs are third-party services that specialize in consent management, including keeping and maintaining compliant consent logs.
A CMP will automate consent logging and will integrate with your website, making sure that your consent log complies with relevant global privacy regulations and laws.
Here are some benefits that come with using a CMP:
- Customizable cookie consent banners: You'll be able to easily display clear and customizable cookie consent notices that allow users to accept, deny, or customize their consent preferences.
- Automatic consent logging: The CMP will automatically keep records of consent activity such as the date and time consent was granted/denied, as well as the method of consent and the user's IP address.
- User-friendly interfaces: A CMP will provide intuitive and streamlined methods for users to update or withdraw consent at any time.
- Full integration: A CMP will be able to fully integrate with your website, third-party analytics, and any advertising tools you use.
We've included a section that outlines and compares a number of different CMPs later in this article so you can choose the best CMP for your needs.
Customize and Display a Cookie Consent Banner
A CMP will also help with this. Customize your cookie consent banner to make sure it clearly explains what cookies you're collecting, and why. Include options to fully accept, fully reject, or customize consent granted (such as with a settings or preferences section).
Use concise, plain language in consent requests, avoiding legal jargon or vague terms.
Here's an example of a cookie consent banner that keeps things clear and simple, while providing multiple options as well as links to relevant legal policies:
Enable and Implement the Consent Logging Feature
Make sure you embed the CMP's script into your website so that it correctly captures consent when given or denied. The CMP you select should help you with this and make the process very simple.
We suggest you configure the CMP to block all non-essential cookies from being placed until consent is given.
Comparison of CMP Solutions and Consent Logging Features
CMPs come with consent logging capabilities amongst other convenient features and functionality. Below is a comparison of some of the leading CMPs.
TermsFeed
- Consent Logging Features: Automatically logs consent decisions, including timestamp, IP address, consent status, and categories of cookies. Consent logs are set up to comply with region-specific laws and are stored securely and exportable as CSV files for audit purposes.
- Strengths: Extremely easy to set up. Automatically adjusts consent requirements based on the visitor's location to ensure global compliance. Consent notices are automatically translated into the visitor's language, which helps with compliance by increasing accessibility.
- Weaknesses: The platform is not optimized for very large and complex businesses or organizations, making it best for small to midsize businesses.
Osano
- Consent Logging Features: Tracks and stores consent data including user preferences and timestamps. Supports granular consent and global regulations.
- Strengths: Simplifies compliance for 50+ countries and 45+ languages. Minimal technical expertise required to set it up.
- Weaknesses: Pricing can be on the high end for larger websites.
CookieYes
- Consent Logging Features: Logs IP addresses, timestamps, consent status, and cookie categories. Exportable as CSV for audits. Supports WCAG and ADA accessibility standards.
- Strengths: Affordable (limited free tier available, paid plans from $100/year) and easy to set up.
- Weaknesses: Free plan lacks multilingual support, and logs are English-only unless upgraded.
Cookiebot
- Consent Logging Features: Automatically logs consent events, including timestamps, IP addresses, consent statuses, and cookie categories. Logs are stored securely and exportable for audits.
- Strengths: User-friendly setup, deep scanning technology, and integration with Google Consent Mode.
- Weaknesses: Free plan is limited, and the advanced logging features require premium plans.
Secure Privacy
- Consent Logging Features: Maintains detailed audit logs with timestamps, IP addresses, and consent changes.
- Strengths: Supports over 70 languages and integrates with CMS platforms like Shopify.
- Weaknesses: Less established than some other CMPs.
Summary
Consent logs are not explicitly required by name in privacy laws, but maintaining them is a key part of proving your compliance with global privacy laws like the GDPR, the CCPA/CPRA, and the LGPD.
This is because consent logs act as proof that you're obtaining consent when you are required to.
Your consent log should record important information surrounding consent, such as the IP address of the user, a date and timestamp of the consent action, and what action the user took (such as granted or denied consent, or gave limited consent).
Always store your consent logs on a secure server and be able to export them in a format such as CSV for audit or legal defense purposes.
Using a CMP like TermsFeed can help streamline most of the consent process for you, including the creating and maintaining of consent logs.