Key Takeaways
- Under Article 7(1) GDPR, the burden of proof is yours: where you rely on consent, you "shall be able to demonstrate that the data subject has consented." A working banner is not proof — the ability to reconstruct what a specific person saw and clicked is.
- A defensible consent record captures five things the ICO expects: who consented, when, what they were told, how they signalled it, and whether they later withdrew — plus a snapshot of the consent wording and workflow live at that moment (EDPB Guidelines 05/2020, para 108).
- The retention clock for consent evidence is not the retention clock for the underlying data. The EDPB says proof should be kept even after processing ends — for as long as strictly necessary to defend a legal claim (Article 17(3)(b) and (e)), then deleted.
- Regulators enforce this on the "can you produce it?" test. CNIL fined Criteo €40 million in June 2023 after it could not prove valid consent; Italy's Garante fined a lead-generation firm €45,000 in June 2025, ruling that "simple logs are insufficient."
- Don't confuse CNIL's 6-month (remember-the-choice) and 13-month (tracker-lifespan) figures with proof-of-consent retention — they measure different things, and no regulator sets a fixed number of years for keeping the proof itself.
Introduction
Picture the email every marketing lead dreads: a data protection authority asks you to demonstrate that the 12,000 people on your newsletter list actually opted in. Not that your signup form has a checkbox — that this named person, on this date, ticked it after reading this notice.
Most online stores can describe their consent banner in detail. Far fewer can reconstruct a single historical consent event. That gap is where audits are lost, and it is a different problem from banner design. This guide covers what a GDPR consent record must contain, and the question that trips up nearly everyone: how long to keep proof of consent — including after you have deleted the customer's data.
This article is informational content, not legal advice. Retention and evidential standards vary by country and sector — confirm specifics with a qualified professional.
What "Proof of Consent" Means Under the GDPR
Proof of consent means you can show, for any individual, that they gave a freely given, specific, informed and unambiguous indication of agreement (Article 4(11)) — and reproduce the circumstances in which they gave it. It is an accountability obligation, not a UI feature: the banner collects consent, the record proves it.
Three provisions put the burden squarely on you. Article 7(1) states that "the controller shall be able to demonstrate that the data subject has consented." Recital 42 reinforces it: "the controller should be able to demonstrate that the data subject has given consent." And Article 5(2) — the accountability principle — makes you "responsible for, and able to demonstrate compliance with" every processing principle. In practice these read as one instruction: assume you will one day have to prove it, and keep what you would need to.
Why a "correctly configured banner" is not proof
A live banner shows how consent works today; it says nothing about what a customer saw two years ago. The EDPB's Guidelines 05/2020 on consent are explicit on this point: a controller "could retain information on the session in which consent was expressed, together with documentation of the consent workflow at the time of the session, and a copy of the information that was presented to the data subject." Merely pointing to "a correct configuration of the respective website" is, in the EDPB's words, "not sufficient" (para 108).
The reason is that consent notices change. You reword a purpose, add a vendor, redesign the flow. If your only evidence is the current banner, you cannot prove what the 2024 cohort agreed to — and the EDPB warns the obligation to demonstrate consent lasts "as long as a data processing activity in question lasts" (para 107). Consent is also invalid if it was never active choice: the EDPB confirms "the use of pre-ticked opt-in boxes is invalid," and silence or proceeding with a service "cannot be regarded as an active indication of choice" (para 79). Proof of a pre-ticked box proves a violation, not compliance.
What a Defensible Consent Record Must Contain
A defensible record answers, for one individual, the ICO's five questions — who consented, when, what they were told, how, and whether they have since withdrawn — and does so without over-collecting. The EDPB cautions that demonstrating consent "should not in itself lead to excessive amounts of additional data processing" (para 106): data-minimisation applies to the proof, too.
Here is the practical field set, mapping ICO's framing and EDPB para 108 to what an eCommerce stack should log per consent event:
| Field | What to store | Why it matters |
|---|---|---|
| Who | User ID, account ID, or session identifier | Ties the record to a specific data subject |
| When | ISO-8601 timestamp of the consent action | The EDPB expects the "when" of consent |
| What they were told | Consent statement text + linked privacy notice, with a version number and date | Proves the exact wording live at that session, not today's |
| How | Channel and the action taken — which checkbox(es), which form, which session | Evidences a clear affirmative act |
| What for | The specific purpose(s), recorded as separate opt-ins per purpose | The EDPB requires granularity; bundled consent is weak |
| Withdrawal state | Whether consent was later withdrawn, and when | Article 7(3): withdrawal must be as easy as giving, and logged |
Two design choices make this hold up. Store the consent statement version, not just a flag that consent was given — a boolean tells an auditor nothing about what was agreed. And treat each record as append-only: a consent log you can silently edit is worth little as evidence. For the marketing context specifically, Italy's Garante has signalled that double opt-in "constitutes, to date, a minimum standard of protection" — a confirmed second step that produces exactly this kind of dated, reproducible artefact.
How Long Do You Keep Proof of Consent?
Keep proof of consent for as long as you rely on that consent, and then beyond it — but only for as long as strictly necessary to comply with a legal obligation or to establish, exercise or defend a legal claim. The EDPB states this directly: after the processing ends, "proof of consent should be kept no longer than strictly necessary" under Article 17(3)(b) and (e) (para 107). After that window, delete it.
That is the single most misunderstood point in this topic, so it deserves its own heading.
The clock for consent evidence is not the clock for the underlying data
These are two separate timers, and eCommerce operators routinely collapse them into one. When a customer withdraws consent or asks for erasure, the instinct is to purge everything associated with them — including the consent log. That instinct is backwards.
Consider the mechanics. A customer withdraws marketing consent, then six months later complains to a DPA that you emailed them without a lawful basis. Your defence is the record showing they did consent, when, and to what — and that you stopped when they withdrew. Delete that record with the rest of their data and you have destroyed your own evidence. The right of erasure explicitly does not apply where processing is necessary for "the establishment, exercise or defence of legal claims" (Article 17(3)(e)); a minimised proof-of-consent record is a textbook example. Both enforcement cases below turned on exactly this failure — an inability to produce proof after the fact.
So the rule is: when the underlying personal data goes, a stripped-down consent record can lawfully stay — bounded by the relevant national limitation period for the claims that could arise, not kept indefinitely. There is no open-ended "keep it forever." Map the retention of your proof to when a claim could realistically still be brought, document that reasoning in your [record of processing activities](/resources/blog/data-mapping-101-how-to-build-a-record-of-processing-activities), and delete on schedule. For the underlying customer data, the logic is different again — see our guide to [how long you can keep customer data](/resources/blog/gdpr-data-retention-how-long-keep-customer-data).
Don't confuse CNIL's 6-month and 13-month figures with proof retention
Two CNIL numbers circulate in this discussion and neither is a proof-of-consent retention period. CNIL considers retaining a user's cookie choice for 6 months to be "a best practice" — that is how long to remember a decision before re-asking, not how long to keep the evidence. Separately, CNIL recommends a 13-month lifespan for audience-measurement trackers, and "13 months" also floats around as the IAB TCF consent-string validity. Three different meanings, none of them the answer to "how long do I retain proof of consent." The only principled bound any regulator gives for the proof itself is the EDPB's "strictly necessary for legal claims" — so anchor to your limitation period, not to a headline figure borrowed from cookies.
Common Mistakes That Cost Companies Their Case
Ranked by how often they turn up in enforcement, worst first:
- Deleting proof when consent is withdrawn or data is erased. The costliest mistake, because it destroys the one artefact that would defend you. Withdrawal ends the processing; it does not require you to bin the evidence that the earlier processing was lawful.
- Relying on "our banner is configured correctly." The EDPB has ruled this insufficient (para 108). If you cannot reproduce what a specific past cohort saw, you cannot prove their consent.
- Storing a boolean, not a record. A
consent = truecolumn with no timestamp, no statement version, and no purpose breakdown is not proof — it is an assertion. In lead-generation and third-party-intermediary contexts, the Garante held that "simple logs are insufficient." - Assuming your processor holds the proof for you. Criteo argued its partners collected consent; CNIL fined it €40 million in June 2023 because, as a controller, it still bore the obligation to prove valid consent and had no clause or audit programme securing that proof. If you rely on a partner's consent, contract for access to the evidence.
- Over-collecting in the name of proof. Logging full request payloads or excessive personal data to "be safe" breaches data-minimisation (EDPB para 106). Keep enough to demonstrate the link, no more.
The two fines make the pattern concrete. Neither company was punished for not having consent in the abstract — both were punished for being unable to demonstrate it when asked. That is the test your records exist to pass.
How PrivacyForge Helps
Passing that test is an infrastructure problem, and it is the problem PrivacyForge's consent management is built around. Every consent action is captured as an append-only record carrying the individual identifier, an ISO-8601 timestamp, the purpose, and — crucially — the version of the consent statement and notice shown at that moment, so you can reconstruct any historical event rather than pointing at today's banner.
Withdrawals are logged as their own dated events (Article 7(3)), and consent records are governed by a retention rule separate from your customer-data retention — so proof can outlive an erasure request for exactly as long as your limitation-period reasoning allows, then delete automatically. The same records feed your [record of processing activities](/resources/blog/data-mapping-101-how-to-build-a-record-of-processing-activities) and your compliance score, which is the difference between claiming you can demonstrate consent and actually being able to. If your consent evidence today lives in a database column named opted_in, that is the gap to close first.
Frequently Asked Questions
How do you prove GDPR consent?
You prove consent by producing a per-individual record showing who consented, when, what they were told, and how they signalled agreement — including the exact consent wording and privacy notice version live at that moment. Under Article 7(1) the burden is on you, and the EDPB has ruled that pointing to a "correctly configured" banner is not sufficient evidence.
How long should you keep consent records under GDPR?
Keep proof of consent for as long as you rely on that consent, and then only as long as strictly necessary to defend a potential legal claim — bounded by the applicable limitation period (EDPB Guidelines 05/2020, para 107; Article 17(3)). No regulation sets a fixed number of years. After the window for claims closes, delete the record.
Can you keep proof of consent after deleting the customer's data?
Yes. The right to erasure does not apply where retention is necessary "for the establishment, exercise or defence of legal claims" (Article 17(3)(e)). A minimised consent record — enough to show a specific person consented and when — can lawfully remain after the underlying personal data is deleted, so you can defend against a later complaint. Keep only what proves the point.
What must a valid consent record contain?
A valid record contains the data subject's identifier, a reliable timestamp, the specific purpose(s) consented to, the mechanism used (which checkbox or form), the version of the consent statement and privacy notice shown, and any later withdrawal with its date. The ICO frames this as who, when, what they were told, how, and whether they withdrew.
Is a checkbox on my signup form enough proof of consent?
No. A live checkbox shows how consent works now, not what a past customer agreed to. Consent statements change over time, so you must log each consent event with its statement version. The EDPB also confirms pre-ticked boxes are invalid — so an unlogged, defaulted checkbox can evidence a violation rather than compliance.
Conclusion
Consent is only as strong as your ability to prove it later. The stores that pass an audit are not the ones with the prettiest banners — they are the ones that can pull up a dated, versioned record for any individual and show exactly what was agreed and when. Treat proof of consent as append-only evidence with its own retention clock: keep it while you rely on the consent, keep it a bounded period longer to defend a claim, and never delete it reflexively just because the customer's data is gone.
Start with one question about your own stack: for a customer who signed up 18 months ago, can you reconstruct what they consented to? If the honest answer is "not really," [see how PrivacyForge captures defensible consent records](/resources/blog/cookie-consent-best-practices) and close that gap before a regulator finds it.
Sources
- [GDPR Article 7 — Conditions for consent](https://gdpr-info.eu/art-7-gdpr/)
- [GDPR Article 5 — Principles (accountability, 5(2))](https://gdpr-info.eu/art-5-gdpr/)
- [GDPR Article 17 — Right to erasure (17(3) exceptions)](https://gdpr-info.eu/art-17-gdpr/)
- [GDPR Recital 42 — Burden of proof for consent](https://gdpr-info.eu/recitals/no-42/)
- [EDPB Guidelines 05/2020 on consent under Regulation 2016/679 (PDF)](https://www.edpb.europa.eu/system/files/documents/files/file1/edpb_guidelines_202005_consent_en.pdf)
- [ICO — How should we obtain, record and manage consent?](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/consent/how-should-we-obtain-record-and-manage-consent/)
- [CNIL — Cookies et autres traceurs : questions-réponses](https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/cookies/FAQ)
- [noyb — Advertising company Criteo fined €40 million](https://noyb.eu/en/advertising-company-criteo-fined-eu40-mio)
- [DLA Piper Privacy Matters — Italy: is double opt-in now mandatory? (Garante decision, 4 June 2025)](https://privacymatters.dlapiper.com/2025/07/italy-marketing-privacy-consent-is-double-opt-in-now-mandatory/)