Logging and demonstration of user consents

What is required under the EU GDPR?

The EU General Data Protection Regulation (GDPR) states the following in its Article 7 named 'Conditions for consent':

7.1 Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

In other words, you as a website owner or operator must be able to document that your website users coming from the European Union have given consent to you processing their personal data on your website.

See also 'How does logging and demonstration of user consents work?' below regarding how the EU Article 29 Data Protection Working Party interprets this.

How does Cookiebot help me be compliant with the EU legislation?

Cookiebot logs all your user consents in a consent log, stored in one centralized place. You have access to this consent log and can easily download it from the backend Manager on Cookiebot.com (see instructions below). This means that if you are required by the authorities to demonstrate the user consents, you will be able to do so quickly and effectively.

What information does Cookiebot collect and log about the user consents?

When a website visitor (user) submits a consent from your website(s), the following data are automatically logged at Cybot, the company behind Cookiebot:

• The user's IP number in anonymized form (by removing the last 16 bit of IPv4 addresses and by removing the last 96 bit of IPv6 addresses).
• The date and time of the consent.
• User agent of the user's browser.
• The URL from which the consent was submitted.
• An anonymous, random and encrypted key value.
• The user's consent state, serving as proof of consent.

The key and consent state are also saved in the user's browser in the 1^st party cookie 'CookieConsent' so that the website can automatically read and respect the user's consent on all subsequent page requests and future user sessions for up to 12 months.

The key is used for proof of consent and an option to verify that the consent state stored in the user's browser is unaltered compared to the original consent submitted to Cybot. (see below)

If Cross-domain Consent Sharing is enabled, whereby a single consent can be given by the user for multiple websites, a separate random, unique ID with the user's consent will be stored in an encrypted form in the 3^rd party cookie 'CookieConsentBulkTicket' on the user's browser.

How does the logging and demonstration of user consents work?

When a website visitor (user) submits a consent on your website, the user's individual consent state is stored in a first part cookie named "CookieConsent" on the user's browser along with a random, unique, anonymous and encrypted key. The same information is stored in Cookiebot's server-side consent log, transmitted to Cookiebot's servers through an encrypted connection.

When you, the website owner, need to demonstrate that the user (data subject) has consented to the processing of his or her personal data, the data subject must provide the consent key from his or her browser, so that you the website owner can look up the consent in Cookiebot's consent log and provide details about the consent and thus demonstrate the existence and attributes of the submitted consent.

This method ensures that the data subject is anonymous and only needs to reveal his or her identity when proof of consent is needed, for example because it is requested by the authorities. The encrypted key can also be used to confirm that the consent has not been modified by the data subject him/herself or by a malicious third party service since it was submitted from the website.

The Article 29 Data Protection Working Party has released an updated 'Guidelines on consent under Regulation 2016/679' on 10 April 2018 (http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051). In point '5.1. Demonstrate consent' they state the following:

"Controllers are free to develop methods to comply with this provision in a way that is fitting in their daily operations. At the same time, the duty to demonstrate that valid consent has been obtained by a controller, should not in itself lead to excessive amounts of additional data processing. This means that controllers should have enough data to show a link to the processing (to show consent was obtained) but they shouldn't be collecting any more information than necessary.

It is up to the controller to prove that valid consent was obtained from the data subject. The GDPR does not prescribe exactly how this must be done. However, the controller must be able to prove that a data subject in a given case has consented. As long as a data processing activity in question lasts, the obligation to demonstrate consent exists. After the processing activity ends, proof of consent should be kept no longer then strictly necessary for compliance with a legal obligation or for the establishment, exercise or defence of legal claims, in accordance with Article 17(3)(b) and (e).

For instance, the controller may keep a record of consent statements received, so he can show how consent was obtained, when consent was obtained and the information provided to the data subject at the time shall be demonstrable. The controller shall also be able to show that the data subject was informed and the controller's workflow met all relevant criteria for a valid consent. The rationale behind this obligation in the GDPR is that controllers must be accountable with regard to obtaining valid consent from data subjects and the consent mechanisms they have put in place. For example, in an online context, a controller could retain information on the session in which consent was expressed, together with documentation of the consent workflow at the time of the session, and a copy of the information that was presented to the data subject at that time. It would not be sufficient to merely refer to a correct configuration of the respective website."

How can I access and download the Cookiebot consent log?

1. Log in to your Cookiebot account and the back-end Manager via https://manage.cookiebot.com 

2. Choose the top menu 'User consents' (DA: Samtykker , DE: Nutzereinwiligungen, IT: Autorizzazioni utente, FR: Consentements utilisateur, ES: Consentimiento del usario)

3. In the top bar, select the domain name from the drop-down menu and the time period for which you want to download the consent log

4. In the upper right corner of the top bar, click the button 'Download log' (DA: Download log, DE: Protokoll herunterladen, IT: Scarica log, FR: Télécharger journal, ES: Descargar registro)

5. The log will download in a CSV file format, which you can open using e.g. Excel

What should I do if the authorities ask me to demonstrate the user consents for my website?

You should always seek legal advice if you are in doubt about your rights and obligations and what procedure you should follow.

From a technical point of view, you can present the authorities with the downloaded consent log. This will serve as documentation that you are indeed logging your user consents in a meaningful way and with the data described above. If you are required to provide further proof of how the logging works, you can request and obtain a few user keys to demonstrate the methodology as described above in How does the logging and demonstration of user consents work?

If you are asked by the authorities to demonstrate your user consents, you are very welcome to contact us via our helpdesk for technical support or to clear any additional technical questions you may have.

What should I do if a user of my website launches a complaint with the authorities or demands to see proof of his/her consent?

You should always seek legal advice if you are in doubt about your rights and obligations and what procedure you should follow.

From a technical point of view, the user who has initiated the complaint or request must provide his/her anonymous, random and encrypted key, saved in his/her browser in the first party cookie 'CookieConsent'. You as the website owner can then look up the consent in Cookiebot's consent log and provide details about the consent such as a) the fact that the consent exists and b) what attributes it has (e.g. what types of cookies has the user consented to, when etc.). Along with the consent log, you can also download a scan report from the date when the user gave his/her consent. The date of the consent is also stated in the cookie 'CookieConsent' in the user's browser. The scan report will show exactly what cookies and what wording the user gave his/her consent to at the time. The scan report can be downloaded from the top menu 'Reports' (DA: Rapporter, DE: Berichte, IT: Rapporti, FR: Rapports, ES: Informes).

If you ever find yourself in this kind of situation, you are very welcome to contact us via our helpdesk for technical support or to clear any additional technical questions you may have.

FAQ:

Q: In the case of an audit where we have to prove that a user has given consent, what happens if the user has deleted his cookies and (falsely) argues that he never gave consent?

A: If a person has visited the website, the cookie 'CookieConsent' will be set on the user's browser. If the cookie is not present on the browser, the user has either a) not activated cookies or b) deleted the cookie. In both cases no cookies will be set, as Cookiebot ensures that the default consent state is a complete opt-out (privacy by design). If a user cannot provide the cookie, the user cannot prove that he or she has visited the website and thereby there is no case.