The Overlooked GDPR Requirement: Consent Records

When a customer lands on your store, they’re often met with a cookie banner. They click Accept, Reject, or customize their preferences… but what happens next?

Truth be told, for full compliance, you need more than just a cookie banner on your storefront. GDPR and other global privacy laws have various requirements - and one of them is something called consent records or consent logs.

They exist as businesses are required to be able to prove their compliance efforts. Meaning - after obtaining user consent you also need a mechanism to track, record and store it.

This guide breaks down what consent records are, which laws require them, what they must include, and everything else you need to know about them. 

We’ve also included an additional section for Shopify merchants and how they can handle consent logs.

Key Takeaways

• Consent records are proof of what users decided on your cookie banner.
• GDPR explicitly requires them, and other privacy laws expect demonstrable consent too.
• A valid record logs who made the choice, what they picked, and when it happened.
• Extra details like page URL, device, or location strengthen your compliance.
• Manual tracking is risky, messy, and doesn’t scale as your store grows.
• Consentmo automates the process, logging every interaction in real time and backing up to Google Drive.
• Clear records keep you audit-ready, reduce legal risk, and build customer trust.

What are Consent Records?

Every time a visitor interacts with your cookie banner — whether they hit Accept, Reject, or carefully adjust their preferences — that choice isn’t just about what data you can or can’t collect. 

It also creates an obligation for you as a business to be able to prove that the choice was made, when it was made, and under what conditions.

That proof is called a consent record.

Which Laws Require Consent Records?

The most explicit rule comes from the General Data Protection Regulation (GDPR), which applies across the EU and the UK.

Article 7(1) of the GDPR is very clear: “Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented.” 

In other words, if you rely on consent to use cookies, run analytics, or process personal data, you must be able to prove it happened.

Regulators in individual countries, such as the CNIL in France, also issue guidance that makes it clear: during an audit, you’ll need to show proof of how consent was obtained.

And the requirement isn’t limited to Europe. 

In the United States, new state-level privacy laws like the California Privacy Rights Act (CCPA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA) don’t exactly name “consent records,” but they still require businesses to demonstrate that opt-ins for sensitive data were valid. 

In practice, this means that maintaining some form of consent log is just as important for merchants serving US customers.

The bottom line: if your business collects data based on user consent, you are expected to prove it. Whether you’re selling across Europe or the States, regulators increasingly expect businesses to have reliable consent records ready.

What Should a Consent Record Contain?

Once you know you must be able to demonstrate consent, the next question is what your record needs to show. 

Regulators don’t require a single format, but there are some outlined required details to store.

The mandatory elements:

• Who made the choice — a user or device identifier that links the record to the individual interaction (e.g., a user ID or Shopify customer ID for logged‑in users).
• What they decided — Accept, Reject, or granular preferences (by purpose/cookie category).
• When it happened — precise timestamp (with timezone).

Optional but strongly recommended:

• Page URL where the decision was made (home, checkout, etc.).
• Device/browser details (mobile/desktop)
• Location (country/region)

How to Create Consent Records Automatically

If you’re like most store owners, the last thing you want is another manual task on your compliance checklist. Exporting spreadsheets, double-checking timestamps, and worrying whether you’ve logged the latest banner version - that’s a recipe for frustration (and mistakes).

The good news: you don’t need to build consent logs by hand.

With a compliance app like Consentmo, every interaction on your cookie banner is tracked and stored automatically. 

You don’t have to worry about losing records or missing an update - the system takes care of it in real time. And if regulators or customers ever ask, you can generate a clean export in just a few clicks.

Automatic Backups with Google Drive

Even with automatic consent logging inside the app, many merchants like the extra peace of mind of having an external backup. That’s why Consentmo also supports automatic Google Drive backups.

Here’s how it helps you:

• Extra layer of security - Your consent records aren’t just in one place; they’re also backed up to your own Google Drive.
• Easy access - Need to share logs with your legal team or a consultant? Just grab them directly from Drive.
• Less manual work - no need to remember making manual exports. Everything is backed up and stored automatically.

For merchants, this means your compliance data is both secure in the app and duplicated in the cloud, with zero extra effort.

How Long Should You Keep Consent Records?

The GDPR doesn’t give a fixed number like “12 months” or “3 years.” Instead, it applies the storage limitation principle: you should only keep personal data (including consent records) for as long as you actually need it.

For consent, that usually means:

• As long as you rely on that consent - if you’re still processing data (e.g., cookies, analytics) based on a user’s choice, you need to keep the proof of it.
• If consent is withdrawn - you should still keep a record that the user withdrew, so you can show regulators you respected their rights.
• Not forever - once the data linked to that consent is no longer used, keeping the record serves no purpose and may even go against GDPR’s data minimization rules.

In practice, many merchants align their retention with cookie lifetimes (often 6–24 months). 

That way, your proof of consent covers the same period you might still be using cookie data.

The key is having a clear policy: decide how long you’ll keep records, apply it consistently, and be ready to explain it if asked.

Summary

Consent records are part of the foundation of consent compliance. Without them, you have no proof that you are collecting and using customer data legally.

For Shopify merchants, the challenge is balancing compliance with day-to-day business tasks. Manually tracking logs in spreadsheets isn’t realistic when you’re running a growing store. That’s why tools like Consentmo exist: to keep you covered automatically.

With Consentmo you can:

• Log every consent interaction in real time
• Preview or export records whenever you need them
• Back them up securely to Google Drive
• Stay audit-ready without any extra manual work

In a world where privacy laws keep evolving, having your consent records sorted means fewer worries about fines and more focus on building your business.

If you haven’t already, now’s the time to make consent records a part of your compliance setup!

While on the topic of GDPR - we suggest going over another compliance basic - Cookie Banner Failures. Avoid These Common GDPR Mistakes.