The key is that the data controller be able to demonstrate AND RECORD that consent was received. If I clear my cookies, how does data controller prove consent?
“keep a record of consent statements received, so [the controller] can show how consent was obtained, when consent was obtained and the information provided to the data subject at the time ... [and] also be able to show that the data subject was informed and the controller’s workflow met all relevant criteria for a valid consent.”
With that guidance in mind, and from a practical standpoint, consider keeping records of the following:
The name or other identifier of the data subject that consented;
The dated document, a timestamp, or note of when an oral consent was made;
The version of the consent request and privacy policy existing at the time of the consent; and,
The document or data capture form by which the data subject submitted his or her data."
Just seems like some huge liability here if you didn't record the required elements in a manner that allowed you to produce them. Does GDPR allow me to requisition my users devices if I'm investigated?
The consent and the data collected via the consent need to be linkable. That's why it makes sense to store consent records for identified users on the server-side, because you "know" the user in that case.
For pseudonymous users, e.g. those you track via a Google Analytics cookie you don't know who the user is and you (hopefully) can't reidentify them without the Google Analytics cookie. Since the cookie is stored in the users' browser it makes sense to also store the consent record there. If you would store that consent record on the server-side you'd still need a cookie in the users' browser to link the consent record to them.
> The consent and the data collected via the consent need to be linkable. That's why it makes sense to store consent records for identified users on the server-side, because you "know" the user in that case.
Yup, this is why a lot of websites try to lure you into logging in to the website to enjoy the full content (they won't tell you this is the reason, of course).
Thanks for the answer. Not sure if I misunderstood the GDPR but I thought it had the requirement to be able to provide the consent documentation for any identifiers used (like Google Analytics ID or Matomo ID).
The user has the consent documentation on their device. But I can't provide the documentation myself.
I actually don't think the risk is very high. And I agree that storing this information on my side is additional data privacy risk.
Exactly. If you read the cases, a fair number of them are gotcha type things. For example, ask yourself, if google tried to say they couldn't provide consent records (despite CLEAR language in GDPR) because they are only stored on devices - I have a feeling a MAJOR fine would be inbound.
But we get expert advice here that it is fine.
One of the claims I saw was that google hadn't said something about information being used to advertise - but when I read the related disclosure (they have all the versions) it seemed clear enough to me. I'm not saying ruling was wrong, but they in some cases hinge on issues just like this.
And we are just scratching the surface of things here.
If you clear site data for a site tracking anonymous consent, you've cleared your consent. No records necessary unless you are linking consent to user accounts stored on your backend.
The key is that the data controller be able to demonstrate AND RECORD that consent was received. If I clear my cookies, how does data controller prove consent?
“keep a record of consent statements received, so [the controller] can show how consent was obtained, when consent was obtained and the information provided to the data subject at the time ... [and] also be able to show that the data subject was informed and the controller’s workflow met all relevant criteria for a valid consent.”
With that guidance in mind, and from a practical standpoint, consider keeping records of the following:
The name or other identifier of the data subject that consented; The dated document, a timestamp, or note of when an oral consent was made; The version of the consent request and privacy policy existing at the time of the consent; and, The document or data capture form by which the data subject submitted his or her data."
Just seems like some huge liability here if you didn't record the required elements in a manner that allowed you to produce them. Does GDPR allow me to requisition my users devices if I'm investigated?
Of course, we are told GDPR is "easy".