
The consent and the data collected via the consent need to be linkable. That's why it makes sense to store consent records for identified users on the server-side, because you "know" the user in that case.

For pseudonymous users, e.g. those you track via a Google Analytics cookie, you don't know who the user is and you (hopefully) can't reidentify them without the Google Analytics cookie. Since the cookie is stored in the user's browser, it makes sense to also store the consent record there. If you stored that consent record on the server-side, you'd still need a cookie in the user's browser to link the consent record to them.



> The consent and the data collected via the consent need to be linkable. That's why it makes sense to store consent records for identified users on the server-side, because you "know" the user in that case.

Yup, this is why a lot of websites try to lure you into logging in to the website to enjoy the full content (they won't tell you this is the reason, of course).


Thanks for the answer. Not sure if I misunderstood the GDPR, but I thought it had the requirement to be able to provide the consent documentation for any identifiers used (like Google Analytics ID or Matomo ID).

The user has the consent documentation on their device. But I can't provide the documentation myself.

I actually don't think the risk is very high. And I agree that storing this information on my side is an additional data privacy risk.

But I don't feel GDPR is easy here.


Exactly. If you read the cases, a fair number of them are gotcha-type things. For example, ask yourself: if Google tried to say they couldn't provide consent records (despite CLEAR language in GDPR) because they are only stored on devices, I have a feeling a MAJOR fine would be inbound.

But we get expert advice here that it is fine.

One of the claims I saw was that Google hadn't said something about information being used to advertise, but when I read the related disclosure (they have all the versions) it seemed clear enough to me. I'm not saying the ruling was wrong, but they in some cases hinge on issues just like this.

And we are just scratching the surface of things here.



