How to prove that you have consent to process someone's data?

Consent is one of the legal bases that are available to select when processing someone's data. In most cases, it comes in the form of a checkbox that a user checks to show that they give you your consent.

But say the regulator came along and asked you to prove that you have this consent. What would you need to show to prove that you collected consent in a lawful way?

Evidence to show lawful consent

To show that consent is valid, the ICO says we must show the following information:

• Who consented: the name or other identifier (eg, online user name, session ID).
• Timestamp of the consent: show the date when they consented. This can be achieved via a copy of a dated document or by including a timestamp if it happens online.
• What you told them to consent to: A copy of the statement presented to the individual and any other privacy policy or information presented to them.
• How they consented:
• for online consent, provide the data submitted and the timestamp.
• for written consent, a copy of the relevant document or data capture form
• Whether they have withdrawn consent: and if so, when.
• A user can withdraw consent at any time.

Practical Examples of demonstrating consent + Template

Bad Example

Good Example

Practical tip: if the form/document used doesn't change, you can include the proof once. Same for your Privacy Policy. Yet, if these would change, you do need to keep track of the versions presented to the user. A simple screenshot or download/copy of the form/document or policy is good enough!

Template

You can find an editable template of the good example above so that you can adapt it to your use-case.

You must make it easy to withdraw consent

Make sure that you have a way for individuals to withdraw their consent. This is normally explained when consent is been gathered and there's a section in your Privacy Policy that explains it.