Do I need to log consent of a website visitor?

Article 7.1 of the GDPR states the following: Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

This means that you, as a website owner, must be able to document that a website visitor has given consent to the processing of his/her personal data (through the use of cookies).

Article 29 Working Party, an independent EU Advisory Body, has released an updated ‘Guidelines on consent under Regulation 2016/579’. In point 5.1, they give an example of how a controller can prove that valid consent has been obtained from the data subject. The controller may keep a record of consent statements received, so he can show how consent was obtained, when consent was obtained, and the information provided to the data subject at the time shall be demonstrable. The controller shall also be able to demonstrate that the data subject was informed about the use of cookies, and that the controller’s workflow met all relevant criteria for a valid consent.

The Dutch Authority for Consumers & Markets also recommends website owners to log all the user consents in a consent log. These log files can serve as evidence for complaints. It is recommended to also store what information was given to the website visitor and which privacy statement was applicable at that time.