Ask the Privacy Experts: Consent logs and privacy laws confuse me! How long should I actually keep records of user consent?

Written by: Natasha Piirainen Natasha Piirainen | Updated on: July 17, 2026

Reviewed by: Masha Komnenic CIPP/E, CIPM, CIPT, FIPMasha Komnenic CIPP/E, CIPM, CIPT, FIP | Director of Global Privacy @ Termly

Free Cookie Consent Solution for Websites Google Preferred Source
How-Long-Should-I-Keep-Records-of-User-Consent-01

If your website tracks users, it’s a best practice to securely store consent logs for as long as you rely on that consent and then for an additional three to five years, in case of a privacy audits or consumer complaints.

This aligns with requirements outlined by privacy laws like the General Data Protection Regulation and the California Consumer Privacy Act.

Under these laws, it is your responsibility to ensure these consent logs are safely stored and cannot be easily altered or accessed.

Table of Contents
  1. What Are Consent Logs?
  2. Why Do I Need to Keep Logs or Records of User Consent?
  3. What Privacy Laws Impact Records of User Consent?
  4. How Can I Create Consent Logs or Records of Consent?

Consent logs are simply a record showing what an individual chose when they interacted with your cookie consent banner on your site.

It acts like a receipt or archive of their permissions, and includes records of if and when they might change their minds.

Typically, a consent log should include the following components:

  1. Who interacted with the banner, a user, device identifier, or anonymized ID.
  2. When they interacted with it, in the form of an exact date and timestamp.
  3. What they agreed to specifically, like ads, analytics, or other cookies.
  4. How they gave their consent, via the banner, a form, or other means.
  5. Context of what they saw as a message on the banner or form.

Websites that track users need to keep logs or records of user consent if data privacy laws apply because it helps you respond if a privacy audit or investigation occurs.

Privacy laws also give users the right to submit complaints if they believe their rights have been violated, and consent logs are imperative in helping websites respond to these as well.

Under these laws, the burden of proof is on the business or website.

In general, nearly all existing privacy laws impact consent logs, including:

  • General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA)
  • Brazil’s General Data Privacy Law (LGPD)
  • Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
  • ePrivacy Directive (EU Cookie Law)
  • China’s Personal Information Protection Law (PIPL)
  • Australia’s Privacy Act 1988 (the Privacy Act)

While specific details vary, typically these laws require websites to obtain valid consent, explain to users what you’re doing with their data, respect their choice regarding that data, and keep proof or a log of their choice.

Rather than trying to memorize every specific legal nuance, simply follow this best practice: If your website tracks users, maintain consent logs.

To easily create consent logs or keep records of user consent, try using a consent management solution like Termly’s which includes consent logs as an essential feature.

Just configure a custom consent banner based on your site’s unique needs, and our tool will automatically capture and store these logs for you.

Let Termly take care of the stressful, technical aspects of consent management.

Try Termly for free today!

Natasha Piirainen

Written by Natasha Piirainen

Natasha Piirainen is a privacy writer with a Bachelor’s Degree in English and Philosophy from Wheaton College and over 10 years of professional experience in research-driven content development.

Read all posts by Natasha Piirainen
Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Reviewed by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha Komnenic is a legal counsel and Termly’s Director of Global Privacy, who received her law degree from Belgrade University. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD).

Read all posts reviewed by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Enter Your Website URL

In order to help you create a cookie solution that is GDPR and Cookie Law compliant, we must first scan your website for cookies.