Securiti leads GigaOm's DSPM Vendor Evaluation with top ratings across technical capabilities & business value.

View

What is Proof of Consent under GDPR?

Download: Consent Report Q2 2024
Contributors

Anas Baig

Product Marketing Manager at Securiti

Maria Khan

Data Privacy Legal Manager at Securiti

FIP, CIPT, CIPM, CIPP/E

Listen to the content

This post is also available in: Brazilian Portuguese

Consent is one of the primary legal bases that organizations leverage to collect and process personal data. As per Article 7 of the GDPR, consent can only be an appropriate legal basis for data processing if it is freely given, specific, informed and an unambiguous indication of the data subject’s wishes. This requires that an individual’s consent must be given voluntarily without any pressure or influence that could affect his or her choice. The use of dark patterns such as pre-selected tick-boxes, cookie walls or other such tactics used in websites that misguide users and force them to consent is prohibited under the GDPR. Data subjects should also be allowed to withdraw their consent at any time without any detriment. Furthermore, separate consent must be obtained for separate data processing purposes.

The GDPR also requires data controllers to be able to provide evidence that the data subject has given consent to the processing operation where processing is based on the data subject’s consent. This article digs deeper into the data controller’s responsibility of being able to demonstrate consent compliance.

What is Proof of Consent?

Proof of consent means having proof or documentation that you got the okay from users before using cookies to collect their data on your website or online services. Having proof of consent is very important because it ensures that you're following data protection and privacy laws like the GDPR.

Article 7(1) of the GDPR states as follows:

“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”

While talking about burden of proof, Recital 42 of the GDPR states as follows:

“Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.”

The afore-mentioned provisions of the GDPR indicate that the burden to demonstrate or prove that consent has been obtained from the data subject lies with the data controller. It is also consistent with the accountability principle of the GDPR, as stated in Article 5(2), that the controller shall be responsible for, and be able to demonstrate compliance with data protection principles.

As per the European Data Protection Board updated Guidelines on Consent, data controllers have liberty to create their own methods to demonstrate consent, in a way that does not hinder their daily operations. This should, however, not result in data controllers having excessive amounts of additional data processes. This means that organizations should have enough data to show consent was obtained but they should not be collecting any more information than necessary - to ensure data minimization.

What organizations must do to prove or demonstrate data subject’s consent?

To comply with the afore-mentioned requirements of the GDPR and EDPB Guidelines on Consent, organizations are required to do the following:

  1. Keep a record of consent statements received, as to indicate how consent was obtained, when consent was obtained, and the information provided to the data subject at the time.
  2. Be able to demonstrate that the data subject was informed and the controller’s workflow met all relevant criteria for a valid consent. According to the EDPB, in an online context, a controller must retain information on the session in which consent was expressed, together with documentation of the consent workflow at the time of the session, and a copy of the information presented to the data subject. It is to be noted that referring to a correct configuration on the respective website may not be sufficient.
  3. Keep a copy of the information that was presented to the data subject at the time of obtaining consent from him/her.
  4. As a best practice, consent should be refreshed at appropriate intervals.

Roadmap to Compliance

Securti’s Consent Management Platform helps organizations maintain comprehensive audit trails to demonstrate compliance as well as respect the data subject’s latest preferences. The audit trail is a detailed dashboard consisting of the following:

  • Data subject identity (online identifier)
  • Consent date (time and date stamp)
  • Copy of data capture (including any information presented to the data subject)
  • Cookie categories
  • Consent status (whether consent has been granted, declined or withdrawn)
  • Location code (cookie domain)
  • First party and third party

Securiti’s PrivacyOps platform captures the exact text of the agreement and the types of cookies to which the data subject consented to, thereby fulfilling the proof of consent requirement under the GDPR.

Conclusion

There can be several data processing operations where the data subject’s consent is considered an appropriate legal basis. For example, consent is relevant in email marketing and the installation of non-essential cookies and other similar tracking technologies. However, failing to obtain valid consent may expose organizations to exorbitant amounts of fines and penalties. Most global privacy regulations require organizations to not only obtain freely given consent but also to have proof of this consent for certain data processing activities. Doing this through manual methods is almost impossible given the amount of data that flows in and out of an organization in a single day.

Organizations need to find a solution that will help them automate this process, making it effective as well as cost and time-efficient. The Securiti Consent Management Solution offers:

  • Periodic scanning of websites
  • Consent orchestration
  • Configurable consumer preference center
  • Configurable workflows
  • Dynamic consent refresh
  • Granular and comprehensive consent records for audit and reporting

Request a demo today and see how it can help your organization comply with global consent regulations.


Frequently Asked Questions (FAQs)

Proof of consent under GDPR involves demonstrating that an individual has given free,  specific, informed, and unambiguous consent for their data to be processed. Organizations must keep records of how and when consent was obtained, what individuals were told, and be able to show that individuals can withdraw consent.

An example of GDPR-compliant consent is when a user actively selects or ticks a checkbox to explicitly agree to their personal data being processed for a specific purpose, such as receiving marketing emails.

Schedule Your
Personal Demo

Learn how you can leverage Securiti’s Data Command Center to address data security, privacy, governance, and compliance.

See a demo
Schedule your demo today
Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


Share

More Stories that May Interest You
Videos
View More
Mitigating OWASP Top 10 for LLM Applications 2025
Generative AI (GenAI) has transformed how enterprises operate, scale, and grow. There’s an AI application for every purpose, from increasing employee productivity to streamlining...
View More
Top 6 DSPM Use Cases
With the advent of Generative AI (GenAI), data has become more dynamic. New data is generated faster than ever, transmitted to various systems, applications,...
View More
Colorado Privacy Act (CPA)
What is the Colorado Privacy Act? The CPA is a comprehensive privacy law signed on July 7, 2021. It established new standards for personal...
View More
Securiti for Copilot in SaaS
Accelerate Copilot Adoption Securely & Confidently Organizations are eager to adopt Microsoft 365 Copilot for increased productivity and efficiency. However, security concerns like data...
View More
Top 10 Considerations for Safely Using Unstructured Data with GenAI
A staggering 90% of an organization's data is unstructured. This data is rapidly being used to fuel GenAI applications like chatbots and AI search....
View More
Gencore AI: Building Safe, Enterprise-grade AI Systems in Minutes
As enterprises adopt generative AI, data and AI teams face numerous hurdles: securely connecting unstructured and structured data sources, maintaining proper controls and governance,...
View More
Navigating CPRA: Key Insights for Businesses
What is CPRA? The California Privacy Rights Act (CPRA) is California's state legislation aimed at protecting residents' digital privacy. It became effective on January...
View More
Navigating the Shift: Transitioning to PCI DSS v4.0
What is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards to ensure safe processing, storage, and...
View More
Securing Data+AI : Playbook for Trust, Risk, and Security Management (TRiSM)
AI's growing security risks have 48% of global CISOs alarmed. Join this keynote to learn about a practical playbook for enabling AI Trust, Risk,...
AWS Startup Showcase Cybersecurity Governance With Generative AI View More
AWS Startup Showcase Cybersecurity Governance With Generative AI
Balancing Innovation and Governance with Generative AI Generative AI has the potential to disrupt all aspects of business, with powerful new capabilities. However, with...

Spotlight Talks

Spotlight 11:29
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Watch Now View
Spotlight 11:18
Rewiring Real Estate Finance — How Walker & Dunlop Is Giving Its $135B Portfolio a Data-First Refresh
Watch Now View
Spotlight 13:38
Accelerating Miracles — How Sanofi is Embedding AI to Significantly Reduce Drug Development Timelines
Sanofi Thumbnail
Watch Now View
Spotlight 10:35
There’s Been a Material Shift in the Data Center of Gravity
Watch Now View
Spotlight 14:21
AI Governance Is Much More than Technology Risk Mitigation
AI Governance Is Much More than Technology Risk Mitigation
Watch Now View
Spotlight 12:!3
You Can’t Build Pipelines, Warehouses, or AI Platforms Without Business Knowledge
Watch Now View
Spotlight 47:42
Cybersecurity – Where Leaders are Buying, Building, and Partnering
Rehan Jalil
Watch Now View
Spotlight 27:29
Building Safe AI with Databricks and Gencore
Rehan Jalil
Watch Now View
Spotlight 46:02
Building Safe Enterprise AI: A Practical Roadmap
Watch Now View
Spotlight 13:32
Ensuring Solid Governance Is Like Squeezing Jello
Watch Now View
Latest
View More
Databricks AI Summit (DAIS) 2025 Wrap Up
5 New Developments in Databricks and How Securiti Customers Benefit Concerns over the risk of leaking sensitive data are currently the number one blocker...
Inside Echoleak View More
Inside Echoleak
How Indirect Prompt Injections Exploit the AI Layer and How to Secure Your Data What is Echoleak? Echoleak (CVE-2025-32711) is a vulnerability discovered in...
What Is Data Risk Assessment and How to Perform it? View More
What Is Data Risk Assessment and How to Perform it?
Get insights into what is a data risk assessment, its importance and how organizations can conduct data risk assessments.
What is AI Security Posture Management (AI-SPM)? View More
What is AI Security Posture Management (AI-SPM)?
AI SPM stands for AI Security Posture Management. It represents a comprehensive approach to ensure the security and integrity of AI systems throughout the...
Beyond DLP: Guide to Modern Data Protection with DSPM View More
Beyond DLP: Guide to Modern Data Protection with DSPM
Learn why traditional data security tools fall short in the cloud and AI era. Learn how DSPM helps secure sensitive data and ensure compliance.
Mastering Cookie Consent: Global Compliance & Customer Trust View More
Mastering Cookie Consent: Global Compliance & Customer Trust
Discover how to master cookie consent with strategies for global compliance and building customer trust while aligning with key data privacy regulations.
View More
Key Amendments to Saudi Arabia PDPL Implementing Regulations
Download the infographic to gain insights into the key amendments to the Saudi Arabia PDPL Implementing Regulations. Learn about proposed changes and key takeaways...
Understanding Data Regulations in Australia’s Telecom Sector View More
Understanding Data Regulations in Australia’s Telecom Sector
Gain insights into the key data regulations in Australia’s telecommunication sector. Learn how Securiti helps ensure swift compliance.
Gencore AI and Amazon Bedrock View More
Building Enterprise-Grade AI with Gencore AI and Amazon Bedrock
Learn how to build secure enterprise AI copilots with Amazon Bedrock models, protect AI interactions with LLM Firewalls, and apply OWASP Top 10 LLM...
DSPM Vendor Due Diligence View More
DSPM Vendor Due Diligence
DSPM’s Buyer Guide ebook is designed to help CISOs and their teams ask the right questions and consider the right capabilities when looking for...
What's
New