How Long to Keep Cookie Consent Records
UK law sets no fixed retention period for cookie consent records. You keep them long enough to demonstrate consent for as long as you rely on it, then no longer than you need. Common practice is to hold records for around two years, and to re-ask for consent every 6 to 12 months or whenever your cookies materially change. The principle behind it is data minimisation: keep what proves the point, for as long as it proves the point, and delete the rest.
Two questions sit inside this: how long to keep the record, and how long the consent itself stays valid. They are related but not the same.
Retention vs re-consent
| Question | Common approach |
|---|---|
| How long to keep the record | Around two years, so you can evidence past consent if challenged |
| How long consent stays valid | Re-ask every 6 to 12 months, or sooner if cookies change |
| When to delete | Once the record no longer serves a purpose and the retention period has passed |
Consent that is two years stale is weak. A visitor's agreement from years ago, to a cookie set-up that has since changed, will not convince a regulator. That is why re-consent runs on a shorter clock than record retention.
Why re-ask at all
Your cookies change. You add a tag, switch analytics, or start running ads. Consent given before those changes did not cover them, so re-asking keeps the consent matched to what your site actually does now. A material change to your cookies resets the clock regardless of the calendar.
What to keep
Keep enough to reconstruct each event: the timestamp, the choice, and the banner version the visitor saw. See how to prove cookie consent for the full record. Consentfolio keeps consent records per domain for around two years and lets you export them, which matches this practice without you managing the retention by hand. See UK cookie law explained.
Frequently asked questions
Is there a legal minimum for keeping consent records? No. UK law sets no fixed period. You keep records long enough to evidence consent while you rely on it, guided by data minimisation.
How often should I re-ask for cookie consent? Commonly every 6 to 12 months, and whenever your cookies materially change. Stale consent carries little weight.
Can I keep consent records forever? You should not. Once a record no longer serves a purpose and its retention period has passed, delete it. Holding data with no purpose runs against data minimisation.
Written by Tudor Rusmanica, founder of Consentfolio. Tudor has spent over a decade in agency SEO, working where search performance meets data protection: the analytics, tagging and consent setups that keep measurement useful and lawful. Connect on LinkedIn.
Published 13 July 2026. This guide is general information, not legal advice.