Guide

How to Prove Cookie Consent Under GDPR

By Published 13 July 2026

Under UK GDPR you must be able to demonstrate that a visitor gave valid consent, so you need a record of each consent event: what the visitor was shown, what they chose, and when. A screenshot of your banner is not enough. If the ICO asks, you have to produce evidence tied to individual events, which means storing a record every time someone accepts or rejects.

Consent you cannot evidence is consent you cannot rely on. The record is the difference between a compliant banner and one that only looks compliant.

A defensible record captures enough to reconstruct the choice.

Element Why it matters
Timestamp Shows when consent was given or refused
The choice Which categories the visitor accepted or rejected
Banner version What wording and options the visitor actually saw
A visitor reference Links the event to a device or session without naming the person
Scope Which domain and purposes the consent covered

The banner version matters more than people expect. To show consent was informed, you have to show what the visitor was looking at when they chose, so a record that points to the exact banner text carries far more weight than a bare timestamp.

How long to keep it

UK law sets no fixed retention period for consent records. Common practice is to keep them for around two years, and to re-ask for consent every 6 to 12 months or whenever your cookies materially change. See how long to keep cookie consent records for the reasoning.

Producing it for the ICO

If the regulator asks, you need to export the records in a form a human can read, and look up a specific visitor's event on request. A consent tool that only shows aggregate counts will not do. You need per-event records you can filter and export.

Consentfolio records every consent event per domain, ties each to the banner version the visitor saw, and lets you export the records as CSV or look one up by visitor reference. See cookie banner software for how it fits together, and UK cookie law explained for the underlying obligation.

Frequently asked questions

Is a screenshot of my cookie banner enough proof? No. It shows the banner existed, not that a given visitor consented. UK GDPR expects per-event records tied to what each visitor saw and chose.

Do I need to store personal data to prove consent? No. A device or session reference is enough to tie the event to a visitor without naming them, which keeps the record itself low-risk.

How do I prove consent if the ICO investigates? Export your consent records for the period in question and, if asked, look up the specific event. The record should show the timestamp, the choice, and the banner version the visitor saw.


Written by Tudor Rusmanica, founder of Consentfolio. Tudor has spent over a decade in agency SEO, working where search performance meets data protection: the analytics, tagging and consent setups that keep measurement useful and lawful. Connect on LinkedIn.

Published 13 July 2026. This guide is general information, not legal advice.

Questions? consentfolio.com · This guide is general information, not legal advice.