Consent capture: do's and don'ts
Updated 2026-05-07
Consent capture is one of the most-audited privacy features in 2026. EU supervisory authorities have built enforcement playbooks around it; US states (California, Colorado, Connecticut, Virginia) have followed with similar requirements.
For broader privacy context, see the GDPR and CIAM guide and the user data export best-practice.
Do
Separate consent from contract acceptance
GDPR Article 7 requires consent to be specific. Bundling consent for marketing into the 'I accept terms' checkbox invalidates the consent because it isn't separately granted.
GDPR text and EDPB guidance. EU supervisory authorities have fined controllers specifically for bundled consent. Modern privacy compliance separates terms-of-service acceptance from consent toggles.
Capture granular consent per processing purpose
Marketing email, analytics tracking, third-party data sharing, and profiling are each a separate processing purpose requiring separate consent. A single 'I consent' toggle can't satisfy specific consent for any of them.
GDPR Article 7(1) and Article 6(1)(a) require purpose-specific consent. EDPB guidance is explicit. Modern CMPs (OneTrust, TrustArc) and the strongest CIAM consent UX (SAP Customer Data Cloud, Akamai Identity Cloud) ship per-purpose granularity.
Store audit-grade consent records
Article 7(1) requires the controller to demonstrate that consent was given. Audit-grade records include the timestamp, IP address, user agent, the version of the policy text the user agreed to (or its hash), and the specific purposes consented to.
GDPR Article 7(1). EU supervisory authority enforcement actions specifically test the audit trail; controllers without records have been fined regardless of other compliance posture.
Make consent withdrawal as easy as giving it
Article 7(3) requires withdrawing consent to be as easy as giving it. A one-click consent that requires a support ticket to withdraw is a violation.
GDPR Article 7(3) text. Modern CIAM platforms ship a self-service preference center where users can toggle individual consents without engineering assistance.
Re-prompt for consent when policies materially change
Consent is for the specific purposes and policy version the user agreed to. Material changes (new processing purposes, expanded data sharing) require fresh consent.
GDPR principle of specific consent and EDPB guidance on consent under changed circumstances. Modern privacy programs version policy texts and re-capture consent on material changes.
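The four "Do" items above (per-purpose granularity, audit-grade records, one-step withdrawal, and re-prompting on material policy change) are easiest to see as one data model. The following is an added example written for this page, not code from any CMP or CIAM product named here: an append-only consent ledger whose records carry the audit fields listed above, store a hash of the exact policy text, and derive the current state per purpose. It also refuses a grant that did not come from a user action, which is the pre-checked-box point from the "Don't" list. The purpose names, policy texts, IP address and user agent are constructed sample values.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Processing purposes tracked as separate consents (constructed list for this example).
PURPOSES = {"marketing_email", "analytics", "third_party_sharing", "profiling"}

def policy_hash(policy_text: str) -> str:
    """Hash of the exact policy text shown to the user, so the record proves what was agreed to."""
    return hashlib.sha256(policy_text.encode("utf-8")).hexdigest()

@dataclass(frozen=True)
class ConsentEvent:
    """One audit-grade event: who, which purpose, grant or withdrawal, and under which policy."""
    user_id: str
    purpose: str
    granted: bool          # True = consent given, False = consent withdrawn
    timestamp: datetime
    ip: str
    user_agent: str
    policy_version: str
    policy_hash: str

class ConsentLedger:
    """Append-only event list; the current state is derived from it, never overwritten."""

    def __init__(self) -> None:
        self._events = []

    def _latest(self, user_id: str, purpose: str) -> Optional[ConsentEvent]:
        for ev in reversed(self._events):
            if ev.user_id == user_id and ev.purpose == purpose:
                return ev
        return None

    def record(self, user_id, purpose, granted, ip, user_agent, policy_version, policy_text,
               *, affirmative=True, when=None) -> ConsentEvent:
        """Record one per-purpose decision; a grant that was not a user action is refused."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown processing purpose: {purpose}")
        if granted and not affirmative:
            raise ValueError("consent must be an affirmative action, not a pre-checked default")
        ev = ConsentEvent(user_id, purpose, granted, when or datetime.now(timezone.utc),
                          ip, user_agent, policy_version, policy_hash(policy_text))
        self._events.append(ev)
        return ev

    def withdraw(self, user_id, purpose, ip, user_agent, when=None) -> ConsentEvent:
        """Withdrawal is one call carrying the same audit fields; no ticket, no extra steps."""
        last = self._latest(user_id, purpose)
        if last is None or not last.granted:
            raise ValueError("no active consent to withdraw")
        ev = ConsentEvent(user_id, purpose, False, when or datetime.now(timezone.utc),
                          ip, user_agent, last.policy_version, last.policy_hash)
        self._events.append(ev)
        return ev

    def effective_consents(self, user_id: str) -> dict:
        """Latest event per purpose wins; a purpose never decided on is not consented."""
        state = {p: False for p in sorted(PURPOSES)}
        for purpose in state:
            last = self._latest(user_id, purpose)
            if last is not None:
                state[purpose] = last.granted
        return state

    def needs_reprompt(self, user_id: str, purpose: str, current_policy_text: str) -> bool:
        """A grant recorded against an older policy text does not cover the current text."""
        last = self._latest(user_id, purpose)
        if last is None or not last.granted:
            return True
        return last.policy_hash != policy_hash(current_policy_text)

def rejects_prechecked() -> bool:
    """True if the ledger refuses a grant that came from a pre-checked box."""
    try:
        ConsentLedger().record("u9", "analytics", True, "203.0.113.9", "ExampleBrowser/1.0",
                               "v1", "text", affirmative=False)
    except ValueError:
        return True
    return False

def demo() -> dict:
    """Constructed walk-through: two grants, one withdrawal, then a material policy change."""
    ledger = ConsentLedger()
    ip, ua = "203.0.113.10", "ExampleBrowser/1.0"                  # constructed sample values
    v1 = "Policy v1: marketing email and analytics as described."  # constructed policy text
    ledger.record("u1", "marketing_email", True, ip, ua, "v1", v1)
    ledger.record("u1", "analytics", True, ip, ua, "v1", v1)
    ledger.withdraw("u1", "marketing_email", ip, ua)
    v2 = "Policy v2: analytics data is now shared with partners."  # constructed material change
    return {
        "state": ledger.effective_consents("u1"),
        "reprompt_analytics": ledger.needs_reprompt("u1", "analytics", v2),
        "events": len(ledger._events),
    }
```

Two design points carry the compliance weight. Withdrawal appends a new event rather than deleting the grant, so the ledger can still demonstrate that consent was valid for the period it was active. And the hash of the policy text, not just a version label, is what needs_reprompt compares, so a changed text under a reused version label still triggers a fresh prompt.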
Don't
Don't pre-check consent boxes
GDPR explicitly disqualifies pre-checked boxes as valid consent. Consent must be an affirmative action by the user.
GDPR Recital 32 and the Planet49 case (CJEU, 2019). Pre-checked consent is one of the most-tested compliance violations in EU enforcement.
Don't condition service on irrelevant consent
Article 7(4) prohibits conditioning the contract on consent for processing not necessary for the contract. Forcing the user to consent to marketing to receive the service makes the consent invalid.
GDPR Article 7(4) and EDPB guidance. The 'cookie wall' pattern (consent or leave) is increasingly enforced as non-compliant.
Don't lose consent records during platform migrations
Migrations to new CIAM or new compliance tooling routinely drop the audit trail. Without the records, you can't demonstrate that prior consent was valid.
Documented migration incidents at major SaaS providers where the consent audit trail was lost during platform changes. The fix is migration discipline: export consent records as part of the data migration, and verify that the new platform stores them at the same audit grade.
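The "export, then verify at the same audit grade" discipline can be made mechanical. The following is an added example for this page, not code from any migration tool or platform: a digest manifest is built on the source platform before the migration, and the destination is checked against it for records that went missing, were silently altered, or lost an audit field. The record layout and the three sample records are constructed; the field list is the one given under "Store audit-grade consent records" plus a record_id.

```python
import hashlib
import json

# Fields every consent record must still carry after migration to remain audit-grade.
REQUIRED_FIELDS = {"record_id", "user_id", "purpose", "granted", "timestamp",
                   "ip", "user_agent", "policy_version", "policy_hash"}

def record_digest(record: dict) -> str:
    """Digest of the canonical JSON form, so a dropped field or rewritten value changes it."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()

def export_manifest(records: list) -> dict:
    """Built on the source platform before migration: record_id -> digest."""
    return {r["record_id"]: record_digest(r) for r in records}

def check_audit_grade(records: list) -> dict:
    """record_id -> sorted list of missing fields, for records the destination degraded."""
    return {r.get("record_id", "?"): sorted(REQUIRED_FIELDS - set(r))
            for r in records if not REQUIRED_FIELDS <= set(r)}

def verify_migration(manifest: dict, migrated: list) -> dict:
    """Compare the destination platform's records against the source manifest."""
    dest = {r["record_id"]: record_digest(r) for r in migrated}
    missing = sorted(set(manifest) - set(dest))
    altered = sorted(k for k in set(manifest) & set(dest) if manifest[k] != dest[k])
    unexpected = sorted(set(dest) - set(manifest))
    degraded = check_audit_grade(migrated)
    return {"ok": not (missing or altered or degraded), "missing": missing,
            "altered": altered, "unexpected": unexpected, "degraded": degraded}

# Constructed sample records as they sit on the old platform (hashes are placeholders).
SOURCE_RECORDS = [
    {"record_id": "c-1", "user_id": "u1", "purpose": "marketing_email", "granted": True,
     "timestamp": "2026-01-10T09:00:00Z", "ip": "203.0.113.10", "user_agent": "ExampleBrowser/1.0",
     "policy_version": "v1", "policy_hash": "a" * 64},
    {"record_id": "c-2", "user_id": "u1", "purpose": "analytics", "granted": True,
     "timestamp": "2026-01-10T09:00:05Z", "ip": "203.0.113.10", "user_agent": "ExampleBrowser/1.0",
     "policy_version": "v1", "policy_hash": "a" * 64},
    {"record_id": "c-3", "user_id": "u2", "purpose": "profiling", "granted": False,
     "timestamp": "2026-02-01T12:30:00Z", "ip": "198.51.100.7", "user_agent": "ExampleBrowser/2.0",
     "policy_version": "v2", "policy_hash": "b" * 64},
]

def demo() -> dict:
    """Constructed failure: one record never arrives, another loses its user_agent field."""
    manifest = export_manifest(SOURCE_RECORDS)
    migrated = [dict(SOURCE_RECORDS[0]), dict(SOURCE_RECORDS[1])]  # c-3 was never imported
    del migrated[1]["user_agent"]                                   # destination schema dropped a field
    return verify_migration(manifest, migrated)
```

Run the manifest export on the old platform, carry only the manifest (not the records) through a separate channel, and run verify_migration against the new platform's export; a result with ok set to False is a blocker for decommissioning the old system, since the records it still holds are the only proof of prior consent.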
Don't treat consent as static
Users can withdraw, materially changed policies require a re-prompt, and regulatory environments evolve. Consent is a continuous process, not a one-time signup checkbox.
GDPR principle of accountability (Article 5(2)) and ongoing controller obligations. Modern privacy programs treat consent as a managed lifecycle, not a registration-time event.