# GDPR: Log cookie consent?



## ShadowHunter (Jun 4, 2018)

Hello, I'm in doubt about the GDPR requirement to log cookie consent.

Given a normal webpage (no login), how to keep track of who consents to cookies and who withdraws it? I believe you will only have the IP to log? But in turn, the IP is personal data... how should this be done?

Thanks!

ShadowHunter


----------



## silentbogo (Jun 4, 2018)

You simply store it client-side in cookies.
Looks like this:


----------



## ShadowHunter (Jun 4, 2018)

Hi silentbogo,

Thanks for your feedback. 

When it is stored client-side, how can you prove that consent was given when a dispute is made? My understanding is that you are required to log it yourself? Or do I misunderstand this requirement?

Cheers,

ShadowHunter


----------



## silentbogo (Jun 4, 2018)

ShadowHunter said:


> When it is stored client-side, how can you prove that consent was given when a dispute is made? My understanding is that you are required to log it yourself? Or do I misunderstand this requirement?


It's basically up to the website owner to figure out how to log this. Here on TPU we have an identifier in cookies and most likely on servers, some sites only store a date of consent while the rest is logged server-side.

EU GDPR has no clear guidelines. Basically all they say is "you need to minimize the amount of sensitive info stored server-side and you need to let your users know that you are using cookies and that some of their info is stored on servers". They only say "what", but not "how" so in my opinion it's a total mess and it's absolutely pointless.

For more info you might wanna visit this website:
https://gdpr-info.eu/
All they have to say about consent logging is in Chapter 2 Article 7 (stupid to the point of laughable).


----------



## kruk (Jun 9, 2018)

ShadowHunter said:


> Hello, I'm in doubt about the GDPR requirement to log cookie consent.
> 
> Given a normal webpage (no login), how to keep track of who consents to cookies and who withdraws it? I believe you will only have the IP to log? But in turn, the IP is personal data... how should this be done?
> 
> ...




You can use the same anonymization method that Google Analytics uses: 



> When a customer of Analytics requests IP address anonymization, Analytics anonymizes the address as soon as technically feasible at the earliest possible stage of the collection network. The IP anonymization feature in Analytics sets the last octet of IPv4 user IP addresses and the last 80 bits of IPv6 addresses to zeros in memory shortly after being sent to the Analytics Collection Network. The full IP address is never written to disk in this case.



Don't forget to include a timestamp of consent.


----------
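Added example, not code from any poster in this thread or from Google: a server-side consent log entry that applies the truncation quoted above (last octet of IPv4, last 80 bits of IPv6 set to zero) in memory, so that only the truncated address and a timestamp are written. The `consent_id` field (a random identifier also stored in the visitor's cookie), the record layout and the function names are assumptions made for illustration.

```python
import ipaddress
import json
import secrets
from datetime import datetime, timezone


def anonymize_ip(raw: str) -> str:
    """Zero the last octet of an IPv4 address or the last 80 bits of an IPv6 address."""
    addr = ipaddress.ip_address(raw.strip())
    # A dual-stack listener reports IPv4 clients as ::ffff:a.b.c.d.
    # Treat those as IPv4, otherwise the full IPv4 address would sit
    # inside the low 80 bits and simply be erased together with its prefix.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    drop = 8 if addr.version == 4 else 80
    masked = (int(addr) >> drop) << drop
    cls = ipaddress.IPv4Address if addr.version == 4 else ipaddress.IPv6Address
    return str(cls(masked))


def consent_record(raw_ip: str, consent_id: str, granted: bool, when=None) -> dict:
    """Build the entry to persist; the full IP never leaves this function."""
    when = when or datetime.now(timezone.utc)
    return {
        "consent_id": consent_id,          # assumed: same random value as in the cookie
        "ip_prefix": anonymize_ip(raw_ip),
        "granted": bool(granted),          # False records a withdrawal
        "timestamp": when.astimezone(timezone.utc).isoformat(timespec="seconds"),
    }


if __name__ == "__main__":
    # Constructed sample requests (documentation address ranges).
    cid = secrets.token_urlsafe(16)
    for ip, granted in [("203.0.113.77", True),
                        ("2001:db8:abcd:1234:5678:9abc:def0:1", True),
                        ("::ffff:198.51.100.23", False)]:
        print(json.dumps(consent_record(ip, cid, granted)))
```

Each line printed is what would be appended to the log; a later withdrawal is a second entry with the same `consent_id` and `granted` set to false.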

