Why Cookie Consent Records Matter in Regulatory Investigations
Data protection authorities across Europe have moved from issuing guidance to actively investigating cookie compliance. The Danish DPA announced website tracking as an enforcement priority for 2026, while the Dutch Autoriteit Persoonsgegevens warned 50 organisations in April 2025 and monitors roughly 10,000 Dutch websites annually. The CNIL fined SHEIN EUR 150 million in 2025 following a cookie compliance inspection that began with charting a user's journey on the website.
Under Article 7(1) of the GDPR, the controller bears the burden of demonstrating that a data subject consented to processing. This is not a theoretical obligation. If you cannot produce evidence that consent was obtained validly, regulators will treat it as though consent never existed.
The practical consequence is straightforward: your cookie banner is only as defensible as the records behind it.
What Data Protection Authorities Typically Request
DPA investigations follow a recognisable pattern. An authority will send a formal information request, often triggered by a complaint, a sweep of websites in a particular sector, or a referral from another supervisory authority. The request will specify a deadline, usually between 14 and 30 days, and list the evidence you must supply.
Regulators commonly ask for the following categories of evidence:
| Evidence Category | What Regulators Want to See | Why It Matters |
|---|---|---|
| Consent logs | Timestamped records showing each visitor's consent choice per cookie category | Proves consent was actually obtained |
| Banner versioning | Historical snapshots of your cookie banner text, design, and button layout | Confirms the banner presented to users was compliant at the time |
| Cookie policy versions | Dated copies of your cookie policy as it existed during the investigation period | Shows transparency obligations were met |
| Cookie scan reports | Results from automated scans showing which cookies your site sets | Demonstrates you know what runs on your site |
| Script blocking evidence | Proof that non-essential cookies are blocked before consent | Validates that consent is not merely cosmetic |
| Withdrawal mechanism | Documentation showing how users can withdraw consent | Required under GDPR Article 7(3) |
| Data processing agreements | Signed agreements with every third-party vendor whose scripts set cookies | Demonstrates accountability for third-party processing |
The CNIL's investigation of SHEIN, for instance, examined whether cookies were set before the user interacted with the consent mechanism. Technical evidence of script blocking proved just as relevant as the consent logs themselves.
Anatomy of a Defensible Consent Log
Not all consent records carry equal weight. A database entry showing "user accepted cookies" with a timestamp tells regulators very little. A defensible consent log captures granular detail about each consent interaction.
Each consent record should include:
- A unique, pseudonymised visitor identifier (not a name or email)
- The exact timestamp of the consent action in UTC
- The specific categories accepted or rejected (e.g., analytics: yes, marketing: no)
- The version of the banner and privacy policy shown at that moment
- The user's approximate geographic location for jurisdiction mapping
- Device type and browser for technical reproducibility
- Whether the action was an initial choice, a modification, or a withdrawal
The EDPB's Guidelines 05/2020 on consent state that the controller must retain proof of consent for as long as the processing activity continues. There is no fixed retention period in the GDPR itself, but five years is a commonly cited benchmark in regulatory practice.
Consent logs should be immutable. If a regulator suspects records have been altered, the entire evidence base collapses. Hash-chaining each record to the one before it, or writing records to append-only storage, makes any later alteration or deletion detectable and so protects log integrity.
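The record schema and the integrity point above, together with the filtered date-range and region exports that the later sections say DPA requests ask for, as an added example (this is not Kukie.io's code or any CMP's export format). Field names, the sample records and the version labels are this example's own choices; the integrity mechanism shown is a SHA-256 hash chain in which each entry commits to its predecessor, so editing, reordering or removing an entry breaks verification from that point on.

```python
import copy
import csv
import hashlib
import io
import json
from datetime import datetime, timedelta

GENESIS_HASH = "0" * 64
# One field per item in the list above; the names are this example's choice.
REQUIRED_FIELDS = ("visitor_id", "timestamp", "choices", "banner_version",
                   "policy_version", "region", "device", "action")
ACTIONS = {"initial", "modification", "withdrawal"}


def _canonical(record):
    """Stable byte encoding so an identical record always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _entry_hash(prev_hash, record):
    """Each entry commits to its predecessor: editing or deleting one breaks the chain."""
    return hashlib.sha256(prev_hash.encode() + _canonical(record)).hexdigest()


class ConsentLog:
    """Append-only, hash-chained list of consent records."""

    def __init__(self):
        self.entries = []

    def append(self, record):
        missing = [f for f in REQUIRED_FIELDS if f not in record]
        if missing:
            raise ValueError("record is missing required fields: %s" % missing)
        if record["action"] not in ACTIONS:
            raise ValueError("unknown action %r" % record["action"])
        # Require an explicit UTC offset so timestamps compare cleanly across regions.
        if datetime.fromisoformat(record["timestamp"]).utcoffset() != timedelta(0):
            raise ValueError("timestamp must be ISO 8601 with a +00:00 offset")
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        record = copy.deepcopy(record)  # stored copy is independent of the caller's dict
        entry = {"prev_hash": prev_hash, "record": record,
                 "hash": _entry_hash(prev_hash, record)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Walk the chain; return (True, count) or (False, index of the first bad entry)."""
        prev = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            if entry["prev_hash"] != prev or entry["hash"] != _entry_hash(prev, entry["record"]):
                return False, i
            prev = entry["hash"]
        return True, len(self.entries)

    def export(self, start, end, region=None):
        """Records whose timestamp lies in [start, end], optionally limited to one region."""
        lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
        out = []
        for entry in self.entries:
            rec = entry["record"]
            ts = datetime.fromisoformat(rec["timestamp"])
            if lo <= ts <= hi and (region is None or rec["region"] == region):
                out.append(dict(rec, entry_hash=entry["hash"]))
        return out


def export_csv(records):
    """Render an export as CSV; the nested choices map is serialised as a JSON string."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(REQUIRED_FIELDS) + ["entry_hash"],
                            lineterminator="\n")
    writer.writeheader()
    for rec in records:
        writer.writerow(dict(rec, choices=json.dumps(rec["choices"], sort_keys=True)))
    return buf.getvalue()


# Constructed sample records (pseudonymous ids, invented version labels); not real data.
SAMPLE_RECORDS = [
    {"visitor_id": "v-7f3a9c2e", "timestamp": "2025-04-02T09:15:00+00:00",
     "choices": {"necessary": True, "analytics": True, "marketing": False},
     "banner_version": "banner-2025-03", "policy_version": "cookie-policy-2025-03",
     "region": "NL", "device": "mobile/Safari", "action": "initial"},
    {"visitor_id": "v-7f3a9c2e", "timestamp": "2025-04-02T09:21:30+00:00",
     "choices": {"necessary": True, "analytics": False, "marketing": False},
     "banner_version": "banner-2025-03", "policy_version": "cookie-policy-2025-03",
     "region": "NL", "device": "mobile/Safari", "action": "withdrawal"},
    {"visitor_id": "v-c41d08b7", "timestamp": "2025-05-10T14:02:11+00:00",
     "choices": {"necessary": True, "analytics": False, "marketing": True},
     "banner_version": "banner-2025-05", "policy_version": "cookie-policy-2025-03",
     "region": "FR", "device": "desktop/Firefox", "action": "initial"},
]


def build_sample_log():
    """Append the constructed records in order and return the chained log."""
    log = ConsentLog()
    for rec in SAMPLE_RECORDS:
        log.append(rec)
    return log
```

Calling `build_sample_log().verify()` returns `(True, 3)`; changing any stored choice afterwards makes `verify()` return `(False, index)` for that entry. `export("2025-04-01T00:00:00+00:00", "2025-04-30T23:59:59+00:00", region="NL")` is the shape of query a DPA request for one month and one jurisdiction implies, and `export_csv` turns the result into the CSV format the FAQ below mentions. In production the chain head hash would be written somewhere the application cannot modify (a separate audit store, a periodically published digest) so that a rebuilt chain cannot pass as the original.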
Banner Versioning and Historical Snapshots
Regulators do not only ask what your banner looks like today. They want to see what it looked like on the date a specific complaint was filed, or during the period covered by the investigation. This means keeping dated records of every change to your banner's text, layout, button hierarchy, and cookie categories.
Banner versioning matters because compliance standards evolve. A banner that met CNIL requirements in 2023 may not satisfy the same authority's updated expectations in 2026. If you can show the banner version active at a specific date, you can demonstrate that you were compliant with the standards applicable at that time.
Store each version with its effective date range, a screenshot or HTML snapshot, and a changelog noting what was modified. This forms part of your broader accountability documentation under Article 5(2) of the GDPR.
Proving That Cookies Are Actually Blocked Before Consent
A compliant banner that fails to block non-essential cookies before consent is worse than no banner at all. It creates a false record suggesting consent was obtained when tracking was already active. Regulators test this by visiting your site, declining all cookies, and inspecting browser storage.
Your evidence should include:
- Automated cookie scan reports run regularly, showing which cookies load before and after consent
- Technical documentation of your script-blocking mechanism, whether through a tag manager, a CMP's built-in blocking, or custom code
- Test results from multiple browsers, since cookie behaviour varies across Chrome, Safari, and Firefox
The Dutch DPA's 2025 enforcement wave specifically targeted sites where consent banners were present but ineffective at actually preventing cookie placement. Having scan evidence on file is your strongest technical defence.
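One way to turn a browser capture into the scan evidence this section describes, as an added example that is not part of the original article or of any scanning product. It assumes you have already captured the Set-Cookie headers (or the cookie jar) from a fresh session that has not touched the banner, and that you keep a cookie inventory mapping each cookie name to a category and vendor, as the third-party scripts section below recommends. The inventory, the captured headers and the domain names are constructed for the example. Cookies outside the consented categories are reported as blocking failures, and cookies missing from the inventory are reported separately, since an unknown cookie is the inventory gap the later section on common mistakes warns about.

```python
import fnmatch

# Constructed cookie inventory for an imaginary site: name pattern -> (category, vendor).
# "_ga_*" covers the per-property suffix Google Analytics appends to its cookie name.
COOKIE_INVENTORY = {
    "session_id": ("necessary", "first party"),
    "cookie_consent": ("necessary", "consent manager"),
    "_ga": ("analytics", "Google Analytics"),
    "_ga_*": ("analytics", "Google Analytics"),
    "_fbp": ("marketing", "Meta Pixel"),
}

# Constructed Set-Cookie headers, as they might be captured from a fresh browser session
# that has not interacted with the banner; not a capture from any real site.
PRE_CONSENT_CAPTURE = [
    "session_id=8c1f2e; Path=/; Secure; HttpOnly; SameSite=Lax",
    "cookie_consent=pending; Path=/; Max-Age=31536000; SameSite=Lax",
    "_ga=GA1.1.123456789.1712050000; Domain=.example.test; Max-Age=63072000",
    "_ga_ABCDE12345=GS1.1.1712050000.1.0.1712050000.0.0.0; Domain=.example.test",
    "_fbp=fb.1.1712050000.123456; Domain=.example.test; Max-Age=7776000",
    "new_widget_tracker=1; Domain=.widgets.example.test; Max-Age=2592000",
]


def cookie_name(set_cookie_header):
    """Extract the cookie name from a Set-Cookie header value ('name=value; attr; ...')."""
    pair = set_cookie_header.split(";", 1)[0]
    return pair.split("=", 1)[0].strip()


def classify(name):
    """Look a cookie name up in the inventory; exact match first, then wildcard patterns."""
    if name in COOKIE_INVENTORY:
        return COOKIE_INVENTORY[name]
    for pattern, meta in COOKIE_INVENTORY.items():
        if "*" in pattern and fnmatch.fnmatchcase(name, pattern):
            return meta
    return None


def audit_capture(set_cookie_headers, consented=frozenset({"necessary"})):
    """Compare the cookies observed in a capture with the categories the visitor consented to.

    Returns three lists: cookies set outside the consented categories (blocking failures),
    cookies absent from the inventory (inventory gaps), and cookies that were permitted.
    """
    report = {"violations": [], "unclassified": [], "permitted": []}
    for header in set_cookie_headers:
        name = cookie_name(header)
        meta = classify(name)
        if meta is None:
            report["unclassified"].append(name)
            continue
        category, vendor = meta
        item = {"name": name, "category": category, "vendor": vendor}
        bucket = "permitted" if category in consented else "violations"
        report[bucket].append(item)
    return report


def passes(report):
    """A capture is clean only if nothing was set outside consent and nothing is unknown."""
    return not report["violations"] and not report["unclassified"]


if __name__ == "__main__":
    # The same capture judged against two consent states: none given, and analytics only.
    checks = (("before consent", audit_capture(PRE_CONSENT_CAPTURE)),
              ("analytics-only consent", audit_capture(PRE_CONSENT_CAPTURE,
                                                       consented={"necessary", "analytics"})))
    for label, rep in checks:
        print(label + ":", "PASS" if passes(rep) else "FAIL")
        for v in rep["violations"]:
            print("  set outside consent:", v["name"], "(%s, %s)" % (v["category"], v["vendor"]))
        for n in rep["unclassified"]:
            print("  not in inventory:", n)
```

Run against the constructed capture, the pre-consent check fails on `_ga`, `_ga_ABCDE12345` and `_fbp` and flags `new_widget_tracker` as unclassified; the same capture judged with analytics consented still fails on `_fbp`. A dated copy of the report, alongside the capture it was produced from and the inventory version used, is the kind of artefact worth filing as scan evidence; repeating the capture in Chrome, Safari and Firefox covers the cross-browser point above.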
Third-Party Scripts and Vendor Accountability
Most cookie compliance failures trace back to third-party scripts. A Meta Pixel, a Google Analytics tag that sets the _ga cookie, or an embedded video player can set cookies outside your direct control. Regulators hold the site operator responsible regardless.
Under GDPR Articles 26 and 28, you must have data processing agreements with every vendor whose scripts process personal data on your site. During an investigation, a DPA may request copies of these agreements, along with a list of all third-party scripts active on your site and their cookie classifications.
Maintain a vendor inventory that maps each script to its cookies, its legal basis, and its data processing agreement. This document should be updated whenever you add or remove a third-party service.
How to Organise Your Documentation Before an Investigation Arrives
Preparing evidence after receiving a DPA request is stressful and error-prone. The better approach is to maintain investigation-ready documentation as a routine part of your compliance programme.
Build a Compliance Evidence Folder
Create a centralised, dated folder structure containing:
- Consent log exports (monthly or quarterly)
- Banner version history with screenshots
- Cookie scan reports from your CMP or scanning tool
- Records of processing activities relating to cookies
- Third-party vendor DPAs and the current script inventory
- Internal policies on consent management and cookie governance
Test Your Export Capability
DPA requests often ask for consent records filtered by date range, geographic region, or user cohort. If your CMP cannot produce filtered exports within a few days, you have a practical problem. Test this capability before you need it.
Assign Responsibility
Designate a person or team who will handle DPA requests. This might be your data protection officer, your legal team, or an external privacy consultant. The worst time to decide who responds is when the request arrives.
Common Mistakes That Weaken Your Position
Several patterns consistently undermine organisations during DPA investigations.
Relying on a cookie banner alone, without consent logging, is the most common failure. If you cannot produce records, regulators presume non-compliance. The burden of proof sits entirely with you.
Using dark patterns in your banner design, such as a prominent "Accept All" button paired with a buried reject option, generates consent records that regulators will not treat as valid. The EDPB has stated that pre-ticked boxes, scrolling, and asymmetric button designs do not constitute freely given consent.
Failing to update your cookie inventory after adding new marketing tools is another frequent gap. A scan report from six months ago will not help if your site now loads tracking scripts that were not present during the last audit.
Storing consent logs without integrity protection leaves them open to challenge. If records can be edited, they carry little evidentiary weight.
Responding to a DPA Information Request
When a request arrives, respond within the stated deadline. Extensions are sometimes possible if requested promptly with a valid reason, but missing a deadline without explanation can escalate the investigation.
Provide complete, organised evidence. A well-structured submission signals that your organisation takes compliance seriously. Conversely, disorganised or incomplete responses invite further scrutiny.
If you identify gaps in your compliance during the evidence-gathering process, address them immediately and document the remediation. Regulators in several jurisdictions, including the Dutch DPA and the ICO, have shown willingness to reduce penalties when organisations demonstrate swift corrective action.
Frequently Asked Questions
How long should cookie consent logs be retained?
The GDPR does not specify a fixed retention period for consent records. You must retain them for as long as the associated data processing continues. A common benchmark in regulatory practice is five years, though some organisations retain logs longer depending on their risk profile and jurisdiction.
Can a data protection authority fine me for missing consent logs?
Yes. Under Article 7(1) of the GDPR, the controller must demonstrate that consent was obtained. Without logs, you cannot meet this burden of proof, which regulators treat as equivalent to having no valid consent at all. Fines under Article 83 can reach EUR 20 million or 4% of annual global turnover.
What format should consent records be in for a DPA request?
Most DPAs do not mandate a specific file format. Structured data exports in CSV or JSON are widely accepted. The key requirement is that records are complete, filterable by date and region, and include all relevant fields such as timestamp, consent choices, and banner version.
Do I need to keep old versions of my cookie banner?
Yes. Regulators may investigate complaints or conduct sweeps covering past periods. Keeping dated snapshots of every banner version, including text, layout, and button placement, allows you to demonstrate compliance at any given point in time.
Is a cookie banner enough to prove GDPR cookie compliance?
No. A banner is the user-facing mechanism, but compliance requires evidence that the banner actually blocks cookies before consent, that choices are logged, and that third-party scripts respect those choices. A regulator reviewing your site will test all of these elements.
What happens if my CMP vendor cannot export consent logs?
You remain responsible for demonstrating consent regardless of your vendor's capabilities. If your current consent management platform cannot produce filtered, timestamped exports, consider migrating to one that can before an investigation forces the issue.
Take Control of Your Cookie Compliance
If you are not sure whether your consent records would survive regulatory scrutiny, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie, with full consent logging and banner versioning built in, so your evidence is ready before a DPA ever asks.