Consent receipts
A consent receipt is a machine- and human-readable record capturing the details of a consent interaction: who collected it, the purposes, the data categories, the timestamp, and how to withdraw. The Kantara Initiative published a Consent Receipt specification, and ISO/IEC TS 27560 standardises a consent-record information structure. Receipts support accountability and the ability to demonstrate consent. This page is educational, not legal advice.
What a consent receipt captures
A consent receipt records the parties (collector and subject reference), the purposes consented to, the categories of data, the timestamp and jurisdiction, the legal basis, and the means of withdrawal. The Kantara Consent Receipt specification defined an early JSON structure for this, and ISO/IEC TS 27560:2023 provides a standardised consent-record information model. The goal is a portable, verifiable artefact rather than a buried log line.
Why receipts help accountability
Regulations that rely on consent generally expect a controller to be able to demonstrate it was given. A consent receipt turns that into a concrete, retrievable record tied to a moment in time, which is useful for audits and for honouring later withdrawal. Receipts also help users understand and reuse what they agreed to. They do not, by themselves, fix a flawed consent flow — if the original prompt was unclear or pre-ticked, a tidy receipt of it still reflects defective consent.
Pair receipts with clear prompts and an easy withdrawal path.
- Records parties, purposes, scope, timestamp, withdrawal
- Kantara spec and ISO/IEC TS 27560 define structures
- Evidence of the transaction, not a cure for bad consent
How it appears in analytics and logs
If your consent platform issues a timestamped record per interaction, you have consent receipts; check they capture purposes, scope, and a withdrawal path.
Diagnostic use case
Keep a structured, retrievable record of each consent so you can demonstrate what a user agreed to, when, and how they can withdraw it.
What WebmasterID can help detect
WebmasterID favours minimised measurement; where consent is used, receipt-style records help demonstrate the basis without collecting extra personal data.
Common mistakes
- Treating a receipt as proof the consent flow was valid.
- Omitting the withdrawal mechanism from the record.
- Storing receipts without linking them to the actual prompt shown.
Privacy and accuracy notes
This page is educational, not legal advice. A receipt is evidence of a consent transaction, not proof the consent itself met every legal requirement.
Related pages
- Consent banners and analytics
A consent banner (or CMP) is the interface that asks visitors to accept or refuse non-essential storage and processing. For consent to be valid under EU rules it must be freely given, specific, informed, and unambiguous — which rules out pre-ticked boxes and 'accept-only' dark patterns. Reducing what needs consent in the first place is the cleaner path. This is educational, not legal advice.
- Preference center
A preference center is a durable, user-facing surface — distinct from the initial consent banner — where people can review and update the choices they have made: which processing they consent to, which communications they receive, and whether analytics or advertising is enabled. It supports the right to withdraw consent as easily as it was given, and to revisit choices over time. This page is educational, not legal advice.
- Records of processing activities (ROPA)
Records of processing activities (ROPA) is the documented inventory GDPR Article 30 requires controllers and processors to keep: what personal data you process, why, who receives it, where it goes, and how long you keep it. There is a partial exemption for some smaller organisations, but analytics is exactly the kind of processing a ROPA should capture. Maintaining one is also a practical map of your data. This is educational, not legal advice.
- Privacy-first analytics
Minimised measurement reduces what consent must cover.
Sources and verification notes
- ISO/IEC TS 27560:2023 — Consent record information structureStandardised consent-record structure. Educational, not legal advice.
- Kantara Initiative — Consent Receipt specificationEarly consent-receipt JSON specification.
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.