Understanding Consent Records

Learn how ConsentProof stores, verifies, and manages consent records to ensure compliance.

What is a Consent Record?

A consent record is an immutable, cryptographically verified proof that a user has given (or withdrawn) consent for a specific policy at a particular point in time.

User Information

Stores user reference, email, and metadata like IP address and user agent.

Policy Details

Links to a specific policy version with its title, type, and content hash.

Cryptographic Hash

SHA-256 hash of the entire consent event for tamper-evident verification.

Timestamp

Exact date and time when consent was given or withdrawn.

Consent Record Structure

Here's what a complete consent record looks like:

Example consent record (JSON):
{
  "id": "123e4567-e89b-12d3-a456-426614174000",
  "policyVersionId": "pol_abc123def456",
  "userReference": "user_12345",
  "userEmail": "user@example.com",
  "consentGiven": true,
  "consentHash": "a1b2c3d4e5f6...",
  "ipAddress": "192.168.1.1",
  "userAgent": "Mozilla/5.0...",
  "metadata": {
    "source": "signup_form",
    "location": "checkout_page"
  },
  "createdAt": "2024-01-15T10:30:00Z",
  "policyDetails": {
    "title": "Privacy Policy",
    "type": "privacy_policy",
    "version": "1.0.0",
    "contentHash": "xyz789..."
  }
}

Cryptographic Verification

Every consent record generates a unique SHA-256 hash that proves its authenticity.

How it works:

  1. Consent data is collected (user, policy, timestamp, IP, etc.)
  2. SHA-256 hash is generated from all consent data
  3. Hash is stored immutably - cannot be changed
  4. Anyone can verify authenticity by regenerating the hash

Hash generation example (JavaScript):
const crypto = require('crypto');

// Consent data
const consentData = {
  userReference: 'user_123',
  userEmail: 'user@example.com',
  policyVersionId: 'pol_abc',
  consentGiven: true,
  timestamp: '2024-01-15T10:30:00Z',
  ipAddress: '192.168.1.1'
};

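// Generate hash. JSON.stringify serializes keys in insertion order, so a
// verifier must serialize the same fields in the same order to match.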
const consentString = JSON.stringify(consentData);
const consentHash = crypto
  .createHash('sha256')
  .update(consentString)
  .digest('hex');

console.log(consentHash);
// Output: a1b2c3d4e5f6...

Immutability & Compliance

Once created, consent records cannot be modified or deleted. This ensures:

Audit Trail

Complete history of all consent events for regulatory audits (GDPR Article 5(2)).

Legal Protection

Cryptographic proof that consent was obtained, protecting both users and businesses.

Tamper Detection

Any attempt to modify a record invalidates its hash, making tampering immediately detectable.

Querying Consent Records

Retrieve consent records by user, policy, or date range:

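Get user consent history (JavaScript):
const axios = require('axios');

// authHeaders: your API authentication headers, defined elsewhere
async function hasValidPrivacyConsent(userEmail, authHeaders) {
  // Get all consent records for a specific user
  const records = await axios.get(
    'https://api.consentproof.io/api/v1/consent/user/' + encodeURIComponent(userEmail),
    { headers: authHeaders }
  );

  // Filter by policy type
  const privacyConsents = records.data.filter(
    r => r.policyDetails.type === 'privacy_policy'
  );

  // Check if user has valid consent. Withdrawals are stored as newer records
  // with consentGiven: false, so only the most recent record counts.
  const latest = privacyConsents.reduce(
    (a, b) => (a && new Date(a.createdAt) >= new Date(b.createdAt) ? a : b),
    null
  );
  return latest !== null && latest.consentGiven === true;
}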

Best Practices

  • Always record withdrawals: When users revoke consent, create a new record with consentGiven: false
  • Include metadata: Store source, location, and context for better audit trails
  • Use webhooks: Get notified immediately when consent events occur
  • Verify hashes: Periodically verify consent record integrity using the hash
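
The verification step from "How it works" and the periodic check recommended under Best Practices, as an added example (not ConsentProof's own code). It generalizes the hash generation example by serializing with sorted keys so the hash does not depend on property order; the hashed field list, the canonical form, and the function names are assumptions.

```javascript
const crypto = require('crypto');

// Assumption: the hash covers exactly these fields (those in the hash
// generation example); the service's real field list is not documented here.
const HASHED_FIELDS = ['userReference', 'userEmail', 'policyVersionId',
  'consentGiven', 'timestamp', 'ipAddress'];

// Assumed canonical form: JSON with object keys sorted recursively.
function canonicalize(value) {
  if (Array.isArray(value)) return '[' + value.map(canonicalize).join(',') + ']';
  if (value !== null && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map(k => JSON.stringify(k) + ':' + canonicalize(value[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

function computeConsentHash(record) {
  const subset = {};
  for (const field of HASHED_FIELDS) {
    if (record[field] === undefined) throw new Error(`missing field: ${field}`);
    subset[field] = record[field];
  }
  return crypto.createHash('sha256').update(canonicalize(subset), 'utf8').digest('hex');
}

// True only when the stored hash is well-formed and matches a fresh hash.
function verifyConsentRecord(record) {
  if (!/^[0-9a-f]{64}$/.test(String(record.consentHash))) return false;
  try { return computeConsentHash(record) === record.consentHash; }
  catch (err) { return false; } // a record missing a hashed field cannot verify
}

// Periodic sweep: return the ids of records that no longer verify.
function findTamperedRecords(records) {
  return records.filter(r => !verifyConsentRecord(r)).map(r => r.id);
}

// Constructed sample records (not real data).
const base = { userReference: 'user_123', userEmail: 'user@example.com',
  policyVersionId: 'pol_abc', consentGiven: true,
  timestamp: '2024-01-15T10:30:00Z', ipAddress: '192.168.1.1' };
const goodHash = computeConsentHash(base);
const sampleRecords = [
  { id: 'rec_1', ...base, consentHash: goodHash },
  { id: 'rec_2', ...base, consentGiven: false, consentHash: goodHash }, // edited after hashing
];
console.log(findTamperedRecords(sampleRecords));
```

Because SHA-256 is unkeyed, this check only detects changes when the reference hash comes from a copy that whoever modified the record could not also rewrite.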