GDPR-007 critical Consent Management

Consent stored and auditable

Store consent decisions server-side (not only in cookies). Record who consented, when, to which categories, which policy version they saw, and any later withdrawal, so the consent state at any past date can be reconstructed. Enable retrieval for audits.

Question to ask

"Can you prove a specific user consented in 2023?"

Verification guide

Severity: Critical

GDPR Article 7(1) puts the burden on the controller: you must be able to demonstrate that the data subject consented. You need proof of what each user consented to, when, and under which policy version, in case of a regulatory inquiry or a user complaint.

Check automatically (these greps are heuristics: a hit tells you where to read, not that storage is correct):

# Look for consent storage code
grep -riE "consent.*(store|save|record|log)|(store|save|record|log).*consent" src/ app/ lib/ --include="*.ts" --include="*.js" --include="*.py" 2>/dev/null

# Check for consent database models/tables/migrations (the single term "consent" already covers user_consent, consent_log, consent_record; -l lists matching files only)
grep -ril "consent" src/ models/ migrations/ prisma/ --include="*.ts" --include="*.js" --include="*.sql" --include="*.prisma" 2>/dev/null

# Look for consent audit/history/withdrawal handling
grep -riE "consent.*(history|audit|change|withdraw|revok)" src/ app/ --include="*.ts" --include="*.js" 2>/dev/null

# Check if a consent tool handles storage (OneTrust and Cookiebot keep consent receipts in their cloud; confirm you can actually export them)
grep -riE "onetrust|cookiebot|consent.*receipt|proof.*consent" docs/ src/ --include="*.md" --include="*.ts" --include="*.js" 2>/dev/null

Ask user:

  • "Where is consent stored?" (your database, consent tool's cloud, cookies only?)
  • "Do you store consent receipts/proof?" (timestamp, IP, version of policy agreed to)
  • "Can you prove what a user consented to on a specific date?"
  • "How long do you retain consent records?"

What to store for audit:

  Field                    Purpose
  User ID / identifier     Who consented (a pseudonymous ID is fine as long as you can resolve it to the user)
  Timestamp                When they consented; take it from the server clock in UTC, not from the client
  Consent categories       What they agreed to (analytics, marketing, etc.), one decision per category, including later withdrawals
  Policy version           Which version of the privacy policy / consent text was shown
  Collection method        Banner, signup form, preferences page, etc.
  IP address (optional)    Additional proof; it is personal data in its own right, so store it only if you can justify it and it falls under the same retention period
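The fields above fit an append-only event ledger: every consent decision and every withdrawal is a new row, nothing is updated or deleted, and "what did this user consent to on date X" becomes a point-in-time query. The following is an added, hypothetical implementation (not code from any project or consent tool mentioned on this page) using sqlite3 in memory; the table name consent_event, its columns, the category names and the sample user history are all constructed for illustration.

```python
"""Append-only consent ledger with point-in-time proof (added example, hypothetical)."""
import sqlite3
from datetime import datetime, timezone


def _utc_key(dt: datetime) -> str:
    """Fixed-width UTC timestamp so plain string comparison orders events correctly."""
    if dt.tzinfo is None:
        raise ValueError("consent timestamps must be timezone-aware (server clock, UTC)")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


class ConsentLedger:
    """Each decision or withdrawal is a new row; there is no UPDATE or DELETE path, so history survives."""

    def __init__(self, path: str = ":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute(
            """CREATE TABLE IF NOT EXISTS consent_event (
                   id             INTEGER PRIMARY KEY AUTOINCREMENT,
                   user_id        TEXT NOT NULL,    -- who consented
                   recorded_at    TEXT NOT NULL,    -- when (server clock, UTC)
                   category       TEXT NOT NULL,    -- what: analytics, marketing, ...
                   granted        INTEGER NOT NULL, -- 1 = given, 0 = withdrawn
                   policy_version TEXT NOT NULL,    -- which policy text they saw
                   method         TEXT NOT NULL,    -- banner, signup form, preferences page
                   ip_address     TEXT              -- optional; personal data in its own right
               )"""
        )

    def record(self, user_id, choices, policy_version, method, ip_address=None, recorded_at=None):
        """Append one event per category. `choices` maps category -> True (given) / False (withdrawn)."""
        ts = _utc_key(recorded_at or datetime.now(timezone.utc))
        self.db.executemany(
            "INSERT INTO consent_event (user_id, recorded_at, category, granted, policy_version, method, ip_address)"
            " VALUES (?, ?, ?, ?, ?, ?, ?)",
            [(user_id, ts, cat, int(bool(ok)), policy_version, method, ip_address) for cat, ok in choices.items()],
        )
        self.db.commit()

    def state_at(self, user_id, at):
        """Effective consent per category at instant `at`: the latest event per category on or before `at`."""
        rows = self.db.execute(
            "SELECT category, granted, policy_version, recorded_at, method FROM consent_event"
            " WHERE user_id = ? AND recorded_at <= ? ORDER BY recorded_at, id",
            (user_id, _utc_key(at)),
        )
        state = {}
        for category, granted, version, ts, method in rows:  # later rows overwrite earlier ones
            state[category] = {"granted": bool(granted), "policy_version": version,
                               "recorded_at": ts, "method": method}
        return state

    def proof(self, user_id, category, at):
        """The evidence row showing consent to `category` was in force at `at`, or None if it was not."""
        entry = self.state_at(user_id, at).get(category)
        return entry if entry and entry["granted"] else None


# Constructed sample history (not real data): consent given in March 2023, marketing withdrawn in September.
T_CONSENT = datetime(2023, 3, 1, 10, 0, tzinfo=timezone.utc)
T_WITHDRAW = datetime(2023, 9, 15, 8, 30, tzinfo=timezone.utc)
T_MID_2023 = datetime(2023, 6, 1, tzinfo=timezone.utc)
T_END_2023 = datetime(2023, 12, 31, 23, 59, 59, tzinfo=timezone.utc)


def build_sample_ledger():
    ledger = ConsentLedger()
    ledger.record("user-42", {"analytics": True, "marketing": True}, "privacy-v3", "banner",
                  ip_address="203.0.113.5", recorded_at=T_CONSENT)
    ledger.record("user-42", {"marketing": False}, "privacy-v4", "preferences", recorded_at=T_WITHDRAW)
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("analytics at end of 2023:", ledger.proof("user-42", "analytics", T_END_2023))
    print("marketing at end of 2023:", ledger.proof("user-42", "marketing", T_END_2023))
    print("marketing in mid 2023:   ", ledger.proof("user-42", "marketing", T_MID_2023))
```

The point of the design is that proof is a query, not a guess: because withdrawals are rows rather than overwrites, the same table answers "was marketing consent in force in June 2023?" (yes, under privacy-v3, collected via the banner) and "in December 2023?" (no, withdrawn in September). Naive timestamps are rejected on write so that records from different servers or time zones stay comparable.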

Pass criteria:

  • Consent decisions stored persistently server-side (not just in cookies)
  • Audit trail includes: who, when, what categories, policy version, and withdrawals as their own events
  • Can retrieve consent proof for any user as of any past date
  • Retention period defined and applied to the consent records themselves

Fail criteria:

  • Consent only in browser cookies (lost on clear)
  • No server-side record of consent
  • Can't prove what user consented to
  • "Our consent tool handles it" but never verified

Evidence to capture:

  • Storage location (database table, consent tool, etc.)
  • Fields captured
  • Retention period
  • How to retrieve consent proof for a specific user

Section

37. GDPR & Privacy Compliance

Operations & Incident Management