Consent Registry and Logging
Comprehensive consent logging system ensuring Swiss nFADP compliance and providing detailed audit trails for regulatory requirements.
What is Stored in the Consent Registry
The biskoui consent registry maintains a complete, tamper-proof record of all consent-related events for compliance and auditing purposes.
Core Consent Events
Consent Given:
{
  "event_type": "consent_given",
  "timestamp": "2024-01-15T14:30:22.123Z",
  "user_identifier": "session_abc123xyz",
  "ip_address": "192.168.1.100",
  "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
  "domain": "example.com",
  "page_url": "https://example.com/privacy-policy",
  "consent_categories": {
    "essential": true,
    "analytics": true,
    "marketing": false,
    "functional": true
  },
  "consent_method": "banner_accept_all",
  "legal_basis": "article_6_1_a_gdpr"
}
Consent Withdrawn:
{
  "event_type": "consent_withdrawn",
  "timestamp": "2024-01-20T09:15:45.678Z",
  "user_identifier": "session_abc123xyz",
  "ip_address": "192.168.1.100",
  "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
  "domain": "example.com",
  "page_url": "https://example.com/privacy-center",
  "previous_consent": {
    "essential": true,
    "analytics": true,
    "marketing": false,
    "functional": true
  },
  "new_consent": {
    "essential": true,
    "analytics": false,
    "marketing": false,
    "functional": false
  },
  "withdrawal_method": "privacy_center_manual"
}
Banner Displayed:
{
  "event_type": "banner_displayed",
  "timestamp": "2024-01-15T14:30:10.456Z",
  "user_identifier": "session_abc123xyz",
  "ip_address": "192.168.1.100",
  "domain": "example.com",
  "page_url": "https://example.com/",
  "banner_version": "v2.1.0",
  "display_reason": "no_previous_consent",
  "device_type": "desktop",
  "browser": "Chrome/120.0.0.0"
}
Service Blocked/Activated:
{
  "event_type": "service_state_change",
  "timestamp": "2024-01-15T14:30:23.789Z",
  "user_identifier": "session_abc123xyz",
  "domain": "example.com",
  "service_name": "Google Analytics",
  "service_category": "analytics",
  "previous_state": "blocked",
  "new_state": "active",
  "trigger": "consent_given"
}
Additional Metadata
Geographic Information:
{
  "geo_data": {
    "country_code": "CH",
    "region": "Zurich",
    "timezone": "Europe/Zurich",
    "applicable_laws": ["nFADP", "GDPR"]
  }
}
Technical Context:
{
  "technical_context": {
    "screen_resolution": "1920x1080",
    "viewport_size": "1200x800",
    "language": "de-CH",
    "do_not_track": false,
    "cookie_enabled": true,
    "local_storage_available": true
  }
}
Compliance Metadata:
{
  "compliance_data": {
    "data_controller": "Your Company AG",
    "privacy_policy_version": "v3.2",
    "privacy_policy_url": "https://example.com/privacy",
    "dpo_contact": "dpo@example.com",
    "retention_period": "2_years"
  }
}
Swiss nFADP Compliance Requirements
The Swiss Federal Act on Data Protection (nFADP) requires specific documentation and logging practices that biskoui automatically handles.
Required Documentation Elements
Data Processing Information (Art. 19 nFADP):
{
  "nfadp_compliance": {
    "data_controller": {
      "name": "Your Company AG",
      "address": "Musterstrasse 123, 8001 Zürich, Switzerland",
      "contact": "info@example.com"
    },
    "processing_purpose": "Website analytics and user experience optimization",
    "legal_basis": "Consent of the data subject",
    "data_categories": [
      "Usage data",
      "Technical data",
      "Preference data"
    ],
    "retention_period": "24 months from last interaction",
    "data_recipients": [
      "Google Analytics (US)",
      "Internal analytics team (CH)"
    ],
    "transfer_countries": ["US"],
    "transfer_safeguards": "Standard Contractual Clauses (EU Commission)"
  }
}
Consent Validity Documentation:
{
  "consent_validity": {
    "informed_consent": {
      "purpose_explained": true,
      "data_types_specified": true,
      "recipients_disclosed": true,
      "retention_communicated": true
    },
    "freely_given": {
      "no_detriment_for_refusal": true,
      "granular_choices": true,
      "easy_withdrawal": true
    },
    "specific_consent": {
      "purpose_specific": true,
      "clear_affirmative_action": true,
      "no_pre_checked_boxes": true
    },
    "unambiguous_consent": {
      "clear_language": true,
      "explicit_agreement": true,
      "documented_choice": true
    }
  }
}
Data Subject Rights Tracking
Access Requests (Art. 25 nFADP):
{
  "access_request": {
    "request_id": "AR-2024-001",
    "timestamp": "2024-01-20T10:00:00.000Z",
    "user_identifier": "session_abc123xyz",
    "request_method": "email",
    "data_provided": {
      "consent_history": true,
      "service_activations": true,
      "data_processing_log": true
    },
    "response_deadline": "2024-02-20T10:00:00.000Z",
    "status": "completed"
  }
}
Deletion Requests (Art. 17 nFADP):
{
  "deletion_request": {
    "request_id": "DR-2024-001",
    "timestamp": "2024-01-25T15:30:00.000Z",
    "user_identifier": "session_abc123xyz",
    "scope": "all_consent_data",
    "retention_exception": "legal_obligation",
    "anonymization_applied": true,
    "deletion_confirmation": "2024-01-25T16:00:00.000Z"
  }
}
Viewing Consent Logs
Dashboard Access
Navigation Path:
- Go to Analytics → Consent Registry
- Select date range and filters
- Choose export format if needed
Available Filters:
- Date Range: Specific time periods
- Event Type: Consent given, withdrawn, banner shown
- Domain: Filter by specific domains or subdomains
- User Identifier: Search for specific users
- Consent Category: Filter by analytics, marketing, etc.
- Geographic Region: Filter by country or region
- Legal Basis: Filter by GDPR, nFADP, etc.
Real-Time Monitoring
Live Event Stream:
// Real-time consent event monitoring
const eventSource = new EventSource('/api/consent-events/stream');

eventSource.addEventListener('consent_event', function(event) {
  const consentEvent = JSON.parse(event.data);
  console.log('New consent event:', consentEvent);
  // Update dashboard in real-time
  updateConsentDashboard(consentEvent);
});

// Monitor specific event types
eventSource.addEventListener('consent_withdrawn', function(event) {
  const withdrawalEvent = JSON.parse(event.data);
  // Handle consent withdrawal specifically
  handleConsentWithdrawal(withdrawalEvent);
});
Dashboard Widgets:
- Recent Consent Events: Latest 50 consent activities
- Consent Rate Trends: Accept/reject ratios over time
- Geographic Distribution: Consent patterns by location
- Service Activation Rates: Which services are most commonly accepted
- Compliance Alerts: Potential compliance issues or anomalies
Search and Analysis
Advanced Search Interface:
-- Example search queries (dashboard provides UI for these)

-- Find all consent events for a specific user
SELECT * FROM consent_events
WHERE user_identifier = 'session_abc123xyz'
ORDER BY timestamp DESC;

-- Analyze consent rates by country
SELECT country_code,
       COUNT(*) as total_events,
       AVG(CASE WHEN event_type = 'consent_given' THEN 1 ELSE 0 END) as consent_rate
FROM consent_events
WHERE event_type IN ('consent_given', 'consent_rejected')
GROUP BY country_code;

-- Track consent changes over time
SELECT DATE(timestamp) as date,
       COUNT(*) as consent_changes
FROM consent_events
WHERE event_type = 'consent_withdrawn'
GROUP BY DATE(timestamp)
ORDER BY date DESC;
Analytics Insights:
- Consent Journey Analysis: Track how users interact with consent over time
- A/B Testing Results: Compare consent rates across different banner designs
- Compliance Coverage: Ensure all required events are being logged
- Performance Impact: Monitor how consent collection affects site metrics
Data Export Capabilities
Export Formats
CSV Export:
timestamp,event_type,user_identifier,domain,consent_categories,ip_address,legal_basis
2024-01-15T14:30:22.123Z,consent_given,session_abc123xyz,example.com,"{""analytics"":true,""marketing"":false}",192.168.1.100,article_6_1_a_gdpr
2024-01-15T14:35:10.456Z,banner_displayed,session_def456uvw,example.com,,192.168.1.101,
JSON Export:
{
  "export_metadata": {
    "generated_at": "2024-01-25T10:00:00.000Z",
    "date_range": {
      "start": "2024-01-01T00:00:00.000Z",
      "end": "2024-01-25T23:59:59.999Z"
    },
    "total_events": 15420,
    "file_format": "json"
  },
  "consent_events": [
    {
      "event_type": "consent_given",
      "timestamp": "2024-01-15T14:30:22.123Z",
      "user_identifier": "session_abc123xyz",
      "domain": "example.com",
      "consent_categories": {
        "essential": true,
        "analytics": true,
        "marketing": false,
        "functional": true
      }
    }
  ]
}
XML Export (for legacy systems):
<?xml version="1.0" encoding="UTF-8"?>
<consent_export>
  <metadata>
    <generated_at>2024-01-25T10:00:00.000Z</generated_at>
    <date_range>
      <start>2024-01-01T00:00:00.000Z</start>
      <end>2024-01-25T23:59:59.999Z</end>
    </date_range>
  </metadata>
  <events>
    <event>
      <type>consent_given</type>
      <timestamp>2024-01-15T14:30:22.123Z</timestamp>
      <user_identifier>session_abc123xyz</user_identifier>
      <domain>example.com</domain>
    </event>
  </events>
</consent_export>
Automated Exports
Scheduled Exports:
{
  "export_schedule": {
    "frequency": "weekly",
    "day_of_week": "monday",
    "time": "02:00",
    "timezone": "Europe/Zurich",
    "format": "csv",
    "recipients": [
      "compliance@example.com",
      "dpo@example.com"
    ],
    "retention": {
      "keep_exports": "1_year",
      "archive_location": "secure_storage"
    }
  }
}
API Export Access:
# Export consent data via API
curl -X GET "https://api.biskoui.ch/v1/consent-exports" \
  -H "Authorization: Bearer your-api-key" \
  -H "Content-Type: application/json" \
  -d '{
    "date_range": {
      "start": "2024-01-01",
      "end": "2024-01-31"
    },
    "format": "csv",
    "filters": {
      "domain": "example.com",
      "event_types": ["consent_given", "consent_withdrawn"]
    }
  }'
Data Retention and Compliance
Swiss nFADP Retention Requirements
Standard Retention Periods:
- Consent Records: 2 years after consent withdrawal or last interaction
- Service Activation Logs: 2 years for accountability purposes
- Banner Display Events: 1 year for user experience optimization
- Compliance Audits: 5 years for regulatory examination
Automatic Data Cleanup:
{
  "retention_policy": {
    "consent_events": {
      "retention_period": "2_years",
      "trigger": "last_interaction",
      "cleanup_method": "automatic_deletion"
    },
    "banner_events": {
      "retention_period": "1_year",
      "trigger": "event_timestamp",
      "cleanup_method": "anonymization"
    },
    "compliance_logs": {
      "retention_period": "5_years",
      "trigger": "creation_date",
      "cleanup_method": "archive_then_delete"
    }
  }
}
GDPR Compliance Integration
Additional GDPR Requirements:
{
  "gdpr_compliance": {
    "lawful_basis_documentation": {
      "consent": "Article 6(1)(a) GDPR",
      "consent_evidence": "Recorded user action",
      "withdrawal_method": "Privacy center or email request"
    },
    "data_subject_rights": {
      "access": "Automated via dashboard",
      "rectification": "Manual process via support",
      "erasure": "Automated deletion available",
      "portability": "JSON/CSV export available"
    },
    "cross_border_transfers": {
      "adequate_countries": ["Switzerland"],
      "safeguards": "Standard Contractual Clauses",
      "documentation": "Transfer impact assessments"
    }
  }
}
Anonymization Procedures
Data Anonymization Process:
{
  "anonymization": {
    "triggers": [
      "retention_period_exceeded",
      "user_deletion_request",
      "regulatory_requirement"
    ],
    "methods": {
      "ip_address": "Hash with salt",
      "user_identifier": "Replace with random ID",
      "user_agent": "Remove or generalize",
      "timestamp": "Round to hour/day"
    },
    "verification": {
      "re_identification_test": "Monthly",
      "anonymization_review": "Quarterly",
      "compliance_audit": "Annually"
    }
  }
}
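The four methods listed above, applied to one event in Python. This is an added example, not biskoui's implementation. It assumes the "salt" is a random per-batch key used with HMAC-SHA256 and then discarded, since a salt that is kept lets the original IPv4 address be recovered by trying every possible value; the class name, the `anon_` prefix and the tail of the sample user agent are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import datetime


class Anonymizer:
    """One instance per cleanup batch; key and ID map exist only in memory."""
    def __init__(self):
        # Per-batch key, never stored: a kept salt allows enumerating all 2**32 IPv4s.
        self._key = secrets.token_bytes(32)
        self._ids = {}

    def ip(self, address):
        return hmac.new(self._key, address.encode(), hashlib.sha256).hexdigest()[:16]

    def user(self, identifier):
        # Random rather than derived, so it cannot be recomputed from the input.
        return self._ids.setdefault(identifier, "anon_" + secrets.token_hex(8))

    @staticmethod
    def user_agent(ua):
        # Keep only the browser family; Edge and Chrome UAs also contain "Safari/".
        for token, family in (("Firefox/", "Firefox"), ("Edg/", "Edge"),
                              ("Chrome/", "Chrome"), ("Safari/", "Safari")):
            if token in ua:
                return family
        return "other"

    @staticmethod
    def timestamp(ts, to="hour"):
        dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")
        dt = dt.replace(minute=0, second=0, microsecond=0)
        return (dt.replace(hour=0) if to == "day" else dt).strftime("%Y-%m-%dT%H:%M:%SZ")

    def event(self, ev):
        return {**ev,
                "ip_address": self.ip(ev["ip_address"]),
                "user_identifier": self.user(ev["user_identifier"]),
                "user_agent": self.user_agent(ev.get("user_agent", "")),
                "timestamp": self.timestamp(ev["timestamp"])}


# Constructed sample based on the page's consent_given event; the UA tail is made up.
SAMPLE_EVENT = {
    "event_type": "consent_given", "timestamp": "2024-01-15T14:30:22.123Z",
    "user_identifier": "session_abc123xyz", "ip_address": "192.168.1.100",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0 Safari/537.36",
}
```

Within one batch the same user and IP map to the same replacement values, so consent histories stay linkable to each other but not to the original identifiers.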
Compliance Reporting
Regulatory Report Generation
Swiss Data Protection Authority Reports:
{
  "swiss_dpa_report": {
    "report_period": "2024-Q1",
    "data_controller": "Your Company AG",
    "processing_activities": [
      {
        "purpose": "Website analytics",
        "legal_basis": "Consent",
        "data_subjects": 12450,
        "consent_rate": "68.3%",
        "cross_border_transfers": true,
        "safeguards": "Standard Contractual Clauses"
      }
    ],
    "data_subject_requests": {
      "access_requests": 15,
      "deletion_requests": 8,
      "rectification_requests": 2,
      "average_response_time": "12_days"
    }
  }
}
GDPR Article 30 Records:
{
  "article_30_record": {
    "processing_activity": "Consent Management",
    "controller_details": {
      "name": "Your Company AG",
      "contact": "dpo@example.com"
    },
    "purposes": [
      "Legal compliance with privacy laws",
      "User preference management",
      "Service optimization"
    ],
    "categories_of_data": [
      "Consent preferences",
      "Technical identifiers",
      "Usage patterns"
    ],
    "retention_periods": "2 years maximum",
    "technical_measures": [
      "Encryption in transit and at rest",
      "Access controls and authentication",
      "Regular security audits"
    ]
  }
}
Audit Trail Documentation
Complete Audit Trail:
{
  "audit_trail": {
    "event_sequence": [
      {
        "step": 1,
        "event": "banner_displayed",
        "timestamp": "2024-01-15T14:30:10.456Z",
        "evidence": "Log entry with screenshot"
      },
      {
        "step": 2,
        "event": "user_interaction",
        "timestamp": "2024-01-15T14:30:22.123Z",
        "evidence": "Click event on accept button"
      },
      {
        "step": 3,
        "event": "consent_recorded",
        "timestamp": "2024-01-15T14:30:22.234Z",
        "evidence": "Database transaction log"
      },
      {
        "step": 4,
        "event": "services_activated",
        "timestamp": "2024-01-15T14:30:22.345Z",
        "evidence": "Service activation logs"
      }
    ],
    "integrity_verification": {
      "hash_chain": "SHA-256 linked hashes",
      "tamper_detection": "Enabled",
      "backup_verification": "Daily"
    }
  }
}
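How a SHA-256 hash chain of the kind named under integrity_verification makes an event log tamper-evident, shown as an added Python example (not biskoui's code). The `prev_hash`/`hash` field names, the all-zero genesis value and the canonical JSON encoding are assumptions; the sample events are constructed from the audit trail above.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first entry


def entry_hash(prev_hash, event):
    # Canonical JSON (sorted keys, fixed separators) so an event always hashes the same.
    canonical = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def build_chain(events):
    chain, prev = [], GENESIS
    for event in events:
        digest = entry_hash(prev, event)
        chain.append({"event": event, "prev_hash": prev, "hash": digest})
        prev = digest
    return chain


def first_broken_link(chain, trusted_head=None):
    """None if intact; index of the first bad entry; len(chain) if only the head differs."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev or entry["hash"] != entry_hash(prev, entry["event"]):
            return i
        prev = entry["hash"]
    # Truncation or a full re-chain only shows against a head stored outside the log.
    if trusted_head is not None and prev != trusted_head:
        return len(chain)
    return None


# Constructed sample: the four audit-trail steps shown above.
SAMPLE_EVENTS = [
    {"step": 1, "event": "banner_displayed", "timestamp": "2024-01-15T14:30:10.456Z"},
    {"step": 2, "event": "user_interaction", "timestamp": "2024-01-15T14:30:22.123Z"},
    {"step": 3, "event": "consent_recorded", "timestamp": "2024-01-15T14:30:22.234Z"},
    {"step": 4, "event": "services_activated", "timestamp": "2024-01-15T14:30:22.345Z"},
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    head = chain[-1]["hash"]
    edited = copy.deepcopy(chain)
    edited[2]["event"]["timestamp"] = "2024-01-15T14:29:00.000Z"  # backdated consent
    print(first_broken_link(chain, head), first_broken_link(edited, head))
```

An edited or removed entry breaks the chain at its own index, while a log cut off at the end still verifies internally and is caught only by comparing against the separately stored head hash.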
Performance and Statistics
Consent Analytics Dashboard:
- Overall Consent Rate: Percentage of users providing consent
- Category Breakdown: Acceptance rates by service category
- Geographic Trends: Consent patterns by country/region
- Time-Based Analysis: Consent rates over time periods
- Device/Browser Impact: How platform affects consent decisions
- A/B Testing Results: Banner optimization effectiveness
Compliance Metrics:
- Response Time: Average time to handle data subject requests
- Data Accuracy: Percentage of accurate consent records
- Retention Compliance: Adherence to data retention policies
- Cross-Border Compliance: Proper handling of international transfers
- Security Incidents: Any breaches or unauthorized access
Best Practices
Implementation Guidelines
- Comprehensive Logging: Ensure all consent-related events are captured
- Data Minimization: Only log necessary data for compliance purposes
- Security: Implement proper access controls and encryption
- Regular Audits: Periodically review logs for accuracy and completeness
- Staff Training: Ensure team understands compliance requirements
Maintenance Procedures
- Monthly Reviews: Check consent patterns and anomalies
- Quarterly Audits: Comprehensive compliance review
- Annual Assessment: Full privacy impact assessment
- System Updates: Keep logging systems current with legal changes
- Backup Verification: Ensure consent logs are properly backed up
Next Steps
After setting up your consent registry: