ConsentLedger — Append-Only Consent Proof Log
32 hash-chained consent events. Each entry records: subject, purpose, prompt version, the exact prompt text shown to the subject, affirmative-action evidence, timestamp, source IP truncated to /16, UA, and a signed envelope carrying the hash of the previous entry. Tamper-evident — the artifact that defends GDPR Art 7(1): 'the controller shall be able to demonstrate that the data subject has consented'.
What it is
The shape behind every consent-management platform’s evidence layer — OneTrust, Cookiebot, Didomi, Sourcepoint. The actual append-only log the DPO points to when the supervisory authority asks “prove this subject consented.”
What’s in it
- 32 hash-chained events across 4 purposes (marketing, analytics, personalization, sensitive PI, cookies).
- Per-event proof envelope:
  - Subject ID + purpose + state (granted / declined / withdrawn / expired)
  - Prompt version — the exact version of the consent UI shown (banner-v3.2, optin-v2.1, kyc-onboarding-v4)
  - Exact prompt text shown to the subject at that moment
  - Affirmative-action evidence — POST body, response, cookie set, double-confirmation token
  - Timestamp + source IP (truncated to /16 for IP minimization) + UA
  - Hash of the previous entry — modifying any record breaks the chain
- Edge cases seeded:
  - CL-0007 — withdrawal via SendGrid unsubscribe
  - CL-0008 — Art 9(2)(a) explicit consent for KYC selfie + government ID
  - CL-0012 — KYC consent withdrawn, but 7-year legal retention overrides
  - CL-0013 + CL-0014 — legacy v3.0 banner consent EXPIRED (12-month cap), re-prompted on return
  - CL-0020 — California GPP signal honored (no consent prompt shown — opt-out signal already received)
  - CL-0029 — RFC 8058 one-click List-Unsubscribe
  - CL-0031 — DSAR-09142 erasure; consent records preserved for audit but downstream processing terminated
Why this shape
GDPR Art 7(1): “Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented.” Art 4(11) defines consent as “freely given, specific, informed and unambiguous indication.” Most consent platforms ship a UI, not an evidence ledger. ConsentLedger prototypes the layer that defends Art 7(1) in front of a supervisory authority.
How it ships
Single HTML file, ~25KB. Zero dependencies. 32 chained events + tamper-evident hash function + signed envelope JSON in 220 lines of vanilla JavaScript.