Almost every lead form has a consent checkbox. Yet consent rarely fails on the checkbox itself: it fails on the evidence behind it. Under the GDPR, consent is not a one-off click but a state you as a lead generator must be able to demonstrate at any moment. This article explains when consent is valid, exactly what you need to store, and how to capture it in your own intake so it holds up.
What valid consent is
The GDPR names consent as one of the possible legal bases for processing personal data. But not every “yes” counts. The law sets four conditions, and they all apply at once. Miss one, and the consent is contestable, and with it the entire processing that rests on it, including every lead you deliver on that basis.
1. Freely given
The data subject must have a genuine choice. Consent is not free if it is required to obtain a service, if a checkbox is pre-ticked, or if refusing carries a downside. Submitting and agreeing should be separate actions.
2. Specific
Consent applies only to the concrete purpose for which it was requested. One general checkbox for “everything at once” does not qualify. If you ask consent for multiple purposes, ask separately for each one, each with its own traceable legal basis.
3. Informed
The data subject must know who processes the data, for what purpose, and to whom it is passed on, before they agree. That means an understandable consent statement in plain language, not tucked away in a reference to a lengthy privacy document.
4. Unambiguous
Consent requires a clear, active action: a deliberate click or a ticked box. Silence, a pre-ticked box, or simply continuing on a page does not count as consent.
Together these four criteria set the bar. The tricky part is that you must be able to show afterwards that you met it: that the choice was free, the purpose was specific, the data subject was sufficiently informed, and the agreement was an active action. That burden of proof sits with you as the data controller, not with the data subject, and not with the publisher who supplied the request.
Exactly what you need to record
A field with the value agreed = yes proves little. It does not say which text the data subject saw, when the agreement was given, or through which channel the request arrived. That context is exactly what separates consent that holds up from consent you have to reconstruct after the fact, with a buyer on the phone asking for proof. So at the moment of agreement, record at least these five elements:
The consent text as shown: Not a summary, but the exact wording the data subject saw on screen at the moment of agreeing.
The form version: A version number or hash of the form, so a later text change never muddies your evidence.
The timestamp: Date and time of the agreement, down to the second, recorded at the moment itself and unchangeable afterwards.
Source & channel: Which landing page, campaign and channel the request arrived through: the provenance of the consent.
The legal basis: The legal basis for the processing, tied to the specific purpose for which consent was requested.
The common thread: record it at the moment itself, not afterwards. Whoever looks up the consent text later or infers the timestamp from a log line is filling gaps. And a filled-in gap is exactly what fails to convince a regulator or a buyer, especially once you run multiple publishers and channels at once and cannot manually reconstruct what was shown for every single request.
What a consent record looks like
A good consent record is not a yes-or-no, but a complete mini-dossier per request. This is what a record for a single lead request could look like:
Consent record · request #LD-29184
Valid
Consent text
“Yes, I consent to sharing my details with an affiliated energy advisor for free, no-obligation savings advice.”
Form version
energy-request · v3.2
Timestamp
14 March 2026, 09:41:07 (CET)
Source / channel
landing page /save-now · campaign spring-2026
Partner ID
PRT-0481 (verified)
Legal basis
Consent (Art. 6(1)(a) GDPR)
Double opt-in
Confirmed on 14 March 2026, 09:48
The difference from a bare “agreed” value is clear: each field is independently verifiable, and together they substantiate that all four GDPR criteria were met, per request, per publisher, per campaign.
Double opt-in
With double opt-in, the first agreement is followed by a confirmation step: the data subject receives an email or SMS and actively confirms that they really did make the request. Only after that confirmation is the consent treated as final and the lead delivered to a buyer.
The GDPR does not explicitly mandate double opt-in, but in practice it strengthens your position considerably. It shows that the contact address provided genuinely belongs to the data subject, it filters out typing errors and malicious sign-ups, and it delivers a second, independent piece of evidence: exactly the kind of substantiation a critical buyer expects before accepting a lead. Record that confirmation too: the timestamp, the confirmed channel and the fact that it was confirmed all belong in the same consent record.
Withdrawing consent
The GDPR states that withdrawing consent must be as easy as giving it. A data subject does not need to give a reason, and the withdrawal takes effect from the moment it is made: processing that relied on valid consent before that point remains lawful.
What makes a withdrawal tricky in practice is the chain that follows it. A request you have already delivered continues to live on with one or more buyers. A withdrawal therefore needs to do more than flip a checkbox: further delivery stops, buyers who already received it get a withdrawal signal, and the original consent record is kept as proof that valid consent once existed, with the moment of withdrawal appended to it. You do not delete the consent; you close it off in a traceable way. Without a system that notifies buyers automatically, you have to call around and handle this manually case by case: error-prone and unsustainable once your volume grows.
Retention periods
The GDPR does not prescribe a fixed period for how long you may keep a lead or a consent record. Instead, the principle of storage limitation applies: you do not keep personal data longer than necessary for the purpose for which you process it. What that period is, you as the data controller decide, but you must be able to justify that choice.
A useful distinction is between the lead data itself and the proof of consent. Once the purpose has been achieved or lapsed, you can often keep the substantive data for a shorter period, while you still need the proof that the processing was lawful at the time for a while longer, for instance as long as a complaint or claim could still follow. Set a retention period per data type, automate the clean-up, and make sure that clean-up itself also lands in your audit trail.
How you organise this watertight in your own platform
The theory above is clear; the manual work is not. Build this yourself at form level, and you rely on discipline from every publisher and every form individually, and one forgotten setting undermines your entire evidence trail. OXIAE is the operating system that handles this centrally and automatically, no matter how many publishers or channels come in: the consent checkbox can never be pre-ticked and is separated from the submit button, so the choice always stays free and unambiguous. The exact consent text shown and the form version are recorded verbatim, together with the timestamp down to the second, for every request, on every connected form.
At the same time, the platform verifies provenance: channel, landing page and partner ID are checked and recorded on arrival, and requests from unknown or unverified sources can be rejected automatically. Double opt-in, withdrawals and expiring retention periods are added to the audit trail as separate, traceable events: records are never overwritten, only appended. That way every lead you deliver under your own brand carries its own proof, exportable the moment a buyer or regulator asks for it.
Please note: this article is intended as general explanation and does not constitute legal advice. The GDPR leaves room for judgement on many points depending on your specific situation. Have your processing and retention periods reviewed by a qualified lawyer or data protection officer before putting them into production.
Necessary cookies keep the site working. We place analytics and marketing cookies only with your consent. You choose per category, and we record your choice with a timestamp.