Compliance
Click's evidence system is built to support the consent and record-keeping requirements of major regulations. This page shows how Click's features map to those requirements, and includes checklists you can use to verify your implementation.
This is general guidance, not legal advice. Consult your legal counsel to confirm the obligations that apply to your organisation.
GDPR
| Requirement | How Click addresses it |
|---|---|
| Informed, specific consent | The Consent template type presents named categories users accept or decline individually |
| Record of consent | Every interaction produces a timestamped, tamper-proof Evidence Bundle |
| Version traceability | Evidence records always reference the exact content and policy version shown |
| Right to erasure | Evidence is deleted automatically at retention expiry |
| Consent withdrawal | Preferences can be updated at any time; current state is tracked separately from historical records → User Preferences |
Because evidence is stored in tamper-proof storage, individual records cannot be deleted before their expiry date — even on a user erasure request. Most data protection authorities recognise audit record preservation as a legitimate exemption. Confirm with your legal team.
CCPA
Click captures each user's specific opt-in and opt-out choices per consent category, with a timestamp and policy version reference. This makes it straightforward to honour data subject requests and demonstrate compliance.
→ Consent Categories · Viewing Evidence
ESIGN Act & UETA (United States)
| Legal requirement | How Click addresses it |
|---|---|
| Intent to agree | Users must actively click an acceptance control — passive interaction is not recorded as acceptance |
| Record association | The Evidence Bundle links user reference, IP, browser context, and document version in one record |
| Attribution | IP address, user agent, and the user ID from your application identify who took the action |
| Record retention | Tamper-proof storage preserves records for the full retention period |
Why records can't be altered
Every Evidence Bundle is sealed at creation using a combination of tamper-evident techniques. If any part of a record were modified after the fact, the seal would break — making the alteration detectable. Propper verifies this automatically; if a record appears in your dashboard, it's intact.
For regulators or counterparties who want to verify records independently, see Document Validity & Trust.
Compliance checklists
Use these to verify your Click implementation meets the technical requirements for each regulation. Have your legal team confirm the specific obligations that apply to your organisation.
GDPR
- Use the Consent Management template type for cookie banners and marketing opt-ins — Static and Generated templates record a single all-or-nothing acceptance and do not satisfy GDPR's granularity requirement → Template Types
- Each consent category is independently toggleable — bundled "accept all" without per-purpose choice is not valid consent under GDPR
- Pass a user ID when initialising the SDK so consent records are linkable to the individual → SDK Initialization
- Set your retention period to cover the active consent period plus a reasonable dispute window — many organisations use 3–7 years → Data Retention
- Users can update their preferences at any time through a preference center → User Preferences
- Templates are published before deployment — the exact version the user saw is locked into every Evidence Bundle → Version Management
CCPA
- Capture opt-out choices (e.g., "Do Not Sell My Personal Information") using the Consent Management template type → Consent Management
- Each category choice is recorded with a timestamp and policy version reference → Consent Tracking
- Retrieve the current consent state per user via the Evidence API for data subject requests → Viewing Evidence
- Evidence is searchable by user ID and date range to support access and deletion requests → Reporting
ESIGN Act & UETA
- The user takes an explicit action to accept — checkbox click, button click, or confirmed scroll. Passive interaction (e.g., simply viewing the page) is not recorded as acceptance
- Pass a user ID so the Evidence Bundle can attribute the action to a specific individual → SDK Initialization
- Set the retention period to at least 7 years — common practice for ESIGN/UETA contracts → Data Retention
- A downloadable PDF Certificate is available per acceptance for sharing with counterparties or courts → Viewing Evidence
- Templates are published before deployment so the exact document version presented is locked in the evidence record → Version Management