# TF-05 — GDPR Consent Timestamps

| | |
|---|---|
| **Feature** | GDPR consent and marketing consent timestamp capture |
| **Test Page** | [`test-pages/02-sfae-source.html`](../test-pages/02-sfae-source.html) |
| **Live URL** | https://sfae-forms.jjlo.app/test-pages/02-sfae-source.html |
| **Status** | ✅ Ready |
| **Last Verified** | 2026-05-24 |
| **Regulation** | EU GDPR Art. 7 — Conditions for consent (demonstrable, timestamped) |
| **Code Location** | `02-sfae-source.html` L3300–L3310 |

---

## What We're Testing

dormakaba must be able to demonstrate **when** a prospect gave consent.
Two separate timestamp fields record the exact moment each consent checkbox is checked.
These timestamps are submitted with the form and stored in SFAE.

### Consent Fields & Their Timestamp Pairs

| Checkbox field | Timestamp field | Purpose |
|---|---|---|
| Privacy Policy Acceptance | `CONS_registration_gdpr_timestamp` | Records when the prospect accepted the privacy policy |
| Marketing Consent (commercial emails) | `CONS_registration_comercinal_emails_timestamp` | Records when the prospect opted in to marketing |

> **Important:** These must be **separate unchecked checkboxes**. Pre-ticked consent is invalid under GDPR.

---

## Test Steps

### 1. Verify Both Checkboxes Are Unchecked on Load
- [ ] Open `02-sfae-source.html`
- [ ] Scroll to the consent section of the form
- [ ] Privacy Policy checkbox: **unchecked** on load
- [ ] Marketing Consent checkbox: **unchecked** on load
- [ ] Neither checkbox has `checked` attribute in HTML source

### 2. Privacy Policy Timestamp
- [ ] In DevTools console: `document.querySelector('.CONS_registration_gdpr_timestamp input').value` → empty
- [ ] Note current time
- [ ] Check the Privacy Policy checkbox
- [ ] Re-run console query → ISO timestamp appears
- [ ] Timestamp is within a few seconds of when you checked the box
- [ ] Format: `YYYY-MM-DDTHH:MM:SS.sssZ` (UTC)

### 3. Marketing Consent Timestamp
- [ ] DevTools: `document.querySelector('.CONS_registration_comercinal_emails_timestamp input').value` → empty
- [ ] Check the Marketing Consent checkbox
- [ ] Re-run → ISO timestamp appears
- [ ] Timestamps for the two checkboxes can differ (prospect may check them at different times)

### 4. Uncheck Behavior
- [ ] Check both boxes (timestamps filled)
- [ ] Uncheck Privacy Policy
- [ ] Observe the timestamp field (check whether it clears or retains its value):
  - Expected: field **clears** (timestamp should only reflect the last opt-in moment)
  - If it retains the old timestamp after unchecking, flag it as a bug

### 5. Both Timestamps Present on Submit
- [ ] Fill in all required form fields (First Name, Last Name, Email, etc.)
- [ ] Check both consent boxes
- [ ] Submit the form
- [ ] In SFAE prospect record, verify both timestamp fields are populated

### 6. Timestamp Accuracy
- [ ] Check a box at a known time (e.g. 14:30:05 UTC)
- [ ] Verify the captured timestamp matches to within ±5 seconds
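
The format, accuracy and uncheck checks from the steps above can be scripted. This is an added example, not code from the test page or the form itself; the function names `checkTimestamp` and `auditSnapshot`, the snapshot shape and all sample values are assumptions made for illustration.

```javascript
// Added example. Field names are from this test plan; function names and
// all sample values are constructed for illustration.
const ISO_UTC = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$/;

// Steps 2 and 6: format must be YYYY-MM-DDTHH:MM:SS.sssZ and the value must
// fall within the tolerance of the moment the tester checked the box.
function checkTimestamp(value, checkedAtMs, toleranceMs = 5000) {
  if (!ISO_UTC.test(value)) return { ok: false, reason: 'format' };
  const parsed = Date.parse(value);
  // Catch impossible dates: month 13 parses to NaN, and a day such as Feb 30
  // may be rolled over into March, so require an exact round trip.
  if (Number.isNaN(parsed) || new Date(parsed).toISOString() !== value) {
    return { ok: false, reason: 'invalid-date' };
  }
  const skewMs = Math.abs(parsed - checkedAtMs);
  if (skewMs > toleranceMs) return { ok: false, reason: 'skew', skewMs };
  return { ok: true, skewMs };
}

// Steps 1 and 4 plus the side-effect rule: a timestamp may exist only while
// its own checkbox is checked, and each pair is judged independently.
function auditSnapshot(snapshot) {
  const findings = [];
  for (const [field, s] of Object.entries(snapshot)) {
    if (!s.checked && s.value !== '') {
      findings.push(`${field}: timestamp present while unchecked`);
    } else if (s.checked) {
      const r = checkTimestamp(s.value, s.checkedAtMs);
      if (!r.ok) findings.push(`${field}: ${r.reason}`);
    }
  }
  return findings;
}

// Constructed snapshot: privacy box was unchecked again but kept its value.
// In DevTools, `value` would come from the queries shown in steps 2 and 3.
const sample = {
  CONS_registration_gdpr_timestamp:
    { checked: false, value: '2026-05-24T14:30:05.120Z' },
  CONS_registration_comercinal_emails_timestamp:
    { checked: true, value: '2026-05-24T14:30:09.400Z',
      checkedAtMs: Date.UTC(2026, 4, 24, 14, 30, 8) },
};
console.log(auditSnapshot(sample));
```

An empty findings array corresponds to the pass criteria; a local-offset value such as `2026-05-24T16:30:05+02:00` is reported as a `format` failure because the plan requires UTC with a trailing `Z`.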

---

## Pass Criteria

Both checkboxes unchecked on load. Timestamps auto-fill on checkbox check. Both values present in form submission. Timestamps are in ISO 8601 UTC format.

## GDPR Compliance Notes

- These timestamps are **audit evidence** — they must be accurate and stored permanently.
- Do not allow pre-ticking either checkbox in any form template.
- The `CONS_registration_comercinal_emails_timestamp` field should **only** be filled if the prospect actively checks the marketing consent box — not as a side effect of privacy policy acceptance.
- If a form is used in a country with stricter consent requirements (e.g. DE with double opt-in), additional fields may be needed.

## Related Docs

- [`gdpr-consent.md`](../PDD/gdpr-consent.md) — Full consent rules by source
- [`form-field-catalog.md`](../PDD/form-field-catalog.md) — CONS_ field definitions
