
Consent Versioning

Consent disclosures change over time. Legal teams update TCPA language, marketing adds new partner names, and compliance adjusts wording for new regulations. When a consumer disputes their consent, the critical question is: which version of the disclosure did they actually see?

eConsent’s consent versioning system answers this question with cryptographic certainty by capturing a SHA-256 hash of the exact page content at the moment of consent.

Every time eConsent captures a consent event, it performs the following:

  1. Captures the DOM --- the full page structure at the moment the consumer interacts with the consent element
  2. Extracts the disclosure text --- the consent language visible to the consumer
  3. Computes a SHA-256 hash --- a cryptographic fingerprint of the disclosure content
  4. Stores the hash on the certificate --- permanently linking the consent event to the exact disclosure version
  5. Stores the full DOM snapshot --- preserving the complete page for session replay

You can register consent templates in the eConsent dashboard to give your disclosure versions human-readable names and track changes over time:

  1. Navigate to Settings > Consent Templates in your dashboard.
  2. Click Create Template.
  3. Enter a template name (e.g., “TCPA Disclosure v3.1 - Solar”).
  4. Paste the disclosure text that will appear on your form.
  5. eConsent computes and displays the SHA-256 hash.
  6. Save the template.

When certificates are generated, eConsent automatically matches the captured disclosure hash against your registered templates. If a match is found, the template name and version are displayed on the certificate.

Each time you update a template’s text, a new version is created:

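| Version | Date       | SHA-256 hash | Status   |
|---------|------------|--------------|----------|
| v3.2    | 2026-04-01 | a1b2c3d4...  | Active   |
| v3.1    | 2026-02-15 | e5f6g7h8...  | Archived |
| v3.0    | 2025-11-01 | i9j0k1l2...  | Archived |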

Archived versions are never deleted. They remain available for matching against historical certificates.

You can query which template version a certificate matched:

    async function getCertificateTemplate(certificateId) {
      // The API token and company ID are read from the environment.
      const response = await fetch(
        'https://api.econsent.org/api/verify/certificate-info',
        {
          method: 'POST',
          headers: {
            'Content-Type': 'application/json',
            'Authorization': `Bearer ${process.env.ECONSENT_API_TOKEN}`,
          },
          body: JSON.stringify({
            certificate_id: certificateId,
            company_id: process.env.ECONSENT_COMPANY_ID,
          }),
        }
      );
      // Fail on HTTP errors instead of returning an object of undefined fields.
      if (!response.ok) {
        throw new Error(`certificate-info request failed: HTTP ${response.status}`);
      }
      const result = await response.json();
      return {
        templateName: result.template_name,
        templateVersion: result.template_version,
        disclosureHash: result.disclosure_hash,
        capturedAt: result.created_at,
      };
    }

The SHA-256 hash is the core of the versioning system. It provides a tamper-evident link between a consent certificate and the exact disclosure text the consumer saw.

    Input:   "By checking this box, I consent to receive calls and texts from
             Solar Corp and its partners at the number provided..."
    SHA-256: a3f2b8c1d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1

If even a single character changes in the disclosure text, the hash changes completely:

    Input:   "By checking this box, I consent to receive calls and texts from
             Solar Corp and its affiliates at the number provided..."
                                ^^^^^^^^^^ changed word
    SHA-256: 7d1e9f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1

Any retroactive alteration of the disclosure text therefore produces a hash that no longer matches the one stored on the certificate.

To verify that a specific disclosure text matches a certificate’s stored hash:

    # Compute the hash of your current disclosure text.
    # printf '%s' emits the text without a trailing newline; the hash covers the exact bytes.
    printf '%s' "By checking this box, I consent to receive calls..." | shasum -a 256
    # Compare against the hash stored on the certificate
    # If they match, the disclosure has not changed since consent was captured
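The same check in Node.js, as an added example that is not eConsent's own code. It assumes the stored hash covers the exact UTF-8 bytes of the disclosure text with no normalization; `sha256Hex`, `checkDisclosure` and the reason labels are hypothetical names, and the sample text is constructed.

```javascript
// Added example (not eConsent code): compare local disclosure text with a
// certificate's stored disclosure hash and explain near-miss mismatches.
// Assumption: the hash covers the exact UTF-8 bytes, with no normalization.
const { createHash } = require('node:crypto');

function sha256Hex(text) {
  return createHash('sha256').update(text, 'utf8').digest('hex');
}

// Returns { match, reason }. Only 'exact' counts as a match; the other
// reasons separate byte-level drift from a real wording change.
function checkDisclosure(text, storedHash) {
  const stored = String(storedHash).trim().toLowerCase();
  // A SHA-256 digest is exactly 64 hex characters; reject anything else.
  if (!/^[0-9a-f]{64}$/.test(stored)) {
    return { match: false, reason: 'malformed_hash' };
  }
  if (sha256Hex(text) === stored) {
    return { match: true, reason: 'exact' };
  }
  // Same words, but leading/trailing whitespace (e.g. a newline from echo).
  if (sha256Hex(text.trim()) === stored) {
    return { match: false, reason: 'whitespace_differs' };
  }
  // Same characters on screen, but a different Unicode composition form.
  if (sha256Hex(text.normalize('NFC')) === stored) {
    return { match: false, reason: 'unicode_form_differs' };
  }
  return { match: false, reason: 'text_differs' };
}

// Constructed sample text and hash, for illustration only.
const shown = 'I consent to receive calls from Solar Corp and its partners.';
const certHash = sha256Hex(shown);

console.log(checkDisclosure(shown, certHash));
console.log(checkDisclosure(shown + '\n', certHash));
console.log(checkDisclosure(shown.replace('partners', 'affiliates'), certHash));
```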

During a TCPA audit or litigation discovery, auditors need to answer:

  1. What did the consumer see? The SHA-256 hash proves which version of the disclosure was rendered.
  2. Has the disclosure changed since then? Comparing the current hash to the certificate hash reveals any modifications.
  3. Was the right version active? Template version history shows which disclosure was active on any given date.
  4. Can you reproduce what was shown? The full DOM snapshot and session replay recreate the exact consumer experience.
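An added sketch of how audit questions 1 to 3 can be checked against a certificate record; it is not eConsent's own code. The `disclosure_hash` and `created_at` fields come from the API example on this page, while `activeFrom`, the function names, the finding labels and the disclosure texts are assumptions, and dates are treated as UTC.

```javascript
// Added example (not eConsent code). Record shapes are assumptions modelled
// on the version table and certificate fields shown on this page.
const { createHash } = require('node:crypto');
const sha256Hex = (t) => createHash('sha256').update(t, 'utf8').digest('hex');

// Constructed history: a version is active from `activeFrom` (UTC date)
// until the next version's `activeFrom`. Texts are illustrative only.
const history = [
  { version: 'v3.0', activeFrom: '2025-11-01', text: 'I consent to calls from Solar Corp.' },
  { version: 'v3.1', activeFrom: '2026-02-15', text: 'I consent to calls and texts from Solar Corp.' },
  { version: 'v3.2', activeFrom: '2026-04-01', text: 'I consent to calls and texts from Solar Corp and its partners.' },
].map((v) => ({ ...v, hash: sha256Hex(v.text) }));

// Latest version whose activation date is on or before the capture date.
function versionActiveOn(versions, isoTimestamp) {
  const day = isoTimestamp.slice(0, 10); // YYYY-MM-DD sorts lexicographically
  const sorted = [...versions].sort((a, b) => a.activeFrom.localeCompare(b.activeFrom));
  let active = null;
  for (const v of sorted) {
    if (v.activeFrom <= day) active = v;
  }
  return active;
}

// Which version did the consumer see, and was it the one that should
// have been live at capture time?
function auditCertificate(cert, versions) {
  const matched = versions.find((v) => v.hash === cert.disclosure_hash) || null;
  const expected = versionActiveOn(versions, cert.created_at);
  let finding = 'ok';
  if (!matched) {
    finding = 'unregistered_disclosure'; // hash matches no known version
  } else if (!expected || matched.version !== expected.version) {
    finding = 'version_not_active_at_capture'; // e.g. a cached old form
  }
  return {
    matched: matched ? matched.version : null,
    expected: expected ? expected.version : null,
    finding,
  };
}

// Constructed certificate: v3.1 text captured after v3.2 went live.
const staleCert = { disclosure_hash: history[1].hash, created_at: '2026-04-05T09:30:00Z' };
console.log(auditCertificate(staleCert, history));
```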

Name versions clearly

Use descriptive template names that include the regulation, product, and version number (e.g., “TCPA Disclosure v3.1 - Solar CA”).

Register before deploying

Register your consent template in eConsent before deploying it to your site. This ensures hash matching works from the first consent event.

Never delete old versions

eConsent archives old versions automatically. Never delete them --- historical certificates reference these hashes and the link must remain intact.

Review on legal changes

When your legal team updates disclosure language, create a new template version and verify the hash changes as expected before going live.