First of all, sorry for the long text. Second, I decided to ask this on Stack Overflow rather than somewhere like Law Stack Exchange because the reason for the question is GDPR but the question itself is about software architecture.
I've been trying to pay attention regarding what one must do concerning GDPR and everything I find always seems to assume that one is working with user accounts, i.e. that users register on your website and that everything or almost everything you need to care about GDPR in terms of safeguarding your users' data starts here. It is also my understanding that one must be able to prove that their users gave their consent to you using their data as per in a privacy policy and even to which version of the privacy policy they consented to (since these sometimes get updated). This necessarily means that the data regarding this proof of consent must be stored server-side. This is easy to do when you have a user account to bind this data to but what about when you work with non-registered or guest users?
Let me give you a little background for my actual question: as a personal project I'm currently building a small website which will allow users to add comments to certain pages and even submit photos. The thing is, this is the only interaction users can do at all, so I don't want nor need them to have an account, making it also one less thing to worry about and allowing for easier engagement with the site. For the comments the only thing that's really needed is the comment text itself and some user name (which can be anything from their real name to some alias, it doesn't really matter). I'll also add an optional field for the user to state where they're from -- say, "Paris, France" -- if they so wish to share that.
Anyway, all of this just begs for spam to come my way, so I was thinking of integrating Akismet and Google's reCAPTCHA, since that has worked very well for me in the past. The problem is that Akismet requires an email address to also be passed on to it in order for it to check if the comment is spam, so I would also need to ask users for their email address on the comments form. Since I literally only need their email while checking for spam and would never make it public anyway, I would save it in the database and get rid of it after a few days or so and communicate this on the site's privacy policy.
So, here comes the question. I think email addresses together with the other info above count as PII and since I'm storing email address and sharing them with a third party, it seems clear to me that I have to ask users for their consent to do so, and not allow for their comment to be submitted if they don't give their consent, of course. But there are no actual user accounts in place here so there's no central location for such consent to be stored as proof. So how does one go about this? The only thing I can think of is having a checkbox on the comment form and storing its value together with the comment. Of course, with proper validation in place the stored value will always be 1, but still, it needs to be explicitly stored for it to be GDPR-compliant. I don't love the idea of a user having to check a checkbox agreeing with the privacy policy everytime they want to comment on something, but I don't think I see another way around this. Do you?
Many thanks in advance and, again, sorry for the long text.