For medical applications, I just don't let users register until they've ticked all the "I've read the Ts & Cs and don't have contra-indications X Y and Z" boxes. If they have, then I store their data, if they haven't, I don't. Nothing more complicated than that. We record their IP address in the web server logs. We *don't* record all the details of their POST request, because - well, we record the results of it (that is, them signing up for a service) so there's no point. It's not like anyone else will have recorded the POST either so we wouldn't be able to compare it to anything anyway, so recording it would be useless.