What are acceptable formats (logs, screenshots, timestamps)?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

If you ever need to prove that someone opted in to your emails, to a regulator, in a dispute, or just for your own records, these are the formats that actually hold up.

Database logs (best option): Structured records stored in your system with these fields: email address, consent timestamp (ISO 8601 format: 2024-03-15T14:32:00Z), the URL of the signup form, IP address, and which version of the consent language was displayed. These are clean, searchable, and easy to export as CSV or JSON. Most ESPs can produce something close to this. Check your platform's audit trail or contact log exports.

Screenshots (supporting evidence): A screenshot of the signup form at the time of opt-in documents what the consent language actually said. This matters because forms change over time. Screenshots alone aren't sufficient, they don't prove who submitted the form, but they're valuable alongside the log record.

Timestamps: ISO 8601 format is the standard because it's unambiguous across time zones. "March 15 2024" is ambiguous. "2024-03-15T14:32:00Z" is not. If your logs don't use this format, it's worth fixing.

Under GDPR, you need to be able to demonstrate consent on request. Under CAN-SPAM, having proof of opt-in for every address on your list protects you in an FTC inquiry. Neither regulation specifies exactly which format to use. But "we have it in a spreadsheet somewhere" is not the same as "we can produce a structured audit log within 72 hours."

If you're not sure whether your current ESP captures all the fields you need, double opt-in adds a verification record that's hard to dispute.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get a personalized explanation for your specific email setup.

I need to audit my consent records to make sure they meet regulatory standards. My setup: [describe your ESP, how you capture opt-ins, what data fields you currently store, and your primary audience locations]. What fields am I likely missing, and what's the fastest way to check if my current setup produces usable consent evidence?

Edit the yellow boxes, then send to the AI of your choice.