What are acceptable formats (logs, screenshots, timestamps)?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
If you ever need to prove that someone opted in to your emails, to a regulator, in a dispute, or just for your own records, these are the formats that actually hold up.
Database logs (best option): Structured records stored in your system with these fields: email address, consent timestamp (ISO 8601 format: 2024-03-15T14:32:00Z), the URL of the signup form, IP address, and which version of the consent language was displayed. These are clean, searchable, and easy to export as CSV or JSON. Most ESPs can produce something close to this. Check your platform's audit trail or contact log exports.
Screenshots (supporting evidence): A screenshot of the signup form at the time of opt-in documents what the consent language actually said. This matters because forms change over time. Screenshots alone aren't sufficient, they don't prove who submitted the form, but they're valuable alongside the log record.
Timestamps: ISO 8601 format is the standard because it's unambiguous across time zones. "March 15 2024" is ambiguous. "2024-03-15T14:32:00Z" is not. If your logs don't use this format, it's worth fixing.
Under GDPR, you need to be able to demonstrate consent on request. Under CAN-SPAM, having proof of opt-in for every address on your list protects you in an FTC inquiry. Neither regulation specifies exactly which format to use. But "we have it in a spreadsheet somewhere" is not the same as "we can produce a structured audit log within 72 hours."
If you're not sure whether your current ESP captures all the fields you need, double opt-in adds a verification record that's hard to dispute.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.