How to keep audit trails for opt-in and opt-out events?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
If a regulator ever asks you to prove that a subscriber opted in three years ago, or that you honored their unsubscribe request within 10 days, your audit trail is the only thing standing between you and a compliance headache. Building one properly takes about an afternoon. Maintaining it takes almost nothing, as long as you set it up right from the start.
Here's what to actually do, step by step.
Step 1: Decide where your audit logs will live
Your audit trail should be separate from your main subscriber database. A dedicated database table works well. So does a logging service like a write-only data store. The key requirement is that records can be added but not edited or deleted. If someone on your team can overwrite a log entry, it's not an audit trail, it's just a spreadsheet.
Step 2: Log every opt-in event
Every time someone subscribes, write a record that includes the email address, a timestamp (use UTC), the source of the opt-in (form URL, API call, manual import), the IP address of the subscriber, and the exact consent language they saw at the time. That last one matters. If you update your sign-up form copy in six months, you need to know which version each subscriber agreed to.
Step 3: Log every opt-out event
And when someone unsubscribes, log the email address, timestamp, the method used (unsubscribe link, preference center, complaint, or reply), and IP address where available. Never delete the original opt-in record. The two events should sit together in the timeline, not replace each other. That sequential history is what proves you behaved correctly.
Step 4: Log preference changes too
If a subscriber updates their frequency, topic preferences, or contact details, log what changed, what the previous value was, what the new value is, and where the change came from. These mid-lifecycle events come up more often than you'd think during audits.
Step 5: Check what your ESP already captures
Still most modern ESPs do some of this for you. Mailchimp stores subscribe and unsubscribe history at the contact level. Klaviyo logs profile events with timestamps. HubSpot keeps a full contact activity timeline. ActiveCampaign and Brevo both log subscription events you can export. The issue is that this data lives inside the ESP, and if you ever migrate platforms or if the ESP purges old records, your history goes with it. Export your consent logs regularly (monthly or quarterly) and store them somewhere you control.
Step 6: Restrict and log access to audit data
Knowing who viewed or exported consent records is itself a compliance requirement under some frameworks. Limit access to the people who actually need it, and keep a log of who accessed what and when. This sounds bureaucratic, but it's a simple permission setting in most database tools.
Step 7: Set a retention period and stick to it
Audit trails typically need to be kept for 5 to 7 years after the subscriber relationship ends, depending on the regulations that apply to you (GDPR, CASL, CCPA, and others each have their own requirements). Whatever period you choose, document it in your data retention policy and set automated deletion or archiving when the window closes.
Step 8: Test your retrieval process before you need it
Pull a sample record for a specific email address. Can you produce a clear timeline of their consent history in under five minutes? If not, your logging structure needs work. You don't want to discover that problem during a real audit or a subject access request.
One thing regulators notice quickly is whether your records look assembled after the fact or genuinely written at the time of the event. Timestamps, IP addresses, and consent language versions are the details that make logs look real, because they are real, as long as you capture them at the moment they happen.
If you're not sure your current setup covers what's required, or you want to talk through how to structure this for your specific stack, drop us a message on the SOS line. No pitch, just honest help.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.