How long should consent evidence be kept?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Consent evidence should outlive the subscription itself. The general principle: keep it for the duration of the relationship plus enough time to defend any complaint or enforcement action that might come afterward.

What that means in practice by jurisdiction:

  • GDPR (EU/UK): No specific retention period stated, but regulators expect you to be able to demonstrate consent for any active marketing relationship, and to respond to challenges. In practice, most compliance teams keep consent records for the life of the subscription plus three to five years after the last communication.
  • CASL (Canada): The statute of limitations for certain enforcement actions is three years. That's a practical minimum for how long to keep consent evidence for Canadian subscribers.
  • CAN-SPAM (US): Doesn't mandate consent records at all, but if you're using consent as a basis for sends (and you should for good deliverability), keeping records for at least two to three years is defensible practice.

What consent evidence should include:

  • When the opt-in happened (timestamp)
  • Where it happened (form URL, API, import source)
  • What consent language was shown (version or screenshot of the form)
  • The IP address at signup
  • For double opt-in: the confirmation click timestamp and IP

After a subscriber unsubscribes or is deleted, keep a minimal suppression record but also retain the consent history for the period above. you might need to show that you had valid consent during the time you were sending.

For how to actually store and retrieve this in your system, see proving consent during an audit. See also what consent records should contain.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Help me set my consent evidence retention period

I want to set a retention period for consent evidence in my email program. I send to audiences in regions. My consent records currently include describe what you capture. Help me figure out the right retention period and whether my records are comprehensive enough to be defensible.

Edit the yellow boxes, then send to the AI of your choice.