How long should consent evidence be kept?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Consent evidence should outlive the subscription itself. The general principle: keep it for the duration of the relationship plus enough time to defend any complaint or enforcement action that might come afterward.
What that means in practice by jurisdiction:
- GDPR (EU/UK): No specific retention period stated, but regulators expect you to be able to demonstrate consent for any active marketing relationship, and to respond to challenges. In practice, most compliance teams keep consent records for the life of the subscription plus three to five years after the last communication.
- CASL (Canada): The statute of limitations for certain enforcement actions is three years. That's a practical minimum for how long to keep consent evidence for Canadian subscribers.
- CAN-SPAM (US): Doesn't mandate consent records at all, but if you're using consent as a basis for sends (and you should for good deliverability), keeping records for at least two to three years is defensible practice.
What consent evidence should include:
- When the opt-in happened (timestamp)
- Where it happened (form URL, API, import source)
- What consent language was shown (version or screenshot of the form)
- The IP address at signup
- For double opt-in: the confirmation click timestamp and IP
After a subscriber unsubscribes or is deleted, keep a minimal suppression record but also retain the consent history for the period above. you might need to show that you had valid consent during the time you were sending.
For how to actually store and retrieve this in your system, see proving consent during an audit. See also what consent records should contain.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.