How do you prove consent in case of an audit?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
An audit requires you to show the full chain: not just that someone is on your list, but how they got there, when they agreed, and what they agreed to. If your records can't tell that story, you have a gap.
What a defensible consent record looks like:
- Opt-in timestamp: When did the signup happen? To the second is better than to the day.
- Source: Which form, landing page, or API call collected this address? Keep the URL or endpoint identifier.
- Consent language: What exactly did the subscriber agree to? Keep a versioned archive of your signup form copy, not just a current screenshot. If you changed your consent language six months after this person signed up, you need to show what it said at the time they signed up.
- IP address: At signup and, for double opt-in, at confirmation click.
- Confirmation click (for DOI): Timestamp and IP of the click that completed the opt-in. This is the strongest piece of consent evidence you have.
If you can pull all five data points for a given subscriber, you're in a strong position. If you can only show "they're subscribed," you're not.
The practical challenge: most ESPs store subscriber records, but not always the consent language that was displayed at signup. You may need to maintain a separate archive of your form versions with effective dates. This is worth doing deliberately. retroactively reconstructing what your form said in 2021 is much harder than keeping a record of it as you make changes.
For how long to keep these records, see consent evidence retention periods. For the full picture of what records to maintain, see what records to keep.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.