What consent records should be stored?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Imagine a regulator or an angry subscriber asks you to prove you had permission to email them three years ago. What can you actually show them? That question is the entire reason consent records exist, and the answer shapes exactly what you need to capture at the moment someone subscribes.
At minimum, you'll want to record: the email address, the date and time of signup, the IP address the signup came from, the URL or form where they signed up, and the exact copy of the consent disclosure that was shown to them. That last one trips people up. Your signup form copy changes over time, and regulators care about what you actually promised when that specific subscriber signed up, not what your current form says. Screenshot or store the form text as a version alongside each batch of signups.
If you use double opt-in, store the confirmation timestamp separately from the initial signup timestamp. The confirmation is your cleaner legal record under GDPR because it proves the subscriber actively verified their address and confirmed their intent. Under CAN-SPAM, the standard is lower, but having the confirmation record doesn't hurt and it's useful for deliverability disputes too.
Preference changes need to be tracked as well. If someone visits your preference center and opts out of promotional emails while staying subscribed to transactional messages, that change should be timestamped and stored alongside their original consent record. A complete history means that if someone disputes a message they received, you can show exactly what permissions were active at the time it was sent.
How long do you keep these records? GDPR says you should keep consent records for as long as you're relying on that consent, plus enough time to defend a complaint. In practice, most senders retain records for three years after a subscriber goes inactive. Your legal counsel can give you jurisdiction-specific guidance, but erring longer rather than shorter is the safer move. The next article on proving consent in an audit walks through exactly how to present these records if you're ever asked.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.