What consent records should be stored?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Imagine a regulator or an angry subscriber asks you to prove you had permission to email them three years ago. What can you actually show them? That question is the entire reason consent records exist, and the answer shapes exactly what you need to capture at the moment someone subscribes.

At minimum, you'll want to record: the email address, the date and time of signup, the IP address the signup came from, the URL or form where they signed up, and the exact copy of the consent disclosure that was shown to them. That last one trips people up. Your signup form copy changes over time, and regulators care about what you actually promised when that specific subscriber signed up, not what your current form says. Screenshot or store the form text as a version alongside each batch of signups.

If you use double opt-in, store the confirmation timestamp separately from the initial signup timestamp. The confirmation is your cleaner legal record under GDPR because it proves the subscriber actively verified their address and confirmed their intent. Under CAN-SPAM, the standard is lower, but having the confirmation record doesn't hurt and it's useful for deliverability disputes too.

Preference changes need to be tracked as well. If someone visits your preference center and opts out of promotional emails while staying subscribed to transactional messages, that change should be timestamped and stored alongside their original consent record. A complete history means that if someone disputes a message they received, you can show exactly what permissions were active at the time it was sent.

How long do you keep these records? GDPR says you should keep consent records for as long as you're relying on that consent, plus enough time to defend a complaint. In practice, most senders retain records for three years after a subscriber goes inactive. Your legal counsel can give you jurisdiction-specific guidance, but erring longer rather than shorter is the safer move. The next article on proving consent in an audit walks through exactly how to present these records if you're ever asked.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Help me audit my consent record setup

I just read about consent record storage on the Email Almanac. Help me apply this to my situation. I need to: 1. Audit what consent data I'm currently capturing at signup 2. Identify any gaps (IP address, form version, confirmation timestamp) 3. Set up or improve my consent record storage process 4. Define a retention schedule for how long to keep these records My details (fill in what applies): - Email platform: Klaviyo / Mailchimp / HubSpot / other - Do I use double opt-in: yes / no / not sure - Subscriber locations: US / EU / Canada / global - Where I currently store consent records: ESP only / CRM / spreadsheet / not sure

Edit the yellow boxes, then send to the AI of your choice.