What records must you keep to prove consent?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

If a regulator ever asks you to prove a subscriber consented, you need a paper trail that shows who opted in, when, from where, and what they agreed to. Without it, you can't prove you had permission to email them at all (and "they're on my list" won't cut it).

At minimum, capture these for every subscriber:

  • Email address
  • Timestamp of signup, including timezone
  • IP address at signup
  • Source URL or form identifier showing which page or widget they used
  • The exact consent language they saw at the time, including the privacy policy version
  • Evidence of affirmative action: the unchecked box they checked, the button click logged

If you're using double opt-in, also record the confirmation email timestamp, the click timestamp, the IP address of that click, and the specific token used. That creates an audit trail proving they confirmed from an address they actually control.

Keep these records for as long as the subscriber relationship is active, plus any legally required retention period after. Under GDPR, you hold personal data only as long as you have a legitimate reason. For consent records, that means keeping them until the subscriber is fully off your list and any limitations period has passed.

Most major ESPs capture some of this automatically. But not all of it. Check what your platform actually stores and whether you can export it. If you've never looked, now is a good time. Not sure what you're capturing? Our SOS line can help you map it out.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Audit your consent records for completeness.

I want to understand whether my consent documentation is adequate and what I might need to add. My situation: - ESP: name - What my ESP stores at signup: [timestamp only / full IP + timestamp / don't know / nothing I can access] - Signup method: SOI / DOI / both / different methods for different lists - Geographic audience: US only / EU / Canada / global - Privacy policy: yes, URL / no / working on it - Whether I've ever been challenged on consent: yes / no / worried about it happening - Laws I believe apply: GDPR / CAN-SPAM / CASL / unsure - How long I've been sending: under 1 year / 1-3 years / over 3 years

Edit the yellow boxes, then send to the AI of your choice.