What is evidence of “reasonable compliance efforts”?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
If you ever face a compliance investigation, whether from a regulator or as part of a GDPR audit, what you've done to try to comply matters enormously. Here's what counts as demonstrable good-faith effort.
Documented consent records. Timestamps, sources, and the exact wording each subscriber agreed to. If you can show a regulator that every address on your list came through a clear opt-in process, that's the strongest possible evidence.
A working unsubscribe mechanism. Not just present but functional and honored within the required timeframe. CAN-SPAM requires processing within 10 business days. GDPR effectively requires it immediately. Keep records of unsubscribe requests and when they were processed.
Bounce and complaint handling. Remove hard bounces promptly, keep complaint rates low, and have records showing you do this. ESPs typically store this data, but export and archive it regularly.
A privacy notice that's accurate and accessible. It should describe your actual practices, be easy to find, and be updated when your practices change.
Staff training records. If people on your team handle subscriber data, documentation that they've been trained on relevant requirements is evidence of systemic compliance, not just individual practice.
The common thread: good compliance efforts are documented compliance efforts. Verbal explanations of what you meant to do aren't evidence. Written records, exported logs, and dated policy documents are. If you're not sure what documentation you currently have, now is a good time to take stock. Check our guide on lawful basis documentation and enforcement escalation stages.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.