Can you rely on third-party data providers for consent proof?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

A vendor tells you the list is "fully consented" and hands over a spreadsheet. You take their word for it, hit send, and a month later a regulator comes knocking. Whose problem is it? Yours. Not the vendor's.

Under GDPR, CAN-SPAM, and CASL, responsibility for proving consent sits with whoever is sending the email. A vendor claiming consent did everything right is not documentation. It's a sales pitch.

What "valid consent" actually means

Under GDPR, consent has to be freely given, specific, informed, and unambiguous. That means the person ticked a box (or took an equivalent positive action) that clearly named your organisation as a future sender. Under CAN-SPAM the bar is lower, but consent still has to be real. Under CASL (Canada), express consent is required for commercial messages, and the burden of proof is firmly on the sender.

Red flags to watch for with data vendors

  • They can't tell you exactly where, when, or how consent was collected. Vague answers like "from partner networks" are a warning sign.
  • They can't produce a copy of the opt-in form or consent language the subscriber actually saw at the time of sign-up.
  • The consent language mentioned a broad category like "trusted partners" but didn't name you specifically. Under GDPR that often won't hold up.
  • They have no timestamps or records linking each email address to a specific consent event.
  • They push back on due diligence requests or say their contract covers your liability. It doesn't.

What to actually ask for before using third-party data

Request a sample of the consent records. Each record should show the subscriber's email, the date and time of the consent event, the exact opt-in language shown to the subscriber, the URL or source where consent was captured, and the IP address where possible. If the vendor can't produce this per-record, the data isn't compliant for GDPR purposes, full stop.

Also ask whether you are named as a data controller in their privacy notice, or just covered under a vague "partners" clause. GDPR's rules on consent require that the specific controller be identifiable at the point of collection. If your name wasn't there when the subscriber signed up, that consent doesn't extend to you.

What happens if their claims fall apart

Under GDPR you can face fines up to €20 million or 4% of global annual turnover, whichever is higher. The fact that a vendor misled you is a mitigating factor, not a full defence. Regulators have fined companies for using third-party lists even when the company genuinely believed consent existed. The ICO (UK), the CNIL (France), and the DPC (Ireland) have all published enforcement decisions on exactly this scenario.

Beyond fines, spam complaints from cold contacts damage your sender reputation fast. People who didn't genuinely sign up for your emails will mark them as spam, and mailbox providers notice.

The honest answer on whether third-party data is worth it

Rarely, for GDPR-covered audiences. For B2B cold outreach in some jurisdictions there's more flexibility, but even then the quality of third-party lists tends to be poor, engagement is low, and complaint rates are high. If you're seriously considering it, run any list through validation first to remove dead addresses and spam traps before anything else touches your sender reputation. You can do that with RME Clean, or if you're unsure where to start, just reach out via the SOS hotline and we'll tell you honestly whether the list is worth using at all.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get a vendor due diligence checklist

A data vendor is offering me a list of list size contacts in industry/region and says consent is fully documented. Based on the question about third-party consent proof, give me: 1) A ranked list of the 5 most important documents to request from this vendor before I use the list, 2) The top 4 red flags that would tell me this data isn't actually compliant, 3) A plain-English summary of my legal exposure under GDPR if the vendor's consent claims turn out to be false.

Edit the yellow boxes, then send to the AI of your choice.