What are best practices for proof of consent storage?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Imagine a subscriber emails you saying they never signed up for your list. What do you show them? If your answer is "I don't know" or "we just imported them from our old system," that's a problem. Consent proof isn't just a legal formality. It's the paper trail that protects you in a dispute.
Here's what a solid consent record looks like for a single subscriber:
- Timestamp (date and time, including timezone)
- Source (which form, landing page, or integration captured the signup)
- Method (single opt-in, double opt-in, or checkbox at checkout)
- IP address (when available and legally permissible in your region)
- Exact consent language shown at the time (the actual text of the checkbox or form copy, not a summary)
- Confirmation action (did they click a confirmation email? Log that click with its own timestamp)
That last point trips people up. "We used the language: 'I agree to receive marketing emails from Anchor & Bloom.'" is very different from "I think it said something about emails." Screenshot or store the exact form copy as it appeared on the signup date. If you update that copy later, version it. Don't overwrite the original.
Records need to be retrievable per subscriber, not just in aggregate. If someone asks "how did I end up on your list?", your team should be able to pull that individual's consent record in under two minutes. (If you can't, you probably can't prove consent at all.)
How long to keep it? A safe rule of thumb is the full duration of the subscriber relationship, plus a buffer after they unsubscribe. Regulations like GDPR have specific requirements and vary by jurisdiction, so check with a local legal advisor for your exact obligations. The main thing is not to delete consent records the moment someone opts out.
On the technical side, most senders store consent data in one of three places: directly in their ESP's custom fields, in their CRM, or in a separate database table linked to the subscriber record. Tools like HubSpot, Klaviyo, and ActiveCampaign have built-in consent logging fields. If yours doesn't, a custom field with a structured format (source | method | timestamp | form version) works fine.
One last thing: access control matters. Consent records contain personal data. Not everyone on your team needs write access to that data, and audit logs (who viewed or edited a record) are worth enabling if your platform supports them.
Now if you're building this system from scratch or trying to backfill consent records for an old list, that's a different challenge. Check out how to verify consent when importing old lists for that scenario.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.