How to maintain evidence logs for compliance investigations?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

If someone ever files a complaint under CAN-SPAM, GDPR, or CASL, the question you'll face is simple: can you prove you did the right thing? That proof lives in your evidence logs. Without them, you're arguing from memory, and memory doesn't hold up well in a regulatory review.

Here's what you actually need to be logging and how specific to get.

Consent records are your most important asset. Log the exact timestamp, the source (which form, landing page, or sign-up flow), and the precise consent language the subscriber saw at the time. A screenshot or archived version of the form is genuinely useful here. If your consent language has changed over time, keep a dated history of every version. "We had a checkbox" isn't good enough. You need to show exactly what that checkbox said.

Sending logs should capture what you sent, to whom, and when. Include the campaign or message ID, the sending domain, and the sending IP. Your ESP will usually store most of this for a window of time, but don't assume they'll keep it as long as you need. Export and store your own copies. Retention requirements vary by regulation and jurisdiction, but three years is a common working floor for most frameworks (check with your legal team for your specific situation).

Complaint and unsubscribe logs need to record when a complaint or opt-out arrived, which address triggered it, and what action you took in response. Regulators want to see that you acted promptly. Under CAN-SPAM, opt-outs must be honored within ten business days. Under GDPR, the standard is much tighter. Logging the date you received the request and the date you suppressed the address gives you a clear audit trail.

Suppression history deserves its own record. Keep a log of every address on your suppression list along with why it was added (hard bounce, complaint, manual unsubscribe) and when. This matters because regulators sometimes ask you to demonstrate that you didn't re-add suppressed addresses by accident.

On format: indexed and searchable beats everything else. A spreadsheet might work for small senders, but if you're running serious volume, you want database-backed logs where you can pull every record tied to a specific email address in under a minute. Investigations move fast. You don't want to be doing manual searches under pressure.

One thing to note: this answer covers general best practices. The specific retention periods and log formats required of you depend on your jurisdiction, your industry, and which regulations apply to your list. If you're not sure what applies, that's worth a real conversation with a privacy lawyer, not a guess.

Want help figuring out how your current setup holds up? The SOS hotline is free and we're happy to think through it with you.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Build my compliance log checklist

I'm building a compliance documentation system for our email program. Based on the regulations most likely to apply to our sending (CAN-SPAM, GDPR, CASL), what specific evidence logs should we maintain? Please give me: (1) the top 3-4 log categories ranked by regulatory importance, (2) the minimum data fields each log should capture, (3) the recommended retention period for each, and (4) any format or storage recommendations that help during an actual investigation.

Edit the yellow boxes, then send to the AI of your choice.