What data should be logged at opt-in for future verification?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
If somebody complains to a mailbox provider, a spam trap operator, or a data protection authority that they never signed up, you need a record that proves they did. That record has to be specific enough that a stranger reading it months later can reconstruct the moment of consent. A vague "yes they opted in" note will not hold up.
Here is the minimum set of fields to log at the moment somebody hits submit on your form.
Identity and timing
- Email address, exactly as submitted (do not lowercase or normalise before logging - log the raw input and the normalised version separately if you need both).
- Timestamp in UTC, ISO 8601 format, with seconds. "2026-06-05T14:23:11Z" is fine. "June 5, 2026" is not.
- IP address of the device that submitted the form.
- User agent string from the browser.
Where the signup happened
- Form ID or form name (you may have ten different forms - log which one).
- Page URL the form was on, including query string.
- Referrer URL if the visitor arrived from somewhere else.
- UTM parameters (utm_source, utm_medium, utm_campaign, utm_content, utm_term) if present.
- Signup source bucket (organic search, paid social, partner co-reg, in-person event, etc.). This is the human-readable label you will sort by later when you check which acquisition sources produce clean subscribers.
What the person actually agreed to
- The exact consent checkbox text shown at the time (store the string, not a reference to it - your copy will change).
- Whether the checkbox was pre-ticked or required an explicit tick (under GDPR it must be unticked by default, per Article 7 and the EDPB consent guidelines).
- The privacy policy version or URL that was linked on the form.
- Which lists or purposes they consented to (newsletter, product updates, partner offers - each one separately).
- Double opt-in confirmation timestamp and IP, if you use double opt-in.
Provenance for the audit trail
- A unique signup event ID.
- The hash of the form HTML or a snapshot of the form copy at the time of submission. This is the part most people skip and regret. If you redesign your signup form in 2027 and a complaint surfaces from 2026, you need to be able to show what the form actually looked like on the day. A screenshot in a Drive folder works. A versioned snapshot in your database works better.
Why each field earns its place
IP + timestamp + form snapshot is the trio that demonstrates non-repudiation - the legal term for "this person cannot credibly deny doing this." Without all three, you have a database row that says "trust us." With them, you have a reconstructible event.
UTM and source data is not about lawyers, it is about list quality. When complaint rates spike, you want to be able to query by acquisition source and find that 90% of the complaints came from one paid placement. That is impossible if you logged "web signup" and nothing else. The same data feeds how you measure list quality over time.
Double opt-in confirmation is the strongest single piece of evidence you can have. Both the M3AAWG sender best practices and Google's bulk sender guidelines treat confirmed opt-in as the gold standard. If you can log it, log it.
Retention
Keep these records for as long as the subscriber is on your list, plus a buffer after they unsubscribe (we keep three years post-unsubscribe). GDPR complaints and CAN-SPAM disputes do not always surface immediately. If you delete the consent record the day someone unsubscribes, you have no defence if a complaint shows up six months later.
What this is not
This is not a substitute for understanding where your subscribers come from in the first place. Perfect logging on a purchased or scraped list does not make that list legal or deliverable. Log discipline protects good acquisition. It does not rescue bad acquisition.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.