Quick Answer

Document every email consent with: the subscriber's email address, timestamp of consent, the specific consent language they agreed to, how consent was collected (web form, in-person, etc.), the IP address or device identifier, and what they consented to receive. GDPR requires you to prove consent was freely given, specific, informed, and unambiguous. Without documentation, your consent is unverifiable and legally worthless.

Email Consent Documentation: What to Record and How

By Braedon · Mailflow Authority · Email Deliverability

Why Consent Documentation Matters

When a regulator or ISP asks "did this person consent to receive your emails?", you need to produce evidence. "They signed up on our website" without supporting data is not evidence.

Consent documentation is your legal defense. Without it, every subscriber dispute, regulatory inquiry, or spam complaint becomes your word against theirs.

What to Record for Every Subscriber

The Minimum Dataset

Field          | Example                                                     | Why
---------------|-------------------------------------------------------------|----------------------------------
Email address  | [email protected]                                           | Who consented
Timestamp      | 2026-04-01T14:30:00Z                                        | When they consented
Source         | Website signup form                                         | How they consented
IP address     | 203.0.113.42                                                | Verification of identity/location
Consent text   | "I agree to receive weekly marketing emails from [Company]" | What they agreed to
Form URL       | https://yourdomain.com/newsletter                           | Where the form was displayed
Opt-in method  | Single opt-in / Double opt-in                               | Strength of consent

Enhanced Documentation

For stronger compliance, also record:

  • User agent (browser/device used to submit the form)
  • Page context (what page the form appeared on)
  • Form version (if you change consent language, track which version they agreed to)
  • Double opt-in confirmation (timestamp of confirmation click)
  • Related marketing permissions (what categories they opted into)

Practitioner note: The most common gap I find in email audits is missing consent text. Companies know when someone subscribed but can't reproduce what the form said at the time. Screenshot your signup forms, version your consent language, and log which version each subscriber agreed to.

Single vs Double Opt-In Documentation

Single opt-in records the form submission only. It proves someone submitted the form but doesn't prove the email address owner did it (someone else could have entered their address).

Double opt-in adds a confirmation email step. The subscriber must click a link in a confirmation email, proving they control the email address. This provides:

  • Proof the email address owner consented (not a third party)
  • A second timestamp confirming active engagement
  • Reduced risk of spam complaints and compliance challenges

Under GDPR, double opt-in is the gold standard. Under CAN-SPAM (opt-out law), it's best practice but not required.

Consent for Different Regulations

GDPR Consent Requirements

Consent must be:

  • Freely given: No pre-checked boxes, no consent bundled with terms of service
  • Specific: "Marketing emails about our products" not "we may contact you"
  • Informed: State who will email them and for what purpose
  • Unambiguous: Active affirmative action (checking a box, clicking a button)

Your records must demonstrate all four qualities.

CASL Consent Requirements

Express consent requires:

  • Clear identification of who is seeking consent
  • Purpose for which consent is sought
  • Contact information of the person seeking consent
  • Statement that consent can be withdrawn

Implied consent from business relationships must be documented with the transaction or relationship that creates the implication.

CAN-SPAM

CAN-SPAM is opt-out — consent documentation isn't technically required. But maintaining records protects you from false spam complaints and demonstrates good faith.

Practitioner note: Even US-only senders should document consent like they're under GDPR. It protects you from spam complaints, list bombing attacks, and ISP inquiries. The data costs nothing to collect and could save your sending reputation.

Building Your Consent System

At Form Submission

// Example consent data capture (JavaScript object literal; values are placeholders)
const consentRecord = {
  email: "[email protected]",                      // who consented
  timestamp: "2026-04-01T14:30:00Z",               // when they consented (UTC, ISO 8601)
  ip_address: "203.0.113.42",                      // verification of identity/location
  user_agent: "Mozilla/5.0...",                    // browser/device that submitted the form
  form_url: "https://yourdomain.com/newsletter",   // where the form was displayed
  consent_version: "v2.3",                         // which version of the consent language was shown
  consent_text: "I want to receive weekly marketing emails...", // what they agreed to
  method: "single_opt_in"                          // "single_opt_in" or "double_opt_in"
};

Storage Requirements

  • Store consent records separately from your email list (in case of data migration)
  • Make records immutable (append-only, no editing)
  • Include in your data backup and retention policy
  • Ensure records survive ESP migrations

Handling Legacy Lists

If you have subscribers without proper consent documentation:

  1. Assess risk: How many subscribers lack documentation?
  2. Segment: Separate documented from undocumented subscribers
  3. Re-permission: Send a re-consent campaign to undocumented subscribers
  4. Remove non-responders: Anyone who doesn't re-consent gets removed
  5. Document going forward: Fix the collection process for new subscribers

This hurts short-term list size but protects long-term deliverability and compliance.
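The five steps above are a triage procedure, and it helps to see them run against data. The following is an added example, not code from the original article: it segments a subscriber list by whether a complete consent record exists (steps 1 and 2), then reconciles the responses to a re-permission campaign against a deadline, keeping only subscribers who actively re-consented and producing a fresh, fully documented record for each of them (steps 3 to 5). It assumes subscribers and consent records are plain arrays of objects, that "documented" means every field of the minimum dataset is present, and that timestamps are ISO 8601 UTC strings so they compare as strings; all sample data is constructed.

```javascript
// Added example (not from the original article): triaging a legacy list against consent records.
// A record counts as documented only when every minimum-dataset field is present and non-empty:
// "they signed up on our website" without the supporting data does not count.
const REQUIRED_FIELDS = [
  "email", "timestamp", "source", "ip_address", "consent_text", "form_url", "opt_in_method",
];

const normalizeEmail = (e) => e.trim().toLowerCase();

function isDocumented(record) {
  return (
    record != null &&
    REQUIRED_FIELDS.every((f) => typeof record[f] === "string" && record[f].length > 0)
  );
}

// Steps 1 and 2: assess how much of the list lacks documentation and split it.
function segmentList(subscribers, consentRecords) {
  const byEmail = new Map(consentRecords.map((r) => [normalizeEmail(r.email), r]));
  const documented = [];
  const undocumented = [];
  for (const s of subscribers) {
    const key = normalizeEmail(s.email);
    (isDocumented(byEmail.get(key)) ? documented : undocumented).push(key);
  }
  const undocumentedShare = subscribers.length ? undocumented.length / subscribers.length : 0;
  return { documented, undocumented, undocumentedShare };
}

// Steps 3 and 4: once the re-permission campaign closes, keep only undocumented subscribers
// who re-consented before the deadline with a complete record; everyone else is removed.
// Step 5: each kept response is itself the new consent record going forward.
function reconcileRepermission(undocumented, responses, deadline) {
  const fresh = new Map();
  for (const r of responses) {
    if (r.timestamp <= deadline && isDocumented(r)) fresh.set(normalizeEmail(r.email), r);
  }
  const keep = undocumented.filter((e) => fresh.has(e));
  const remove = undocumented.filter((e) => !fresh.has(e));
  return { keep, remove, newRecords: keep.map((e) => fresh.get(e)) };
}

// Constructed sample data: one documented subscriber, one imported without consent text or
// form URL, one with no record at all.
const SAMPLE_SUBSCRIBERS = [
  { email: "alice@example.com" }, { email: "Bob@example.com" }, { email: "carol@example.com" },
];
const SAMPLE_RECORDS = [
  {
    email: "alice@example.com", timestamp: "2025-11-03T09:12:00Z", source: "Website signup form",
    ip_address: "203.0.113.42", consent_text: "I agree to receive weekly marketing emails from Example Co.",
    form_url: "https://example.com/newsletter", opt_in_method: "double_opt_in",
  },
  { email: "bob@example.com", timestamp: "2024-02-10T16:00:00Z", source: "Imported list" },
];
// Constructed campaign responses: Bob re-consents in time, Carol only after the deadline.
const SAMPLE_RESPONSES = [
  {
    email: "bob@example.com", timestamp: "2026-04-10T08:00:00Z", source: "Re-permission campaign",
    ip_address: "198.51.100.7", consent_text: "Yes, keep sending me weekly marketing emails from Example Co.",
    form_url: "https://example.com/reconfirm", opt_in_method: "double_opt_in",
  },
  {
    email: "carol@example.com", timestamp: "2026-05-02T12:00:00Z", source: "Re-permission campaign",
    ip_address: "198.51.100.9", consent_text: "Yes, keep sending me weekly marketing emails from Example Co.",
    form_url: "https://example.com/reconfirm", opt_in_method: "double_opt_in",
  },
];
```

Running `segmentList(SAMPLE_SUBSCRIBERS, SAMPLE_RECORDS)` puts only Alice in the documented segment; Bob's imported record fails the completeness check and Carol has none. `reconcileRepermission` with a deadline of 2026-04-30 then keeps Bob and removes Carol, which is the short-term list loss the text describes in exchange for a list you can defend.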

If you need help auditing your consent documentation or building a compliant collection system, schedule a consultation.

v1.0 · April 2026

Frequently Asked Questions

What consent records does GDPR require?

GDPR requires you to demonstrate that consent was freely given, specific, informed, and unambiguous. You need records showing: who consented, when, what they were told, what they consented to, and how they consented. If you can't produce these records, you can't prove consent.

How long should I keep email consent records?

Keep consent records for as long as you're emailing the subscriber, plus your legal retention period after they unsubscribe. GDPR doesn't specify a duration, but most compliance frameworks recommend keeping records for 3-7 years. CASL recommends keeping them as long as the consent is being relied upon.

What if I can't prove consent for existing subscribers?

If you can't document consent for existing subscribers, run a re-permission campaign asking them to explicitly opt in. Under GDPR, undocumented consent is invalid consent. Under CAN-SPAM (opt-out law), prior consent documentation isn't required but is strongly recommended.
