What are acceptable formats (logs, screenshots, timestamps)?

Acceptable consent evidence formats should be tamper-evident, timestamped, and auditable. Database logs are the most common format, storing structured records with fields for email address, consent timestamp, source URL, IP address, and consent version. These logs should be protected against modification and backed up regularly. Screenshots of signup forms provide visual evidence of what users saw when consenting, documenting the specific language, checkbox positioning, and consent notice that was displayed at the time of opt-in.

Timestamps are essential across all formats and should be stored in a standardized format (ISO 8601 or Unix timestamps) with timezone information. Record both the server timestamp and, where possible, the client-side timestamp to establish a complete picture. For web-based consent, capture additional contextual data: the form URL, referrer, user agent, and any campaign parameters that identify how the subscriber arrived at the signup. This metadata helps reconstruct the consent context if questions arise later.

Consider implementing cryptographic verification for high-stakes consent records. Hash-based signatures or blockchain-anchored timestamps can prove that a consent record existed at a specific time and hasn't been altered since. While not required by most regulations, such techniques provide stronger evidence in disputed cases. Whatever format you use, ensure records are exportable in standard formats (CSV, JSON) for regulatory requests and portable if you change systems. The best consent evidence format is one that can survive scrutiny years later-readable, verifiable, and detailed enough to reconstruct exactly what the subscriber agreed to.