How do you prove consent in case of an audit?
Proving consent during an audit requires presenting comprehensive records that demonstrate the full consent chain. Start with the consent record itself: when the subscriber opted in, through what mechanism (form URL, API, import), from what IP address, and what consent language they agreed to. For double opt-in processes, include records of the confirmation email sent and the verification click. This chain of evidence shows that consent was not just collected but confirmed by the actual email address owner.
Supplement consent records with contextual documentation. Maintain version histories of your signup forms, including screenshots or archived HTML showing exactly what was displayed at any given time. If your consent language has changed over time, you should be able to match each subscriber's consent record to the specific form version they used. Document your consent collection processes: how forms are configured, what validation is performed, and how data flows into your ESP or CRM. This procedural documentation demonstrates that your consent practices are systematic, not ad hoc.
Organize your evidence to be readily accessible and exportable. Auditors may request consent evidence for specific subscribers, random samples, or your entire list. Your systems should support queries that retrieve consent records by email address, date range, or source. Export capabilities should produce clear, readable outputs that don't require specialized software to interpret. Consider preparing a consent evidence summary document that explains your overall practices and points to where specific records can be found. The best time to prepare for a consent audit is before you need one: build evidence collection into your processes so you're always ready to demonstrate compliance.
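The record structure and lookups described above, as an added example that is not part of the original page: consent rows are matched to the form version live at opt-in time, filtered by email, date range, or source, and exported as plain CSV. It uses SQLite from Python; the table names, column names, and every sample row are assumptions constructed for illustration.

```python
import csv, io, sqlite3

SCHEMA = """
CREATE TABLE form_versions (form_url TEXT, version INTEGER, live_from TEXT, consent_text TEXT);
CREATE TABLE consent (email TEXT, opted_in_at TEXT, mechanism TEXT, source TEXT, ip TEXT,
                      confirm_sent_at TEXT, confirm_clicked_at TEXT);
"""
# Constructed sample data: hypothetical schema, example.com addresses, documentation IP ranges.
FORMS = [
    ("https://example.com/signup", 1, "2023-01-01T00:00:00Z", "Send me the weekly newsletter."),
    ("https://example.com/signup", 2, "2024-03-01T00:00:00Z", "Send me the newsletter and product offers."),
]
CONSENTS = [
    ("ann@example.com", "2023-06-10T09:15:00Z", "form", "https://example.com/signup", "192.0.2.10", "2023-06-10T09:15:05Z", "2023-06-10T09:20:41Z"),
    ("bob@example.com", "2024-04-02T14:00:00Z", "form", "https://example.com/signup", "198.51.100.7", "2024-04-02T14:00:03Z", None),
    ("cy@example.com", "2024-05-20T08:30:00Z", "import", "crm-import-2024-05", None, None, None),
]

def build_db():
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO form_versions VALUES (?,?,?,?)", FORMS)
    db.executemany("INSERT INTO consent VALUES (?,?,?,?,?,?,?)", CONSENTS)
    return db

# Join each consent row to the newest form version already live when the subscriber opted in.
QUERY = """
SELECT c.*, f.version AS form_version, f.consent_text,
       c.confirm_clicked_at IS NOT NULL AS double_opt_in_confirmed
FROM consent c LEFT JOIN form_versions f ON f.form_url = c.source
 AND f.live_from = (SELECT MAX(live_from) FROM form_versions
                    WHERE form_url = c.source AND live_from <= c.opted_in_at)
WHERE (:email IS NULL OR c.email = :email) AND (:source IS NULL OR c.source = :source)
  AND (:start IS NULL OR c.opted_in_at >= :start) AND (:end IS NULL OR c.opted_in_at < :end)
ORDER BY c.opted_in_at
"""

def evidence(db, email=None, start=None, end=None, source=None):
    params = {"email": email, "start": start, "end": end, "source": source}
    return [dict(row) for row in db.execute(QUERY, params)]

def export_csv(rows):
    out = io.StringIO()
    if rows:
        writer = csv.DictWriter(out, fieldnames=list(rows[0]))
        writer.writeheader()
        writer.writerows(rows)
    return out.getvalue()
```

Rows with an empty `form_version` (the imported subscriber here) or an unconfirmed double opt-in (`double_opt_in_confirmed` of 0) are the gaps in the consent chain that need separate supporting documentation.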