What consent records should be stored?
Consent records should capture everything necessary to prove valid consent was obtained if ever challenged. At minimum, store: the email address that consented, the timestamp of consent, the source or method of consent (which form, which page, which campaign), and the IP address from which consent was submitted. This core data establishes who consented, when, and through what mechanism. For double opt-in, also record when the confirmation email was sent and when the confirmation link was clicked, creating a complete chain of evidence.
Beyond the basics, store contextual information that demonstrates informed consent. Record the specific language or notice the subscriber saw at the time of consent: what they were agreeing to receive. If your signup form explains "We'll send weekly marketing emails about product updates and promotions," capture that text as part of the consent record. This proves the subscriber knew what they were consenting to, not just that they clicked something. Screenshots or version histories of signup forms serve this purpose for web-based consent. For offline or verbal consent, document the script or process used to obtain consent.
Structure your consent records to track changes over time. If a subscriber modifies their preferences, record the new preferences with their own timestamp and source. If they withdraw consent for certain types of email while maintaining others, the record should reflect this evolution. For re-subscriptions after unsubscribe, capture the new consent separately from the historical record. This comprehensive history enables you to answer questions like "What exactly did this subscriber consent to, and when?" at any point in the relationship. Consent records aren't just checkboxes; they're timestamped evidence of an informed agreement that you may need to produce years later.
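One way to structure such a record is an append-only event history that is replayed to answer "what did this subscriber consent to, and when?". This is an added example, not part of the original answer; the class, function, event kinds and category names are assumptions chosen for illustration, and the sample history is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class ConsentEvent:
    email: str
    at: datetime                  # UTC timestamp of the event
    kind: str                     # opt_in | confirm_sent | confirm_clicked | change | withdraw
    source: str                   # which form, page or campaign
    ip: Optional[str] = None      # IP address the event was submitted from
    notice: Optional[str] = None  # exact wording the subscriber saw
    categories: frozenset = frozenset()

def consent_at(events, email, when):
    """Replay the append-only history to answer: what had this
    subscriber consented to at `when`, and under which notice?"""
    state = {"categories": frozenset(), "confirmed": False, "notice": None, "since": None}
    for e in sorted(events, key=lambda e: e.at):
        if e.email != email or e.at > when:
            continue
        if e.kind == "opt_in":        # new consent, including a re-subscription
            state = {"categories": e.categories, "confirmed": False,
                     "notice": e.notice, "since": e.at}
        elif e.kind == "confirm_clicked":
            state["confirmed"] = True
        elif e.kind == "change":      # preferences replaced with a new set
            state["categories"] = e.categories
        elif e.kind == "withdraw":    # partial or full withdrawal
            state["categories"] = state["categories"] - e.categories
    return state

def utc(day, hour=0):
    return datetime(2024, 1, day, hour, tzinfo=timezone.utc)

# Constructed sample history (example.com address, documentation IP range).
NOTICE = "We'll send weekly marketing emails about product updates and promotions."
HISTORY = [
    ConsentEvent("a@example.com", utc(1, 9), "opt_in", "footer-form", "203.0.113.7",
                 NOTICE, frozenset({"product_updates", "promotions"})),
    ConsentEvent("a@example.com", utc(1, 9), "confirm_sent", "double-opt-in"),
    ConsentEvent("a@example.com", utc(1, 10), "confirm_clicked", "double-opt-in", "203.0.113.7"),
    ConsentEvent("a@example.com", utc(5), "withdraw", "preference-center", "203.0.113.7",
                 categories=frozenset({"promotions"})),
]
```

Because events are only ever appended, the earlier rows stay available as evidence after a preference change or unsubscribe, and the stored notice text travels with the opt-in it belongs to.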