What records must you keep to prove consent?

Comprehensive consent records should capture: the email address subscribed, timestamp of subscription (exact date/time, timezone), IP address of the signup, source URL or form identifier showing where they subscribed, the exact consent language they saw at the time (including privacy policy version), and evidence of affirmative action (unchecked box that was checked, button click logged).

For double opt-in, additionally record: confirmation email sent timestamp, confirmation click timestamp, IP address of confirmation click, and link/token used. This creates an audit trail proving the subscriber actively confirmed their subscription from an address they controlled.

Store these records for as long as you maintain the email relationship, plus any legally required retention period afterward. If a regulator asks you to prove consent for a subscriber, you need to produce this documentation. Many ESPs store consent data automatically, but verify what is captured and ensure you can export it. If you can't prove consent was given, you can't prove you had it. Documentation isn't bureaucracy; it's your legal protection.
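The record fields, the double opt-in trail and the retention check described above, as an added Python example that is not part of the original page and is not any ESP's code. All class and function names, and the sample subscriber values in `demo()`, are constructed for illustration. One design choice beyond the text: the confirmation token is stored as a SHA-256 hash so that a leaked export cannot be used to confirm subscriptions, and each token is accepted only once.

```python
"""Consent audit-trail ledger (illustrative example, constructed names and data)."""
import hashlib
import json
import secrets
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    email: str
    subscribed_at: str              # ISO-8601 timestamp with timezone offset
    signup_ip: str
    source: str                     # source URL or form identifier
    consent_text: str               # exact consent language shown at signup
    privacy_policy_version: str
    affirmative_action: str         # e.g. "checkbox_checked", "button_click"
    # double opt-in fields, filled in after signup
    confirmation_sent_at: Optional[str] = None
    confirmation_token_hash: Optional[str] = None
    confirmed_at: Optional[str] = None
    confirmation_ip: Optional[str] = None
    relationship_ended_at: Optional[str] = None


def _iso(now: datetime) -> str:
    """Normalise to UTC so every stored timestamp carries an explicit offset."""
    return now.astimezone(timezone.utc).isoformat()


class ConsentLedger:
    def __init__(self):
        self.records = {}    # email -> ConsentRecord
        self._pending = {}   # sha256(token) -> email awaiting confirmation

    def record_signup(self, email, ip, source, consent_text, policy_version, action, now):
        rec = ConsentRecord(email, _iso(now), ip, source, consent_text, policy_version, action)
        self.records[email] = rec
        return rec

    def issue_confirmation(self, email, now):
        """Create a single-use token for the confirmation link; only its hash is stored."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        rec = self.records[email]
        rec.confirmation_sent_at = _iso(now)
        rec.confirmation_token_hash = digest
        self._pending[digest] = email
        return token

    def confirm(self, token, ip, now):
        """Record the confirmation click; returns None for unknown or reused tokens."""
        email = self._pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if email is None:
            return None
        rec = self.records[email]
        rec.confirmed_at = _iso(now)
        rec.confirmation_ip = ip
        return rec

    def record_end(self, email, now):
        self.records[email].relationship_ended_at = _iso(now)

    def can_purge(self, email, now, retention: timedelta) -> bool:
        """Records are kept while the relationship lasts and for `retention` afterwards."""
        ended = self.records[email].relationship_ended_at
        if ended is None:
            return False
        return now >= datetime.fromisoformat(ended) + retention

    def export(self, email) -> str:
        """JSON export of the full audit trail for a regulator request."""
        return json.dumps(asdict(self.records[email]), indent=2)


def demo():
    """Walk one constructed subscriber through signup, double opt-in and retention."""
    ledger = ConsentLedger()
    t0 = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
    ledger.record_signup("alice@example.com", "203.0.113.7", "https://example.com/newsletter",
                         "Yes, email me the weekly newsletter.", "2024-02", "checkbox_checked", t0)
    token = ledger.issue_confirmation("alice@example.com", t0)
    wrong = ledger.confirm("not-the-token", "203.0.113.9", t0)
    ok = ledger.confirm(token, "203.0.113.9", t0 + timedelta(minutes=5))
    replay = ledger.confirm(token, "203.0.113.9", t0 + timedelta(minutes=6))
    ledger.record_end("alice@example.com", t0 + timedelta(days=100))
    one_year = timedelta(days=365)
    return {
        "wrong_token_rejected": wrong is None,
        "confirmed_at": ok.confirmed_at,
        "replay_rejected": replay is None,
        "purge_too_early": ledger.can_purge("alice@example.com", t0 + timedelta(days=200), one_year),
        "purge_after_retention": ledger.can_purge("alice@example.com", t0 + timedelta(days=470), one_year),
        "export": json.loads(ledger.export("alice@example.com")),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The export contains every field the text lists (address, timestamps with offsets, IPs, source, consent wording and policy version, the affirmative action, and the confirmation trail), which is what you would hand to a regulator; the retention check keeps the record until the relationship has ended and the retention period has elapsed.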