What Consent Records Must Include
Consent documentation is your legal evidence that every email you send was authorized by the recipient. Under GDPR, you must be able to demonstrate consent on request from a data subject or regulatory authority. Under CASL, the burden of proof rests entirely on you — if you cannot prove consent when challenged, you are presumed to be in violation. Under CAN-SPAM, consent documentation is not legally required, but becomes critical evidence if the FTC investigates.
A complete consent record for a single subscriber must include all of the following:
Email Address
The exact email address that was subscribed. This seems obvious, but consent records must be tied to the specific address — not just a subscriber name or customer record. If a subscriber later changes their email address, both the original and current addresses should be linked to the same consent record.
Consent Timestamp
The exact date and time the subscription occurred, in UTC or with timezone specified. "Some time in Q3 2023" is not a consent timestamp. You need a precise datetime that can be matched against server logs if challenged.
IP Address at Time of Consent
The IP address from which the subscription form was submitted. This is one of the primary pieces of evidence that the consent was submitted by a real person at a specific device and location, rather than added programmatically or in bulk. Required for strong GDPR compliance; strongly recommended for CASL.
Consent Source
The URL, form identifier, or source description of where the subscriber opted in. Examples: the full URL of the signup page (https://yoursite.com/newsletter), a form name or ID from your CMS, or a description like "tradeshow signup form — ExpoName 2024" for offline signups. The source record allows you to verify the consent text that was presented to the subscriber.
Consent Text
The exact text of the consent statement that was displayed to the subscriber at time of signup — the wording of the checkbox, the subscription statement, or the terms they agreed to. This is critical: if the consent text was "Sign up for our newsletter" but you're now sending promotional offers, the consent may not cover that content. Store the actual text, not a summary.
Subscription Type
What the subscriber consented to receive: marketing email, newsletter, product updates, promotional offers, SMS marketing (separate consent), third-party sharing, etc. If you later want to add a new type of communication, you need consent for that specific type — or you need to obtain new consent if the original consent didn't cover it.
Double Opt-In Confirmation (Where Applicable)
If you use double opt-in, record a second consent event: the timestamp and IP address of the confirmation click. This second record is your strongest evidence of active, unambiguous consent. Store the confirmation token used and the confirmation timestamp separately from the initial subscription event.
Where and How to Store Consent Records
Consent records are legally significant documents. They should be stored with the same care as financial records — securely, with backups, in a format that can be retrieved and exported for regulatory requests.
What Your ESP Stores Automatically
Most major ESPs automatically capture and store some consent data:
- Klaviyo — stores subscribe date, source (Klaviyo form name or API), and opt-in type. Does not capture IP address by default; requires custom implementation via form metadata.
- Mailchimp — stores signup timestamp, signup IP, and signup source URL. Double opt-in confirmation timestamp also stored.
- ActiveCampaign — stores contact creation date, source, and form name. IP address requires custom field or form configuration.
- HubSpot — comprehensive consent data with GDPR legal basis tracking, consent reason, and timestamp stored natively when GDPR features are enabled.
What You Likely Need to Add
For full GDPR and CASL compliance, most senders need to augment what their ESP stores automatically. The gaps are typically:
- IP address at time of consent — requires logging this at the web form layer and storing it as a contact property in your ESP or CRM
- Exact consent text shown — requires versioning your consent language and recording which version each subscriber saw
- CASL implied consent type and acquisition date — requires custom fields and a system to track consent window expiry
Supplementary Storage Options
For organizations that need more complete consent documentation than their ESP provides natively:
- Consent management platforms — tools like OneTrust, Cookiebot, or Osano specialize in consent documentation and can integrate with most ESPs via API
- CRM-level tracking — store consent records in Salesforce, HubSpot CRM, or a similar system alongside customer data, with custom fields for each consent data point
- Custom logging — log form submissions server-side with all consent fields to your own database or a log management system
Backup and Retention
Export your consent records monthly. Store backups in a location separate from your ESP — if you migrate ESPs, you need your consent records to survive the migration. Consent records are legally significant documents; retain them for at least as long as you retain customer data, and ideally for the full period during which you may be subject to regulatory inquiry (typically 3–7 years depending on jurisdiction).
Consent records must survive ESP migrations
When switching ESPs, your suppression list and consent records must transfer. Export both before your final send from your old ESP. Import your suppression list into your new ESP before your first send — failing to transfer suppressions will result in mailing people who have previously unsubscribed, violating CAN-SPAM, GDPR, and CASL simultaneously.
Suppression List Management as a Compliance Requirement
Your suppression list — the list of email addresses that should never receive commercial email from you — is not just a deliverability tool. It is a compliance requirement under every major email marketing law.
CAN-SPAM and CASL both require you to honor unsubscribes within 10 business days. GDPR requires immediate processing of consent withdrawal. Gmail requires bulk senders to process unsubscribes within 2 days. All of these requirements converge on one operational need: a suppression list that is accurate, complete, current, and respected by every send.
Categories of Suppressed Addresses
Every suppressed address should be categorized by the reason for suppression:
- Unsubscribed — subscriber used your unsubscribe mechanism
- Hard bounced — email address is invalid or permanently non-deliverable
- Spam complaint — subscriber clicked "Report Spam" and the feedback loop reported it to you
- GDPR erasure request — subscriber requested data deletion; retain suppression record, delete all other personal data
- CASL consent expired — implied consent window lapsed without renewal
- Manual suppression — internal decision to suppress specific address
Maintaining suppression categories matters when you review the list or audit your program. An address suppressed due to GDPR erasure is in a different legal category than an address suppressed due to a hard bounce — and the retention rules for the data differ accordingly.
Suppression List Integrity
Suppression list integrity failures are one of the most common causes of compliance violations and deliverability problems:
- Re-importing a list that includes previously suppressed addresses — common when importing from a CRM that doesn't track suppression status
- Migrating to a new ESP without importing the suppression list first
- Using a segmentation filter that accidentally excludes the suppression check
- Having multiple ESPs with separate suppression lists that don't sync — sending from ESP B to an address that unsubscribed from ESP A
Before any list import, cross-reference the import file against your current suppression list and remove any matches. Build this as an automated step in your list import workflow rather than a manual check. Treat your suppression list as a mandatory exclusion list for every send, from every tool.
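An added Python example (not from the page or from any ESP) of the two controls described here: consolidating suppression lists from several sending systems and screening an import file against the result. The category precedence used when one address appears in two systems, the lower-casing of addresses, and the sample data are this example's assumptions.

```python
from dataclasses import dataclass
from datetime import date
from itertools import chain

# Categories from the list above; the ordering decides which record wins when the
# same address is suppressed in several systems (the ordering is this example's assumption).
PRECEDENCE = ["gdpr_erasure", "spam_complaint", "unsubscribed", "casl_expired", "hard_bounce", "manual"]

@dataclass(frozen=True)
class Suppression:
    email: str       # address as recorded by the source system
    category: str    # one of PRECEDENCE
    source: str      # which sending system recorded it, e.g. "esp_a"
    recorded: date

def normalise(address: str) -> str:
    """Trim and lower-case so one mailbox written two ways still matches.
    Lower-casing the local part is common practice, not an RFC guarantee."""
    return address.strip().lower()

def consolidate(*lists: list[Suppression]) -> dict[str, Suppression]:
    """Merge suppression lists from every sending system into one lookup table."""
    merged: dict[str, Suppression] = {}
    for entry in chain.from_iterable(lists):
        key = normalise(entry.email)
        current = merged.get(key)
        if current is None or PRECEDENCE.index(entry.category) < PRECEDENCE.index(current.category):
            merged[key] = Suppression(key, entry.category, entry.source, entry.recorded)
    return merged

def screen_import(candidates: list[str], suppressed: dict[str, Suppression]):
    """Split an import file into addresses safe to load and addresses rejected with the reason."""
    clean, rejected, seen = [], {}, set()
    for raw in candidates:
        addr = normalise(raw)
        if addr in seen:          # duplicates within the import file itself
            continue
        seen.add(addr)
        hit = suppressed.get(addr)
        if hit is None:
            clean.append(addr)
        else:
            rejected[addr] = f"{hit.category} via {hit.source} on {hit.recorded.isoformat()}"
    return clean, rejected

# Constructed sample data: two ESPs with separate, unsynced suppression lists
ESP_A = [Suppression("Alice@Example.com", "unsubscribed", "esp_a", date(2023, 5, 2))]
ESP_B = [Suppression("alice@example.com", "hard_bounce", "esp_b", date(2023, 8, 9)),
         Suppression("bob@example.org", "gdpr_erasure", "esp_b", date(2024, 1, 15))]
IMPORT_FILE = [" ALICE@example.com", "bob@example.org", "carol@example.net", "carol@example.net"]
```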
Using Consent Data to Drive Deliverability Decisions
Consent data is not just legal documentation — it is some of the most predictive data you have about subscriber quality and expected engagement. Used well, consent data can drive segmentation, suppression, and send frequency decisions that measurably improve deliverability.
Segment by Consent Quality
Create a consent quality tier for your active subscribers:
- Tier 1: Double opt-in — confirmed active consent, highest predicted engagement quality
- Tier 2: Single opt-in — clear opt-in checkbox, solid consent, moderate engagement quality
- Tier 3: Implied consent (CASL) — active business relationship, lower engagement quality than explicit opt-in
- Tier 4: Legacy / undocumented consent — subscribers added before current documentation practices, unknown consent quality
Suppression rules should differ by tier. Apply stricter engagement-based suppression to Tier 4 subscribers: if they haven't opened an email in 90 days, move them to a re-permission flow. For Tier 1 and 2, allow longer engagement windows before re-permission. Monitor inbox placement rates per tier using seed list testing — the engagement quality difference between tiers is typically measurable and actionable.
Consent Age as a Deliverability Signal
Consent age — how long ago a subscriber first opted in — correlates with engagement for most email programs. Subscribers who joined 3 years ago and haven't opened an email in 18 months are unlikely to engage with future sends and are increasingly likely to generate spam complaints. Their continued presence on your active list suppresses your engagement rate and contributes to ongoing low-engagement signals at Gmail.
Use consent age in combination with last engagement date to define your win-back and suppression triggers. A subscriber who joined 1 year ago but hasn't opened in 6 months is a win-back candidate. A subscriber who joined 4 years ago and hasn't opened in 2 years is a suppression candidate.
Consent Source Quality
Different opt-in sources produce subscribers of different quality. Organic blog subscribers typically engage better than contest entrants. Product signup subscribers typically engage better than co-registration leads. Measure open rates, click rates, complaint rates, and spam report rates by consent source and adjust your list acquisition strategy toward the sources that produce the most deliverable subscribers.
Measure inbox placement by consent tier
InboxEagle's seed list testing lets you measure inbox placement rates per segment — quantify the deliverability difference between your consent tiers and prioritize re-permission campaigns where it matters.
Re-permission Campaigns: Refreshing Consent at Scale
A re-permission campaign asks existing subscribers to actively confirm they want to continue receiving your email. It's used in three situations: before CASL implied consent windows expire, for legacy subscribers whose consent documentation is incomplete or missing, and as part of engagement-based list cleaning for chronically disengaged subscribers.
When to Run a Re-permission Campaign
- CASL implied consent approaching expiry — 60–90 days before the 24-month purchase window or 6-month inquiry window closes
- Legacy list with undocumented consent — subscribers added before you implemented proper consent documentation
- Post-ESP migration — after migrating to a new ESP, running a re-permission campaign for the imported list documents consent in the new system
- Extended inactivity — subscribers who haven't opened or clicked in 12–18 months, as part of a broader engagement-based suppression strategy
Campaign Structure
The most effective re-permission campaigns are simple and direct. Don't try to make it a marketing opportunity — the goal is consent renewal, not revenue. Keep the email brief, focused, and easy to act on:
- Subject line: "Please confirm you'd like to stay subscribed" or "We need to confirm your email preferences" — direct and specific
- Body: One or two sentences explaining you're confirming they want to continue receiving email from you, and what they'll receive
- CTA: A single, prominent button: "Yes, keep me subscribed" — one action, no ambiguity
- No penalty: Make clear that if they don't confirm, they'll be removed — but frame this neutrally, not as a threat
Processing Results
Run the re-permission campaign and wait 14–30 days for responses. Subscribers who click "Confirm" are tagged with a new express consent record including the timestamp and source. Subscribers who don't respond within the window are moved to your suppression list before their consent window closes.
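The CASL timing from the list above and the result processing described here, as an added Python example (not from the page or from InboxEagle): it takes 90 lead days and a 30-day response window from the stated ranges and clamps month arithmetic to month ends; the basis labels, helper names and sample contacts are assumptions.

```python
import calendar
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone

WINDOW_MONTHS = {"purchase": 24, "inquiry": 6}   # CASL implied-consent windows
LEAD_DAYS = 90        # send the campaign at the early end of the 60-90 day range
RESPONSE_DAYS = 30    # allow the full 30-day response window when expiry permits

@dataclass(frozen=True)
class ImpliedConsent:
    email: str
    basis: str          # "purchase" or "inquiry"
    acquired_on: date   # date of the transaction or inquiry that created implied consent

def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps to the last day of the target month."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def expiry_date(c: ImpliedConsent) -> date:
    return add_months(c.acquired_on, WINDOW_MONTHS[c.basis])

def campaign_schedule(c: ImpliedConsent) -> tuple[date, date]:
    """(send_on, decide_on): send LEAD_DAYS before expiry and close the response
    window RESPONSE_DAYS later, but never on or after the expiry date itself."""
    expiry = expiry_date(c)
    send_on = expiry - timedelta(days=LEAD_DAYS)
    decide_on = min(send_on + timedelta(days=RESPONSE_DAYS), expiry - timedelta(days=1))
    return send_on, decide_on

def process_results(consents, confirmed: dict[str, datetime], today: date):
    """Confirmers get an express-consent record; silent contacts past decide_on are suppressed."""
    express, suppressed = [], []
    for c in consents:
        _, decide_on = campaign_schedule(c)
        if c.email in confirmed:
            express.append({"email": c.email, "type": "express", "source": "re-permission campaign",
                            "timestamp": confirmed[c.email].isoformat()})
        elif today >= decide_on:
            suppressed.append((c.email, "casl_expired"))   # not renewed; window about to lapse
    return express, suppressed

def worked_example():
    """Constructed data: one purchase-based and one inquiry-based implied consent."""
    consents = [ImpliedConsent("buyer@example.com", "purchase", date(2023, 1, 31)),
                ImpliedConsent("asker@example.com", "inquiry", date(2024, 8, 31))]
    confirmed = {"buyer@example.com": datetime(2024, 11, 5, 10, 0, tzinfo=timezone.utc)}
    return consents, process_results(consents, confirmed, today=date(2025, 1, 20))
```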
The resulting list after a re-permission campaign is smaller but healthier: it contains only subscribers who actively want your email. Monitor inbox placement before and after the campaign using seed list testing — most email programs see measurable inbox placement improvement after a well-executed re-permission campaign.
Re-permission campaigns reduce list size — that's the point
A re-permission campaign will typically result in 30–60% of targeted subscribers not responding and being suppressed. This is not a campaign failure — it's the discovery that a large portion of your list wasn't going to engage anyway. Suppressing them before they generate spam complaints or suppress your engagement rate is a deliverability win.
Conducting a Consent Audit
A consent audit is a systematic review of your email program's consent documentation, suppression practices, and authentication status. Conduct a full audit annually, or after any significant change to your email program (new ESP, major list import, new opt-in sources).
Audit Checklist: Consent Documentation
- ☐ What percentage of active subscribers have a recorded consent timestamp?
- ☐ What percentage have a recorded consent source URL or form identifier?
- ☐ What percentage have the consent text stored alongside their record?
- ☐ For GDPR: are IP addresses recorded for EU subscribers?
- ☐ For CASL: are implied consent acquisition dates tracked for Canadian subscribers?
- ☐ Are CASL implied consent windows monitored and alerts configured for upcoming expiry?
- ☐ Are consent records backed up outside your ESP?
- ☐ When was the last consent record export performed?
Audit Checklist: Suppression List Integrity
- ☐ Does your suppression list include all unsubscribes, hard bounces, and spam complaints?
- ☐ Are GDPR erasure requests logged in the suppression list (with personal data deleted)?
- ☐ Have suppression records survived any ESP migrations or list imports?
- ☐ Are suppressions from all sending systems (multiple ESPs, transactional systems) consolidated?
- ☐ Is every list import cross-referenced against the suppression list before send?
Audit Checklist: Authentication Compliance
- ☐ SPF record published and valid for all sending domains — SPF Generator
- ☐ DKIM signing configured for all sending domains
- ☐ DMARC policy published — monitor failures via DMARC Monitoring
- ☐ Gmail spam complaint rate below 0.05% — monitor via Google Postmaster
- ☐ Yahoo spam complaint rate monitored via Yahoo Sender Hub
- ☐ Sending domain not on any major blacklists
- ☐ One-click unsubscribe (RFC 8058) verified for all bulk sends to Gmail
Audit Checklist: Consent Quality Review
- ☐ What percentage of your list is Tier 1 (double opt-in) vs. lower tiers?
- ☐ Are there consent sources producing high complaint rates or low engagement? Consider eliminating them.
- ☐ What is the engagement rate of subscribers older than 24 months? Consider a re-permission campaign for this segment.
- ☐ Are there legacy subscribers with no consent documentation? Schedule a re-permission campaign.
- ☐ Has inbox placement been measured by consent tier in the last quarter?
The consent audit is not a one-time exercise. Email programs change: new opt-in forms go live, list imports happen, ESPs get migrated, marketing team members change. An annual audit ensures that documented practices match actual practices — and that legal exposure hasn't accumulated silently while the business grew.
Complete Your Compliance Picture with Authentication Monitoring
Consent documentation protects your legal standing. InboxEagle completes the picture by monitoring DMARC authentication, complaint rates, blacklist status, and inbox placement — the technical compliance layer that works alongside your consent practices.