
Email consent management: Best practices


Summary

Consent management tracks who agreed to receive your emails, when, and how. Good consent records protect you legally, improve deliverability, and build trust. Poor consent management creates compliance risk and deliverability problems.

A marketing team couldn't answer a simple question from their legal department: "Can you prove these 50,000 subscribers actually consented to receive marketing emails?" They had email addresses, but no records of when or how people signed up. Some addresses were years old, imported from various sources, with no documentation. The compliance audit that followed was painful and expensive.

Consent management isn't just bureaucratic overhead. It's the foundation of legitimate email marketing. Without proper consent records, you can't prove compliance with GDPR, CASL, or other regulations. You can't defend yourself against spam complaints. You can't confidently send email knowing your recipients actually want it.

What consent records should include

A complete consent record documents everything about how someone joined your list.

The email address itself, obviously. But also when they subscribed—the exact timestamp. How they subscribed—which form, page, or process. What they consented to—which types of emails, from which senders.

The source of the signup matters. Did they fill out a form on your website? Check a box during checkout? Get added by a sales rep? Import from a partner list? Each source has different consent implications.

The consent language they saw should be recorded. What exactly did the checkbox or form say? If you change your signup language over time, you need to know what each subscriber actually agreed to.

IP address and user agent can help verify consent wasn't fraudulent. They're not required but can be useful if consent is disputed.

For double opt-in, record both the initial signup and the confirmation click. The confirmation is what validates the consent.

Single vs double opt-in

The opt-in method affects both consent quality and legal compliance.

Single opt-in means someone provides their email address and is immediately subscribed. It's simpler and captures more subscribers, but consent quality is lower. Typos, fake addresses, and malicious signups all get through.

Double opt-in (confirmed opt-in) requires clicking a confirmation link in a verification email. Only confirmed addresses get subscribed. This proves the email address is valid and the owner actually wants to subscribe.

GDPR doesn't explicitly require double opt-in, but it does require demonstrable consent. Double opt-in provides clear evidence that the email owner consented. Single opt-in makes consent harder to prove.

CASL effectively requires something close to double opt-in through its express consent requirements. The consent must be clear and documented.

For most email programs, double opt-in is worth the slight reduction in signup completion. The list quality improvement and compliance protection outweigh the friction.

Consent for different email types

Different types of email may require different consent.

Marketing emails require explicit consent under most regulations. Promotional content, newsletters, and sales communications need clear opt-in.

Transactional emails related to a purchase or account generally don't require marketing consent. Order confirmations, shipping notifications, and account alerts are expected communications.

Service communications about your product or service occupy a gray area. Product updates, feature announcements, and tips might be considered necessary service communications or might be marketing, depending on content and jurisdiction.

Third-party marketing—sending on behalf of partners or sharing data with others—requires specific consent. Generic "we may share your information" language often isn't sufficient.

Best practice is to get specific consent for each type of communication and let subscribers choose what they want to receive.

Managing consent changes

Consent isn't static. People change their minds, and you need to track those changes.

Unsubscribes withdraw consent for the specific communication type. Record when someone unsubscribes and from what. Don't delete their record entirely—you need to know not to email them.

Preference updates change what someone consents to. If they switch from daily to weekly emails, or opt out of promotions but keep newsletters, record the change with timestamp.

Re-consent may be needed if you significantly change how you use data or what you send. If you start sending different types of content or sharing data with new partners, existing consent may not cover it.

Consent expiration is required in some contexts. CASL's implied consent expires after defined periods. Even where not legally required, very old consent with no engagement might warrant re-confirmation.

Maintain a complete history, not just current state. You might need to prove what someone consented to at a specific point in time.
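The record fields, the double opt-in confirmation and the change history described above, as an added example that is not code from emailr or this article: an in-memory, append-only consent ledger in which the confirmation click is the only event that grants consent, withdrawals are appended rather than deleted, and the history is replayed to answer "what had this address consented to at time T?". The event kinds, topic names and the hashing of the confirmation token before storage are assumptions; a real system would persist the events.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class ConsentEvent:
    email: str
    kind: str              # "signup", "confirmed" or "withdraw" (assumed event kinds)
    at: datetime           # exact timestamp of the event
    source: str            # which form, page or process produced the event
    topics: frozenset      # email types the event applies to (e.g. "newsletter")
    language_version: str  # version of the consent text the subscriber saw
    ip: str = ""           # optional evidence if consent is later disputed
    user_agent: str = ""

class ConsentLedger:
    """Append-only consent history: current state is replayed from events, never overwritten."""
    def __init__(self):
        self.events = []
        self._pending = {}  # sha256(token) -> signup event awaiting confirmation
    def record_signup(self, email, source, topics, language_version, ip="", user_agent="", at=None):
        at = at or datetime.now(timezone.utc)
        ev = ConsentEvent(email, "signup", at, source, frozenset(topics), language_version, ip, user_agent)
        self.events.append(ev)
        token = secrets.token_urlsafe(32)  # single-use secret placed in the confirmation link
        self._pending[hashlib.sha256(token.encode()).hexdigest()] = ev  # keep only a hash of it
        return token
    def confirm(self, token, at=None):
        """The confirmation click is the only event that grants consent; signup alone grants nothing."""
        ev = self._pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if ev is None:
            return False  # unknown or already-used token
        self.events.append(ConsentEvent(ev.email, "confirmed", at or datetime.now(timezone.utc),
                                        ev.source, ev.topics, ev.language_version))
        return True
    def withdraw(self, email, topics, source="unsubscribe-link", at=None):
        """Unsubscribe or preference change: appended with a timestamp, the record is never deleted."""
        self.events.append(ConsentEvent(email, "withdraw", at or datetime.now(timezone.utc),
                                        source, frozenset(topics), ""))
    def consented_topics(self, email, as_of=None):
        """Replay the history to answer what this address had consented to at time as_of."""
        topics = set()
        for ev in sorted(self.events, key=lambda e: e.at):
            if ev.email != email or (as_of is not None and ev.at > as_of):
                continue
            if ev.kind == "confirmed":
                topics |= ev.topics
            elif ev.kind == "withdraw":
                topics -= ev.topics
        return frozenset(topics)
```

Because state is derived from the log, the same ledger answers both "what does this person receive today?" and "what had they agreed to on the date of a disputed send?".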

Consent management systems

As your list grows, manual consent tracking becomes impossible.

Your email platform likely tracks basic consent data—when addresses were added and through which method. But platform data may not capture everything you need.

CRM systems can store richer consent records, including source details, consent language versions, and preference history. Integration between CRM and email platform keeps data synchronized.

Dedicated consent management platforms exist for organizations with complex requirements. They handle consent across multiple channels, track granular preferences, and generate compliance reports.

Whatever system you use, ensure it captures the data you need, maintains history, and can produce records on demand. If you can't quickly answer "when and how did this person consent?" your system isn't adequate.

Handling consent disputes

Sometimes people claim they never signed up. How you handle this matters.

Check your records first. When did they subscribe? Through what method? What IP address? This information often resolves disputes—people forget they signed up years ago.

If records show valid consent, you can demonstrate it. Share the signup date, method, and confirmation (if double opt-in). Most disputes end when people see the evidence.

If records are unclear or missing, err on the side of the subscriber. Unsubscribe them, apologize for any confusion, and improve your consent tracking going forward.

Document dispute resolution. If someone claims they didn't consent and you have evidence they did, keep records of the dispute and resolution. This protects you if they escalate.

Spam complaints are a form of consent dispute. When someone marks your email as spam, they're saying they don't want it. Honor that signal even if you have consent records.

Consent and deliverability

Good consent practices directly improve deliverability.

Confirmed subscribers engage more. Double opt-in lists have higher open and click rates because everyone on the list actually wanted to be there.

Fewer spam complaints result from proper consent. People who knowingly signed up rarely mark you as spam. Complaints typically come from people who don't remember signing up or never actually did.

Better list quality means fewer bounces. Confirmed addresses are valid addresses. You're not sending to typos, fake addresses, or abandoned accounts.

ISPs can tell the difference. Engagement patterns from properly consented lists look different from purchased or scraped lists. Good consent contributes to good sender reputation.

Auditing your consent practices

Regular audits ensure your consent management stays healthy.

Review signup flows periodically. Is consent language clear? Are you capturing all required data? Has anything changed that might affect consent validity?

Sample your consent records. Pick random subscribers and verify you have complete consent documentation. Gaps indicate process problems.

Check for orphan addresses. Are there subscribers with no consent records? How did they get on your list? This often reveals process breakdowns or unauthorized imports.

Test your ability to respond to requests. Can you quickly produce consent records for a specific subscriber? If an audit or legal request came tomorrow, could you respond?
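The orphan, gap and staleness checks above, as an added example that is not code from emailr or this article: a small audit that walks the sending list and classifies each address as having no consent record at all, a record that cannot prove consent, or valid but old consent with no engagement. The sample records are constructed, and the required fields and the 730-day staleness threshold are assumptions, not anything the article specifies.

```python
from datetime import datetime, timedelta, timezone

# Fields a record must carry to prove consent (assumed minimum, per the article's list)
REQUIRED_FIELDS = ("confirmed_at", "source", "language_version")

# Constructed sample data: the addresses actually being sent to, and the consent records held for them
SENDING_LIST = ["a@example.com", "b@example.com", "c@example.com", "d@example.com"]
CONSENT_RECORDS = {
    "a@example.com": {"confirmed_at": datetime(2024, 5, 1, tzinfo=timezone.utc), "source": "web-form",
                      "language_version": "v3", "last_engaged_at": datetime(2025, 1, 10, tzinfo=timezone.utc)},
    "b@example.com": {"confirmed_at": datetime(2021, 2, 1, tzinfo=timezone.utc), "source": "checkout",
                      "language_version": "v1", "last_engaged_at": datetime(2021, 6, 1, tzinfo=timezone.utc)},
    # Imported from a partner list: never confirmed, and no record of which consent text was shown
    "c@example.com": {"confirmed_at": None, "source": "partner-import", "language_version": ""},
    # d@example.com is on the sending list but has no record at all
}

def audit_consent(sending_list, records, now, stale_after=timedelta(days=730)):
    """Classify every address on the sending list as orphan, incomplete, stale or ok."""
    report = {"orphans": [], "incomplete": {}, "stale": [], "ok": []}
    for email in sending_list:
        rec = records.get(email)
        if rec is None:                        # on the list with no consent record: how did it get there?
            report["orphans"].append(email)
            continue
        missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
        if missing:                            # a record exists but cannot prove consent
            report["incomplete"][email] = missing
            continue
        last_touch = rec.get("last_engaged_at") or rec["confirmed_at"]
        if now - last_touch > stale_after:     # old consent, no engagement: re-confirmation candidate
            report["stale"].append(email)
        else:
            report["ok"].append(email)
    return report
```

Run against the full list rather than a sample when checking for orphans; sampling is for verifying the completeness of records that do exist.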

Frequently asked questions

How long should I keep consent records?

Keep consent records as long as you're sending to that address, plus additional time for potential disputes or audits. Many organizations keep consent records for 3-7 years after the last send. Check regulations specific to your jurisdiction.

Can I email someone who unsubscribed if they sign up again?

Yes, if they provide new, valid consent. A new signup creates new consent. But ensure the new signup is genuine—don't re-add people who unsubscribed just because their address appears in a new import.

What if I can't prove consent for old subscribers?

Consider a re-permission campaign asking them to confirm they want to continue receiving emails. Those who confirm give you fresh consent records. Those who don't should probably be removed anyway—they're not engaged.

Is a pre-checked checkbox valid consent?

Under GDPR and CASL, no. Consent must be affirmative—the user must take action to opt in. Pre-checked boxes that users must uncheck don't constitute valid consent in most jurisdictions.


Written by the emailr team
