Consent Management: GDPR requirements, what to track, and best practices
Consent management is about collecting, storing, and documenting consent correctly. Learn the GDPR requirements, what a consent record must contain, and best practices.
Consent management is the process of collecting, recording, storing, and administering consent from individuals for processing their personal data — typically in the context of email marketing, tracking, and profiling.
Under GDPR, consent is one of six lawful bases for data processing. For email marketing, it’s practically the only relevant basis for most companies (except existing customer relationships, which can be handled via “legitimate interest”).
What GDPR requires for valid consent
GDPR sets four requirements for valid consent:
1. Freely given
Consent must not be a condition for accessing a service (unless the data processing is necessary for the service). “Sign up for our newsletter to download this guide” is in a gray area.
2. Specific
You must request consent for each purpose separately. A single checkbox covering “newsletter + third-party partners + profiling” is invalid. Each purpose requires its own consent.
3. Informed
The person must know exactly what they’re saying yes to. Generic phrases like “we may contact you” are not sufficient. Specify: what you’ll send, how often, and who sends it.
4. Unambiguous
Consent requires an active action. Pre-checked boxes are prohibited, as the EU Court of Justice confirmed in the Planet49 ruling. Passivity (“if you don’t opt out…”) is not consent.
What a consent record must contain
When the data protection authority comes knocking, you need to produce documentation. Each consent record must contain at minimum:
- Who: Email address or other identifier
- When: Exact timestamp (date + time + timezone)
- How: Which form, page, or touchpoint
- What: The exact consent text the person accepted
- Source: IP address and user agent (browser/device)
- Version: Which version of your privacy policy was in effect
Never store consent as a simple boolean flag in your database. You need the full context.
Double opt-in: recommended but not required
GDPR doesn’t explicitly require double opt-in, but it’s best practice for two reasons:
- Evidence — double opt-in gives you documentation that the email address owner actively confirmed. Without it, someone can claim another person used their email.
- List quality — it eliminates typos, fake addresses, and bots, which reduces your bounce rate and improves deliverability.
The right to withdraw consent
GDPR gives individuals the right to withdraw consent at any time, and it must be as easy as giving it. In practice, this means:
- A clear unsubscribe link in every email
- The ability to manage preferences (e.g., opt out of certain communication types while keeping others)
- Processing withdrawal within a reasonable timeframe (ideally immediately, maximum 30 days)
When consent is withdrawn, you must stop processing but keep the consent record as documentation that you had consent during the period you were sending.
Audit trail
A complete audit trail logs not just the initial consent, but all changes:
- When consent was given
- When preferences were changed
- When consent was withdrawn
- Who/what initiated each change
This protects you during audits and gives you a clear picture of each contact’s consent history.
Practical implementation
- Build consent into your signup flow from day one — it’s significantly easier than retrofitting
- Use separate checkboxes for each purpose
- Store the complete consent record (not just a flag)
- Implement a preference center where contacts can manage their consent
- Automate withdrawal via unsubscribe links
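As an added example (not code from the original article), here is a minimal append-only consent ledger in Python that stores the record fields listed above, treats withdrawal as a new event rather than deleting the grant, and answers "did we hold confirmed consent for this purpose at this point in time?"; the contact, timestamps, IP address, policy version and consent wording are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class ConsentEvent:
    """One immutable audit-trail entry; a consent record is never a bare boolean."""
    email: str            # who: identifier of the contact
    action: str           # "granted", "confirmed" (double opt-in) or "withdrawn"
    purpose: str          # one purpose per event, never a bundle of purposes
    timestamp: datetime   # when: must be timezone-aware
    source: str           # how: form, page or touchpoint
    consent_text: str     # what: the exact wording the person accepted
    ip: str               # source: IP address
    user_agent: str       # source: browser/device
    policy_version: str   # which privacy policy version was in effect
    actor: str            # who/what initiated the change (contact, unsubscribe link, CRM job)

class ConsentLedger:
    """Append-only log: withdrawal appends an event, it never deletes the grant."""
    def __init__(self):
        self._events = []
    def record(self, ev):
        if ev.action not in {"granted", "confirmed", "withdrawn"}:
            raise ValueError(f"unknown action {ev.action!r}")
        if ev.timestamp.tzinfo is None or not ev.consent_text.strip():
            raise ValueError("timezone-aware timestamp and exact consent text are mandatory")
        self._events.append(ev)
    def history(self, email, purpose):
        """Complete consent history for one contact and purpose, oldest first."""
        return sorted((e for e in self._events if e.email == email and e.purpose == purpose),
                      key=lambda e: e.timestamp)
    def has_consent(self, email, purpose, at=None, require_confirmation=True):
        """Did valid consent for `purpose` exist at time `at` (default: now)?"""
        at = at or datetime.now(timezone.utc)
        past = [e.action for e in self.history(email, purpose) if e.timestamp <= at]
        state = past[-1] if past else None  # the latest event at or before `at` decides
        return state == "confirmed" or (state == "granted" and not require_confirmation)

def utc(day, hour): return datetime(2024, 3, day, hour, tzinfo=timezone.utc)

def sample_ledger():
    """Constructed lifecycle for a hypothetical contact: signup, confirmation, unsubscribe."""
    common = dict(email="alice@example.com", purpose="newsletter", source="/signup",
                  consent_text="Send me the weekly newsletter from Example Ltd.",
                  ip="203.0.113.5", user_agent="Mozilla/5.0", policy_version="2024-01")
    ledger = ConsentLedger()
    ledger.record(ConsentEvent(action="granted", timestamp=utc(1, 9), actor="contact", **common))
    ledger.record(ConsentEvent(action="confirmed", timestamp=utc(1, 10), actor="double-opt-in link", **common))
    ledger.record(ConsentEvent(action="withdrawn", timestamp=utc(20, 8), actor="unsubscribe link", **common))
    return ledger
```

Because the withdrawal is recorded as an event, `history()` still returns the original grant and confirmation after the contact unsubscribes, which is exactly the documentation an authority will ask for.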
Read more about GDPR-compliant email marketing in our GDPR guide to email marketing.