18 March 2026 · Last reviewed 18 February 2026

What to Look for in a Marketing Consent Management Tool

You have read the ICO enforcement data. You have worked through the PECR compliance checklist. You know your consent records have gaps. Now you need a tool to fix it — and you are staring at a market that either ignores your problem or prices you out of solving it.

This guide covers what matters when evaluating consent management tools, what categories exist, and how to avoid paying enterprise prices for features you do not need.

The problem you are solving

PECR requires you to prove, for any subscriber on your list, that they gave valid consent to receive marketing from your organisation. That means documenting:

  • The exact consent wording shown at the point of signup
  • When and where they consented (timestamp, source URL, collection method)
  • What they consented to (which marketing categories, what channels)
  • Whether soft opt-in applies and, if so, evidence of the original transaction and the opt-out opportunity at collection
  • The provenance of third-party data — the consent wording those contacts originally saw from whoever collected their details

If you are unclear on any of those requirements, the PECR vs GDPR breakdown explains where standard ESP records fall short, and the soft opt-in guide covers the four conditions you must document.

Most businesses handle this with a combination of ESP subscription records and hope. That is the gap a consent management tool should fill.

What categories of tools exist

Spreadsheets and manual tracking

The cheapest option. You screenshot your forms, log wording changes, and maintain a spreadsheet mapping subscribers to consent versions. This works for small lists (under a few hundred contacts) when someone is disciplined enough to update it after every form change.

Where it breaks: no automated link between a subscriber and the consent wording they saw. When the ICO asks for evidence about a specific contact, you are cross-referencing dates against archived screenshots. That is fragile and does not scale.

ESP built-in compliance features

Mailchimp, HubSpot, and other platforms record subscription dates, double opt-in confirmations, and source tags. But ESPs record that someone subscribed, not what they were told. They do not version consent wording, document soft opt-in eligibility, or track third-party data provenance. Our Mailchimp PECR audit guide covers exactly what gets captured and what gets missed — the pattern is the same across platforms.

Enterprise consent platforms

Large platforms offer preference centres, multi-channel consent orchestration, and enterprise integrations. Pricing typically starts at £8,000 per year and scales with contact volume. For a business with 5,000 subscribers and one ESP, this is a sledgehammer for a nail.

Purpose-built SME consent audit tools

This category barely exists yet. The concept: a tool that connects to your ESP, pulls subscriber data, and provides a structured way to attach consent evidence — wording versions, collection sources, soft opt-in documentation, third-party provenance records — to individual contacts. Then exports that evidence in a format the ICO would accept.

This is the gap ConsentTrail is being built to fill — designed for UK SMEs that need PECR consent documentation without enterprise budgets. It is coming soon; you can join the waitlist to get notified at launch.

Features that actually matter

Here is what to prioritise, based on what the ICO asks for in investigations (covered in our consent records retention guide).

Must-haves

Consent wording versioning. The tool must record the exact text shown at each collection point and maintain a version history. Contacts who subscribed under March wording are still covered by it after you update the form in June.

ESP integration via API. The tool should pull subscriber data directly from your email platform. Manual CSV imports introduce errors and go stale within days.

Per-contact consent records. You need to pull up a specific subscriber and see the full consent chain: when, what wording, how, and what categories. The ICO investigates at the individual level.

Audit trail exports. Structured, readable evidence exports — not raw data dumps. When the ICO requests documentation, you need to produce it without explanation.

Soft opt-in documentation. If any contacts rely on the soft opt-in exemption, you need to record the original transaction, confirm similar product alignment, and prove an opt-out was offered at collection.

Important but secondary

Third-party data provenance tracking. If you acquire contacts from external sources, you need to store the original consent wording and show it named your organisation. If your list is entirely first-party, less critical. If you use any third-party data, essential.

Automated compliance alerts. Notifications when consent wording has not been reviewed, when form screenshots are missing, or when contacts lack complete records.

Skip these

Cookie consent management. That is PECR Regulation 6, not Regulation 22. Do not pay for cookie features in a marketing consent tool.

Preference centre hosting. Useful, but not core to the consent audit problem you are solving.

Questions to ask when evaluating a tool

Work through this before committing to any platform:

  • Does it record the actual consent wording, or just that consent was given?
  • Can it version consent wording over time — historical records, not just the current version?
  • Does it integrate with your ESP via API, or require manual imports?
  • Can you retrieve a complete consent record for a single contact in under five minutes?
  • Does it support soft opt-in documentation?
  • Can you export audit-ready evidence? Ask to see a sample export.
  • What does pricing look like at your actual contact volume?
  • Does it handle third-party data provenance?
  • Where is data stored, and is the provider UK GDPR-compliant?
  • What happens to your records if you cancel?

Pricing reality check

The market breaks into three tiers:

Enterprise (£8,000–£50,000+/year). Full-featured platforms with dedicated onboarding and multi-brand support. Built for compliance teams with large martech stacks.

Mid-market (£2,000–£8,000/year). Some enterprise tools offer stripped-down tiers, but they are often limited in ways that undermine the core value — capped integrations, limited contacts, or missing soft opt-in features.

SME-affordable (under £1,000/year). Almost nothing exists here that specifically addresses PECR marketing consent. This is the price point where most UK small businesses operate, and the tier that is most underserved.

ConsentTrail is being built for that third tier — PECR consent audit tooling priced for a business with one ESP, one marketing person, and a few thousand subscribers. Join the waitlist to be notified at launch.

What to do right now

If nothing on the market fits your budget today, start with the manual approach:

  1. Run the PECR compliance checker to identify your specific gaps.
  2. Screenshot every consent collection point on your site. Date and file them.
  3. Export your subscriber list and identify which contacts have complete consent records and which do not.
  4. For contacts relying on soft opt-in, document the transaction evidence now.
  5. Review your consent records retention approach to confirm you are keeping records long enough.

A spreadsheet with disciplined upkeep is better than no system at all. A dedicated tool is better than a spreadsheet. But either is vastly better than the current industry default: hoping your ESP records will be enough if the ICO calls.

They will not be.