Email Consent Audit Scorecard
The ICO doesn't just ask whether you had consent — they ask you to prove it. This scorecard rates the quality of your consent documentation across 10 areas. Everything runs in your browser — no data leaves your device.
If a question doesn't apply (e.g., you don't use third-party data), answer "Yes" — it means you have no gap in that area.
Consent Timestamps · Question 1 of 10
Do you record a timestamp for when each contact gave marketing consent?
Consent Wording · Question 2 of 10
Do you store the exact consent wording that was shown to each subscriber when they opted in?
Record Retrieval · Question 3 of 10
Can you retrieve a complete consent record for a specific individual (name, timestamp, wording, source) within one business day?
Version Control · Question 4 of 10
Do you keep a version history of all consent form wording changes, with dates?
Collection Provenance · Question 5 of 10
Do your consent records include the collection method (web form, paper form, phone, event) and source URL or location for each contact?
Record Durability · Question 6 of 10
Would your consent records survive an ESP migration (e.g., moving from Mailchimp to HubSpot) without losing consent metadata?
Soft Opt-In Evidence · Question 7 of 10
If you use the soft opt-in, do you document the original purchase/transaction for each contact you market to under this exemption?
Ongoing Maintenance · Question 8 of 10
Do you run a documented consent audit at least every six months?
Third-Party Provenance · Question 9 of 10
For any third-party data on your list, can you produce the original consent wording from the data provider that specifically covers your marketing?
Record Independence · Question 10 of 10
Are your consent records stored independently from your ESP (e.g., in a separate database, spreadsheet, or compliance system)?