What consent do I need to capture for financial advice leads under GDPR?

Quick answer

You need specific, granular, freely given and affirmative consent for each of: (1) marketing calls and SMS, (2) marketing email, and (3) any special category data you collect, such as health information for protection products. Financial details are personal data but not special category data; they still need a lawful basis, which does not have to be consent. For every consent, store the exact wording shown, a timestamp, the IP address and the user-agent. Consent does not justify indefinite retention: set and apply a retention period for each purpose.

Required consents

1. **Marketing calls/SMS:** explicit, separate checkbox. Screen numbers against the TPS/CTPS before calling.
2. **Marketing email:** explicit, separate checkbox. The soft opt-in only covers existing customers being offered similar products, so it rarely applies to new leads for regulated advice.
3. **Data processing:** a lawful basis for each purpose (contract, legitimate interest or consent). Consent is one option, not a requirement.
4. **Special category data** (e.g. health for protection products, ethnicity): explicit consent.

What to store

- Consent text shown (verbatim), with the version of that wording.
- Timestamp (ISO-8601, with timezone offset).
- IP address.
- User-agent.
- Landing-page URL.
- Version of the terms and privacy policy in force at the time.

Retention

- Prospect (no client relationship): 12 to 24 months is typical.
- Client: for the life of the relationship, plus 6 to 7 years after it ends (FCA record-keeping rules).
- Declined advice: 6 years.

Watch out

- Pre-ticked consent boxes are not valid consent.
- Bundled consent (one box covering several purposes, or consent made a condition of receiving the service) is not valid.
- Third-party lead lists are almost always non-compliant: consent collected by someone else only carries over if the original wording named your firm and the purpose.
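The following is an added example showing how the storage, retention and "watch out" rules above can be enforced at the point of capture. It is not code from the original page or from Platinum Prospects. The field names, the one-purpose-per-checkbox rule, the retention periods chosen (the lower bound of each range quoted above) and the SHA-256 integrity hash are assumptions made for this illustration; the sample form submission is constructed.

```python
"""Consent capture for financial-advice lead forms (added illustration, not
the page's own code). Field names, retention windows and the integrity hash
are assumptions for this example."""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone

# Each purpose needs its own, unticked checkbox (granular consent).
PURPOSES = ("marketing_call_sms", "marketing_email", "special_category")

# Assumed retention windows: lower bound of the ranges quoted on the page.
RETENTION = {
    "prospect": timedelta(days=365),      # 12 months, no client relationship
    "declined": timedelta(days=6 * 365),  # 6 years after advice was declined
    "client": None,                       # counted from end of relationship
}
POST_RELATIONSHIP = timedelta(days=6 * 365)  # assumed 6 years after exit


class ConsentError(ValueError):
    """The submitted form cannot yield valid consent."""


@dataclass(frozen=True)
class ConsentRecord:
    purposes: dict            # purpose -> True only if the user ticked it
    consent_text: str         # verbatim wording shown beside the boxes
    consent_text_sha256: str  # proves later which wording was shown
    policy_version: str
    captured_at: str          # ISO-8601 with UTC offset
    ip: str
    user_agent: str
    landing_url: str
    retention_until: str | None  # None for live clients
    record_sha256: str = ""   # hash over every other field, set by seal()


def _sha256(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def validate_checkboxes(checkboxes: list[dict]) -> dict:
    """Reject pre-ticked or bundled boxes; return {purpose: ticked?}.

    Each checkbox dict carries: purposes (list), default_checked (state as
    rendered) and checked (state as submitted). Refusals are recorded too.
    """
    granted: dict = {}
    for box in checkboxes:
        if box["default_checked"]:
            raise ConsentError(f"pre-ticked box for {box['purposes']}")
        if len(box["purposes"]) != 1:
            raise ConsentError(f"bundled consent: {box['purposes']}")
        (purpose,) = box["purposes"]
        if purpose not in PURPOSES or purpose in granted:
            raise ConsentError(f"unknown or duplicate purpose {purpose!r}")
        granted[purpose] = bool(box["checked"])
    return granted


def seal(record: ConsentRecord) -> ConsentRecord:
    """Return a copy whose record_sha256 covers all other fields."""
    body = asdict(record)
    body.pop("record_sha256")
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return ConsentRecord(**body, record_sha256=_sha256(canonical))


def verify(record: ConsentRecord) -> bool:
    """True if no stored field has been altered since seal()."""
    return seal(record).record_sha256 == record.record_sha256


def capture_consent(checkboxes, *, consent_text, policy_version, ip,
                    user_agent, landing_url, relationship="prospect",
                    now=None) -> ConsentRecord:
    now = now or datetime.now(timezone.utc)
    window = RETENTION[relationship]
    until = (now + window).isoformat(timespec="seconds") if window else None
    return seal(ConsentRecord(
        purposes=validate_checkboxes(checkboxes),
        consent_text=consent_text,
        consent_text_sha256=_sha256(consent_text),
        policy_version=policy_version,
        captured_at=now.isoformat(timespec="seconds"),
        ip=ip, user_agent=user_agent, landing_url=landing_url,
        retention_until=until,
    ))


def has_consent(record: ConsentRecord, purpose: str) -> bool:
    return bool(record.purposes.get(purpose, False))


def client_retention_until(relationship_end: datetime) -> str:
    """Clients: keep for the relationship, then POST_RELATIONSHIP after exit."""
    return (relationship_end + POST_RELATIONSHIP).isoformat(timespec="seconds")


def dump(record: ConsentRecord) -> str:
    return json.dumps(asdict(record), sort_keys=True)


def load(text: str) -> ConsentRecord:
    return ConsentRecord(**json.loads(text))


# Constructed sample submission: phone/SMS ticked, email left unticked.
SAMPLE_BOXES = [
    {"purposes": ["marketing_call_sms"], "default_checked": False, "checked": True},
    {"purposes": ["marketing_email"], "default_checked": False, "checked": False},
]
SAMPLE_TEXT = "Tick to let Example Advisers call or text you about pension advice."
SAMPLE_NOW = datetime(2026, 4, 1, tzinfo=timezone.utc)


def sample_record() -> ConsentRecord:
    return capture_consent(SAMPLE_BOXES, consent_text=SAMPLE_TEXT,
                           policy_version="pp-2026-04", ip="203.0.113.7",
                           user_agent="Mozilla/5.0 (constructed)",
                           landing_url="https://example.invalid/pension-lead",
                           now=SAMPLE_NOW)


if __name__ == "__main__":
    print(dump(sample_record()))
```

Store `dump(record)` as an append-only row and run `verify(load(row))` whenever a record is produced as evidence; a stored row whose `ip`, wording or timestamp has been edited after the fact will fail the check. Refusals are kept alongside grants so that a later complaint about an unticked box can be answered from the same record.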

Reviewed by Platinum Prospects Editorial. Last updated April 2026.