
Consent Management for CSV Data: GDPR, CCPA, and GPC Compliance for Email and Marketing Lists

March 18, 2026
By SplitForge Team

Quick Answer

Every marketing CSV export is, at minimum, a partial consent database. Under GDPR, consent must be freely given, specific, informed, and unambiguous — and you must be able to demonstrate it. Under CCPA (effective January 1, 2026), businesses must visibly confirm that opt-out preference signals — including Global Privacy Control — were processed. According to the California AG's February 2026 announcement, Disney settled for $2.75 million for failing to honor GPC signals properly across its streaming services. Sephora paid $1.2 million in 2022 for the same failure. A marketing CSV that doesn't include consent status, consent date, and consent method for each contact cannot support these compliance requirements.


Fast Fix (2 Minutes)

If you're preparing a marketing CSV for a campaign or CRM import right now:

  1. Check whether your CSV has consent columns, not just an unsubscribe flag: consent_granted (boolean), consent_date, and consent_method (web form, double opt-in, etc.).
  2. Filter out any contact without documented consent before the campaign or import. Under GDPR, "we think they consented" is not consent.
  3. Filter out GPC opt-outs — any contact who has sent a Global Privacy Control signal must be treated as having opted out of the sale and sharing of their personal information under CCPA.
  4. Check your suppression list — contacts who have previously unsubscribed must not be emailed, regardless of how they were added to the new list.
  5. Use SplitForge Data Cleaner to clean, deduplicate, and filter the file locally before any upload to an email platform.

Consent CSV Schema Reference Table — the minimum fields every marketing CSV should carry:

| Field Name | Type | Example | Purpose / Legal Basis |
|---|---|---|---|
| consent_granted | boolean | TRUE | Primary consent indicator — GDPR Art 7(1): controller must demonstrate consent was given |
| consent_date | ISO 8601 date | 2024-11-14 | Timestamp of consent event — required for Art 7(1) documentation; establishes validity period |
| consent_method | string | double_opt_in | Mechanism used — distinguishes freely given consent from pre-checked boxes; GDPR Art 7 requirement |
| consent_scope | string | email_marketing | What the contact consented to — prevents use beyond original purpose (Art 5(1)(b) purpose limitation) |
| lawful_basis | string | consent | GDPR Art 6 basis — identifies whether processing relies on consent, contract, or legitimate interest |
| gpc_optout | boolean | FALSE | GPC signal received — CCPA 11 CCR §7015: must honor as opt-out of sale and sharing |
| unsubscribed | boolean | FALSE | Platform-level unsubscribe status — suppression list compliance; must be filtered before any send |
| unsubscribe_date | ISO 8601 date | 2025-03-02 | When unsubscribe occurred — evidence for suppression compliance and consent withdrawal timing |

Use this schema as your go-to template. A marketing contact who has consent_granted = TRUE but gpc_optout = TRUE must be excluded from any CCPA-governed sending. Both columns must exist and be checked before export.


TL;DR: Consent is not a checkbox event — it's an ongoing data management obligation. A contact who consented in 2021 may have withdrawn via GPC, unsubscribed, or reached the end of a legitimate interest period. Your CSV must reflect current consent status, not historical opt-in. The 2026 California rules require visible confirmation that opt-out signals were processed. According to the California AG, Disney paid $2.75 million for not doing this correctly.


The central argument of this post: Consent compliance isn't a legal document problem — it's an operational data problem. The consent you collected correctly in 2022 may be non-compliant in 2026 because of what happened to it afterward: a GPC signal that wasn't propagated, a suppression list that wasn't checked, an export that didn't filter withdrawn consent. The Disney settlement wasn't a failure of consent policy. It was a failure of consent infrastructure — specifically, what happened to opt-out signals in the data pipeline after they were received.

Most marketing teams think about consent at the point of collection — the signup form, the double opt-in email, the cookie banner. Few think about consent at the point of use — when a contact list is exported to CSV, segmented, shared with an email platform, or imported into a CRM.

The consent captured at collection has a lifecycle. It can be withdrawn. It can expire. It can be superseded by an opt-out signal from a browser. A marketing CSV that was fully compliant when the contacts joined may be non-compliant by the time you export it for a campaign — if you haven't tracked what has happened to consent in between.

On February 11, 2026, the California Attorney General announced a $2.75 million settlement with The Walt Disney Company for CCPA violations including failure to honor Global Privacy Control signals across its streaming services — reported as the largest CCPA settlement to date at the time of the announcement. The failures were operational: Disney processed GPC signals only at the device level, not at the account level — meaning an opt-out on one browser didn't carry over to other devices on the same account.

This is a consent management failure. And it starts with what's in — or missing from — the marketing data.

Each requirement in this post was assessed against GDPR Articles 6, 7, and 21; CCPA 11 CCR § 7013 and § 7015; and GPC enforcement actions referenced above, March 2026.



A marketing contact list that contains only email, name, and campaign flags is not a consent-aware dataset. Before any campaign, import, or sharing, the following fields must be present or verifiable for each contact:

| Field | Why Required | Framework |
|---|---|---|
| consent_granted | Did this contact provide valid consent? | GDPR Art 6/7 |
| consent_date | When was consent given? (Enables staleness check) | GDPR Art 7(1) |
| consent_method | How was consent obtained? (Web form, double opt-in, etc.) | GDPR Art 7(1) |
| consent_scope | What did they consent to? (Email marketing, data sharing, etc.) | GDPR Art 6(1)(a) |
| gpc_optout | Has this contact sent a GPC signal? | CCPA (California) |
| unsubscribed | Has this contact previously opted out? | All frameworks |
| unsubscribe_date | When did they opt out? | CAN-SPAM, GDPR |
| lawful_basis | If not consent: what alternative basis? (Legitimate interest, contract) | GDPR Art 6 |

❌ CONSENT-BLIND MARKETING CSV (common):
email,first_name,campaign_flag,segment
[email protected],Alice,reactivation,lapsed_customer
[email protected],Bob,promo,high_value
[email protected],Carol,reactivation,lapsed_customer

No consent information. No opt-out information. No GPC status.
Sending a campaign to this list is sending blind.
GDPR: cannot demonstrate consent or lawful basis.
CCPA: cannot confirm GPC status was checked.

CONSENT-AWARE CSV (compliant):
email,first_name,campaign_flag,consent_granted,consent_date,consent_method,gpc_optout,unsubscribed,lawful_basis
[email protected],Alice,reactivation,TRUE,2024-11-03,web_form_double_optIn,FALSE,FALSE,consent
[email protected],Bob,promo,FALSE,,,,FALSE,legitimate_interest
[email protected],Carol,reactivation,FALSE,,,FALSE,TRUE,

Carol is unsubscribed → EXCLUDE before campaign
Bob has no consent but legitimate interest as basis → check scope
Alice has valid documented consent → INCLUDE

Required Consent Columns Schema — save this as your marketing CSV standard:

| Column | Data Type | Example Values | Purpose |
|---|---|---|---|
| consent_granted | Boolean | TRUE / FALSE | Evidence of consent under GDPR Art 7 |
| consent_date | Date (YYYY-MM-DD) | 2024-11-03 | Demonstrates when consent was obtained |
| consent_method | String | web_form, double_optIn, phone, event | How consent was obtained (Art 7 record) |
| consent_scope | String | email_marketing, data_sharing, both | What the contact consented to — prevents purpose creep |
| lawful_basis | String | consent, legitimate_interest, contract | Basis for processing if not consent |
| gpc_optout | Boolean | TRUE / FALSE | GPC signal received — tracks CCPA opt-out status |
| unsubscribed | Boolean | TRUE / FALSE | Any opt-out action — suppression required |
| unsubscribe_date | Date (YYYY-MM-DD) | 2025-08-14 | When opt-out occurred — supports audit trail |

Screenshot this table. Paste it into your marketing ops wiki. Every marketing CSV should be built against this schema before any campaign or import.

Consent System Flow — how consent status moves from collection to campaign:

User submits opt-in form
         ↓
Consent stored: consent_granted=TRUE, consent_date=YYYY-MM-DD,
                consent_method=web_form_double_optIn
         ↓
Synced to CRM (with consent fields)
         ↓
Weekly: GPC signals checked against contact list
        → gpc_optout=TRUE for any matching GPC signal
         ↓
Campaign export (CSV)
         ↓
Filter before upload:
  → EXCLUDE: unsubscribed=TRUE
  → EXCLUDE: gpc_optout=TRUE (for ad targeting / data sharing)
  → EXCLUDE: consent_granted=FALSE AND lawful_basis empty
         ↓
Upload clean, consent-verified list to email platform

This flow ensures suppression happens before upload — not inside the platform after personal data has already been transmitted.
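
An added example (not SplitForge's code and not part of the original post): the "Filter before upload" step of the flow above as a Python function, run over a constructed sample export. The `review` outcome, the `shares_data` switch and the rule that an unreadable flag never counts as permission are assumptions of this example.

```python
import csv
import io
from datetime import datetime

# Constructed sample export; column names follow the schema above, addresses are placeholders.
SAMPLE_EXPORT = """\
email,first_name,consent_granted,consent_date,consent_method,gpc_optout,unsubscribed,lawful_basis
alice@example.com,Alice,TRUE,2024-11-03,web_form_double_optIn,FALSE,FALSE,consent
bob@example.com,Bob,FALSE,,,,FALSE,legitimate_interest
carol@example.com,Carol,FALSE,,,FALSE,TRUE,
dave@example.com,Dave,TRUE,2023-05-20,web_form,TRUE,FALSE,consent
erin@example.com,Erin,yes,2024-06-01,web_form,FALSE,FALSE,consent
frank@example.com,Frank,TRUE,2024-02-30,web_form,FALSE,FALSE,consent
"""

REQUIRED_COLUMNS = {"email", "consent_granted", "consent_date",
                    "gpc_optout", "unsubscribed", "lawful_basis"}


def parse_flag(value):
    """TRUE/FALSE -> bool; blank, 'yes', typos -> None (unknown)."""
    return {"TRUE": True, "FALSE": False}.get((value or "").strip().upper())


def valid_consent_date(value):
    """True only when the value parses as a real year-month-day calendar date."""
    try:
        datetime.strptime((value or "").strip(), "%Y-%m-%d")
        return True
    except ValueError:
        return False


def classify(row, shares_data=True):
    """Return (decision, reason); decision is include, exclude or review."""
    unsub = parse_flag(row.get("unsubscribed"))
    gpc = parse_flag(row.get("gpc_optout"))
    consent = parse_flag(row.get("consent_granted"))
    basis = (row.get("lawful_basis") or "").strip()

    # The three EXCLUDE rules from the flow.
    if unsub is True:
        return "exclude", "unsubscribed"
    if shares_data and gpc is True:
        return "exclude", "gpc_optout"
    if consent is False and not basis:
        return "exclude", "no_consent_no_basis"
    # Assumption: a flag that cannot be read is never treated as permission.
    if unsub is None or consent is None or (shares_data and gpc is None):
        return "review", "unreadable_flag"
    if consent is False:
        return "review", "check_scope_of_" + basis
    if not valid_consent_date(row.get("consent_date")):
        return "review", "consent_date_missing_or_invalid"
    return "include", "documented_consent"


def filter_export(csv_text, shares_data=True):
    """Split an export into rows safe to upload and rows held back with a reason."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = REQUIRED_COLUMNS - set(reader.fieldnames or [])
    if missing:  # consent-blind file: refuse instead of guessing
        raise ValueError("missing consent columns: " + ", ".join(sorted(missing)))
    upload, held = [], []
    for row in reader:
        decision, reason = classify(row, shares_data)
        if decision == "include":
            upload.append(row)
        else:
            held.append((row["email"], decision, reason))
    return upload, held


if __name__ == "__main__":
    upload, held = filter_export(SAMPLE_EXPORT)
    print("upload:", [r["email"] for r in upload])
    for email, decision, reason in held:
        print(f"{decision:8} {email:20} {reason}")
```

Set `shares_data=False` only for sends that involve no sale or sharing of the contact's data; the default keeps GPC opt-outs out of the upload.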


GDPR Article 7 and Recital 32 establish the conditions for valid consent. For marketing CSVs, the practical implications are:

Freely given: Consent cannot be bundled with other terms. A checkbox in signup terms that says "I agree to the terms and receive marketing" is not freely given consent for marketing — these are separate decisions requiring separate actions.

Specific: Consent must be specific to the purpose. Consent to receive "product updates" does not cover promotional campaigns. Consent to "email marketing from Company X" does not cover sharing the email address with a partner for joint marketing.

Informed: The data subject must know who is collecting the data, for what purpose, and their right to withdraw.

Unambiguous: A pre-ticked checkbox is not valid consent. Silence is not valid consent. Inactivity is not valid consent.

Demonstrable (Article 7(1)): You must be able to demonstrate that consent was given. This means: the consent record must exist with date, method, and scope. A CSV contact without a consent record is a contact whose consent cannot be demonstrated.

The consent decay problem:

GDPR doesn't set an explicit expiry period for consent. But consent that was given years ago for a specific purpose may no longer be valid if:

  • The processing has expanded beyond the original scope
  • The relationship has become inactive (the contact hasn't engaged in 3+ years)
  • The consent was obtained before GDPR and wasn't re-confirmed to GDPR standards
  • The contact has withdrawn through any mechanism (unsubscribe, GPC, direct request)

Many marketing teams use contacts who "opted in at some point" without checking whether that opt-in still meets current standards. This is where most consent compliance gaps live — not in the collection, but in the ongoing use.

What this means for your CSV workflow: Before any campaign, filter your export to include only contacts with a documented consent record (consent_granted=TRUE, consent_date populated, lawful_basis confirmed). Every contact without this data should be excluded or verified before the campaign.


CCPA 2026: GPC Opt-Out Confirmation is Now Mandatory

The Global Privacy Control is a browser-level signal that automatically communicates a user's choice to opt out of the sale or sharing of their personal information. Under CCPA, businesses that sell or share personal information must honor GPC signals as valid opt-out requests.

What changed on January 1, 2026:

As of January 1, 2026, California businesses must not only honor GPC signals — they must visibly confirm that the opt-out was processed. A visible "Opt-Out Request Honored" indicator is required when a user with a GPC signal visits the site. Silent backend processing is no longer sufficient.

The Disney enforcement case (February 2026):

The California Attorney General settled with The Walt Disney Company for $2.75 million after finding that Disney:

  • Processed GPC signals only at the device level — an opt-out on one browser didn't apply to the same account on other devices
  • Had opt-out toggles within streaming apps that applied only to that specific service — opting out of Disney+ didn't apply to Hulu or ESPN+ even within the same Disney account
  • Failed to make opt-out mechanisms accessible within TV streaming apps

The AG's guidance from this settlement: opt-out controls must be universal (all devices and services tied to a consumer account), accessible (clear and easy-to-find), and technology-agnostic (GPC honored consistently across platforms).

What this means for your CSV data:

GPC opt-out status needs to propagate from your web infrastructure into your marketing database — and therefore into your marketing CSVs. A contact who sent a GPC signal must be:

  • Excluded from campaigns involving the sale or sharing of their data
  • Excluded from ad targeting that constitutes "sharing" under CCPA
  • Not exported to third-party platforms for targeting

GPC propagation in marketing CSV:
email,gpc_optout,gpc_optout_date,ccpa_do_not_sell
[email protected],FALSE,,FALSE
[email protected],TRUE,2026-01-15,TRUE
[email protected],FALSE,,FALSE

Bob sent a GPC signal on January 15, 2026.
Bob must not be included in any list shared with ad platforms.
Bob must not be included in any targeted advertising segment.
This exclusion must persist until Bob withdraws the signal.

The 12-state spread:

As of January 1, 2026, twelve US states require or are implementing enforcement of universal opt-out signals including GPC: California, Colorado, Connecticut, Montana, Nebraska, New Hampshire, New Jersey, Minnesota, Maryland, Delaware, Oregon, and Texas. Enforcement nuance varies by state — but the trend is clear. A marketing list used nationally should check GPC status against applicable state laws, not just California.


Consent doesn't last forever. These are the events that invalidate previously valid consent and must be reflected in your marketing CSV:

Unsubscribe: Any unsubscribe action — clicking the unsubscribe link in an email, requesting removal by reply, completing a webform — must be processed immediately and reflected in the CSV. Sending a campaign to a known unsubscribe is a CAN-SPAM violation (US), a GDPR violation (EU), and a CASL violation (Canada) simultaneously.

GPC signal (California): A GPC signal from a California resident must be treated as an opt-out of sale and sharing. This doesn't necessarily suppress all email — it suppresses data sharing and targeted advertising. Know what your campaigns involve and suppress accordingly.

Right to erasure (GDPR Article 17): A valid erasure request removes the contact from all marketing lists. The contact must not only be unsubscribed but deleted from the database. Keeping a "suppressed" record for suppression management is acceptable (under legitimate interest to prevent re-subscribing them accidentally) — but this record should contain only the minimum needed for that purpose.

Consent withdrawal (GDPR Article 7(3)): Under GDPR, data subjects have the right to withdraw consent at any time — and withdrawal must be as easy as giving consent. If a contact withdraws, all processing based on consent must stop immediately. If you have no alternative lawful basis, remove them from all lists.

Purpose limitation: Consent given for one purpose (receiving product updates) doesn't transfer to a new purpose (being added to a remarketing audience). New purpose = new consent required, or alternative lawful basis.


A suppression list is a record of contacts who must not be included in future campaigns — regardless of how they appear in new data sources.

The typical problem:

❌ SUPPRESSION LIST FAILURE:
January: Contact opts out of email list.
February: Marketing team purchases a new contact list from data broker.
          The contact appears in the purchased list.
March: Marketing team imports purchased list into CRM.
       CRM deduplication doesn't match on all email variants.
April: Contact receives campaign email.

This is a GDPR violation (consent withdrawn, no alternative basis)
and CAN-SPAM violation (unsubscribe not honored).
Both carry fines.

Before any new list import, suppress against:

  • Your master unsubscribe list
  • Any GDPR erasure records (email hash is sufficient if the email has been deleted)
  • Your GPC opt-out registry (for California contacts)
  • Any existing contacts in your CRM who have opted out

Many email marketing platforms maintain internal suppression lists — but these only work if the new import goes through the platform's deduplication. Direct database imports, CSV uploads to CRMs, and multi-system environments frequently bypass suppression lists entirely.

The suppression-before-upload workflow:

Before uploading any new contact list to any platform:

  1. Export your master suppression list (unsubscribes, erasure records, GPC opt-outs)
  2. Run deduplication between the new list and the suppression list locally
  3. Remove all matches from the new list
  4. Upload only the clean, suppressed list

SplitForge Data Cleaner removes matching rows between two CSV files locally — the new contact list never gets uploaded containing suppressed contacts.
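
An added example, not part of the original post or SplitForge's tooling: steps 2 and 3 of the workflow above in Python, run over constructed lists. The normalization rules (trim, lowercase, drop a `+tag`), the keyed hash used for erasure records and every name below are assumptions chosen for illustration.

```python
import csv
import hashlib
import hmac
import io

# Constructed placeholder key; in practice a secret stored apart from the data.
ERASURE_KEY = b"constructed-demo-key"


def normalize_email(raw):
    """Canonical form used only for matching: trim, lowercase, drop any +tag."""
    addr = (raw or "").strip().lower()
    local, sep, domain = addr.rpartition("@")
    local = local.split("+", 1)[0]
    if not (sep and local and domain):
        return ""  # not an address; the caller holds the row back
    return local + "@" + domain


def erasure_token(email, key=ERASURE_KEY):
    """Keyed hash kept in place of an erased address. A plain SHA-256 of an
    email can be reversed by hashing candidate addresses, hence the key."""
    msg = normalize_email(email).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def suppress(new_list_csv, unsubscribes, gpc_optouts, erasure_tokens, key=ERASURE_KEY):
    """Return (clean_rows, removed) where removed is [(original_email, source)]."""
    sources = {}
    for name, emails in (("gpc_registry", gpc_optouts),
                         ("unsubscribe_list", unsubscribes)):
        for e in emails:
            sources[normalize_email(e)] = name
    clean, removed = [], []
    for row in csv.DictReader(io.StringIO(new_list_csv)):
        addr = normalize_email(row.get("email"))
        if not addr:
            # Cannot be checked against any suppression source: do not upload.
            removed.append((row.get("email"), "invalid_email"))
        elif addr in sources:
            removed.append((row["email"], sources[addr]))
        elif erasure_token(addr, key) in erasure_tokens:
            removed.append((row["email"], "erasure_record"))
        else:
            clean.append(row)
    return clean, removed


# Constructed inputs: a purchased list with the address variants that slip past
# exact-match deduplication, plus three suppression sources.
NEW_LIST = """\
email,first_name
alice@example.com,Alice
 Carol@Example.COM ,Carol
bob+spring@example.com,Bob
dana@example.com,Dana
not-an-address,Eve
"""
UNSUBSCRIBES = ["carol@example.com"]
GPC_OPTOUTS = ["Bob@example.com"]
ERASURE_TOKENS = {erasure_token("dana@example.com")}  # the address itself was deleted

if __name__ == "__main__":
    clean, removed = suppress(NEW_LIST, UNSUBSCRIBES, GPC_OPTOUTS, ERASURE_TOKENS)
    print("upload:", [r["email"] for r in clean])
    for email, source in removed:
        print(f"removed {email!r}: {source}")
```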


When importing contacts into a CRM from a CSV, consent data must travel with the contact. A contact without a consent record in the CRM is a compliance gap.

Required fields in any CRM import involving consent-based contacts:

Minimum consent fields for CRM import:
email, first_name, last_name,
consent_email (boolean),
consent_date (YYYY-MM-DD),
consent_method (web_form / double_optIn / phone / event),
consent_scope (email_marketing / data_sharing / both),
gpc_optout (boolean, California contacts),
unsubscribed (boolean),
lawful_basis (consent / legitimate_interest / contract)

CRM-specific consent considerations:

  • Salesforce: Consent fields should be mapped to standard or custom Contact fields. Salesforce's Einstein features may use contact data for scoring — if this constitutes automated processing for significant decisions, GDPR Article 22 considerations apply.
  • HubSpot: HubSpot has built-in subscription management — use it. But suppression in HubSpot doesn't automatically suppress in connected apps (Salesforce sync, LinkedIn matching, etc.).
  • Zoho: Consent tracking requires custom fields if not using Zoho's built-in GDPR tools. Ensure consent fields are populated in the import.

Many CRM import tools process the full contact CSV on cloud servers before displaying the field mapping screen. If your CSV contains consent fields alongside the contact data, that entire CSV — including sensitive consent history — is uploaded before you've mapped anything. Preparing and minimizing the file locally before upload means the CRM only receives what you've decided to give it.

For the GDPR-specific angle on CRM import minimization, see our GDPR-compliant CRM import guide.

For a complete overview of privacy frameworks, see our privacy-first data processing guide.


Short. Non-negotiable. Reference before any marketing campaign or list import.

  • No consent record = no campaign — "we think they consented" is not evidence of consent
  • GPC opt-outs must be in your marketing CSV — not just in your web analytics
  • Suppression must happen before upload — not after the platform deduplicates
  • Consent for one purpose doesn't transfer to a new purpose — new purpose = new consent
  • A contact who unsubscribed from one list is not re-subscribed by being on a new list
  • Twelve US states now require GPC signal recognition — not just California
  • Visible opt-out confirmation is now mandatory in California — silent processing is not sufficient


Disclaimer: This post is for informational purposes only and does not constitute legal advice. Consent obligations depend on your specific data types, processing activities, and jurisdiction. Consult qualified legal counsel before drawing compliance conclusions.


FAQ

GPC under CCPA applies to the "sale or sharing" of personal information — which includes sharing with third parties for cross-context behavioral advertising. If you share contact data with ad platforms for targeting (even without a financial transaction), GPC opt-outs apply regardless of your GDPR lawful basis. CCPA and GDPR are separate frameworks with separate obligations. Your GDPR legitimate interest basis doesn't override CCPA opt-out requirements for California residents.

GDPR doesn't specify an expiry period for consent. However, consent that was given a long time ago for a specific purpose may become invalid if: the processing has expanded beyond the original scope; the contact has had no engagement with the organization for an extended period (making the consent arguably stale); or the consent predates GDPR and wasn't refreshed to GDPR standards. As a practical guideline, many organizations re-confirm consent from inactive contacts after 24–36 months of non-engagement.

Re-engagement campaigns are legally complex. Under GDPR, you need either consent or legitimate interest to email a contact. For someone with no documented consent, legitimate interest might support a single re-permission email asking them to confirm their preferences — but this is debated. "Soft opt-in" (existing customer relationship) may apply for contacts who purchased from you recently. Sending standard marketing campaigns to non-consented contacts in the EU is not a permissible approach.

Direct email marketing to purchased lists is high-risk under GDPR. The contacts on a purchased list consented (if at all) to a third party's terms — not to yours. Using that data for your own marketing requires either: the list provider demonstrating that explicit consent for marketing by parties like you was obtained, or legitimate interest — which is very difficult to justify for contacts who have no prior relationship with you. Many purchased lists are non-compliant to use. Verify the consent basis with the list provider before any use.

An unsubscribe is an opt-out of a specific channel or list — typically email. A GDPR withdrawal of consent is broader: it withdraws the lawful basis for all processing based on that consent. If consent was your only basis for holding a contact's email and marketing preferences, withdrawal means you must stop all processing based on consent — not just email. If you have an alternative basis (legitimate interest for a retained customer), you may continue processing for that purpose. The distinction matters when a contact says "remove me" versus "delete all my data."

