Email Marketing & GDPR: What Actions are Acceptable to Gain Consent?

Last Updated: 

March 13, 2023

Want to Close Bigger Deals?

In recent times, when there was an increased need for social distancing and cost-cutting, many businesses and brands experimented with email marketing for maintaining continuity and generating sales. At the same time, many businesses ended up paying penalties and facing legal issues because they could not maintain compliance with the GDPR. Since most businesses are still not aware of the various nuances of the GDPR and how they apply to email marketing, the demand for data protection services has been rising.

If you too are interested in understanding the GDPR and how it affects email marketing activities, you have come to the right page! In this article, we'll share with you what actions are considered acceptable when it comes to gaining consent for email marketing. But before we dive in, let's have a look at what marketing consent is and why it's important to obtain consent from your email recipients before sending them marketing communication.

Marketing consent and GDPR compliance

The UK GDPR act requires businesses to share the lawful basis through which they operate their marketing activities, including their email marketing activity. The two options when it comes to selecting a lawful basis for marketing activities are “valid consent” and “legitimate interest”. Businesses, in most cases, especially B2C businesses, need to specify “valid consent” as the chosen lawful basis for all their marketing activity. In other cases, “legitimate interest” can be used in place of valid consent. Having said this, keep in mind that if you are an email marketer and planning to send an email blast to your list of potential customers without recording their consent, it can get you in trouble with the law enforcement agencies and the Information Commissioner’s Office (ICO). Now that you understand the importance of gaining valid consent from your prospects before sending them marketing communication via email, let's have a look at what are some acceptable ways to gain consent, as per the GDPR.

What Actions are Acceptable to Gain Consent?

There are multiple regulations for data protection and data privacy that apply to organisations in the UK, and this includes the Privacy and Electronic Communications Regulations (PECR) and the UK Data Protection Act, apart from the UK GDPR. In order to comply with these regulations, you not only need to obtain consent from your data subjects before sending them marketing communication, but also ensure that it's considered valid consent as per these regulations. Below are some points to clarify what's meant by valid consent:

  • Consent should be provided freely by the users without forcing them to opt-in or making the opt-in a precondition for them to gain access to your products or services
  • The users should know exactly what they are consenting to and what they are agreeing to receive in the form of marketing communication in the future (and how frequently)
  • The users should have the option to withdraw their consent in a hassle-free manner, if they wish to stop receiving marketing communication from your end, at any point
  • The concern should not be bundled with any other clauses, terms or conditions and should be related to a single clause at a time
  • The users should take affirmative action on their part and the opt-in form should not have any checkboxes or fields that are prefilled

If the consent you have obtained fails to meet any of the above-mentioned criteria, it will be considered invalid, if your marketing activities come under the scrutiny of the Information Commissioner's Office (ICO). Now that you know how to gain consent for sending marketing emails let's have a look at a couple of examples to understand this better.

Example #1:

Email Marketing and GDPR

As you can see, this opt-in form uses a pre-ticked checkbox.Practices like these are a big no-no as per the GDPR, when it comes tocollecting consent for email marketing, because such anopt-in form doesn't allow the users to take affirmative action on their part,in order to confirm their consent.

Example #2:

GDPR Opt-in Box

As shared in the previous section, the opt-in form should request consent for a single specific purpose. However, in this example, there are two different clauses bundled together. You should avoid employing tactics like this, if you are serious about maintaining compliance with the GDPR.

Example #3:

A Further Example of a GDPR Opt-in


This opt-in form would be considered GDPR-compliant because it lets the users take affirmative action independently and tells them the exact purpose for which they are sharing the consent.

Final Thoughts

As a rule of thumb, always gain consent from your list before you start sending out marketing emails, avoid sending irrelevant content to the recipients, consider working with an outsourced DPO, and make sure your emails contain an unsubscribe link for your recipients to withdraw the consent if they would like to. Keep your email marketing list updated and regularly prune it for any recipients who have not been engaging with your emails actively.

People Also Like to Read...