GDPR requires that organizations have a lawful basis for processing data. One such basis is consent, which according to the GDPR has to be explicit and freely given. This means that the mechanism for acquiring consent must be unambiguous and involve a clear affirmative action.
While you shouldn’t ask for consent if you’re carrying out a core service or are required by law to process personal data, you should ask for it when you’re offering a non-essential service, like sending marketing emails and newsletters.
Here’s a breakdown of the most important things you must know about email consent under GDPR – with plenty of templates and examples of how to put them into action.
Avoid complex phrasing when explaining reasons for consent: specify why you want the data and what you’re going to do with it in “plain English”. Also, don’t forget to clearly name your organization and any third parties relying on the user’s consent.
Ask users to positively opt-in, because under the GDPR pre-ticked checkboxes (or any other type of consent by default) are not allowed.
While not required by the GDPR, the safest way to handle a mailing list is the double opt-in, a process that includes two steps:
This method of registration is considered best practice in many countries, especially in Germany and elsewhere in the EU.
Checkboxes are necessary when you are trying to get GDPR consent for separate things, but they’re not required where the purpose of the sign-up mechanism is unequivocal.
In a scenario where your site has a pop-up window that invites users to sign up to your newsletter using a clear phrase such as “Subscribe to our newsletter for access to discount vouchers and product updates!”, the affirmative action that the user performs by typing in their email address would be considered valid consent.
Soft opt-in can occur when a user has provided their email address while purchasing a product or service from you.
Under some countries’ laws, you may use the details collected to send future promotional emails without obtaining prior consent if:
Note that this exception does not apply if the user has previously opted out (e.g. by unsubscribing from your newsletter).
Under the GDPR, email consent needs to be separate.
For example, never bundle consent with your terms and conditions: agreeing to terms and conditions and giving consent to various activities (such as subscribing to a newsletter) are not the same thing. Make them easily distinguishable from each other and provide individual opt-ins for consent.
Your forms should allow customers to consent to independent processing operations. Help users to have full control of their consents and permissions by creating an overview of each activity you need.
Users have the right to withdraw their consent at any time and you should clearly tell them where and how to do it without detriment. As a consequence, consent doesn’t have to be a precondition of a service.
Include an option to opt-out from receiving emails in the footer of every promotional email you send. Ideally, users should also have the ability to manage their email preferences from within their account.
A permission reminder is a short paragraph in an email (usually in the footer) that helps recipients remember how you got their email address. It can help reduce spam complaints and unsubscribe requests.
An appropriate permission message is something like: “You are receiving this email because you’re a customer, or signed up via our [source]”.
GDPR not only sets the rules for how to collect consent, but also requires companies to keep a record of these consents. It means that you must be able to provide proof of:
Our Consent Database simplifies the process of making your forms GDPR compliant by helping you to:
With our Consent Database, you can look at each individual subscriber, see when they opted in, and which form they used to do so.
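The double opt-in flow described earlier and the record-keeping requirement above can be combined in one small piece of code. The example below is an added illustration, not code from this page or from the Consent Database product it describes: a hypothetical `ConsentStore` that refuses any sign-up lacking an affirmative action, issues an unguessable confirmation token (only its hash is stored, and it expires), records when and via which form consent was confirmed, and honours withdrawal. All names, the 48-hour token lifetime and the sample form identifiers are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional, Tuple

# Assumed lifetime of an unconfirmed sign-up before the token is discarded.
TOKEN_TTL = timedelta(hours=48)


@dataclass
class ConsentRecord:
    """Evidence of one subscriber's consent (all fields are assumptions)."""
    email: str
    source: str                 # which form the user used, e.g. "newsletter_popup"
    purposes: Tuple[str, ...]   # separate purposes the user ticked
    requested_at: datetime
    token_hash: str             # sha256 of the confirmation token, never the token itself
    expires_at: datetime
    confirmed_at: Optional[datetime] = None
    withdrawn_at: Optional[datetime] = None


class ConsentStore:
    """Hypothetical in-memory double opt-in store; swap the dict for a database."""

    def __init__(self, now: Optional[Callable[[], datetime]] = None):
        self._records: Dict[str, ConsentRecord] = {}
        self._now = now or (lambda: datetime.now(timezone.utc))

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request(self, email: str, source: str, purposes: Tuple[str, ...],
                affirmative_action: bool) -> str:
        """Step one: the user submits the form. Returns the token to email to them."""
        # A pre-ticked box or a silent default is not consent: require the explicit action.
        if not affirmative_action:
            raise ValueError("consent requires a clear affirmative action")
        if not purposes:
            raise ValueError("at least one explicit purpose must be named")
        token = secrets.token_urlsafe(32)  # 256 bits: not guessable by a third party
        now = self._now()
        self._records[email.lower()] = ConsentRecord(
            email=email, source=source, purposes=tuple(purposes),
            requested_at=now, token_hash=self._hash(token),
            expires_at=now + TOKEN_TTL,
        )
        return token

    def confirm(self, email: str, token: str) -> bool:
        """Step two: the user clicks the link in the confirmation email."""
        rec = self._records.get(email.lower())
        if rec is None or rec.withdrawn_at is not None:
            return False
        if self._now() > rec.expires_at:
            return False  # stale link: the user must sign up again
        # Constant-time comparison so timing does not leak the stored hash.
        if not hmac.compare_digest(rec.token_hash, self._hash(token)):
            return False
        rec.confirmed_at = self._now()
        return True

    def withdraw(self, email: str) -> None:
        """Unsubscribe link or account preference page: record the withdrawal, keep the trail."""
        rec = self._records.get(email.lower())
        if rec is not None:
            rec.withdrawn_at = self._now()

    def may_email(self, email: str) -> bool:
        """Only a confirmed, non-withdrawn record permits sending promotional mail."""
        rec = self._records.get(email.lower())
        return rec is not None and rec.confirmed_at is not None and rec.withdrawn_at is None

    def proof(self, email: str) -> Optional[dict]:
        """The record you would produce on request: who, when, via which form, for what."""
        rec = self._records.get(email.lower())
        if rec is None:
            return None
        return {
            "email": rec.email, "source": rec.source, "purposes": list(rec.purposes),
            "requested_at": rec.requested_at.isoformat(),
            "confirmed_at": rec.confirmed_at.isoformat() if rec.confirmed_at else None,
            "withdrawn_at": rec.withdrawn_at.isoformat() if rec.withdrawn_at else None,
        }
```

The confirmation link is what turns a typed-in address into evidence that the mailbox owner agreed; storing only a hash of the token means a leaked database does not let anyone confirm on a user's behalf, and keeping the withdrawn record rather than deleting it preserves the audit trail the text asks for.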