Book a demo!

Book a no obligation demo with one of our email experts. Discover how e-shot™ can help you:

One of our team will call you for a brief chat so we can cater the demo to your specific requirements and show you the relevant tools and features that will deliver you the best results.



5 Things You Need to Know About Consent Under GDPR

26 Feb 2018 by Sadie Burgess

With the General Data Protection Regulation (GDPR), the European Union’s new privacy law, coming into effect on May 25th, 2018, now is the time for email marketers to ensure that their programs are compliant. (Not sure what GDPR is? see our article GDPR in a nutshell.)

One of the main areas of change compared to the current legislation is the way marketers need to collect and store consent. The new regulation requires that brands collect affirmative consent that is “freely given, specific, informed and unambiguous” to be compliant.

The Information Commissioner’s Office of the UK (ICO) has provided a comprehensive guide on consent under GDPR. If you don’t fancy wading through the full 39-page guide just yet, here’s a breakdown of the five most important things you must know about email consent under GDPR

5 Things You Need to Know About Consent Under GDPR

1. Consent requires a positive opt in – you can’t use pre-ticked boxes

For consent to be valid under GDPR a customer must actively confirm their consent, as consent cannot be assumed.  So the positive action of ticking a box is required and a pre-ticked box is not allowed.

Recital 32:
“Silence, pre-ticked boxes or inactivity should not constitute consent.”

2. Keep consent separate from other terms and conditions

Email consent must be freely given—and that’s only the case if a person truly has a choice of whether or not they’d like to subscribe to marketing messages. If subscribing to a newsletter is required in order to download a whitepaper, for example, then that consent is not freely given.

Under GDPR, email consent needs to be separate. Never bundle consent with your terms and conditions, privacy notices, or any of your services, unless email consent is necessary to complete that service.

Article 7(4):
“When assessing whether consent is freely given, utmost account shall be taken of whether… the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”

3. Make it simple for people to withdraw their consent at any time and tell them how

This is an easy one if you are already following the law as offering the option to unsubscribe in each promotional email is already part of the email legal landscape, so you may not need to change much. But it is still the perfect time to review your text to make sure that you are following best practice.

Article 7(3):
“The data subject shall have the right to withdraw his or her consent at any time. (…) It shall be as easy to withdraw as to give consent.”

5 critical things to know about collecting and storing consent under the new GDPR.

Click to tweet

4. Keep evidence of consent - who, when and how

GDPR not only sets the rules for how to collect consent, but also requires companies to keep a record of these consents.

Article 7 (1):
“Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.”

Keeping evidence of consent means that you must be able to provide proof of:
• Who consented
• When they consented
• What they were told at the time of consent
• How they consented (e.g., during checkout, via Facebook form, etc.)
• Whether they have withdrawn consent

5. Check your consent practices and your existing consents

GDPR applies to all existing EU subscribers on your email list regardless of when they gave the consent. If your existing subscribers have given you consent in a way that’s already compliant with GDPR—and if you kept record of those consents—there’s no need for you to re-collect consent from those subscribers. If your existing records don’t meet GDPR requirements, however, you have to take action.

Recital 171:
“Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation.”

Re-permission campaigns are a powerful way to update existing records to ensure GDPR compliant consent, but they do require detailed planning and execution. Remember: If you require an updated consent for GDPR compliance but your subscriber fails to engage with your re-permission campaign, you’ll have to remove them from your mailing list.

If you want to know more about how e-shot™ can help you ensure compliance to GDPR contact our team on 020 3320 8777 or view some of our other GDPR posts for more information.

More like this...

Want to speak to someone about GDPR?

Request a no-obligation GDPR Consultation with one of our email specialists

Tags: GDPR consent

e-shot™ Insights