Getting GDPR Consent & Opt-in

Email marketing list growth is getting harder with GDPR consent and the forthcoming ePrivacy regulation. But all is not lost: research points the way to getting the best of both worlds. Using the right method, both GDPR consent compliance and continued strong email list growth are possible, as the test results and GDPR consent examples below show.

Article 4(11) of GDPR sets a high bar for opt-in consent. Specifically, it states:

any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;

and goes on to clarify the meaning of clear affirmative action in Recital 25:

…Silence, pre-ticked boxes or inactivity should therefore not constitute consent.

The compliance officer at Communicator, Steve Henderson, puts it like this:

“The GDPR is raising the bar for consent. Marketers must explain more, be more transparent, but keep the language simple and concise. Under the GDPR consent can’t be bundled with any other agreement, can’t be a condition of a service and consent opt-in boxes can’t be pre-ticked.”

This has big implications for email list growth. But before I get into why and how to fix it with some GDPR consent examples, a little background is needed.

GDPR is not alone

Sending email marketing requires compliance with both PECR and GDPR.

These are separate regulations. GDPR is a replacement for the DPA (Data Protection Act) but does not remove PECR. PECR will be replaced with the new EU ePrivacy regulation, but currently that is not expected until 2019.

Soft email opt-in, which is sufficient for marketing permission to customers under PECR (Privacy and Electronic Communications Regulations), is not sufficient for GDPR consent. The current draft of the new ePrivacy regulation does give limited provision for email marketing to be sent to existing customers. More on that later.

In summary

  • GDPR is replacing DPA
  • ePrivacy is replacing PECR (likely in 2019)
  • Old world: compliance means meeting the needs of both PECR and DPA.
  • New world (25th May 2018): compliance means meeting the needs of both PECR and GDPR.
  • Future world (2019?): compliance means meeting the needs of both ePrivacy and GDPR.

Think of it as you need permission for marketing (PECR/ePrivacy regulation) and a legal basis to process personal data (GDPR).

In the new world soft email opt-in may be sufficient for PECR, but a legal basis is still needed for GDPR. As soft opt-in does not meet the standard needed for GDPR, an alternative is needed. For email marketing the most likely one to consider is legitimate interest. More on that later, but first I’ll deal with getting affirmative consent that meets both PECR and GDPR standards.

A quick side note for B2B: this article is largely aimed at B2C. The GDPR applies to personally identifiable business email addresses, whereas PECR is not applicable to some categories of businesses. So not all of the following information applies to B2B.

One of the best sources of email addresses, for both quality and quantity, is capturing marketing permission from customers during online checkout, or during similar processes such as setting up an account, quote forms and requests for information.

Email opt-in form examples

Many brands use a pre-ticked box to gain consent, for the simple reason that it captures permission from more customers than a box that must be proactively ticked. Here are just a few form examples.

Virgin Giving making a charity donation

Email opt-in example

ASDA account creation form

ASDA Create Account Optout Consent example

Lancome checkout opt-in form

Lancome checkout email consent optout

These will not cut the mustard come May 2018. Silent or soft opt-in is not acceptable for GDPR consent. To continue using soft opt-in for customers, and for email addresses provided during negotiation of a sale, means considering legitimate interest rather than consent as the legal GDPR basis.

At first sight the answer to gaining affirmative consent is to change the sense of the box, so that the box is not pre-ticked, and use the sentiment “tick if you wish to receive marketing”, with copywriting that provides a clear benefit and makes it persuasive.

Here’s an opt-in example of this approach from Jimmy Choo.

Jimmy Choo Checkout Email Consent example Optin Permission

What will happen to email list growth if silent opt-in becomes a silent opt-out?

The Jimmy Choo copy could be improved to emphasise the benefit: “Please send me special offers and new product emails”.

Persuasive copy is a good start to maximising opt-in under GDPR, but it won’t be enough to reverse the fortunes of list growth. Something more is needed.

Because people tend to accept defaults as a recommendation, effectively choosing not to choose, switching to boxes that need to be ticked will radically reduce list growth.

In Sunstein’s 2015 book ‘Choosing Not to Choose: Understanding the Value of Choice’ he documents many instances where switching the sense of defaults has had dramatic effects. Rutgers University changed the default print settings from printing on a single side to printing on front and back.

The result? In the first 3 years paper usage reduced by 44% saving over 55 million sheets and 4,650 trees. People just stuck with the default.

Or the example in the USA of company pension plans being changed to enrol people by default. The number of people with a retirement plan increased by 30 percentage points.

It’s because of how our brains work.

The study by Stephen Fleming, ‘Overcoming Status Quo Bias in the Human Brain’, used fMRI brain scans. The finding was that as options become harder to evaluate, people are more likely to stay with the default choice: the do-nothing choice.

Actively choosing not only requires more thought, but people shy away from taking the responsibility of making a choice and the risk of regret – “I wish I hadn’t signed up to that brand”.

Opt-in consent example test results

Eric Johnson’s study “Defaults, Framing, Privacy: Why Opting In-Opting Out” tested the results of offering opt in and out.

In the study four different ways of getting permission were tested. Here are the results.

Opt-in test results

The percent participating column means the proportion of people giving permission.

The worrying, and not unexpected, result is that silent opt-in, (2) and (3), captures substantially more permission than when the sense is reversed in (1) and (4).

In the case of (1) and (2), both using unchecked boxes, simply changing the message sense from ‘notify’ to ‘do not notify’ halved the rate at which consent was gained.

The obvious implication is that getting valid GDPR consent will halve list growth.

Doing more to sell the reason to opt-in will help reduce the impact.

  • Provide visual focus. Whilst pre-ticked opt-ins are often in a small font, in light colours and placed so they are easily overlooked, do the opposite. Use large fonts, and draw people’s attention to the option with icons, arrows or other elements that attract and guide the eye.
  • Use benefit-based language. Rather than focusing on function (‘notify me’), spell out the benefit of getting the notifications.

But there is something better to get GDPR consent and opt-in

Don’t provide any default option, so the customer must make a conscious choice. In the same way people currently sleepwalk into being opted in, in the new world they may well sleepwalk into being opted out.

Don’t provide a single tick box, provide both a yes and no choice, with neither pre-checked.

Johnson’s study also considered exactly this option with the results below.

Opt-in and opt-out test with no default choice

Encouragingly, the result for (5), the version with a yes and a no option, neither of which was pre-selected, was that 88.5% gave permission. In version (5) the customer had to answer to complete the form; continuing with neither selected was not an option.

The result for (5) is only fractionally behind the silent opt-in default of (6). That implies GDPR-compliant consent can be gained with the same amount of success as silent opt-in.

There are more potential benefits to going the route of no default choice.

In the study by Jeffrey Brown “The Downside of Defaults” he makes the point that a passive choice will, almost by definition, decrease people’s feelings of identification with the outcome.

When people make an active choice the outcome is authentically theirs. Remember that commitment and consistency is one of Cialdini’s six principles.

This has behavioural consequences: an active choice to opt in is likely to give a more engaged subscriber than a default opted-in subscriber. Even if the same person would have been very happy to be opted in by default, letting them decide makes them more engaged!

Sainsbury’s have adopted this approach as part of their account registration.

Sainsburys account compliant GDPR consent

So do Readers Digest in their checkout process.

GDPR consent marketing opt-in example

Requiring people to make a yes / no choice has also been used in popups, providing further evidence validating this method.

In the popup example below from Copy Hackers, they note that adding this yes / no popup to their website brought in 4x as many subscribers from this one popup as all other list growth activity across the site combined.

Popup example using yes no options

Copy Hackers make the point that this approach means people understand the no choice more clearly. The negative consequence makes them consider more carefully, as opposed to the painless click on an innocent-looking ‘X’ to exit a popup.

Though they advise you don’t have to be, nor should be, mean or rude with the no choice. Rather than “I’m too foolish to want discounts”, it’s more appropriate to say “No, I’m not into discounts”.

Checklist for getting consent on opt-in forms

The ICO have published an at-a-glance checklist of items to consider on the opt-in form and signup process. The checklist includes the following items.

  • We have checked that consent is the most appropriate lawful basis for processing.
  • We have made the request for consent prominent and separate from our terms and conditions.
  • We ask people to positively opt in.
  • We don’t use pre-ticked boxes or any other type of default consent.
  • We use clear, plain language that is easy to understand.
  • We specify why we want the data and what we’re going to do with it.
  • We give individual (‘granular’) options to consent separately to different purposes and types of processing.
  • We name our organisation and any third party controllers who will be relying on the consent.
  • We tell individuals they can withdraw their consent.
  • We ensure that individuals can refuse to consent without detriment.
  • We avoid making consent a precondition of a service.
  • If we offer online services directly to children, we only seek consent if we have age-verification measures (and parental-consent measures for younger children) in place.
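As an added illustration (not code from the article, the ICO or any of the brands shown), the snippet below models the two points made above in JavaScript: a consent question configured with an explicit yes and no and no default, a submission check that refuses to continue until every question is answered while still accepting “no” everywhere, and a record of what wording the customer saw and what they chose. It also audits the weak configurations discussed earlier (a pre-ticked box, and a single unticked box with no explicit “no”). The field names, wording, record fields and sample values are all constructed assumptions.

```javascript
// Added example: modelling "no default, explicit yes/no" consent questions.
// Field names, wording and record fields are assumptions, not any brand's code.

// Constructed consent questions as they might be configured on a checkout form.
// Each purpose gets its own question (the ICO's "granular" options).
const consentQuestions = [
  {
    id: "offers_email",
    purpose: "Email about special offers",
    wording: "Would you like us to email you special offers?",
    options: ["yes", "no"],
    defaultValue: null, // no pre-selection: the customer must choose
  },
  {
    id: "new_products_email",
    purpose: "Email about new products",
    wording: "Would you like to hear about new products by email?",
    options: ["yes", "no"],
    defaultValue: null,
  },
];

// The two weaker designs from the article, for comparison in the audit.
const preTickedQuestion = {
  id: "marketing",
  purpose: "Marketing email",
  wording: "Send me marketing emails",
  options: ["yes"],
  defaultValue: "yes", // pre-ticked box: silence counts as consent here
};
const singleUntickedQuestion = {
  id: "marketing",
  purpose: "Marketing email",
  wording: "Tick if you wish to receive marketing",
  options: ["yes"],
  defaultValue: null, // not pre-ticked, but doing nothing is a silent opt-out
};

// Audit a question's configuration: no default value, and both a yes and a no.
function auditQuestion(q) {
  const problems = [];
  if (q.defaultValue !== null && q.defaultValue !== undefined) {
    problems.push(`${q.id}: has a default value "${q.defaultValue}"; a pre-selected answer is not consent`);
  }
  if (!q.options.includes("yes") || !q.options.includes("no")) {
    problems.push(`${q.id}: must offer both a yes and a no choice so the customer decides`);
  }
  return problems;
}

// Validate a submission: every question needs an explicit, recognised answer.
// Answering "no" to everything is valid, so refusing consent never blocks the form.
function validateSubmission(questions, answers) {
  const errors = [];
  for (const q of questions) {
    const a = answers[q.id];
    if (a === undefined || a === null || a === "") {
      errors.push(`${q.id}: please choose yes or no to continue`);
    } else if (!q.options.includes(a)) {
      errors.push(`${q.id}: unexpected value "${a}"`);
    }
  }
  return { ok: errors.length === 0, errors };
}

// Build the record kept as evidence: who the controller is, what wording was
// shown, what was chosen for each purpose, when, where, and how to withdraw.
function buildConsentRecord(questions, answers, ctx) {
  const result = validateSubmission(questions, answers);
  if (!result.ok) {
    throw new Error(`cannot record consent: ${result.errors.join("; ")}`);
  }
  return {
    controller: ctx.controller,
    subject: ctx.email,
    capturedAt: ctx.now,
    source: ctx.source,
    purposes: questions.map((q) => ({
      purpose: q.purpose,
      wordingShown: q.wording,
      consented: answers[q.id] === "yes",
    })),
    withdrawal: "Unsubscribe link in every email, or contact us",
  };
}

// Stand-alone demo with constructed inputs.
function demo() {
  console.log("pre-ticked box:", auditQuestion(preTickedQuestion));
  console.log("single unticked box:", auditQuestion(singleUntickedQuestion));
  console.log("yes/no, no default:", auditQuestion(consentQuestions[0]));
  console.log("half-answered form:", validateSubmission(consentQuestions, { offers_email: "yes" }));
  const record = buildConsentRecord(
    consentQuestions,
    { offers_email: "yes", new_products_email: "no" },
    { controller: "Example Shop Ltd", email: "jane@example.com", now: "2018-05-25T09:00:00Z", source: "checkout" }
  );
  console.log(JSON.stringify(record, null, 2));
  return record;
}

if (typeof require !== "undefined" && require.main === module) demo();
```

The audit is the part worth wiring into a form build or release check: the pre-ticked box fails on two counts, the single unticked box fails on one (it has no explicit “no”, so silence decides), and only the yes/no question with no default passes. The record keeps the wording shown at the time, which is what you would need to produce if asked to demonstrate that consent was informed.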

Is consent a must under GDPR?

Using consent as the legal grounds for data processing is just one of the options available under GDPR compliance. There are seven different options, and brands can decide which is most appropriate.

You may have read about legitimate interest. This is a very helpful approach for brands to consider when deciding if they need GDPR consent as their legal basis to store and process data. For paying customers with whom there is a clear relationship, legitimate interest may suffice. But that’s just the GDPR hurdle; remember you need PECR/ePrivacy compliance too.

A very good guide to the use of legitimate interest is available from the Data Protection Network. A key part of it is carrying out a balancing test.

Legitimate interest leaves some question marks:

  • How long someone remains a customer. A month from their last purchase, a year, longer? For exactly how long can you store and process their data?
  • The use of legitimate interest is ultimately subjective. There is the risk that your view is not the view of the law enforcers.

The attraction of affirmative consent is its clear-cut nature. If the consent was freely given and informed, you are on safe ground for both PECR and GDPR.

Steve Henderson recommends that “If you email customers under soft opt-in, you should use every touchpoint to upgrade to consent while they are active customers”. Without doing this you are at risk of losing the ability to store and process data for lapsing customers.

And for prospects rather than customers there seems to be little alternative to consent gained through a positive action, i.e. valid GDPR consent.

Using the no-default-choice approach to getting consent is also appropriate for marketing to people in Canada, as CASL requires explicit consent. As with GDPR, silent opt-in can’t be used to get CASL explicit consent.

Currently the CAN-SPAM regulation in the USA means an opt-out basis is acceptable. The EU has required opt-in permission since 2003, in contrast to the USA. Email marketing is just as effective on both sides of the Atlantic. It will be interesting to see if the ‘no default’ basis for gaining consent becomes more common in the USA as brands unify their approach, or find that it’s simply a better method.

GDPR is more than getting consent

Using the above approach should give good results and be GDPR compliant in terms of consent capture. There are several more aspects to GDPR, such as deletion of data and record keeping. Make sure you get all the GDPR boxes ticked. The DMA have published many helpful articles, and the ICO have published guides and a self-assessment toolkit.

Next year should see PECR replaced with ePrivacy. This has been written to work alongside GDPR, which means (hopefully) no further big changes. The current PECR notion of soft opt-in for permission to send marketing changes to ‘existing customer relationship’. There is a possible difference here, as PECR soft opt-in can apply during negotiation for a sale, whereas ‘existing customer relationship’ appears to exclude prospects in negotiation for a sale. Keep an eye out over the coming months and I’ll publish any helpful advice as it becomes clear.