Getting GDPR consent & opt-in

Email marketing list growth is getting harder with GDPR consent and new ePrivacy regulation. But all is not lost: research points the way to getting the best of all worlds. With the right method, both GDPR compliance and continued strong email list growth are possible, as the test results and GDPR opt-in examples below show.

Article 4(11) of GDPR sets a high bar for consent. Specifically, it states:

any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;

and goes on to clarify the meaning of clear affirmative action in Recital 25:

…Silence, pre-ticked boxes or inactivity should therefore not constitute consent.

The compliance officer at Communicator, Steve Henderson, puts it like this:

“The GDPR is raising the bar for consent. Marketers must explain more, be more transparent, but keep the language simple and concise. Under the GDPR consent can’t be bundled with any other agreement, can’t be a condition of a service and consent opt-in boxes can’t be pre-ticked.”

This has big implications for email list growth. But before I get into why and how to fix it, a little background is needed.

GDPR is not alone

To send email marketing requires compliance with both PECR and GDPR.

These are separate and distinct regulations. GDPR is a replacement for the DPA (Data Protection Act) but does not remove PECR. However, it’s now widely anticipated that, at the same time as GDPR, PECR will be replaced with the new EU ePrivacy regulation.

Soft opt-in, which is sufficient for consent under PECR (Privacy and Electronic Communications Regulation), is not sufficient for GDPR consent, although the current draft of the new ePrivacy regulation does give limited provision for email marketing to be sent to existing customers. More on that later.

In summary

  • GDPR is replacing DPA
  • ePrivacy is replacing PECR
  • Old world, compliance means meeting the needs of both PECR and DPA.
  • New world, compliance means meeting the needs of both ePrivacy and GDPR

Think of it as you need permission for marketing (ePrivacy regulation) and a legal basis to process personal data (GDPR).

One of the best sources of email addresses for both quality and quantity is to capture marketing permission from customers during online checkout, or during similar processes such as setting up an account, quote forms and requests for information.

Email opt-in examples

Many brands use a pre-ticked box to gain consent for the simple reason that it captures permission from more customers than using a box that must be proactively ticked. Here are just a few examples.

Virgin Giving making a charity donation

Email opt-in example

ASDA account creation

ASDA Create Account Optout Consent example

Lancome checkout

Lancome checkout email consent optout

These will not cut the mustard come May 2018. Silent or soft opt-in is no longer acceptable for GDPR consent.

At first sight the answer is to change the sense of the box, meaning that the box is not pre-ticked, and use the sentiment “tick if you wish to receive marketing” – albeit with copy writing to provide a clear benefit and make it persuasive.

Here’s an opt-in example of this approach from Jimmy Choo:

Jimmy Choo Checkout Email Consent example Optin Permission

What will happen to email list growth if silent opt-in becomes a silent opt-out?

The Jimmy Choo copy can be improved to emphasize the benefit; “Please send me special offers and new product emails”.

Persuasive copy is a good start to maximising opt-in under GDPR, but it won’t be enough to reverse the fortunes of list growth. Something more is needed.

Because people tend to accept defaults as a recommendation, effectively choosing not to choose, switching to boxes that need to be ticked will radically reduce list growth.

In Sunstein’s 2015 book ‘Choosing Not to Choose: Understanding the Value of Choice’ he documents many instances where switching the sense of defaults has had dramatic effects. Rutgers University changed the default print settings from print on a single page to print on front and back.

The result? In the first 3 years paper usage reduced by 44% saving over 55 million sheets and 4,650 trees. People just stuck with the default.

Or the example in the USA of company pension plans being changed to a default opt-in. The number of people with a retirement plan increased by 30 percentage points.

It’s because of how our brains work.

The study by Stephen Fleming ‘Overcoming Status Quo Bias in the Human Brain’ used fMRI brain scans. The finding was that as options become harder to evaluate people are more likely to stay with a default choice. The do nothing choice.

Actively choosing not only requires more thought, but people shy away from taking the responsibility of making a choice and the risk of regret – “I wish I hadn’t signed up to that brand”.

Opt-in example test results

Eric Johnson’s study “Defaults, Framing, Privacy: Why Opting In-Opting Out” tested the results of offering opt in and out.

In the study four different ways of getting permission were tested. Here are the results.

Opt-in test results

The percent participating column means the number of people giving permission.

The worrying and not unexpected result is that the silent opt-in, (2) and (3), captures substantially more permission than when the sense is reversed in (1) and (4).

In the case of (1) & (2), using unchecked boxes and simply changing the message sense, ‘notify’ to ‘do not notify’, meant the number of times consent is gained is halved.

The obvious implication is that getting valid GDPR consent will halve list growth.

Doing more to sell the reason to opt-in will help reduce the impact.

  • Provide visual focus. Whilst pre-ticked opt-ins are often in small font, with light colours and placed so they are easily overlooked, do the opposite. Use large fonts, draw people’s attention to the option with icons, arrows or other elements that attract and guide the eye.
  • Use benefit-based language. Rather than focusing on function (‘notify me’), give the benefit of getting the notifications.

But there is something better to get GDPR consent and opt-in

Don’t provide any default option, so the customer must make a conscious choice. In the same way people currently sleepwalk into being opted in, in the new world they may well sleepwalk into being opted out.

Don’t provide a single tick box; provide both a yes and a no choice, with neither pre-checked.

Johnson’s study also considered exactly this option with the results below.

Opt-in and opt-out test with no default choice


Encouragingly, the result for (5), the version with a yes and a no option, neither of which was pre-selected, was that 88.5% gave permission. In version (5) the customer had to answer to complete the form; continuing with neither selected was not an option.

The result for (5) is only fractionally behind the silent opt-in default of (6). That implies GDPR compliant consent can be gained with the same amount of success as silent opt-in.

There are more potential benefits to going the route of no default choice.

In the study by Jeffrey Brown “The Downside of Defaults” he makes the point that a passive choice will, almost by definition, decrease people’s feelings of identification with the outcome.

When people make an active choice the outcome is authentically theirs. Remember that commitment and consistency is one of Cialdini’s six principles.

This has behavioural consequences: an active choice to opt in is likely to give a more engaged subscriber than a default opted-in subscriber. Even if the same person was very happy to be default opted-in, letting them decide makes them more engaged!

Sainsbury’s have adopted this approach as part of their account registration.

Sainsburys account compliant GDPR consent

So do Readers Digest in their checkout process.

GDPR consent marketing opt-in example

Requiring people to make a yes / no choice has been used in popups, providing further evidence validating this method.

In the popup example below from Copy Hackers they note that adding this popup, using a yes / no, to their website brought in 4x as many subscribers from this one popup as all other list growth activity across the site combined.

Popup example using yes no options

Copy Hackers make the point that this approach means people understand the no choice more clearly. The negative consequence makes them consider more carefully, as opposed to the no-pain clicking of an innocent-looking ‘X’ to exit a popup.

Though they advise you don’t have to be, or shouldn’t be, mean with the no choice. Rather than “I’m too foolish to want discounts” it’s more appropriate to say “No, I’m not into discounts”.

Is consent a must under GDPR?

Using consent as legal grounds for data processing is just one option available under GDPR compliance. There are seven different options; brands can decide the most appropriate.

You may have read about legitimate interest. This is a very helpful approach for brands to consider when deciding if they need GDPR consent as their legal basis. For paying customers with whom there is a clear relationship, legitimate interest may suffice. But that’s just the GDPR hurdle. You must clear the PECR/ePrivacy hurdle too.

Specifically, the new ePrivacy draft uses the phrase “existing customer relationship”. Contacting customers may be acceptable, even when consent is not given by an affirmative action. However, this leaves a big question mark over how long someone is a customer. A month from their last purchase, a year, longer? Exactly how long do you have permission to market?

The gold standard is one of affirmative consent. A positive action that gives you permission.

Steve Henderson recommends that “If you email customers under soft-opt-in or the new ‘existing customer relationship’, you should use every touchpoint to upgrade to consent while they are active customers”. Without doing this you are at risk of losing permission to contact for lapsing customers.

And for prospects rather than customers there seems to be little alternative to consent using a positive action, that is, valid GDPR consent.

Using the no default choice approach to getting consent is also appropriate for marketing to people in Canada, as the requirement exists for explicit consent in CASL. As with GDPR, silent opt-in can’t be used to get CASL explicit consent.

Currently the CAN-SPAM regulation in the USA means silent opt-in is still perfectly acceptable. The EU has since 2003 required opt-in permission, in contrast to the USA. Email marketing is just as effective on both sides of the Atlantic. It will be interesting to see if no default becomes more common in the USA as brands unify their approach or find that it’s a better method full stop.

GDPR and ePrivacy are more than getting consent

Using the above approach should give good results and be GDPR/EU ePrivacy compliant in terms of consent capture. There are several more aspects to GDPR, such as deletion of data and keeping of records. Make sure you get all the GDPR boxes ticked. The DMA have published many helpful articles and the ICO have published guides and a self-assessment toolkit.

Comments on this entry are closed.

  • Sean Duffy

    Great post Tim, really useful. I’m sure there are other techniques we will start to see as well. This reminds me of an accidental great opt-in strategy from a client years ago where the person signing up would be asked ‘How would you like your email newsletters?’ or similar. Radio options were HTML, Text or None. 80% would select HTML. The client only realised there was an issue after a UX ‘expert’ re-designed the form to fit best practice and net list growth after unsubscribes, bounces and engagement filters went negative.

    • Nice story, thanks Sean. Signing up with a none option is an interesting choice. Agreed, I’m sure there will be innovation in UX for requesting and capturing consent when silent opt-in is no longer a choice.

    • Nicolai Pedersen

      I love that the first thing you do with GDPR is to look for new ways to
      ‘trick’ consumers into giving consent… The entire point is that you
      should not do that…

  • Stuart James Isbister

    As I understand it, soft opt-in WILL be allowed post May 2018 if collected during the course of an order and certain conditions are complied with.

    • You are right, in terms of GDPR legitimate interest may be used as the legal basis rather than consent in some situations. Perhaps that’s what you are thinking? We’re still waiting to understand how ePrivacy affects things, it has a concept of ‘existing customer relationship’ which may allow marketing. But gives rise to the question of when is a buyer no longer a customer.

      Consent via a positive action is very clear cut and I feel the strongest basis you can have to show legal grounds for processing and marketing. Both now and in the future.

  • What I found interesting is that the pre-checked Do Not notify me of more health surveys got more consent than the unchecked Notify me of more health surveys.

    I wonder if people understand the double negative in an unchecked do not notify me.
