GDPR Email Consent: How can my Business Lawfully Process Personal Data for Direct Marketing by email? 

You might already be bored of hearing about this, but here goes, because the more you read about it (from credible sources), the more it all makes sense, and clarity is a good thing!


Under Article 6 of the GDPR, there are six grounds on which a business may be able to process personal data, summarised as follows (with three of them tending to be the most popular for general business):

  1. CONSENT from the Data Subject for processing;
  2. Performance of a CONTRACT where the processing is necessary to perform the contract and the Data Subject is party to the contract, OR the Data Subject requests the processing in order to enter into a contract;
  3. LEGAL OBLIGATION compliance to which the Data Controller is subject;
  4. Protection of the VITAL INTERESTS of the Data Subject or another natural person (emergency);
  5. Performance of a task carried out in the PUBLIC INTEREST or in the exercise of official authority vested in the Data Controller; and
  6. As necessary for the LEGITIMATE INTERESTS of the Data Controller or a third party, unless overridden by the interests, rights and freedoms of the Data Subject.

The two lawful bases that pertain to direct marketing are:

  • Consent; and
  • Legitimate Interests (being a non-consent based ground for data processing);

Let’s look at each in turn…


Consent from a Data Subject provides the Data Controller with permission to process the individual’s personal data for a specific purpose.

Article 4(11) states:

“Consent of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data.”

Recital 32 further states:

“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the Data Subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the Data Subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the Data Subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.”

If we take each of the four essential ingredients in Article 4(11) in turn (freely given, specific, informed and unambiguous), we can look further at what the GDPR says about each, and what it means in practice:

Ingredient of Consent / GDPR References / Key Takeaways

FREELY GIVEN
  GDPR references:
    Article 7(3): withdrawing consent should be as easy as giving it.
    Recital 43: consent is not a valid ground where there is a clear imbalance between the Data Controller and the Data Subject; the Data Subject must have a genuine choice.
    Article 7(4): when assessing whether consent is freely given, utmost account is taken of whether a service or the performance of a contract has been made conditional on consent to processing that is not necessary for that contract.
  Key takeaway:
    Easy to withdraw: tell people they have the right to withdraw their consent at any time, and how to do this.

SPECIFIC
  GDPR references:
    Recital 43: the Data Subject must be informed of all intended purposes at the time of giving consent. If another purpose arises later, additional consent may need to be sought.
  Key takeaway:
    Granular: insert incremental or granular options so that people can consent separately to different methods/ types of processing e.g. email, SMS, post etc.

INFORMED
  GDPR references:
    Recital 39 and Recital 42: inform the Data Subject of the Data Controller’s identity and purpose, and of how the processing may impact them. The Data Controller must be able to demonstrate that the Data Subject consented (Article 7(1)), which in practice means being able to show what they were told before consenting.
  Key takeaway:
    Documented: keep a verifiable record of who consented, when, how, and what wording they were shown.

UNAMBIGUOUS
  GDPR references:
    Recital 32: consent must be given by a positive, affirmative act. Silence, pre-ticked boxes or inactivity do not qualify.
    Article 7(2): if the Data Subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
  Key takeaways:
    Active opt-in: use unticked opt-in boxes or similar active opt-in methods. Pre-ticked opt-in boxes are invalid.
    Unbundled: consent requests must be separate from other Ts and Cs.




ALSO, if the consent is to be relied on by any other party, then consider:

  • Specifically Named: if other parties will rely on the consent to direct market to the Data Subject (e.g. a joint Data Controller), those parties should be named, or at least specific categories of parties should be named (e.g. insurance companies). Naming each party individually is currently under debate, because it is onerous and could hand competitors an advantage if every provider/ affiliate has to be listed; for instance, where an insurance company shares customer data with a local independent surveyor, “surveyors” as a category is more useful than an ever-changing list of individual surveyors. Either way, permission to market on behalf of a third party IS required, and a business must be transparent about who those third parties are at the point of collection. Third party data processors (who carry out services on behalf of the Data Controller and who do not direct market to the Data Subject in their own right) must also be notified to the Data Subject, but for website members/ customers this data processor information can simply be inserted in to the Privacy Notice.



Legitimate Interests is the other option for the processing of Personal Data for direct marketing purposes. Note that the GDPR itself does not differentiate between different methods/ forms of communication e.g. post, telephone, email etc.; the channel-specific rules come from PECR (see below).

Article 6(1)(f) states that:

“processing is necessary for the purposes of the Legitimate Interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of personal data.”

The GDPR acknowledges that direct marketing will often be a ‘legitimate interest’ of a business and therefore consent to direct market is not always required under the GDPR.

Recital 47 states that:

“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

…so it follows that if a business wishes to send electronic marketing (i.e. marketing sent over electronic communication channels such as phone, fax, e-mail and SMS) about a new product to its customer base, it can do so in reliance on Legitimate Interests PROVIDED THAT it also complies with the UK’s Privacy and Electronic Communications Regulations (PECR), which contain supplemental rules governing consent requirements for those channels.

Let’s look at email marketing as this is the most commonly used…

PECR require Opt-In consent for email and SMS marketing to individuals, unless the Soft-Opt-In exception applies, in which case first party e-mail marketing is possible on an Opt-Out basis. Third party e-mail marketing (i.e. marketing someone else’s products or services) still requires Opt-In.

We know that PECR are going through revisions at present, but the bulk of the rules on direct marketing seem to be staying intact. If you are not currently compliant with the existing PECR, which date from 2003, then good luck, as you are 15 years behind! Here is a bit more info…

Basic Rule (PECR): You must not send electronic marketing mail to individuals without specific consent i.e. the prior consent rule.

Exception to Basic Rule: There is a limited exception for your own previous customers, often called the ‘Soft Opt-In’, which has 4 basic criteria that must ALL be satisfied:

  1. Details were obtained in the course of, or in negotiations for*, a sale;
  2. Content relates to similar products and services;
  3. Identity of the Sender is not concealed;
  4. An Opt-out opportunity is provided at the time of data capture AND in every subsequent direct marketing communication.

* note that the “negotiations for” wording at 1 is in the current PECR but it is likely to be removed once the UK has implemented the replacement Regulations planned for 2019.

The Soft Opt-In is an opt-out, and it is a statement rather than a request. Some direct marketing that businesses send out today is indeed sent lawfully because they have satisfied all of the above. Further, there is no need to seek fresh consents, as there was no Opt-In consent in the first place. A business can continue to market to Soft-Opt-In legacy customers on this basis (referred to here as the “Soft-Opt-In Opt-Out”) PROVIDED THAT:

► the Data Subjects know that the business is relying on Legitimate Interests (evidenced by the Soft-Opt-In Opt-Out at the time of data collection in addition to there being active and passive notifications in e.g. the Privacy Notice); and,

► (as standard) the business must continue to provide the option to Opt-Out in every subsequent direct marketing communication sent.

The requirement in the 4th element that the opt-out opportunity is provided at the time of data capture is key, and is the final nail in the coffin for many whose data processing activities would otherwise have passed the Soft-Opt-In Opt-Out test. Such failure in turn means that the business cannot rely on Legitimate Interests under the GDPR to continue to direct market by email.

Which route should you choose to base your direct marketing on going forwards?

Which route you choose may depend on your type of target market, your style and approach to your marketing campaigns as well as your relationship with your customers.

Asking for consent may result in a lower conversion rate, but those who do consent are warm leads, i.e. people who want you to market to them. You may find, however, that cleansing your database in this way results in higher click rates and transaction rates. If you don’t bother cleansing your database, not even to cull those who are inactive, and you always rely on the Soft-Opt-In Opt-Out/ Legitimate Interests route to direct market to existing customers by email, many of the recipients may not actually want to receive direct marketing from you. The former (consent) approach lends itself to more targeted/ quality/ tailored marketing, the latter to more low touch/ generalised marketing.

For consent, you will need to keep verifiable consent records under the GDPR (not a requirement for Legitimate Interests). However, relying on Legitimate Interests is subject to meeting the stringent Soft-Opt-In Opt-Out tests above under PECR for email marketing, and if you are relying on Legitimate Interests under the GDPR you have an obligation to state your reliance and to explain e.g.

“how your right to send them marketing is a Legitimate Interest of your business and why that right overrides their rights as a Data Subject not to receive this marketing material”.

The right and proper place to do this in the world of ecommerce and/ or websites would be in your Privacy Notice/ Statement. As this document is a contractual document, it follows that it will need to be reissued and accepted by the Data Subject concerned. The Data Subject has the right to object, and the business may then have to stop the processing.


There has been quite a bit of discussion around lawful direct marketing to existing customer databases and the different groups that could exist within them. I summarise part of a fine piece written by Mark Roebuck, which states:

  • REVIEW your pool of Data Subjects and look at the proof you have around consent. You may find up to 3 groups:

GROUP 1. Data Subjects where you can prove consent was legal under GDPR terms e.g. an affirmative action was taken and the consent statement was clear in terms of purpose and methods.

GROUP 2. Data Subjects where you have assumed consent (e.g. by having a pre-ticked box etc).

GROUP 3. Data Subjects where consent was refused or withdrawn.


GROUP 1. Good data; warm leads i.e. the Data Subjects should not be surprised by your actions. They chose to hear from you. No re-consenting needed!

GROUP 2. Data is not so good! Honesty was lacking at the outset. Unless a soft-opt-in overrides the dishonesty, then you cannot market post 25th May 2018. You can contact them and inform them that previously you assumed that they wanted marketing and now they must confirm that they do want to remain on your mailing lists in order to continue receiving your offers. When doing this, you should not use any enticements or competitions etc. as this would not be giving them a free choice.

GROUP 3. Bad data; cold leads. You cannot contact these Data Subjects. Remove the data.

I am tempted to add two more groups around the legacy Soft-Opt-In customers discussed above. For the purposes of direct marketing by email, if you have a database in respect of which you never provided a Soft-Opt-In Opt-Out at the time of data capture (which many have omitted to do), the Soft-Opt-In exception will not be applicable. Your position is as good (or as bad) as Group 2 above (but let’s refer to these customers as Group 4 for ease of reference).

Further, where you did provide a Soft-Opt-In Opt-Out at the time of data capture, these customers are more akin to Group 1, insofar as you can lawfully continue to direct market to them on a Soft-Opt-In Opt-Out basis provided that you continue to meet the Soft-Opt-In criteria…but all the same, Legitimate Interests is very different from ‘consent’ (so let’s refer to these customers as Group 5). There are probably more permutations, but these are the main ones I am being presented with.
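To make the review above concrete, here is an added example (my own illustration, not code from this article or from the Mark Roebuck or Carl Gottlieb pieces) that triages a marketing database into Groups 1 to 5 and then gates each individual send. The record layout, the Campaign fields and the fictional sample addresses are assumptions constructed for the example; the Group numbers, the four Soft-Opt-In criteria and the “unless a soft-opt-in overrides” rule for Group 2 are those set out above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ConsentRecord:
    """One row of a marketing database.

    The field layout is a constructed assumption for this example, not a
    schema from the article or any real system. Each field maps to a point
    made in the text.
    """
    email: str
    affirmative_opt_in: bool = False            # actively ticked an unticked box (Recital 32)
    pre_ticked: bool = False                    # consent was assumed via a pre-ticked box
    consent_text_version: Optional[str] = None  # wording shown when consent was given (Article 7(1) evidence)
    consented_at: Optional[str] = None          # ISO-8601 timestamp of the affirmative act
    refused: bool = False                       # the Data Subject said no
    withdrawn: bool = False                     # the Data Subject withdrew (Article 7(3))
    obtained_during_sale: bool = False          # Soft-Opt-In criterion 1
    opt_out_offered_at_capture: bool = False    # Soft-Opt-In criterion 4, capture-time half


@dataclass
class Campaign:
    """Per-message facts for the Soft-Opt-In criteria that are judged on every send."""
    similar_products: bool    # criterion 2: similar products/ services to what was sold
    sender_identified: bool   # criterion 3: identity of the sender is not concealed
    has_opt_out_link: bool    # criterion 4: opt-out opportunity in every message


def has_gdpr_consent(rec: ConsentRecord) -> bool:
    """Affirmative, documented, demonstrable consent (Articles 4(11) and 7(1))."""
    return (rec.affirmative_opt_in
            and not rec.pre_ticked
            and rec.consent_text_version is not None
            and rec.consented_at is not None)


def classify(rec: ConsentRecord) -> int:
    """Return the article's Group number (1-5) for a record.

    Order matters: a refusal or withdrawal wins over everything, and an
    existing-customer record is judged on the Soft-Opt-In route before it
    is written off as Group 2 (the "unless a soft-opt-in overrides" point).
    """
    if rec.refused or rec.withdrawn:
        return 3                      # cold: remove the data
    if has_gdpr_consent(rec):
        return 1                      # warm: consent basis, no re-consent needed
    if rec.obtained_during_sale:
        # Legitimate Interests route: only lawful if the opt-out was offered at capture.
        return 5 if rec.opt_out_offered_at_capture else 4
    return 2                          # assumed consent (pre-ticked, or nothing recorded)


def can_send(rec: ConsentRecord, campaign: Campaign) -> bool:
    """Gate one email to one record for a given campaign."""
    group = classify(rec)
    if group == 1:
        # Consent basis: the sender must still be identifiable and withdrawal
        # must be as easy as giving consent (Article 7(3)), so every message
        # carries an opt-out link.
        return campaign.sender_identified and campaign.has_opt_out_link
    if group == 5:
        # Soft-Opt-In Opt-Out: criteria 2, 3 and 4 are re-tested on every send.
        return (campaign.similar_products
                and campaign.sender_identified
                and campaign.has_opt_out_link)
    return False                      # Groups 2, 3 and 4: no lawful basis to email


def triage(records: List[ConsentRecord]) -> Dict[int, List[str]]:
    """Bucket a whole database by Group so the size of each problem is visible."""
    buckets: Dict[int, List[str]] = {g: [] for g in range(1, 6)}
    for rec in records:
        buckets[classify(rec)].append(rec.email)
    return buckets


# Constructed sample database (fictional addresses): one record per Group,
# plus one record with no evidence of anything at all.
SAMPLE_RECORDS = [
    ConsentRecord("a@example.com", affirmative_opt_in=True,
                  consent_text_version="marketing-v2", consented_at="2018-03-01T10:00:00Z"),
    ConsentRecord("b@example.com", pre_ticked=True),
    ConsentRecord("c@example.com", affirmative_opt_in=True, consent_text_version="marketing-v1",
                  consented_at="2016-05-12T09:30:00Z", withdrawn=True),
    ConsentRecord("d@example.com", obtained_during_sale=True),
    ConsentRecord("e@example.com", obtained_during_sale=True, opt_out_offered_at_capture=True),
    ConsentRecord("f@example.com"),
]

if __name__ == "__main__":
    newsletter = Campaign(similar_products=True, sender_identified=True, has_opt_out_link=True)
    for group, emails in triage(SAMPLE_RECORDS).items():
        print(f"Group {group}: {emails}")
    print("may receive newsletter:",
          [rec.email for rec in SAMPLE_RECORDS if can_send(rec, newsletter)])
```

Two design points. First, `classify` only encodes evidence you actually hold: if your database cannot answer “was an opt-out offered at capture?” for a record, the honest value is False, which is exactly how a legacy customer lands in Group 4. Second, Group 5 is not a one-off label: criteria 2 to 4 are re-checked in `can_send` for every campaign, so a cross-sell of unrelated products or a message without an opt-out link is refused even for an otherwise valid Soft-Opt-In customer.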

On a strict interpretation of the law, a business will consequently be unable to lawfully direct market to Group 4 Data Subjects without fresh consents. To actively seek those fresh consents by email would be to serve up further marketing in itself (which would be a breach of PECR along the lines of the Honda case), so a business in this position has two main options:

  1. risk non-compliance; or,
  2. delete the database and allow for nature to take its course by waiting for fresh sign-ups supported by a lawful consent box.

On the risk of non-compliance for seeking fresh consents, people should be reasonable, and one interpretation of the ICO’s guidance is that consent for direct mailing should actually be sought if you don’t have GDPR-standard consent now. Many businesses have extensive mailing lists built up over years and feel justified in seeking more robust consents in order to comply going forwards, e.g. maybe the consents have aged, or they are implementing new consent technology, or they want to convert their valid Soft-Opt-In database in to a consent based database…sounds plausible!?

I recommend a read of a piece written by Carl Gottlieb around this, which inter alia brings the stringent Soft-Opt-In Opt-Out criteria back in to the limelight where they belong: they play a very key role in determining whether the Soft-Opt-In Opt-Out is valid under PECR, and therefore whether Legitimate Interests under the GDPR can be relied upon as a lawful basis for processing for direct marketing purposes:



Review and assess the current state of play i.e. assess whether your email direct marketing was/ is conducted on an Opt-Out basis or, on an Opt-In basis.

Opt-In consent is not always required today, and neither the GDPR nor PECR change this. In fact, the GDPR acknowledges that direct marketing can be carried out on the basis of Legitimate Interests, and the GDPR (and PECR to date) generally do not affect a business’ ability to direct market by email to its Soft-Opt-In legacy customers, provided that it meets the stringent Soft-Opt-In Opt-Out criteria. However, in reality, how many businesses have really provided a timely Soft-Opt-In Opt-Out opportunity at the time of data capture? Not many, I suspect, so in practice these customers will slip in to the not so useful Group 4.

With regards to direct marketing ‘consents’ for email, ironically, those businesses that actually used best practice Opt-In consent tick boxes under the DPA in the past may need to seek fresh consents anyway, because the consents garnered may not meet the GDPR standard, i.e. the consent must have been ‘unambiguous’ and must be ‘demonstrable’ in line with the requirements of Article 7.

The obvious problem with seeking fresh consents is that many customers simply won’t re-consent (and the communication is itself a marketing communication). Many businesses may choose to risk non-compliance with regards to their Group 2 and Group 4 databases rather than lose their valuable marketing database.

Make your choices and implement your strategy without delay.


Let us know if we can help you!

Author: Yvonne Morris



twitter: @CloudLegals


CloudLegal is a tech-enabled legal support consultancy which promises practical commercial and jargon-free advice. We support all company matters, commercial contracts/ Ts & Cs (including software and IT), employment & HR as well as data protection matters. We have various services including: