<img alt="" src="https://secure.leadforensics.com/107353.png" style="display:none;">

GDPR & Marketing Consent: No Means No

Cheryl Evans

  • 03 Nov

Inbound, GDPR

 Learn what consent for businesses looks like for GDPR

The General Data Protection Regulation (GDPR) has made waves across numerous sectors, and its vibrations will continue to echo around the offices and breakrooms of marketing agencies across the UK.

Given that GDPR will control and govern how businesses use data, the methods businesses use to market themselves are a prime target for the new law.

In essence: consent is the name of the game. So let's have a look at GDPR marketing consent in more detail and understand what it will look like come 25 May 2018.

What is GDPR consent?

Here’s exactly what consent looks like for GDPR. It must be:

  • Freely given, without being forced or with any undue threat of penalisation. If consent is a condition of a subscription, consent must be demonstrable.
  • Relevant to the type of communication in question, and the organisation sending it.
  • Displayed clearly with no room for error - the person needs to know what they are agreeing to
  • Show a positive expression of choice, with a prominent statement signifying agreement. Opting in cannot be inferred by silence, pre-ticked boxes or inactivity.

The official definition of consent

Under the GDPR, consent is:

“Freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (Article 4(11)

Let's break this down into jargon free chunks.


Under the current Data Protection Act 1998, there is some room for ambiguity. Many companies employ 'opt-out' methods of consent or 'catch all' marketing consent. The aim of GDPR is to do away with this ambiguity and many of these techniques of gaining consent will become obselete. As it says on the tin it must now be ambiguous so there has to be a clear 'opt-in' method only.

“Freely given”

Fairly standard, here. It is both unethical and illegal for companies to force, coerce or otherwise acquire consent against an individual’s will.

In fact, the GDPR now clarifies that consent will not be freely given if:

- The data subject has no genuine and free choice or is unable to refuse or withdraw consent without detriment (Recital 42) and/or
- There is a clear imbalance between the data subject and the controller (Recital 43)


Consent must relate to specific processing operations. This means that different methods of contacting the data subject will need their own specific consent, so email will need consent, calls will need consent and they cannot be grouped together under a generic form of consent.


The new legislation clarifies that for consent to be informed, data subjects should understand the extent to which they are consenting, be aware of who the controller is ad the purposes of the relevant processing.

“Right to withdraw”

The subject of your data has the right, and they must be aware of this, to withdraw their consent at any time. They have to be informed of their right to do so at the time of consenting.

Note that it must be as easy to withdraw consent as it is to give. If, in any way, shape, or form it seems too troublesome a task then the subject is likely to not bother.

Make it easy for your subject!

“Formal requirements”

Consent may be in writing, or oral form too. However, we’d recommend you get it in writing to avoid any confusion or miscommunication.

What are some ways you can obtain consent?

There are a few different ways you can ask your customers for consent. The one we’d recommend is to simply ask your customers to tick an opt-in box to confirm they do want to receive marketing messages. You then document the specific channels you intend to use (whether that’s post, email or phone calls).

You can also implement a 'double opt-in' process for all marketing communication, which will allow visitors to confirm that they want to receive communication from your organisation. The visitor simply fills out a form, submits it then replies to an opt-in request email which they can then confirm.

You can also use other methods, such as; clicking an icon, sending an email, subscribing to a service or oral confirmation.

Some things to remember:

- The customer must know, without mistake, that they have consented, and what they consented to - no important details should be hidden with ‘small print’
- Businesses cannot email or text to ask for consent after having been denied, as the message itself is considered a ‘marketing’ message and will be in violation.
- There needs to be an easy, simple way of opting out.

Is there a time limit to consent?

While there is no fixed time limit as to when consent expires, it is best to assume that it does not remain valid forever. Furthermore, a person’s most recent indication of consent is paramount. If, for example, a customer agrees to marketing on three previous occasions but opts out the fourth time, it’s the last decision that counts.

In the grand scheme of things, GDPR considers consent to last ‘for the time being’, which has been interpreted to mean ‘until a time where there could be a significant change in circumstances’.

Will my organisation need to provide proof of consent?

In a word: yes. Your organisation needs to record and display clear proof of consent, complete with date, what exactly has been consented to and who obtained the consent.

In the event of a complaint, or a legal wrangle of any description this evidence will definitely come in handy.


Where GDPR is concerned, ‘consent’ is the word on everyone’s lips. It must be taken seriously, handled with care and utmost professionalism. Ensure that GDPR-relevant training is given throughout your workforce, so that awareness is spread across all departments.

We’ll finish this blog with a brief description of what requirements must be met by consent.

- Unbundled

Consent requests must be separate from other terms and conditions. As such, consent should not be a precondition of signing up to a service unless necessary for that service.

- Active opt-in

Now, pre-ticked opt in boxes are invalid. Instead, use unticked opt-in boxes or similar active opt-in methods.

- Granular

Give granular options to consent separately to different types of processing wherever appropriate.

- Named

Name your organisation and any third parties who will be relying on consent - even precisely defined categories of third party organisations will not be acceptable under the GDPR.

- Documented

Remember to keep records! So you can demonstrate what the individual has consented to. This includes what they were told, and when and how they consented.

- Easy to withdraw

Individuals have the right to withdraw their consent, and doing so must be made as easy as possible.

We hope you found this helpful! Take a look at our GDPR series - it’s full of handy insights for GDPR.

Download your all-in-one toolkit to prepare for the upcoming GDPR changes.

Resources and Insights | Luminate Digital