Under GDPR, sending marketing emails is considered processing personal data, so you need to make sure you have consent from your users to send marketing emails.

Also see: Studio 24’s practical guide to GDPR

This requires a few changes to how you collect people’s data and what information you need to communicate to users. Depending on your past setup you may choose not to ‘reconfirm’ your email lists, but you may still need to make some simple changes to your online sign-up forms.

Website forms checklist:

  • What you are using data for
  • Consent
  • Granular permissions
  • How long you keep data
  • How to opt-out
  • Link to your privacy policy

What you are using data for

Explain what their information will be used for; simply explaining why you would like to keep in touch is enough.

Consent

You need to provide a ‘clear affirmative action’ for users to sign up to your mailing list.

“This could include ticking a box when visiting an Internet website, choosing technical settings for information society services or by any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data” (Recital 32).

Asking users to click a button or check a box are both positive actions, so both should count as consent. For example, if a web form is only used to sign up to a newsletter and you meet the other requirements of this checklist on the form, then the act of filling the form in and submitting it is OK for consent.

If you have a longer form that combines newsletter signup with a different purpose, for example a contact form, then you need to add a checkbox, which is not ticked by default, to allow users to sign up to your newsletter.

What we need to avoid is inactivity, such as a pre-checked box.

Granular permissions

Under GDPR, permission should be granular and not just all-in.

As an example, Age UK has a very extensive sign-up form; users can fine-tune content to exactly what they want to hear about.

‘My newsletter subscriptions’ offers users choices dedicated to professional learning, updates and general charity supporters. You can choose areas of interest, and the sign-up form allows you to select localised content, so users get updates specifically for their area. You can even choose your overall communication preference (phone, post, email and text messages) from this form.

The above is an example of some very granular permissions and we don’t recommend that everybody does this. This example illustrates how far you can take your sign-up forms though!

How long you keep data

Explain what user information is stored, how it is stored and for how long. This can be within your privacy policy, which should be linked from all web forms that submit personal data.

How to opt-out

Explain the options available to users should they wish to opt out. This might include a direct link to unsubscribe from your marketing emails and contact details should they wish to contact you directly.

Link to your privacy policy

It is good practice to include a link to your privacy policy.

What about consent for enquiry forms or business cards?

If the user is filling out a contact form to receive a quote, call back, advice, more information on your services, etc., then the consent is implied and it is clearly needed to fulfil the user’s request, so you don’t need any other consent apart from their positive action in filling out the form. You cannot, however, sign up users to other marketing communication (e.g. a newsletter) without permission.

It is still best practice to inform users how their data is stored and for how long. Age UK is doing this particularly well:

“We will use the information provided above to contact you in relation to your enquiry. You may contact us at any time to unsubscribe from our communications. For further details on how your data is used and stored, please see our privacy policy.” See this example in the wild.

The same principle applies to business card exchange and similar situations. You are free to contact users if they hand you their business card, but if you then wanted to add these details to your CRM or email list, you would need the users’ explicit permission to store and use their information.

How about my existing customers?

If you want to send essential service announcements to existing customers, it’s fine to do so but a marketing email list is probably not the place to do this (since users can unsubscribe). Try to keep service announcements separate to optional marketing emails.

If you want to send marketing emails to existing customers, there are other options for consent (though clear consent is always best). The Privacy and Electronic Communications Regulations (PECR), the law that regulates marketing emails, states it’s OK to send marketing emails to existing customers and potential customers who enquired about your services. In addition, you should also give the user the opportunity to opt out when you first collect their details (e.g. a contact form) and in every message after that (e.g. unsubscribe links).

Gorvin’s Solicitors blogged about different ways to gain consent for marketing emails for existing customers and why reconfirmation emails are often ineffective.

Reconfirming your email database

If you believe that you may have collected data under slightly questionable circumstances, then it is likely that you’ll need to reconfirm those email addresses. GDPR applies to any data collected prior to the deadline of the 25th May 2018; it is therefore retroactive.

Having said this, reconfirmation emails are not particularly effective, so we don’t really recommend this approach unless you feel you really have to. As Gorvin’s blog post above notes, the majority of small businesses’ email lists are made up of current or prospective clients.

Be honest and ask yourself:

  • Has data been collected without the users’ consent?
  • Are users on your mailing list your current customers?
  • Can you demonstrate how and when you collected your users’ consent?
  • Are your lists purchased from a third party?
  • Have you used confusing wording or pre-checked boxes in the past to coerce people into signing up for your newsletter?

Tools such as MailChimp offer ways to send reconfirmation emails to your users. If you want to reconfirm users you may also want to consider sending more personal emails to important clients, rather than a more generic email to all users.

You should also avoid sending reconfirmation emails to users who have previously unsubscribed or opted out from marketing communication.

It’s hard knowing that you’ll potentially lose a portion of your email subscribers, but on the bright side users who have been signed up to your emails in any of the above ways are not likely to be very engaged and therefore not that valuable to your business.

You’ll come away with a cleaned list, filled with lots of juicy, engaged subscribers who really want to receive your communications. Just watch those open rates soar!

What did we do?

For Studio 24, we redesigned our contact form to keep it simpler and ensure any newsletter signup has clear user consent. We are using MailChimp’s GDPR tools to help communicate privacy to our users on newsletter signup. We audited the mailing list data we had and decided to throw away a subset which we couldn’t clearly prove we had consent for (most of this was very old data). When we moved to MailChimp from another email platform we ensured we imported the suppression list (unsubscribes) to ensure we respect users’ unsubscribes from our old email platform. We’ll continue to email current customers we have relationships with, and will always send clear unsubscribe links in all emails.