
GDPR Email Consent: How to Collect It the Right Way

Getting email consent right under the GDPR isn’t about adding a checkbox and hoping for the best — it’s about being able to prove, later, that a person genuinely agreed to hear from you. Done well, it protects you legally and builds a list of people who actually want your email, which is the single biggest favor you can do your deliverability. This guide is practical and plain-English. It is not legal advice — for your specific situation, talk to a qualified professional.

A quick note on who this applies to: the GDPR covers people in the EU and EEA regardless of where your business sits. If you email anyone in that region, these rules are in play.

Under the GDPR, consent has to clear a specific bar. Regulators describe valid consent as freely given, specific, informed, and unambiguous, given by a clear affirmative action. Break that down:

  • Freely given — the person has a real choice. You can’t make email marketing consent a condition of buying a product or accessing a service they came for.
  • Specific — consent covers a defined purpose. “Sign up for our newsletter” is specific; “agree to everything” buried in a wall of terms is not.
  • Informed — before they agree, they know who you are and what they’re signing up for.
  • Unambiguous — it’s a deliberate yes. A clear affirmative action, like ticking an unchecked box or clicking a clearly labeled subscribe button.

The practical takeaway: no pre-ticked boxes, no consent bundled into unrelated terms, no silence-equals-yes. The person has to actively opt in.

Opt-in vs. opt-out (and why opt-in wins)

Opt-out — assuming consent until someone unsubscribes — does not meet the GDPR’s affirmative-action standard for marketing email. You need opt-in: the person takes a positive step to join.

There are two flavors:

  • Single opt-in — the person submits the form and they’re on the list.
  • Confirmed (double) opt-in — the person submits the form, then clicks a link in a confirmation email to verify.

The GDPR doesn’t mandate double opt-in by name, but confirmed opt-in is widely treated as a best practice because it does two jobs at once: it strengthens your proof of consent and it filters out typos, fake addresses, and disposable inboxes. That second benefit is pure deliverability gold — you start with a clean, real, engaged list. For the bigger picture on how list quality affects the inbox, see our email deliverability guide.

What a compliant signup form looks like

You don’t need a legal team to get the basics right. A compliant form generally does the following:

  1. Asks for a clear affirmative action. An unchecked, optional checkbox, or an unmistakable “Subscribe” submission where the purpose is obvious.
  2. States who’s collecting the data — your organization’s name.
  3. Explains what they’ll get — e.g., “marketing emails about new products and offers,” not just a vague “updates.”
  4. Links to your privacy policy so the “informed” requirement is met.
  5. Separates marketing consent from other actions. If someone is creating an account or checking out, the marketing opt-in is its own distinct, optional choice — not tied to the purchase.
  6. Makes opting out as easy as opting in. Every email needs a working, one-click-ish unsubscribe, and you must honor it promptly.

If you run e-commerce, watch the bundling trap especially closely: a checkout that auto-subscribes buyers, or hides the opt-in inside “I agree to the terms,” is the classic mistake.

The GDPR puts the burden on you to show consent was given. So record it. For each subscriber, it’s wise to log:

  • Who consented (the email address / identifier),
  • When they consented (timestamp),
  • How — which form or source,
  • What they agreed to — the exact wording shown at the time.

Most reputable email platforms capture this automatically when people subscribe through their hosted forms, which is one practical reason to collect signups through your ESP rather than dumping addresses in manually. Our best email marketing software comparison covers tools that handle consent logging and confirmed opt-in out of the box.
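As an added example (not code from the article, and not any particular ESP's implementation), here is a minimal Python consent store covering both the confirmed opt-in flow described above and the who/when/how/what record: the form handler refuses to treat a missing checkbox as consent, the confirmation link is single-use and time-limited, and the exact consent wording is stored alongside the record. The form field names, the consent text and the 48-hour confirmation window are assumptions.

```python
# Added example: a minimal confirmed (double) opt-in flow with a consent log.
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

CONSENT_TEXT = "Send me marketing emails about new products and offers."  # hypothetical wording; store the exact text shown


@dataclass
class ConsentRecord:
    email: str                  # who
    consent_text: str           # what they agreed to (exact wording shown)
    source: str                 # how (which form / page)
    requested_at: datetime      # when they submitted the form
    confirmed_at: "datetime | None" = None   # when they clicked the link
    withdrawn_at: "datetime | None" = None
    token_hash: str = ""        # only a hash is kept; the raw token goes in the email


class ConsentStore:
    def __init__(self) -> None:
        self.records: dict[str, ConsentRecord] = {}

    def request(self, form: dict, source: str, now: datetime) -> "str | None":
        # The box is unchecked by default, so a missing value means no consent.
        if form.get("marketing_opt_in") != "yes":
            return None
        token = secrets.token_urlsafe(32)
        email = form["email"].strip().lower()
        self.records[email] = ConsentRecord(
            email, CONSENT_TEXT, source, now,
            token_hash=hashlib.sha256(token.encode()).hexdigest())
        return token  # caller puts this in the confirmation link

    def confirm(self, email: str, token: str, now: datetime, max_age=timedelta(hours=48)) -> bool:
        rec = self.records.get(email.lower())
        if rec is None or rec.confirmed_at or now - rec.requested_at > max_age:
            return False
        digest = hashlib.sha256(token.encode()).hexdigest()
        if not secrets.compare_digest(rec.token_hash, digest):
            return False
        rec.confirmed_at, rec.token_hash = now, ""   # link is single-use
        return True

    def unsubscribe(self, email: str, now: datetime) -> None:
        if (rec := self.records.get(email.lower())) is not None:
            rec.withdrawn_at = now

    def may_email(self, email: str) -> bool:
        rec = self.records.get(email.lower())
        return bool(rec and rec.confirmed_at and not rec.withdrawn_at)
```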

  • Pre-ticked boxes. A perennial favorite of regulators — and not valid consent.
  • Buying or scraping lists. Those people never gave you consent. Beyond the legal exposure, cold lists tank your engagement and reputation fast.
  • Treating old consent as forever. Consent can become stale. If a contact hasn’t engaged in a very long time, re-permission campaigns or a sunset policy keep you both compliant and deliverable.
  • Making unsubscribe hard. Hiding the link or requiring a login to leave undermines “freely given” and frustrates people into hitting “spam” instead.
  • One consent for everything. Email, SMS, and profiling are different purposes. Don’t lump them into a single tick.

For how consent fits into your wider compliance picture, see our pillar on GDPR email marketing.

Before you launch a signup form, confirm:

  • Opt-in is an active, affirmative choice (no pre-checked boxes)
  • Marketing consent is separate from purchases or account creation
  • You name your organization and describe what subscribers will receive
  • A privacy policy is linked
  • You record who/when/how/what for every consent
  • Unsubscribe is easy and honored promptly
  • (Recommended) Confirmed opt-in is enabled

FAQ

Does the GDPR require double opt-in? Not by name. The law requires consent to be freely given, specific, informed, and unambiguous. Confirmed (double) opt-in isn’t strictly mandatory, but it’s a strong best practice because it improves both your proof of consent and your list quality.

Are pre-ticked consent boxes allowed? No. Consent must come from a clear affirmative action, and a pre-ticked box doesn’t qualify. The subscriber has to do the ticking.

How long does email consent last? The GDPR doesn’t set a fixed expiry, but consent can grow stale if a contact stops engaging. Many marketers re-confirm or sunset long-inactive subscribers to stay both compliant and deliverable.

Can I email people who bought from me without separate consent? Rules around existing-customer “soft opt-in” vary by country and situation and have specific conditions. Don’t assume — keep marketing consent explicit and separate, and check the rules that apply to your audience.

Consent done right means Vaillant only flies to people who put their hand up and asked for the mail. That’s better for the law, and far better for the inbox.
