Alan Ballany
Written by

Are you aware that 'opt-out'-style consent systems is going to become illegal under the new GDPR law? We guide you through the changes coming in May 2018.

There’s a fair chance that a blog about marketing consent is not the most thrilling reading material you’ve come across today. But changes are coming and it’s time to get up to speed with your obligations – which really aren’t as daunting as they first appear.

As of May 2018, a host of data protection guidelines become legally enforceable by the ICO, under the General Data Protection Regulation (GDPR).  Marketing consent currently falls under the Privacy and Electronic Communications Regulations (PECR).  This is currently being reviewed by the EU and will form new legislation called the ePrivacy Regulation (ePR) due to come into effect in May 2018 alongside GDPR. Brexit won’t make a shred of difference – the law will become enforceable before we’ve left and will very likely be integrated into UK law afterwards.

Here’s some quick guidance on how to navigate these new regulations:


The GDPR specifies that customers must ‘opt-in’ to marketing services, usually by a tick-box. This means an individual actively chooses to receive marketing information from you in the future, rather than choose not to.

Here are some of the details that organisations need to follow:

  • If using tick-boxes, the boxes must be un-ticked as default
  • The individual should be allowed to select the different channels (post, phone or e-mail) they would like, or not like, to be communicated with through
  • Individuals should not be required to consent to their data being used in order to receive a product or service
  • If someone declines consent, don’t send them an e-mail asking them to ‘clarify their advertising preferences’

Sending e-mails to determine whether people want to receive marketing without the right consent is still marketing and it is against the law.

Read some real-world examples of potentially problematic approaches to opt-in on eConsultancy.

Privacy notices

Privacy notices communicate all the relevant information a customer needs to know in order to opt-in. You should make it clear to them how you plan to use their information, for how long you intend to keep it, and with whom you plan to share it. It is best practice to summarise this information in plain English at the point consent is requested along with a link to your full privacy policy.

If you make significant changes to your policy you may need to inform your data subjects and seek new consent. Best practice is to inform users in your policy that policy changes may occur at any time.

For a full list of regulations, consult the ICO guide to the GDPR regulations. 

Using it to your advantage

It may seem like these regulations make it next to impossible for organisations and businesses to get access to people’s data for marketing purposes. But there are a few things you can do to increase the uptake of people opting-in.

Being more open and transparent about how you use information is always a good thing. Phrases like ‘are you happy for us to share information with trusted parties’, while perfectly legal, are unlikely to inspire trust from customers. Being bold and honest is the best way. Try: ‘Are you happy for us to share your details with touring theatre companies who are performing at our theatre?’

It’s much more transparent, states exactly what you plan to do with the data and is more likely to garner a positive response.

Main image credit: test test test by Vera (Public Domain 1.0)