GDPR and marketing: how to manage consent?

Published on 5 March 2018

The use of personal data in marketing

The GDPR disrupts the habits of marketing departments by imposing new obligations on companies, particularly with regard to consent. There are 5 other legal bases for processing customer or prospect data. However, in marketing, consent will be the rule in most cases.

The idea is simple: individuals need to know what their data are being collected for, in other words, what the company will do with them.

How can we comply with these new requirements in an environment where data represents the very core of business activity?

On the one hand, personal data are aggregated and analysed in order to establish statistics to forecast the needs of other consumers. On the other hand, they stimulate consumers' eagerness to buy, thereby increasing the number of potential customers.

While the objective is to build a solid and massive database to reach as many people as possible, marketing professions will have to rethink their business and implement new practices.

What are the GDPR’s consent requirements?

Articles 4 and 7 of the GDPR largely reflect the requirements of the 1995 Directive but the GDPR goes further by imposing new standards in this area.

  1. Consent must be given by a clear positive act. Silence or lack of action by the data subject does not constitute consent. Similarly, pre-checked boxes (opt-out mechanism) are not considered a clear positive act. Because the information is buried among other text, the user often does not pay attention to it and does not even know what he or she has consented to.

NB: in BtoB relationships, the question of the validity of the opt-out is not yet decided. Business email addresses are personal data. For the time being, the CNIL tolerates the opt-out mechanism provided that the subject of the emailing is related to the recipient’s profession.

  2. Consent must be given for each purpose, in a dissociable manner. The implementation of this requirement involves a review of consent forms, which must present the different uses of the data in a clear and concise manner. Their wording must allow individuals to dissociate the purposes for which they agree to their data being used. For example, for commercial prospecting, the following 2 options must be proposed (in case the data is shared with partners):
  • If you wish to receive our commercial offers, please tick this box
  • If you wish to receive commercial offers from our partners, please tick this box

However, the following statement does not comply with the requirements of the GDPR: “By ticking this box, you agree to receive commercial offers from us and that we share your data with our partners.”

  3. Consent must not be subject to conditions. In other words, the performance of the contract must not depend on consent to receive commercial offers: unless the marketing operation in question is necessary for the performance of the contract, it cannot be made conditional on consent. For example, the following statement does not comply with the requirements of the GDPR: “By accepting our T&Cs, you agree to receive commercial proposals on your mailbox.” Similarly, refusing third-party trackers or cookies must not result in the blocking of the service (provided that they are not necessary to access the service).


  4. It must be possible to prove that consent has been lawfully obtained. The CNIL and the G29 recommend the use of time-stamping by a click or a navigation act to prove this collection. In a simpler way, it can be a signature on a paper or electronic form. The practice of double opt-in, which is more expensive to implement, is also a good solution. It allows the data subject to confirm his or her agreement to receive offers or other solicitations by clicking on a link generated in the confirmation email (after a purchase on the Internet for example). For data acquired before the entry into force of the GDPR, it is not necessary to ask the data subject for his or her consent again if “the manner in which the consent was given complies with the conditions set out in this Regulation”. If it is not possible to prove this, it will indeed be necessary to go through the confirmation phase by the data subjects concerned: all “presumed” consent will have to be renewed.


  5. The data subject must be able to withdraw his or her consent at any time. The essence of marketing operations is to communicate with as many people as possible. But consumers can quickly become annoyed by emails they do not want to receive, which will then have the opposite effect to the one marketers want. The unsubscribe procedure must be simple and efficient. In concrete terms, several options are possible here:
  • Insert an unsubscribe link in an email;
  • Create a dedicated interface to manage people’s rights (withdrawal of consent is one of many);
  • For an application, make this option available in the settings.

In practice, how will this impact marketing operations?

  1. Commercial prospecting

The first step here will be to distinguish between customers and prospects: if the data subject is already a customer of the company, consent is not necessarily required, provided that the commercial offer concerns services or products similar to those already provided.

In a nutshell, the following rules should be followed:

  • For customers:
    • inform the data subject that their email address will be used for prospecting purposes;
    • allow him/her to object to this use at any time.
  • For prospects:
    • insert a checkbox to be ticked by the data subject to receive commercial proposals, or even a confirmation mechanism via a link in an e-mail (double opt-in);
    • avoid pre-checked boxes;
    • avoid ambiguous, opt-out formulations such as: “If you do not wish to receive commercial proposals, tick this box”.

Tip: it might be better to manage your customers and prospects in two different files because the conditions for sending prospecting messages are not the same. The CRM will be reserved for customers and the PRM for prospects.

  2. Contest

To participate in the contest, the data subject must fill out a contact form in which he/she gives a certain number of personal data. In this situation, the participant gives his or her consent to participate in the competition but not always to be solicited later.

In a nutshell, the following rules should be followed:

  • Give the participant the choice of whether or not to receive commercial prospecting offers (e.g.: checkbox)
  • Allow him/her to object to this use at any time

  3. Sponsorship

The company asks a data subject to provide the contact details of a third party who may be interested in a commercial offer, article or online ad. In this situation, personal data of a sponsored data subject who has never given his or her consent are processed.

The CNIL admits this breach of the principle of consent under certain conditions.

In a nutshell, the following rules should be followed:

  • The recipient must be informed of the identity of his/her sponsor;
  • The data of the sponsored data subject can only be used once: to send him/her the offer, article or advertisement suggested by the sponsor;
  • The sponsored data subject’s data can only be kept to send other messages to him/her if proper consent has been obtained.

What are the long-term impacts?

Today’s practice is based on quantity rather than quality: the larger the customer/prospect database, the more targets there are and the higher the conversion rate.

Of all the e-mails sent, a majority is placed in the trash without even having been opened and will only have caused annoyance toward the sending company.

The GDPR forces marketing to rethink and refocus on quality. The challenge will be to move beyond the constraint stage and turn these requirements into a new business strategy in order to generate interest among people who are really interested.

What should be remembered?

  • Always consider the need to obtain consent;
  • Record consents: it must be possible to prove that they have been lawfully collected;
  • Adopt the practice of opt-in: silence, inactivity and the default pre-checked box can no longer be considered as an agreement;
  • The question has not yet been decided for BtoB relations. Ideally, always obtain consent by opt-in;
  • Ensure that the person can easily withdraw consent.