Re-permissioning ideas for GDPR compliance

77 days to go before the General Data Protection Regulation (GDPR) comes into force. Advertisers all over the world will need to make adjustments to their data processing strategies when targeting Europeans. This also applies to many email senders, from whom I therefore expect re-permissioning campaigns.

Permission as the legal basis

For most email advertising, the necessary processing of personal data will be based on a permission (opt-in). However, the work is not done by just obtaining permissions – be it on your website or via a Facebook Lead Ad. Article 7(1) GDPR states clearly that senders

“shall be able to demonstrate that the data subject has consented to processing of his or her personal data”.

To demonstrate permission, one has to keep records about what a person has consented to, including wordings, time, location and exact processes.

Now, what if you haven’t documented this properly for each and every record? “Properly” meaning to be able to show the exact opt-in text, URL, the maybe BCC’ed double opt-in mail in your archive, timestamps, IP addresses, privacy policy and so on for a website opt-in dating back to – say – 2015. If you haven’t got these, then you are probably not using your email list in a GDPR-compliant manner, which can be sanctioned from 25 May.

However, in that case you would not be alone. It is safe to assume that many advertisers around the globe haven’t got their permissions documented for all of their European newsletter recipients. Thus, and in view of the potentially heavy penalties, re-permissioning campaigns – also known as re-opt-in or re-consenting – are to be expected within the next weeks. That is, campaigns that try to obtain a fresh consent that fully complies with the new requirements.

Re-permissioning in Germany

As an aside, I’m from Germany – things like double-opt-in and documentation requirements for permissions are nothing new here. Seven years ago, the Federal Supreme Court ruled that “in order to prove consent, it is necessary for the advertiser to document in full the specific declaration of consent of each individual consumer, which, in the case of an electronically transmitted declaration of consent, presupposes their storage and the possibility of printing at any time” (freely translated). So data protection laws have always been fairly stringent.

I remember that when the German Federal Data Protection Act was reformed from 2009 to 2012, it grew even tougher in some respects, and several advertisers sent re-permissioning campaigns to email recipients in order to secure compliance. As I can imagine many folks looking for examples before 25 May, I thought I’d share a few of them together with some ideas.

(Note that after May 25th, the GDPR cat will bite its tail. Why? Well, asking for permission to send newsletters is considered to be advertising. However, without a legal basis, such as consent (or at least a legitimate interest in the era of the GDPR), an email address must not be used for such purposes. Ouch! Just a year ago, companies like Honda and Flybe had to learn this in the UK; in Germany, this legal observation was made at least five and a half years ago, and it’s still some sort of a battleground in terms of double-opt-in checkmails to this day.)


It goes without saying that a campaign as important as re-permissioning should be thoroughly tested and optimized in advance. That includes spam and phishing filters. The latter trigger an alarm, for example, when a link text contains a URL domain that does not match the one in the underlying hypertext reference URL. This seems to have happened in the above example. Also, the subject line does not indicate that an action is urgently required; it says “Rossmann cleans up”. I personally like the brand, but sadly, I would not be too surprised if only a low percentage re-consented.

Speaking of which: The re-opt-in percentage of course depends on general list hygiene practices. If you have a healthy list, I’d aim for more than 50%. It will be difficult to reach and convince them all. But if you run a well-planned multi-stage campaign, it should be perfectly possible to get at least near that.


The above example uses a more visual approach. The subject line basically says “Confirm the Kabel Deutschland newsletter now” (“Jetzt”<=>”now”). The body copy explicitly refers to data protection: “We are currently cleaning up and updating our newsletter database, because we are very concerned about data protection”.


The third one is even more visual and elaborately designed. The subject line “Important: Be sure to confirm newsletter receipt!” urges the recipient to open the email, with strong keywords upfront. The content refers to the data protection reform that came into force in 2012. It says “New data protection laws came into force in Germany on 1 January 2012. In order to comply with the requirements of these laws, we have adapted the registration and deregistration procedure and data storage with regard to our newsletter”. And the call to action is something like “Re-confirm newsletter receipt for free”.

The picture by the way demonstrates the double-opt-in procedure. This may not have been necessary here, because unlike when entering an address on the webpage, it is already ensured that only the inbox owner can submit the email address to a recipient list. However, it is still the best way to demonstrate that consent has been given in a clear, conscious and unambiguous act, and not by an accidental click or even a bot click (anti-spam crawler for example).


Apart from that, many email advertisers who re-permissioned promoted a newsletter service that would be improved in the near future, and therefore asked users to update their subscriptions:

“You have been subscribed to the newsletter for some time now. We have now improved our service for you. […] We attach great importance to the subject of data protection and therefore require your consent in order for you to continue receiving the newsletter. In order not to contact you unintentionally with emails, we ask you to confirm the receipt of the newsletter once more”.

These three are very similar:

Here’s another one:

“For our list to remain compliant with MailChimp’s policies, we need you to verify your subscription settings and expressly let us know you want to receive our emails. If you take no action, your address will be removed from our list and you won’t receive email from us again. To remain on our list, please confirm your subscription”.

And another one, posted by Jacques in the #Emailgeeks community on Slack:

The subject line was “We need your consent to keep sending you our updates”, and the privacy policy, which is an integral component of the consent, is located here.

Two final tips

One could add more examples. However, just two final notes.

When a re-permissioning campaign is launched, it is important to ensure that all GDPR requirements are now met. For example, consider performing version management for all things that relate to the consent that a user gives you. These can include the consent texts, the confirmation mail as part of a double opt-in, data protection declarations and more. Speaking of privacy policies: Don’t forget that data storage periods, the reasons for the collection of data and the respective legal basis must be specified, as well as the contact information of the data protection officer (if you need one). All in all, one should be able to reconstruct each consent exactly later on: Has the subscription been incentivized and did it not unfairly penalise those who refused consent (permission must be given freely!), what was the form layout and the exact wording (was consent specific and informed?!), what data was collected besides the email address, has the right to withdraw at any time been mentioned etc.
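One way to make each consent reconstructable, as an added example that is not from the original post: every consent text and policy version is stored under its SHA-256 hash, and each consent record pins the hashes of what was actually shown. The class names, field names and sample data are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

class DocumentStore:
    """Content-addressed store for versioned consent texts, policies and opt-in mails."""
    def __init__(self):
        self._by_hash = {}
    def publish(self, kind, version, body):
        digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
        self._by_hash.setdefault(digest, (kind, version, body))
        return digest
    def fetch(self, digest):
        kind, version, body = self._by_hash[digest]
        # Re-hash on read so a text edited after the fact cannot pass as the original.
        if hashlib.sha256(body.encode("utf-8")).hexdigest() != digest:
            raise ValueError("stored document no longer matches its hash")
        return kind, version, body

@dataclass(frozen=True)
class ConsentRecord:
    email: str
    form_url: str
    ip_address: str
    opted_in_at: datetime
    confirmed_at: datetime   # time of the double opt-in click
    document_hashes: tuple   # exact texts shown when consent was given

def reconstruct(record, store):
    """Rebuild what this subscriber saw and agreed to."""
    docs = {}
    for digest in record.document_hashes:
        kind, version, body = store.fetch(digest)
        docs[kind] = {"version": version, "text": body}
    return {"email": record.email, "form_url": record.form_url,
            "ip_address": record.ip_address,
            "opted_in_at": record.opted_in_at.isoformat(),
            "confirmed_at": record.confirmed_at.isoformat(), "documents": docs}

# Constructed sample data: two versions of the opt-in text, one consent given under the first.
store = DocumentStore()
v1 = store.publish("opt_in_text", "2018-03", "Yes, send me the weekly newsletter. I can withdraw at any time.")
p1 = store.publish("privacy_policy", "2018-03", "Policy v1: purposes, legal basis, storage periods, DPO contact.")
v2 = store.publish("opt_in_text", "2018-06", "Yes, send me the newsletter and partner offers.")
record = ConsentRecord("subscriber@example.org", "https://shop.example/newsletter", "203.0.113.7",
                       datetime(2018, 3, 9, 10, 0, tzinfo=timezone.utc),
                       datetime(2018, 3, 9, 10, 4, tzinfo=timezone.utc), (v1, p1))
```

Publishing a later wording leaves earlier records untouched: `reconstruct(record, store)` still returns the 2018-03 text this subscriber confirmed.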

Google for example uses version management to keep track of changes in the privacy policy and to make those transparent:

Finally, consider a cross-channel approach for your re-permissioning efforts. Facebook posts or tweets like “If you have GMAIL, please […] mark us not spam + add us to contacts”, which address deliverability problems, can easily be turned into “If you are subscribed to our newsletter, please resubscribe to update our records for the upcoming GDPR”. Don’t forget print. It might be expensive. But hey, if it is about losing your most valuable subscribers, for whom you have mailing addresses… The channel has become very interesting and accessible through the possibilities of automation and segmentation. At the same time, there is no need for prior consent.

Last but not least, check whether a video on your website makes sense, like in Manchester United’s “Stay United” campaign, which is a perfect example of communicating the what and the why in an easy to understand way:

Check out their privacy policy for details on which data is stored for what reason, and how Manchester UTD deals with children’s consent.

What do you think…

What do you think of the GDPR – just a job creation scheme for lawyers, or a necessary security framework for the digital future? 🙂 Do you have other examples for re-permissioning campaigns?
