// GDPR · ARTICLE 7 · CONSENT

Consent for marketing emails.

What “freely given, specific, informed, and unambiguous” actually requires in a signup form. The bar is higher than most growth teams build for — pre-ticked boxes, bundled consents, and consent-as-service-condition all fail.

Applies to: Any firm marketing to EU/EEA residents

The rule.

Article 7 sets the conditions for consent. The companion Article 4(11) defines what consent actually is.

// Regulation (EU) 2016/679 · Article 4(11)

“‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

// Regulation (EU) 2016/679 · Article 7(2)–(4)

“If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters …

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”

The ePrivacy Directive layers on top: for email marketing specifically, prior consent is required (with a narrow soft-opt-in exemption for existing customers receiving similar product communications).

What it requires.

Five operational obligations.

Freely given. Consent has to be a real choice. If the consumer cannot complete signup without consenting to marketing, consent is not freely given.

Specific. Separate consents for separate purposes. One checkbox cannot cover “marketing emails, product analytics, third-party sharing, and SMS” all at once.

Informed. The consumer has to be told what they’re consenting to: frequency of emails, types of content, identity of the controller, and the withdrawal mechanism.

Unambiguous. Active opt-in. Pre-ticked boxes fail. Inferring consent from inaction fails. Browser settings do not constitute consent.

Withdrawable as easily as given. Unsubscribe must be one click, no login required. The withdrawal mechanism has to be at least as easy as the consent mechanism.

Common violations.

// Violation pattern · bundled consent

Signup form: “[Checkbox] I agree to the Terms of Service, Privacy Policy, and to receive marketing emails about products and offers.”

One box covers Terms, Privacy, and marketing. Fails specificity. The marketing consent has to be separable.

// Violation pattern · pre-ticked

Signup form: marketing-consent checkbox is pre-checked by default.

Fails unambiguity. The Planet49 case (CJEU C-673/17) is the definitive authority: a pre-ticked box is not consent.

// Violation pattern · consent-as-condition

“To use [exchange], you must agree to receive marketing communications.”

Service performance conditional on marketing consent. Article 7(4) specifically prohibits this when the marketing consent is not necessary for the service.

// Violation pattern · login-required unsubscribe

Unsubscribe link: “Sign in to manage your preferences.”

Withdrawal harder than giving. Fails Article 7(3) “as easy to withdraw as to give.” The fix: one-click unsubscribe with token-authenticated URL.

How to comply.

// Fix 1 · separate the marketing checkbox

One checkbox for terms acceptance, a separate, unchecked checkbox for marketing consent. If you have multiple marketing channels (email, SMS, push), separate them or consolidate them under a single “product and offers email” checkbox.

// Fix 2 · ship empty

Default state of every marketing-consent checkbox: unchecked. The consumer has to actively tick to consent. This is non-negotiable since Planet49.

// Fix 3 · clear language

Replace “agree to receive communications” with “Send me product updates and offers by email. About 2–4 emails per month. You can unsubscribe with one click.” Informed consent requires specifics.

// Fix 4 · one-click unsubscribe

Every marketing email contains a List-Unsubscribe header (RFC 8058) and a footer unsubscribe link that works in one click, no login, no captcha, no preference centre.
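The token-authenticated one-click unsubscribe described in Fix 4, as an added example that is not code from the original page. The secret, endpoint URL, and function names are assumptions; the `List-Unsubscribe-Post` value and POST body are the ones RFC 8058 specifies.

```python
import base64
import hashlib
import hmac
from email.message import EmailMessage

SECRET = b"constructed-demo-key"                    # assumption: server-side secret, never sent
BASE_URL = "https://mail.example.com/unsubscribe"   # hypothetical endpoint

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(subscriber_id: str, list_id: str) -> str:
    """Bind one subscriber to one list; the MAC replaces the login step."""
    payload = f"{subscriber_id}:{list_id}".encode()  # assumes ids contain no ':'
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return f"{b64u(payload)}.{b64u(mac)}"

def verify_token(token: str):
    """Return (subscriber_id, list_id) if the MAC is valid, else None."""
    try:
        p64, m64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64 + "=" * (-len(p64) % 4))
        mac = base64.urlsafe_b64decode(m64 + "=" * (-len(m64) % 4))
    except ValueError:                               # wrong shape or bad base64
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):       # constant-time comparison
        return None
    subscriber_id, _, list_id = payload.decode().partition(":")
    return subscriber_id, list_id

def add_unsubscribe_headers(msg: EmailMessage, subscriber_id: str, list_id: str) -> str:
    # Both headers are needed for mail clients to offer the one-click button.
    url = f"{BASE_URL}?t={make_token(subscriber_id, list_id)}"
    msg["List-Unsubscribe"] = f"<{url}>"
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    return url

def handle_unsubscribe(method: str, token: str, body: str, suppressed: set) -> int:
    """Header-driven POST path only (footer-link handling not shown); returns HTTP status."""
    if method != "POST" or body.strip() != "List-Unsubscribe=One-Click":
        return 405
    subject = verify_token(token)
    if subject is None:
        return 400
    suppressed.add(subject)                          # withdrawal takes effect with no login
    return 200
```
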

// Fix 5 · audit trail per consent

For every consent, record: timestamp, source form/URL, IP, version of the consent text. If the regulator asks, you can produce the evidentiary record. Most ESPs (Customer.io, Iterable, Klaviyo) support this natively.
