By now, you’ve probably received at least one email from a company asking you to confirm that you really do want to receive marketing emails.

These repermissioning campaigns are an attempt to bring consent up to the standard set by the GDPR, ahead of the regulation’s enforcement on 25th May 2018.

In this article, I’m going to look at 15 examples of repermissioning campaigns from brands both big and small. But first, let’s have a bit of background…

(And remember that Econsultancy provides face-to-face GDPR training for marketers, as well as online training, and an excellent Marketer’s Guide to the GDPR)

Do you have to refresh your consents?


Lots of companies will be confident that they already comply with the GDPR. Others, such as in the infamous case of Wetherspoons, have simply decided to delete email data, perhaps fearing non-compliance.

However, lots of companies are repermissioning – those that aren’t confident their consent process is up to the new standard, or don’t have the appropriate records (necessary for the GDPR’s burden of accountability) of who consented, when, where and to what.

A brief note here that consent is, of course, not the only legal basis for processing personal data, but as we’re dealing with marketing communications (which require consent under the PECR) there is no other legal basis to consider (we won’t touch the slightly warmer potato of ‘soft opt-ins’ in this article).

What constitutes consent?

According to the GDPR, consent is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

That phrase ‘clear affirmative action’ is arguably open to interpretation, and there is lots of debate about consent. But the ICO’s guidance is pretty clear – “Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.”

How to refresh consents?

Fairly obviously, do not use email to repermission those who have not given some form of consent already. If individuals have opted out or unsubscribed already, you will likely be in breach of the PECR if you contact them by email again.

It’s worth pointing out that repermissioning doesn’t have to be done with a broad brush. You can take different approaches with different customers, for example you may want to segment your database before undertaking phased repermissioning.

A blog post by automation company Ometria advises segmenting customers for repermissioning along the following lines:

  • Opens emails and regularly buys
  • Opens emails and infrequently buys
  • Opens emails and clicks through to browse items
  • Opens emails – no activity
  • Receives email – no activity
  • No activity after 6 months
  • No activity after 12 months
  • No activity after 18 months

In this article we are mainly dealing with consent for email marketing, but marketers should think about what consents they want to refresh – cookies for example.

The most important things to consider when constructing an email campaign are whether your privacy policy is well written, whether the consent mechanism you choose conforms to the definition of consent in the GDPR, and how to keep a record of these new consents (when, how, what etc.).

On to the examples!

1. ASOS – bold and on-brand

As usual, ASOS’ approach is impressive. The subject line is simple and clear – “The law is changing. Are you set to get your ASOS emails?”

Take a look at the email content below. Lots of things stand out:

  • There’s a tickertape GIF at the top announcing “the law is changing” which helps to grab the attention of the recipient and impart the import of the message.
  • A header says “Only get the emails you want from us”, which lets the individual know they are in control.
  • Funnily enough, the next line says “You’re in control”.
  • There’s then a clear blue button and call to action – “opt me in”.
  • Next the email lets me know what I am already opted in for, a nice touch, with a bit of copy and some icons to make it extra clear.
  • Finally, there are three more calls to action in the footer – again the option to opt in, as well as to opt out and to update your preferences.

repermissioning emails

This email is by no means the only part of ASOS’ comms effort around the GDPR. The retailer also has excellent pages on it website, such as this one on contact changes, as well as its updated privacy policy, featuring video content, clear headlines (in ASOS’ tone of voice), and a concertinaed policy which is easy to digest.

Bravo, ASOS.

2. Money Supermarket – a softer approach

The subject line on Money Supermarket’s repermissioning email reads “[Name], don’t forget to tell us if you still want our money-saving deals and tips”.

So far, so normal. It looks like this is a standard repermission email which will go on to ask the recipient to consent once again.

But a look at the email content below reveals that Money Supermarket is asking those signed up to its emails to “let us know if you’d rather not get these emails from us any more”. The call to action at the bottom is then to “update my preferences”.

Money Supermarket is not seeking consent from recipients of this mail, but giving a chance to check preferences and opt-out.

It could be argued that this approach creates a catch-22 scenario – to opt-out, users have to be somewhat engaged with Money Supermarket emails, but it is the recipients that are not engaged with these emails that are most likely to want to opt out.

I’m not arguing here that Money Supermarket has taken the wrong approach – the brand’s marketers may well be confident that they already comply with the GDPR and are simply taking the opportunity to reconnect with their database and increase their awareness about their contact preferences. Such activity is a good idea.

All this aside, the imagery and copy is nicely done.

money saving expert optin email

3. Nucco Brain – confusing copy

To properly inform a data subject, companies must excel at clear, straightforward language (see the ICO’s guidance on privacy notices). Though the ICO does say that privacy information should conform to house style, that shouldn’t preclude clarity.

In the example below from Nucco Brain, a London-based storytelling studio, the analogy between consent and of a cup of tea is stretched a little too far in my opinion.

The subject line (not captured below) reads “GDPR is coming, and we’d still like to offer you a cup of tea”. Read the full email and it is really is a bit wishy washy. Even the important question of whether recipient still want to receive emails is disguised by analogy – “would you like to keep drinking our cup of tea?”

Whatever you think of this copy, it might not matter too much, as Nucco Brain takes the same approach as Money Supermarket, not asking for people to opt in, but to opt out.

nucco brain optin email

4. PwC – bang on the money

You wouldn’t expect anything less from PwC, but its repermissioning email includes everything that the ICO would want to see. Namely:

  • Description of what marketing emails may include
  • The option to opt out within every marketing email
  • A link to the PwC privacy statement
  • Notice that transactional/servicing emails will be unaffected
  • Right to withdraw consent at any time
  • Notice that recipients will be opted out if they do not respond
  • Two clear and equal-sized buttons to opt in or opt out

Any marketer wanting to include all the right information in their repermissioning campaign would be wise the follow the lead of an email like this, in my opinion.

Inkeeping with the brand, the subject line is professional and easy to understand, too.

pwc repermissioning email

5. Destination KX – confusing competition?

Destination KX is the newsletter for the newly happening Kings Cross area of London.

The subject line for its repermissioning email is “We care about your data”, which to me is a bit ambiguous. Once you open, however, there’s a lovely clear message and call to action inside.

But there’s one issue for me – consenting to marketing is incentivised with entry into a competition to win two tickets to an event. Does this perhaps confuse the opt in slightly? Is it really unambiguous when the recipient may be more interested in winning than receiving marketing? The competition should really be open to all, whether they opt in or not, and that should be clear on the email.

I’m not passing judgment here. But simply from the perspective of achieving clarity, the competition element doesn’t seem ideal to me, even some may argue it’s no different to the discounts that retailers offer to those signing up to email newsletters.

kings cross gdpr email

6. South Western Railway – weak call to action

South Western Railway takes the tack of telling recipients “the power is in your hands” before giving some brief information on the GDPR and including a call to action to “update preferences”.

It’s unclear to me from this email whether those that fail to respond will remain opted in. I also think the call to action is a little weak (‘update preferences’) – there is no suggestion of resolution within the email itself. To me, this is asking quite a lot of customers, particularly the apathetic, and relates to the catch-22 I mentioned earlier with Money Supermarket.

The 21 day processing time also seems quite lengthy, and is the sort of thing that those who unsubscribe may get annoyed by.

south western railway opt-in email

GDPR: Six examples of privacy notice UX that may need improvement

7. Little Green Sheep – straight to it

Little Green Sheep, a retailer that sells natural bedding, mattresses and sleepwear for babies, is a model of brevity, which is a good thing in my book.

First off, the marketing team has opted for a more intriguing subject line, obviously keen – because they are asking recipients to opt-in – that as any people open the email as possible.

subject: we wouldn't want you to miss out

Once you get into the email, it’s all very straightforward:

  • A clear header – “let’s keep in touch”
  • Two sentences explaining what’s going on
  • Two clear calls to action (to consent or not) with the opt-in button larger and more inviting than the opt out (which is still visible, for sure)
  • An ecommerce header menu just in case the recipient fancies doing some shopping

Fair play to Little Green Sheep for asking for repermissioning, and for doing it with confidence.

little green sheep optin

8. Guardian – reminding logged in users

Not an email now, but a nice footer featured on Guardian articles viewed by logged-in readers.

There’s not much to say about this, other than the contrasting colours highlight the key message and button to continue. There’s also a link to find out more.

guardian opt-in banner

Lots of companies are doing more than just emailing their database to establish consent – Manchester United, for example, has been using a combination of email, print handouts at games, video content and even advertising hoardings to get its fans to opt in (which our former editor, judging by the tweet below, clearly thinks is not necessary, though anything that can keep people from lapsing is surely a wise investment?).

The Guardian, though it doesn’t seem to be repermissioning, is making sure users are getting to grips with their preferences. A wise move.

9. The Candidate – missed opportunity?

The Candidate is a marketing recruitment agency in Manchester, England. It has taken the admirable approach of repermissioning its email newsletter.

Those that receive the newsletter will have to actively opt in to continue receiving it. As discussed in the intro to this article, this means that those who miss or disregard a repermissioning email will be opted out automatically. Therefore, you would imagine that where companies take this approach, asking for consent would be front and centre in any repermissioning email. However, that’s not the case with The Candidate.

Opt in is lost in a cacophonous subject line which reads “Top Jobs, Opt in, Candidate Case Study, New Consultants and lots more!”

Then once on the content proper, partly shown below, opt in is only one of the main messages. Even if you do read it, there’s a very weak call to action – “read the full blog here!” – so the anyone scanning the email will not get the main message i.e. “if you want to keep hearing from us, you need to opt in”.

This email shows the need to put the repermissioning message up front, as blatant as possible. You just can’t afford not to.

The candidate newsletter with gdpr optin

10. Imperial Enterprise Lab – more of the same

Here’s another newsletter that doesn’t draw enough attention to the need to opt in. Yes, the subject line does have a kooky pun and emoji (see below), but does every reader know what the GDPR is? Would the subject line better asking “want to stay in touch?”

Programm/able, The Mayor's Entrepreneur winners and GDPAaarrgh!

Imperial College’s Enterprise Lab has the same issue that The Candidate has – the GDPR and opt-in message is buried within a very noisey email (show in two columns below to save space).

I’m not on this email list (it was forwarded by a friend), so I can’t be sure if Imperial Enterprise Lab has previously sent messages dedicated to opt in. If they have done so, then this newsletter perhaps isn’t as problematic.

imperial enterprise lab gdpr opt-in imperial enterprise lab gdpr opt-in

11. John Muir Trust – does what it says on the tin

Of all the emails featured here, I really like this subject line (A quick question for you…) and headline (Can we stay in touch?).

The copy is clear and the call to action speaks for itself, using language the customer understands. There’s clear text saying “You can unsubscribe from our emails at any time”, too.

Extra points for snow hare, or whatever that member of the Leporidae is sitting within the email.

john muir trust email

12. Knight Frank Finance – risking apathy

I thought I’d include a simpler example, with less HTML going on. I have no objection to plain text at all, especially in sector such as finance where customers may be paying more attention.

However, I do think that a simple hyperlink on the word ‘here’ is making life unduly difficult for both Knight Frank’s customers and marketers. Those that don’t click with be removed, after all.

knight frank finance email gdpr

13. The Waterside – the old bait and switch

A Young’s public house in Fulham, London next. The Waterside example is notable because it is the only email I have seen where the subject line (“Win two nights in Bilbao”) doesn’t even attempt to hint at contact preferences.

Rather, the top of the email content is reserved for a big message (in flashing colours no less) and a “yes please” call to action, available to all those tempted in by the completely separate competition. I don’t think this is a bad approach to getting the message in front of punters.

waterside opt-in email

14. MRS – nice subject, nicer chipmunk

Is this a chipmunk? Either way, here’s a really clear example of repermissioning. Subject (“GDPR: We need your consent”), copy (“we want to keep you up-to-date…”) and ‘yes’ and ‘no’ options are all beautifully simple. Kudos for giving equal prominence to both options, too.

mrs gdpr

15. Guidebook – written by a marketer too close to their job?

I really like the simplicity of the email below from Guidebook, a company that makes mobile apps for events. The button is in the brand colour and the text is mostly simple to understand.

The only bum note for me is the line “please opt in so we can maintain your record in our CRM database”. Luckily, Guidebook is a B2B company, so many of its recipients will understand this language, but it did stick out to me. Why not just ask people to opt in to “continue receiving the great content”.

I’m probably being harsh, the company’s motivation is transparency after all, which is admirable, but it does allow me to again make the point that B2C marketers need to do their best to make all of this easy to understand for their customers.

guidebook optin email

Note that this article represents the views of the author solely, and is not intended to constitute legal advice.

Get up to date:

GDPR: A year on