Permissions GDPR

Five GDPR repermissioning campaigns and what they teach us

10th May 2018

We examine some of the repermissioning emails being sent out in the build-up to GDPR, and how different approaches are being adopted to gain customer consent. 

The GDPR has set in motion a frenzied fire-hose of brand communications at a scale not seen since 1999, when fear of the Millennium Bug was sweeping the globe.  

Check your email at any given moment and you’ll see multiple messages from brands you have (and on occasion, don’t have) an affinity with, asking you to confirm and set the boundaries of your relationship with them after GDPR’s May 25th deadline kicks in and greater data control is officially handed over to EU consumers.

However, the sheer range of communications suggests that brand marketers have yet to fully establish what is and isn’t acceptable in terms of repermissioning their customers in advance of GDPR, and equally, whether they even have to at all.

In this post we look at five different approaches in a bid to establish their pros and cons, and whether a similar approach might be relevant for your business. 

The Filter

The Filter’s repermissioning choice is a pretty straight-forward email asking its subscribers to confirm they wish to continue being communicated with:

The Filter

The caveat for The Filter’s messaging comes with the sentence “If you do not tell us you want to continue receiving emails, we’ll have to remove you from our database when the law changes…” – this statement is one that’s wedded to the GDPR stipulation around ‘consent’ and whether subscribers fall into the following three categories:

  1. Consent provided and asked in a GDPR compliant fashion.
  2. Consent provided but not compliant to GDPR.
  3. Consent not provided or removed.

(Information about what represents ‘GDPR-compliant’ consent can be found here.)

The Filter’s email suggests that its subscribers possibly fall into category 1 or 2, but that it is unable to provide absolute clarity over which category. This is a common occurrence for brands and the driver behind the majority of GDPR-related repermissioning exercises. However, Jim Roberts, director and founder of BlacklerRoberts suggests this approach can be a hazardous one:

“The only time you need to consider repermissioning is if you are sitting in option 2. If consent is provided and asked in a GDPR compliant fashion, why do you need to re-ask?”

“Looking at option 2 you then need to decide ‘do I have permission to speak with them to clarify consent (be specific, remove ambiguity)’. So for existing customers who have not removed consent for marketing, can I use existing soft opt-in rules to email them with details of marketing services and consent options, remembering they must be GDPR compliant, so an affirmative action is freely given, informed and not ambiguous.”

The acknowledgement in this arrangement is that brands may well lose the capacity to market to huge swathes of subscribed and active customers based on their failure to take action on an email communication they may have missed, forgotten about or never actually seen.

The Guardian          

The Guardian adopted a pop-up on its website asking its subscribers to ‘opt-in’ or ‘miss out’:  

The Guardian GDPR

The pop-up featured regardless of whether you’re a Guardian member and by clicking ‘continue’ simply takes users to a ‘sign-in or sign-up page’.

The semantics ‘opt-in or miss out’ are arguably somewhat passive aggressive, but also act as an exercise in data capture over repermission, given that the message features whether you’re a member or not.

“As the tsunami of permissioning emails reaches its zenith consumers will notice the different approaches,” says customer insight leader and GDPR expert, Paul Laughlin. “Ask yourself, do you want to be perceived as threatening exclusion or having a positive value proposition that people will want to choose?

“On the positive front, I like the lack of passivity in this approach. Requiring action to choose one of the two options, not just ‘old school positive opt-in’ is a good way to wake people up. If they haven’t left it too late with this campaign, then such a behavioural design approach should better enable readers to make conscious, not automatic, decisions. That is in the spirit of the GDPR.”

Manchester United

The world’s most supported mid-tier Premier League team have seemingly gone all-out in their bid to repermission their supporters in preparation for GDPR, with any astute follower of football noticing ‘opt-in’ messages scrolling around pitch-side advertising hoardings since the end of 2017.

What is a fairly comprehensive marketing campaign includes a video being emailed to the club’s current subscribers featuring some of its top players encouraging members to resubscribe to their communications and set their preferences:     

“It’s an interesting strategy and one that will hopefully pay dividends with a high opt-in rate for the club,” says the DMA.

“They throw an incentive into the mix to encourage people to check their marketing preferences. If supporters opt-in or opt-out then they will be entered into a prize draw….

“Crucially, the prize draw does not penalise supporters for not opting-in to receive marketing and is open to all regardless of their preference.”

Pizza Express

Whilst one prize draw is praised, another has been widely lambasted.

Pizza Express has come under fire for its approach to opting customers in:

Is scrutiny for this approach fair whilst Man United is credited for its own? The issue may lie in the crucial point that Pizza Express makes around incentives exclusively for opting-in over opting-out, which may yet be in breach of GDPR’s article 7:

“When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”

The question of whether consent has been ‘freely given’ is arguably the point of differentiation.

“Fear Of Missing Out (FOMO) and competition lures may be very effective marketing ploys, but I would encourage firms to be more positive,” adds Paul Laughlin

“As the tsunami of repermissioning emails reaches its zenith, consumers will notice the different approaches. Ask yourself – do you want to be perceived as threatening exclusion or having a positive value proposition that people will want to choose?”


Finally, from Lloyds, an email to its customers that simply affirms that its customers can expect more control over its data once GDPR comes into force (but also an omission that they won’t until the regulation kicks in):


Lloyds has applied its repermissioning at the point-of-contact in which customers attempt to log-in to their mobile/online banking account. By doing this, customers have to set their preferences in order to perform a fundamental task, and is using its email communications as merely a primer for this repermissioning exercise.    

Of course this option is arguably one reserved for a small number of ‘necessary’ providers (i.e. banks, utilities, telecoms, public services) but does give brands an idea of the different points-of-contact they can apply their permissions to.

Replies (0)

Please login or register to join the discussion.

There are currently no replies, be the first to post a reply.