GDPR and Marketing: How to Manage User Consent

Table of content

Written By:

When it arrived, GDPR shook up the habits of marketing departments by imposing new obligations on companies. However, these obligations are not all new in France, as GDPR can be considered a reinforced version of our former Data Protection Act (law no. 78-17 of January 6, 1978).

In 2018, on the eve of GDPR’s implementation, many of us received an avalanche of invitations from marketing departments to consent to receive solicitations from them. This year, four years later, the focus is back on marketing departments with the CNIL’s announcement of commercial prospecting as one of its areas of supervision for 2022.

What impact will GDPR have on marketing services? The core activity of a marketing department requires the processing of personal data of customers and potential consumers: presentation – sometimes personalized – of goods and services to stimulate the need, collection of opinions on these goods and services, monitoring and analysis of the paths of Internet users, establishment of various statistics … The use of personal data in marketing is now inevitable.

It is therefore essential for marketing departments to be able to comply with the protection of personal data held by individuals. How can companies comply with these requirements? What practices should be adopted?

1. The necessity of collecting consent (opt-in) and its limits

1) Consent but not only that: the existence of other legal bases

When GDPR arrived, the focus on the data subject’s consent to justify any data processing may have overshadowed the other five legal bases provided for in Article 6.1(performance of a contract, legal obligation, legitimate business interest …). Although, in the context of data processing for marketing activities, the knowledge and stimulation of people’s needs often requires their consent, certain situations do not necessarily require it.

In its reference framework on the management of marketing activitiespublished in February 2022, the CNIL proposes other legal bases for certain marketing operations: the legitimate interest of the company can be used for commercial prospecting actions without the need to collect consent

  • to consumers: by mail, by telephone calls; and by electronic means, for similar goods and services already purchased/subscribed from the data controller (the CNIL specifiesthat when the canvassing is not commercial in nature – charitable, for example – it is then possible to switch to the legal basis of the data controller’s legitimate interest).
  • to professionals generally (i.e., by electronic means, by mail or telephone)

2) Specific consent to cookies

The use of cookies and other tracers (tracking pixel, fingerprinting, etc.) in order to allow, for example, personalized advertising requires the collection of the Internet user’s consent.

NB: here the consent requested from the Internet user does not derive from GDPR but from Article 82 of the French Data Protection Act (from Article 5.3 of the e-Privacy directive). Therefore, as it is not a choice between six potential legal bases of GDPR but a binary choice imposed by the directive (consent or not), the legitimate interest cannot be used for a cookie to be deposited or read!

Nevertheless, there is a link between the consent to the deposit of a cookie and the consent of GDPR: the consent of Article 82 of the French Data Protection Act must meet the same characteristics as those of the consent posed by GDPR … that we will detail.

3) The “proper” collection of consent

Articles 4(11) and 7 of GDPR impose new standards on consent to data processing. Consent must be given by a clear affirmative act that is “free, specific, informed and unambiguous.”Let’s detail these requirements:


Unambiguous: the individual must express consent. Their silence or lack of action to say “yes” (e.g., continuing to browse your website without clicking “yes” to cookies, not unchecking a pre-checked box, etc.) does not constitute consent;

Free: consent must not be conditioned (for example, it must not be mandatory to accept advertising cookies to access a website);

Specific: the act of consent is to be performed for each purpose of processing, in a dissociable way (for example, a form will have to contain several boxes to be checked, one for each purpose to be consented to);

Enlightened: in order to have really consented, the person must know what they are consenting to. It is therefore necessary to provide a certain amount of mandatory information (see Article 13 of GDPR). To this end, GDPR specifies that individuals must receive information delivered “in a concise, transparent, understandable and easily accessible manner, in clear and simple terms” (Article 12). Thus, it is possible – and even necessary – to tailor the provision of information to situations and media. In a digital environment, for example, as explained by G29, you can provide information at different stages of the user journey. From a marketing perspective, this thus balances the information requirement with the fluidity of the engagement process.

Beware of minors’ consent for information society services provided directly to children(such as “information related to products or services, including marketing activities” as explained by G29). In France, the processing of personal data of a child under the age of 15 based on consent is only lawful if the consent is given or authorized by the legal guardian. G29 also explains that in the context of low-risk processing for individuals, “verification of parental responsibility by email may be sufficient.”

Once “properly” collected, the data controller must be able to provide evidence that consent has been obtained. As GDPR does not prescribe precisely how this should be done, data controllers are free in this demonstration (which refers to the principle of accountability). It is then possible, for example, to have recourse to time stamping by a click or an act of navigation to prove this collection, it can be a signature on a paper or electronic form, even if this method proves to be very unsuitable for marketing processing. The practice of double opt-in (reconfirming one’s agreement to receive solicitation emails in an initial confirmation email) is also a good practice. The EDPB (a European committee composed of national representatives of supervisory authorities, such as the CNIL in France) suggests, for example, “in the online environment, keeping information about the session in which consent was given, along with documentation of the consent workflow at the time of the session and a copy of the information provided to the data subject at the time.”

4) The need for renewed consent

In some cases, it is also necessary to regularly renew the consent of the person concerned.

This is the case of the deposit/reading of cookies on the Internet user’s terminal. In this situation, the CNIL explains in its recommendations relating to cookies that the user’s consent may be forgotten by the latter over time. Therefore, the Commission recommends that the user’s consent be renewed at regular intervals. To this end, the CNIL considers a period of 6 months to be good practice.

GDPR does not require the renewal of consent at regular intervals. However, the ICO (British equivalent of the CNIL) recommends a renewal of the consent every 2 years within the framework of the protection of the privacy of individuals.

Finally, as a reminder, if the data had been collected before GDPR came into force (May 25, 2018), the marketing treatments are only legal if the consent has been collected under the conditions provided by GDPR and detailed above (opt-in).

2. The opt-out requirement

Consumers or professionals can stop taking an interest in solicitations from marketing services. In addition to the annoyance of receiving unwanted solicitations (and the potential for them to become spam), which would produce the opposite effect of that sought, the regulations require that it be possible to stop these solicitations:

When the processing is based on the consent of the individual (opt-in), the individual must be able to withdraw it (opt-out) at any time (Article 7.3 of GDPR);

When the processing is based on the legitimate interest of the company, the data subject can exercise their right to object (from Article 21 of GDPR) at any time. In concrete terms, several options are possible: inserting an unsubscribe link in an email, proposing a user interface to manage their consent..

The e-Privacy Directive intersects here again with GDPR: in the context of commercial prospecting by electronic means, its Article 13 (transposed into article L34-5 of the French Post and Electronic Communications Code) makes it essential to propose in each electronic message a simple means of objecting to the receipt of new solicitations (for example with a link to unsubscribe at the end of the message).

3. Conclusion: Practical and long-term impact on marketing operations

1) In practice, how does this impact marketing operations?

The first step will be the distinction between the categories of data subjects:

is the person a professional or a consumer?

is the person a client or a prospect?

This will influence whether or not consent (opt-in) is required.

The second step is to insert the opt-in mechanism if necessary and, regardless of the need for opt-in, to inform the person of the use of their data to carry out prospecting:

  • For prospects: for example, when downloading white papers or participating in contests, insert a box to be checked by the person to receive commercial proposals, clearly indicating the purpose of the use of his email address by the company;
  • For professionals or clients: for example for clients, indicate at the time of the order that the client’s email address will be used to send him commercial proposals.

Point of attention, sponsorship: here, the company asks a person to fill in the details of a third party who may be interested in a commercial offer, an article or an online ad. In this situation, personal data of a sponsored person who has never given their consent are manipulated. The CNIL allows this infringement of the principle of consent under certain conditions:

  • The recipient must be informed of the identity of their sponsor;
  • The sponsored person’s data can only be used once: to send them the offer, article or advertisement suggested by the sponsor;
  • It is not possible to keep the data of the sponsored person to send them other messages without their consent.

2) What are the long-term impacts on marketing operations since the arrival of GDPR?

The larger the database of customers and prospects, the more numerous the targets and potentially the greater the number of conversions. Nevertheless, compliance with GDPR and more generally with the protection of personal data sets limits to the collection of mass data. Moreover, it is forbidden to reuse data for another purpose than the one for which it was collected.

The challenge is therefore to go beyond the stage of constraint and turn these requirements into opportunities. The protection of personal data forces marketing to refocus on quality rather than quantity. This implies, for example, in the case of electronic commercial prospecting, a reduction in the number of people reached by the prospecting operations. The opportunity can be perceived on the image of the company, thanks to the reduction of the annoyance towards the issuing company for the people placing these solicitations immediately in their basket or unwanted. The opportunity can also be perceived from an environmental point of view, with a reduction of the pollution generated by Internet traffic.

For more information

Read this next

See all
Hey there 🙌🏽 This is Grained Agency Webflow Template by BYQ studio
Template details

Included in Grained

Grained Agency Webflow Template comes with everything you need

15+ pages

25+ sections

20+ Styles & Symbols

Figma file included

To give you 100% control over the design, together with Webflow project, you also get the Figma file. After the purchase, simply send us an email to and we will e happy to forward you the Figma file.

Grained Comes With Even More Power

Overview of all the features included in Grained Agency Template

Premium, custom, simply great

Yes, we know... it's easy to say it, but that's the fact. We did put a lot of thought into the template. Trend Trail was designed by an award-winning designer. Layouts you will find in our template are custom made to fit the industry after carefully made research.

Optimised for speed

We used our best practices to make sure your new website loads fast. All of the images are compressed to have as little size as possible. Whenever possible we used vector formats - the format made for the web.


Grained is optimized to offer a frictionless experience on every screen. No matter how you combine our sections, they will look good on desktop, tablet, and phone.

Reusable animations

Both complex and simple animations are an inseparable element of modern website. We created our animations in a way that can be easily reused, even by Webflow beginners.


Our template is modular, meaning you can combine different sections as well as single elements, like buttons, images, etc. with each other without losing on consistency of the design. Long story short, different elements will always look good together.

100% customisable

On top of being modular, Grained was created using the best Webflow techniques, like: global Color Swatches, reusable classes, symbols and more.


Grained includes a blog, carrers and projects collections that are made on the powerful Webflow CMS. This will let you add new content extremely easily.


Grained Template comes with eCommerce set up, so you can start selling your services straight away.

Figma included

To give you 100% control over the design, together with Webflow project, you also get the Figma file.