

Explicit consent and the GDPR

Consent is one lawful basis for data processing in the GDPR, but what is changing? Well, it's now explicit and dynamic because it can change at any time.



GDPR is real (and enforceable) for anyone who does business with EU residents, even if you’re halfway across the world. Time just flew by in all this prep work to become GDPR compliant, and no one had any fun – except for the data privacy experts. Those guys had all kinds of fun and an early Christmas. Everyone else had real talk and real confusion.

Disclaimer: EU data protection laws, including the GDPR, are complex. This blog post should not be considered legal advice. Please consult a legal professional for details on how the GDPR impacts your business.

So, why has this whole thing been so painful?

You could say that enforcing these EU laws is basically the equivalent of calling someone’s baby ugly. It points out that there’s something wrong with data collection and processing if businesses are not following best practices. And the truth hurts.

GDPR doesn’t seem to offer straightforward guidelines on how to correct course either. So, yeah…it’s been rough. And somewhat ironic, too. Those same laws call for change in the way we obtain consent, stating that it can no longer be assumed. Explicit laws with vague implementation directives, calling for explicit consent. Let that sink in for a sec.


Consent is dynamic

GDPR covers several lawful bases for data processing, and consent is one of them. We need to shift our understanding of consent from permanent to dynamic. This means that consent under GDPR depends on the situation and is specific only to the activity. Especially on the marketing side, we have to start asking ourselves: do I have permission to send marketing messages to you? Are you expecting my emails? Even a wealthy Nigerian prince who wants to share his fortune with me would need my explicit consent to continue sending me spam email!

Old lady looking at computer with Nigerian prince meme text

While someone unsubscribing from your emails isn’t quite the emotional roller coaster of an in-person breakup, it still freaks most marketers out. But really, why would you want to talk to someone who doesn’t want to listen to you in the first place?

With GDPR, customers must have the option to withdraw consent (objecting to use of information for direct marketing) if they decide they don’t want to hear from you anymore. And they need to have the choice to opt out on an ongoing basis, the choice to update their consent status at any time, and the right to have their data eliminated. Oh, and if they want to take their data with them, you have to provide it to them.

This focus on explicit consent targets the prevailing offender: pre-checked boxes that are set up as the default option on forms, using some blanket statement in the terms and conditions of service. If you want to reach your contacts, offer them only what they’re interested in, and engage in a safe space where you have to ask for permission directly before engaging with them. A good example of this is the InMail feature on LinkedIn. You’re only talking to someone there for a business purpose, and they decide whether or not to respond.

What is Mailgun doing about data collection?

In all of this, we did a lot of work on the data processing side of things to update our DPA and make changes before the deadline. But data collection was not overlooked… we’ve had to take some action to meet the requirements of GDPR on our marketing communications as well.

We asked ourselves (and our lawyers) some hard questions to decide what to do. You know, the stuff of nightmares for a marketer: do we re-engage contacts and ask them to explicitly say they opt-in? Do we delete our entire database because we think we can’t obtain explicit consent? Do I really need things like phone numbers and mailing addresses?

After some thought, we came to the conclusion that it makes sense to do the hard work upfront – even if we lose a big chunk of our email lists. We made updates to our web forms to make sure checkboxes were there, and they weren’t checked by default. This also included separating out each type of communication into its own checkbox.

Window with checkboxes for subscription preferences

This is to make sure we capture explicit consent moving forward, regardless of geographic location. For existing contacts, we are re-engaging them by sharing our new opt-in form and letting them choose their communication preferences by type. Once GDPR kicks in, we will sunset those contacts that did not submit their opt-in preferences (you’ll know what I mean by this if you watched our webinar on email list practices).


GDPR is going to have an impact beyond EU borders; it’s just a matter of time before other countries implement similar provisions in some shape or form. We figured it’s better to get ahead of the game, even if you have a few short-term drawbacks.

There’s a silver lining though. Your engagement with customers and contacts will be much improved, which is a great thing for email. It can lead to better conversations and also have a positive impact on your email deliverability overall.

