This post is a comprehensive guide put together by Emarsys strategic and email deliverability experts Sonal Mistry and Rin Chau — big thanks to them for for their time, energy, and insight.

If your organization relies on consent as the lawful reason for processing personal data, you must make sure that data you hold is GDPR-complaint in order to continue using it.

You must also have an audit trail of how, when, and where consent was obtained, so that you can provide evidence if required. If you don’t, you likely need to create some sort of re-permissioning campaign.

In this ultimate guide, I teamed up with two of my colleagues to create the BEST resource on the Internet that will help you understand, create, and implement re-permissioning campaigns — not just for GDPR, but anytime — where we’ll show you exactly:

  1. What re-permissioning campaigns are intended to do
  2. Key considerations to keep in mind when executing a successful re-permissioning campaign, and
  3. Good examples of multichannel re-permissioning campaigns so that you can start creating your own

Table of Contents

Chapter 1: Understanding why GDPR Warrants Re-Permissioning

When you need to re-permission →

If you can’t identify how, when, and where consent was obtained, the best option in order to be compliant is to ask (to communicate with contacts) again.

You can do this most effectively with re-permissioning campaigns — where you’ll, again, seek the permission of contacts to email, text, or otherwise message them.

The good news: if consent has already been obtained in a GDPR-compliant fashion, then you don’t need to re-capture consent at all.

You only need to re-permission if you have collected personal data without adequate consent under the GDPR.

“Having subscribers opt-in to marketing communications means that they’re indicating that they want to hear from you. This has a number of benefits including cleaner data and increased engagement. In turn, this will increase the amount of your emails that get delivered to the inbox. Think about this equation: clean data + positive intent = increased engagement + improved inbox placement + better ROI.

If you handle the requirements for transparency correctly, you’ll increase the likelihood that subscribers will provide you with more information because they’ll have greater confidence in how your data will be used. This means that you can build a deeper and more accurate understanding of your subscribers, provide them with a better experience, and retain their advocacy for a longer period.”

Dale Langley · Global Head of Email Strategy & Deliverability, ‎Emarsys · London, UK · @email_dale · LinkedIn


For some businesses, this may mean you need to re-permission your entire database. For example, you’ll need to re-permission if you’ve always used a “pre-checked” box for “consent by default” — which is no longer sufficient under the GDPR.

Or you may need to re-permission a proportion of your database, for example, if your consent methods changed prior to becoming compliant — in this case, you only need to re-permission those contacts added before the changes were made.

The intent of re-permission campaigns →

Since the GDPR is only a few weeks away, we can expect to see more re-permissioning campaigns across all industries.

From now until May 25, 2018, you have a small window to get adequate permission from your subscribers — so, consider running campaigns to grab their attention (consider using lead magnets like incentives, offers, or content upgrades). If these subscribers feel that there’s value in the communication, they’ll be more likely to give you their consent.

Re-permissioning emails are similar to win-back emails in that they’re designed to capture the attention of subscribers and prompt them to confirm their subscription.

That said, the tone and appeal may differ slightly because re-permission campaigns are used to re-capture consent in a GDPR-compliant fashion (they could be sent to subscribers already interacting with your emails, for instance), whereas win-back campaigns are used to target lapsed or lapsing subscribers.


“The most important thing to remember about re-permissioning campaigns is that while obtaining re-permission is only a tiny percent of the total work to be done to be compliant with GDPR, it can potentially have a huge negative impact on revenue if not planned, implemented, and optimized correctly. Don’t take it for granted that you’ll maintain your current list size. You’re going to have to work smarter to gain permission, and carefully test to see what format, number of fields, signup process, copy, position, benefits, tone of voice, and elements of persuasion work best for your audience.”

Kath Pay · Head Consultant, Holistic Email Marketing · UK · @kathpay · LinkedIn


You may lose the opportunity to re-permission subscribers if you wait too long, so we suggest taking action now. Alternatively, you could choose to remove customers whose consent you cannot demonstrate from your customer database completely. However, eliminating contacts outright should be a last resort — especially given the option to re-permission.

Chapter 2: Planning, Building, & Executing a Re-Permissioning Campaign: Where to Start

Let’s be honest — constructing a successful GDPR campaign requires some thought, and it’s important we address all elements of consideration when planning an execution method for re-permissioning.

When constructing your GDPR re-permissioning campaign, it’s important to know where to begin, who to target, how to set segmenting rules, the frequency at which you should send, and the channels you should use.

1. Who is my target list? →

One of the most common questions we are asked is “Who in my database should I be targeting?” It’s great question and an important one.

You should always target customers that subscribed to your mailing list at any point during your old, non-GDPR-compliant days of “pre-checked” opt-in boxes at the point of sign-up.

However, it’s also wise to consider any unengaged contacts in your database (who have not interacted with emails or online channels in the last six months* and beyond. These contacts or customers have not actively engaged with your content across your emails or the website, which suggests a disconnect or disinterest with your brand.

It’s also wise to offer these contacts a clear unsubscribe route to ensure you are clearing your database of anyone who doesn’t care to receive messages — and who are bringing your overall campaign engagement rates down.

For contacts who have actively engaged with emails or your website within the last six months, you can safely assume that they are still interested. Targeting these engaged customers with a treatment layer in general e-newsletters (see Selfridges, below) or on your website is recommended to cover all bases.

Editor’s note: The timeframes of engagement levels can vary according to the nature of your database and target market. Speak to an Emarsys Deliverability Consultant to get a clearer picture of what your engagement criteria should look like if you are unsure.

2. What segmentation rules should be set? →

Your segmentation rules will be heavily determined by who you’re targeting.

Remember to ensure you have no overlaps in your segmentation rules to avoid upsetting contacts with too many of the same types of communication (or different communications asking them to do the same thing).

The number of segments you target should be further broken down by engagement levels to ensure you are approaching your re-permissioning campaign to unengaged contacts in the safest way possible, in small batches.

3. What cadence/volume should be used for re-permissioning? →

It’s fine to send contacts friendly reminders if they still need a nudge to make a decision on re-confirmation of consent.

Ensure you are spacing out these reminders to avoid an barrage of communications hitting your contacts’ inbox in a short period of time.

Frequency-of-send is always a touchy subject across email marketing as we never want to bombard our contacts with too many communications. However, in the interest of preserving as much as your addressable database as possible, it’s important that you are smart in planning cadences effectively across your GDPR re-permissioning efforts.

Think about repeating your efforts to encourage contacts who have still not confirmed opt-in (or engaged or just simply unsubscribed if they are no longer interested) with re-permissioning campaigns on a monthly basis.

It’s extremely important to add variations to content in each monthly stint in order to avoid complaints of repeat email communications. Also ensure you cut cadences before May 25, 2018.

4. What channels should I use for re-permissioning campaigns? →

You are not restricted to only contacting email subscribers with re-permissioning campaigns via email – make the most of your other channels to drive confirmed opt-ins.

For instance, you can use social media, email, mobile push, text messaging, or pop-ups to leading contacts to a quick form.


“To get started: add pop-ups and other CTAs (seeking opt-ins), use social media to proactively and properly attract opt-ins, and review all forms to ensure that they are proving clear opt-in check boxes for marketing materials as well as only collecting necessary data. It’s good to practice these things regardless of the GDPR — isn’t this [level of transparency] how we would all want to be treated?”

Brenda S. Stoltz · Founder & Chief Strategist, Ariad Partners · Washington, DC · @BSStoltz | LinkedIn


Social channels and your website are excellent channels for targeting contacts who are unengaged and require extra effort to try and get hold of.

Ideally, you actually should use your website as the first, central channel to communicate re-permissioning initiatives (a la Manchester United, below).

Now, let’s take a look at several examples of re-permissioning campaigns in action.

Chapter 3: Examples

Selfridges →

Opposed to creating a one-off re-permissioning campaign, Selfridges has adopted an ongoing approach by incorporating a re-consent banner to existing campaigns.

The design Selfridges uses is smart because the yellow banner is eye-catching, yet flows with the Selfridges brand. The banner is also placed on the top of the email which helps it stand out, and appear in the preview pane (it’s still visible when the email is not opened).

In taking a closer look at their email form, Selfridges has taken a subtle approach in their copy. The brand doesn’t explicitly explain that by not clicking “yes please,” that, in May 2018, contacts may stop receiving emails.

What we’d like and expect to see as we inch closer to May 2018 is stronger language — giving subscribers the chance to remain opt-ed or removed from the subscription if they choose to do so.

Selfridges still uses a soft opt-in approach. But, we’re anticipating this will change in the upcoming weeks to become in-line with compliance.

In using sign-up forms on its website, the brand clearly states the types and frequency of communications that contacts should expect.

The North Face →

Unlike Selfridges, The North Face has taken a common approach to re-permissioning by sending a “win back” kind of campaign.

The subject line “It’s been a while [Name]” is used to catch the subscriber’s attention. Additionally, the CTA in the email is clear.

The North Face will likely stop sending to those who do not respond — otherwise it may send a follow-up to give subscribers one last opportunity to remain opted-in. Although this is a great opportunity to capture more data, look at your response rate and data quality to judge whether it’s worth sending a follow up (or whether it’s best to remove a contact altogether).

Remember: sending emails too often can irritate your unengaged subscriber, and cause them to mark your email as spam.

The North Face could have used this opportunity to remind disengaged contacts the benefits of being a subscriber, or to share the benefits they’ve received over the lifetime of being a customer. It could also offer a lower frequency option (e.g., “digest” version) to avoid complete unsubscribes, or an exit survey to understand why subscribers may be leaving.

Grobag →

We really like Grobag’s example because both the copy and design is fun, yet effectively communicates what it’s asking subscribers to do.

Grobag recognized that email may not be the only outreach tool for its audience — it also used social media as an alternative way to keep in touch.

This is a good approach because engagement should be an overarching strategy with all your communication touchpoints. Grobag also offers a personalized discount code which is a great way to thank subscribers. Those who click “NO” in the email are given the option to change their mind and remain subscribed when they’re lead to a preference center (where Grobag can collect more data for better targeting).

Manchester United →

Manchester United uses our favourite approach.

The soccer brand uses various areas on their website — as well as email — to capture opt-ins. Each version has a slightly different design, and the wording varies (some instances are more detailed than others) depending on where and how it’s capturing the re-permissioning.

Manchester United offers a preference center, and even explicitly say “the law is changing.” It also includes a benefit statement letting subscribers know why they should stay subscribed.

Pro Tip: It always helps to provide some context into the action of confirming opt-ins as this helps to add some urgency to the matter. You don’t have to explicitly state that you are asking the customer to confirm opt-in because the GDPR is coming into force, like Manchester United does. However, by subtly mentioning that re-subscribing is crucial to ensuring the customer’s data is being used for the right reasons, you will be able to continue to provide the customer with a great ongoing experience.

Manchester United sets a good example in how a re-permissioning strategy should be crafted — it’s even created a one-minute video to help subscribers understand why they need to re-subscribe, and used the opportunity to promote program benefits. Early birds who opt-in can also win a signed shirt — incentivization is a great option to add urgency and prompt responses.

Like Selfridges (above), it mixes re-permissioning asks into regular emails, but situates the ask at the top of the email.

Once you click through, you’re taken to a more thorough registration page requiring you to fill out with your information, as well as take action to indicate that, yes, you would like to receive updates.

Essex and Herts Air Ambulance →

Consider what channels you may want to use.

While email will be the most common, efficient, and effective choice for most marketers, you can also consider using SMS, CRM ads, or even direct mail.

This example from Essex and Herts Air Ambulance was sent through the mail — and it’s taken an explicit approach in highlighting that “With the law changing soon, we’ll be unable to contact you without your explicit permission and preferences.”

Explore what channel works best for your business, and what language and tone suits your brand. As mentioned, you can take a subtle approach now, and use stronger language or tactics as we approach May 25 when the GDPR goes into effect.

Chapter 4: Now What?

The GDPR is a good thing in disguise. It’s an opportunity to cleanse your data by removing those who are not engaging, as well as a chance to build a better relationship with your best customers

Subscribers may feel overwhelmed if they receive too many re-consent emails from all the brands that they’ve signed up with, so the sooner you put together a re-permissioning strategy, the better chance you have in getting a (positive!) response.

There is a lot to take in here, and time is ticking — how do I scale this? →

Yes, time is ticking — so, the first step is figuring out how much time will be needed to operationalize this effort. Don’t let it be a cause for sleepless nights – automate it!

Once you have planned and scheduled your GDPR campaigns, we strongly advise that you consider building it into a automation program that will do the work for you on a monthly basis.

You can contact an Emarsys Customer Experience Consultant for advice and workshops on planning and executing a successful GDPR re-permissioning campaign to your database. Speak to your Customer Success Manager for more information.

Promise value, and deliver it across channels →

Remember to create varying versions of the campaigns for each batch or cycle to avoid repetition, and always incorporate a multichannel marketing approach to maximize reach and conversion to re-confirm as many (and even get new) opt-ins as possible.

Remember to explore all channels — tap into device usage data, engagement data, and preference data to decide where and how to re-permission. Once you’ve decided which channel(s) to use, don’t miss out on the opportunity to let your subscribers know why they should stay — and remember to live up to what you promise.


“Fine-tuning data collection tactics will help brands focus on providing relevant experiences and driving value for the customer. We’ve always worked with clients on raising standards in offline registrations, online account creation, email sign-ups, and SMS data capture with the goal of creating a clean, valuable, addressable customer database. The GDPR is a chance to look at how you acquire, convert, and retain customers across channels. It means building a better view of customers, of what they want, and how they’re engaged by your brand.”

Alex Timlin · VP, Client Success, Emarsys · London, UK · @ARTimlin · LinkedIn


Little precedent, but big opportunity →

In general, the industry has not yet seen many examples of re-permissioning campaigns, but we’ll see more as we approach May when the GDPR will go into enforcement. Just like a significant other, we don’t just want a honeymoon period… but a real relationship that will last. That’s what the GDPR is allowing you to create.

That’s it! Re-permissioning is critical for your ongoing compliance and list cleanliness, but it’s a doable feat if you plan and execute it with strategy and patience. ◾

Contact your CSM to learn more, or contact the Emarsys deliverability team to learn more, here.

For more information on the GDPR and how it’s going to affect your job, check out these resources:


Lindsay TjepkemaLindsay Tjepkema is the Director of Marketing, North America, at Emarsys. She and her team deliver resources that empower marketers to seek out solutions and strategies that will allow them to thrive by focusing on what they love – strategy, content, and creative – not the technology, itself. Although her true love is tech marketing, she has worked in a range of industries, from life science to talent management, economic development to software development, eProcurement to social networks and more. She has crafted and executed B2B and B2C strategies for brands like Intel, LinkedIn Marketing Solutions, OfficeDepot, SalonCentric, Ashley Furniture, and more. Her experience is built on time spent leading in-house teams, in agency settings, and independently running her own marketing consultancy.

Connect with Lindsay: LinkedIn@blueprintmkt