Type | Description | Best Practice | Required By |
Explicit Consent | A user actively opts in (ex. checks a box, confirms via double opt-in) | Use for all marketing lists globally | GDPR, CASL, PECR |
Implied Consent | Based on an existing relationship (ex. customer purchase or inquiry) | Valid only for transactional or limited-time B2B sends | CAN-SPAM, CASL |
Soft Opt-In | Consent assumed for similar products after purchase | Use with clear opt-out & only for related services | PECR (UK) |
No Consent Required | For transactional or service emails only (ex. receipts, password resets) | Still avoid promotional content. TO BE CLEAR: NO MARKETING OR SALES CONTENT WHATSOEVER!!! | All laws |
Requirement | What It Means | Best Practice |
Informed | People know what they’re signing up for | State clearly what kind of emails they’ll get |
Freely Given | No pre-checked boxes or forced opt-ins | Use separate checkboxes, not bundled consent |
Specific | Consent is tied to a particular use case | Separate consents for different types of messaging |
Unambiguous | Users must take a clear, affirmative action | “Sign up” button, checkbox, or double opt-in email |
Documented | You can prove when and how someone opted in | Store opt-in source, timestamp, and method |
Area | Best Practice |
Forms & CTAs | Be clear about what people are signing up for. Avoid vague phrases like “Stay in the loop.” |
Double Opt-In | Send a confirmation email after sign-up to verify the address and consent. |
Privacy Policy | Link to your privacy policy near every sign-up form. |
Audit Trails | Store consent logs (timestamp, IP, method, form name). |
Easy Opt-Out | Include a working unsubscribe link in every marketing email. No login should be required to opt out. |
Preference Centers | Let users manage frequency, topics, or unsubscribe entirely. |
B2B Considerations | In the U.S., CAN-SPAM allows cold emails, but you must include company address, opt-out link, and truthful subject lines. |
Children’s Data | Obtain verifiable parental consent if targeting users under 16 (or younger depending on jurisdiction). |
Field Name | Description | Best Practice Usage |
Consent Status (ex. Email_Consent__c) | High-level status such as “Opted-In”, “Opted-Out”, “Pending Confirmation” | Use this to gate sends — only send marketing to “Opted-In” |
Opt-In Date | Timestamp of when consent was given | Store automatically via form fills or confirmation clicks |
Opt-In Source | How or where the person gave consent (ex. Web Form, Event, Chatbot) | Useful for audit trails and segmentation |
Double Opt-In Status | Whether they completed a double opt-in step | Optional but encouraged for GDPR/CASL compliance |
Unsubscribe Reason | Captured via a custom unsubscribe/preference center | Can be used to improve retention or adjust targeting |
Preferred Communication Channels | Email, SMS, Phone, Postal | Stored in a multi-select or related object |
Communication Preferences | Product updates, newsletters, events, etc. | Used to personalize sends and honor opt-downs |
Last Updated By / Date | Who or what system last updated consent fields | Useful for audit logs and syncing issues |
Privacy Policy Version Agreed | Optional field to show which version of your policy they consented to | Helps track changes over time |
Use Case | How to Do It |
Suppress non-consenting contacts | Build dynamic suppression lists using Consent Status != Opted-In |
Honor communication preferences | Use Communication Preferences to create topic-based campaigns |
Support global compliance | Use country field + consent fields to apply regional laws (ex. only send without opt-in if US-based and B2B) |
Sync consent between MAP & CRM | Use bi-directional field sync + change logs to prevent accidental overwrites |
Prove compliance during audits | Export audit logs with Opt-In Date, Source, and Consent Status |
Adjust logic per region | Add workflows to dynamically update consent needs based on country (ex. require double opt-in for EU residents) |
General Data Protection Regulation (GDPR)Email Marketing - General Data Protection Regulation (GDPR)Email Marketing - General Data Protection Regulation (GDPR)
Newsletter mailings and e-mail marketing are a fixed part of the online marketing universe. Basically, the principle that processing is prohibited but subject to the possibility of authorisation also applies to the personal data which is used to send e-mails. Processing is only allowed by the General Data Protection Regulation (GDPR) if either the data … Continue reading Email Marketing
General Data Protection Regulation (GDPR)
CAN-SPAM Act: A Compliance Guide for Business
Do you use email in your business? The CAN-SPAM Act, a law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations.
Canada's anti-spam legislation
Canada’s anti-spam legislation (CASL) protects consumers and businesses from the misuse of digital technology, including spam and other electronic threats. It also aims to help businesses stay competitive in a global, digital marketplace. Learn about the legislation as well as how to protect yourself from spam and how to report it when necessary.
Electronic mail marketing
You must not send marketing emails or texts to individuals without specific consent. There is a limited exception for your own previous customers, often called the ‘soft opt-in’.
Avoid sending spam | ACMAAvoid sending spam | ACMA
If you send marketing emails or messages to customers, you need to know about the Spam Act. The Spam Act sets out your responsibilities under Australian law.
Join 3,500+ operations professionals. Get actionable MOPs tips every month.