How to Direct Market Without Consent

direct marketing without consent

As a marketer, the dream is to be able to build and launch campaigns to grow your audience and sell your product or service. Pretty straightforward – right? Well, as marketers know it is rarely so straightforward.  There is much to consider before launching any campaign, including anti-competition laws, IP issues, consumer protection laws and data privacy laws. It can seem like these are waiting in the long grass to trip you up and expose your business, but data privacy laws aren’t designed to do this, and if applied correctly, marketers can happily exist within these laws and all the while build healthy DATA relationSHIPS with their users.

A good example of this and one that many marketers aren’t aware of, is that businesses are often able to market to existing customers without their explicit consent.

Here’s how:

If your organization has obtained an individual’s contact details ‘from a customer … in the context of the sale of a product or service’ a separate explicit consent to direct marketing may not be required if the following conditions are met:

  1. the direct marketing is in respect of your organization’s similar products and services only; and
  2. the individual has been given a simple means of refusing the use of their contact details for direct marketing purposes, at the time that the details were initially collected, and, if they did not initially refuse the use of the details, in each subsequent communication.

So, in simple terms, if you’re contacting someone who has bought from you before, you’re talking about a similar product/service and you gave them the opportunity to refuse direct marketing when they made the purchase you should be fine.  This is often referred to as the “soft opt-in

An obvious question arises here: What if there was an opt in box for marketing that the customer didn’t click, can we market to them based on the soft opt-in?

Short answer – no.  Why? Because the customer was not given a simple way to refuse their details being used for direct marketing, they were only presented with an option to opt in to direct marketing which they did not take.  Even if the customer was given further information about potential marketing communications, e.g., with a link to a privacy policy that adequately dealt with marketing communications and fully informed the customer about how to opt out of receiving marketing communications, including unsubscribe links and text, etc, it would not be enough.  They must be presented with a means to opt-out or refuse direct marketing at the time of collection.

Example of compliant collection where the soft opt-in can be relied on:

Compliant collection form

Example of non-compliant collection practice:

Non-Compliant collection form

What about using a pre-ticked opt-in box?

A common collection practice that is seen in many online shops is a pre-ticked opt-in box.  As covered in this article, a pre-ticked opt-in box is not considered valid consent under GDPR or ePrivacy Directive, so should never be used if relying on consent as the legal basis.  But since the legal basis for the soft opt-in is legitimate interest and not consent, one might wonder if a pre-ticked opt-in box can be used.  Let’s explore this below.

pre-ticked opt-in box

While a pre-ticked opt-in box does allow a customer to refuse marketing as they can untick the box to show they do not wish to receive direct marketing, there are flaws/gaps with this collection practice.  Some of the issues here are:

  • The customer is not informed about their right to opt-out of direct marketing at any time.
  • There is no mention of the privacy policy where further information about direct marketing practices should be explained.
  • Many European supervisory authorities recommend using an opt-out box, so it is unclear how they would look upon a pre-ticked opt-in box.

So, while a pre-ticked opt-in box may technically fulfil the requirement of giving the customer a means to refuse direct marketing, it is not airtight.  It is strongly recommended to use an opt-out box instead.  

This highlights the importance of having your collection practices and opt-in/opt-out boxes configured correctly at every collection point on your website.  Obviously, there are always nuances involved and the laws differ depending on jurisdiction. Our Collect product automates this for you and if you want to discuss the issue in more depth, we’re always on hand to help so don’t hesitate to contact us on either or

Your first-party data strategy for Shopify

Over the last 5 years, customer acquisition costs have grown by over 60%, and this trend is only set to continue. See how your Shopify business can spend less and sell more with a first-party data strategy.