29 April 2026 · Last reviewed 23 February 2026

GDPR Consent Management for Email Marketing: What UK Businesses Get Wrong

Say "consent management" to most UK business owners and they think of cookie banners. The pop-up on their website. The tool that records whether visitors accept or decline tracking cookies.

That is consent management for one specific regulation (PECR Regulation 6, covering cookies and similar technologies). It has almost nothing to do with the consent management that matters most for businesses doing email marketing — and the gap between these two things is where compliance falls apart.

The two consent management problems

Problem 1: Cookie consent. Solved by CMPs (consent management platforms) like Cookiebot, CookieYes, and OneTrust. These tools manage the PECR Regulation 6 requirement to get consent before storing cookies on user devices. Mature market. Widely understood. Not what this article is about.

Problem 2: Marketing communication consent. The evidence that each person on your email list agreed to receive marketing from your organisation, under conditions that satisfy both PECR Regulation 22 and UK GDPR. This includes documenting the consent wording they saw, when they agreed, how they opted in, and whether soft opt-in conditions were met. Almost no tool handles this.

When a business searches for "GDPR consent management," they most commonly find cookie consent tools. The email marketing consent problem — which is where the ICO's PECR enforcement actions actually land — goes unaddressed.

What GDPR requires for marketing consent

Under UK GDPR, if you use consent as your lawful basis for processing personal data for marketing purposes, that consent must be:

Freely given. The person must have a genuine choice. Consent cannot be a condition of service — "agree to marketing or you can't use our product" is not valid.

Specific. The person must agree to the specific processing activity. "I consent to receive email marketing about running gear from RunShop Ltd" is specific. "I agree to data processing" is not.

Informed. The person must know what they are agreeing to. Who will contact them, about what, through which channels.

Unambiguous. There must be a clear affirmative action: a checkbox the person ticked themselves (not one presented pre-ticked), a signed form, or a clicked button with clear labelling. Silence, inactivity, or pre-ticked boxes are not consent.

Documented. You must be able to demonstrate that consent was given. GDPR Article 7(1) states: "Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented."

These requirements apply at the point of collection and for as long as you rely on that consent.

Where businesses go wrong

1. Recording that consent was given, but not what it covered

Your ESP records show that someone subscribed on a given date. That tells you consent was given (probably). It does not tell you what they were told. What categories of marketing were described? What channels? Was your company name visible in the consent text?

If you changed your signup form six months ago, you have no record of what the previous version said. Subscribers who joined under old wording are covered by that wording — not today's version.

2. Using legitimate interest but not documenting the assessment

If you rely on legitimate interest rather than consent as your GDPR lawful basis for marketing, you need a documented Legitimate Interests Assessment. Many businesses claim legitimate interest without completing the three-part test: (1) purpose — is there a legitimate interest? (2) necessity — is the processing necessary for that purpose? (3) balancing — do the individual's interests override yours?

Without the documented assessment, you cannot demonstrate that you have a lawful basis, which under the accountability principle is the failure the ICO will act on. And even with it, PECR Regulation 22 still requires consent or soft opt-in before sending marketing email to individual subscribers; GDPR legitimate interest alone is not enough for email. See our GDPR vs PECR comparison for the full breakdown.

3. Treating cookie consent tools as email consent tools

Cookie consent platforms manage Regulation 6 (cookies). Email marketing consent falls under Regulation 22 (electronic marketing). These are different provisions with different requirements. A CMP that perfectly manages cookie preferences does nothing for your email marketing consent records.

The UK email marketing laws guide explains where the two laws and their consent requirements diverge.

4. No consent withdrawal mechanism beyond unsubscribe

GDPR Article 7(3) states that withdrawing consent must be as easy as giving it. An unsubscribe link in emails handles email opt-out. But can someone withdraw their consent for data processing more broadly? If a subscriber wants their data deleted (not just unsubscribed), your system needs to handle that. Many businesses suppress the email address in their ESP but continue holding the personal data elsewhere.

5. No records surviving ESP migrations

You switched from Mailchimp to HubSpot two years ago. The subscriber list migrated as a CSV. The consent metadata — when each person subscribed, what form they used, what the wording said — was lost in the migration. For those contacts, you have no demonstrable consent. If the ICO asks, you cannot produce the evidence.

What consent management for email marketing actually looks like

A functional email marketing consent management system — whether built from spreadsheets or purpose-built tools — needs to:

Version consent wording. Store the exact text shown at each collection point, with date ranges. When the wording changes, archive the old version. Link each subscriber to the wording version they saw.

Record per-contact evidence. For each person: when they consented, what they saw, how they opted in (web form, paper, phone), what categories they agreed to, and whether it was explicit consent or soft opt-in.

Document soft opt-in separately. For contacts relying on soft opt-in, record the sale or negotiation in which the contact details were collected, the justification that the marketing concerns similar products or services, the opt-out offered at the point of collection, and the opt-out included in every message since. This evidence is distinct from explicit consent records, and each of the four conditions needs its own entry.

Handle consent withdrawal. When someone unsubscribes, record the date and action taken. When someone requests data deletion, process it across all systems — not just the ESP.

Survive migrations. Consent records must transfer when you change platforms. Export and import must preserve the full evidence chain, not just email addresses and subscription status.

Produce ICO-ready evidence. When asked, you should be able to pull up a specific subscriber's complete consent record in minutes, in a format that speaks for itself. The consent records retention guide covers what to store and for how long.
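As an added example (not a tool from this page or any real product), here is a minimal Python consent ledger that implements the six points above: wording versions are archived with a content hash rather than overwritten, each consent event links to the version the subscriber actually saw, soft opt-in records are rejected unless every listed piece of evidence is present, withdrawals are logged with their date and action, and export/import carries the whole chain and refuses a file whose wording text no longer matches its hash. The class and field names, the sample wording and the three sample subscribers are all assumptions constructed for the example.

```python
# Added illustration of a consent ledger; names, fields and sample data are assumptions.
import hashlib
import json
from dataclasses import asdict, dataclass, field
from typing import Optional

@dataclass
class WordingVersion:
    version_id: str
    text: str                       # exact text the subscriber saw
    valid_from: str                 # ISO date it went live
    valid_to: Optional[str] = None  # None while this is the current wording
    sha256: str = ""                # recomputed from text on load

    def __post_init__(self):
        # Hash the exact text so a lossy migration or a later edit is detectable.
        self.sha256 = hashlib.sha256(self.text.encode("utf-8")).hexdigest()

@dataclass
class ConsentEvent:
    email: str
    version_id: str                 # archived wording they saw
    timestamp: str                  # ISO 8601
    mechanism: str                  # "web_form", "paper", "phone"
    categories: list                # e.g. ["running gear"]
    basis: str                      # "consent" or "soft_opt_in"
    soft_opt_in: dict = field(default_factory=dict)

@dataclass
class Withdrawal:
    email: str
    timestamp: str
    action: str                     # "unsubscribe" or "erasure"

# Evidence every soft opt-in record must carry (the conditions listed in the text).
SOFT_OPT_IN_FIELDS = {"sale_or_negotiation", "similar_products", "opt_out_offered_at_collection"}

class ConsentLedger:
    def __init__(self):
        self.wordings, self.events, self.withdrawals = {}, [], []

    def publish_wording(self, version_id, text, valid_from):
        # Close the current version instead of overwriting it; old subscribers stay linked to it.
        for w in self.wordings.values():
            if w.valid_to is None:
                w.valid_to = valid_from
        self.wordings[version_id] = WordingVersion(version_id, text, valid_from)

    def record_consent(self, event):
        if event.version_id not in self.wordings:
            raise ValueError("consent must reference an archived wording version")
        if event.basis == "soft_opt_in":
            missing = SOFT_OPT_IN_FIELDS - set(event.soft_opt_in)
            if missing or not event.soft_opt_in.get("opt_out_offered_at_collection"):
                raise ValueError(f"soft opt-in evidence incomplete: {sorted(missing) or 'opt-out not offered'}")
        self.events.append(event)

    def record_withdrawal(self, withdrawal):
        self.withdrawals.append(withdrawal)

    def reconstruct(self, email):
        """Full chain for one contact with the wording text resolved, not just a subscribed flag."""
        consents = [{**asdict(e), "wording_text": self.wordings[e.version_id].text,
                     "wording_sha256": self.wordings[e.version_id].sha256}
                    for e in self.events if e.email == email]
        withdrawn = [asdict(x) for x in self.withdrawals if x.email == email]
        last_consent = max((c["timestamp"] for c in consents), default="")
        last_withdrawal = max((x["timestamp"] for x in withdrawn), default="")
        return {"email": email, "consents": consents, "withdrawals": withdrawn,
                "active": last_consent > last_withdrawal}  # ISO timestamps sort lexically

    def export_json(self):
        # Whole evidence chain, not just addresses and a flag, so a migration keeps it.
        return json.dumps({"wordings": [asdict(w) for w in self.wordings.values()],
                           "events": [asdict(e) for e in self.events],
                           "withdrawals": [asdict(x) for x in self.withdrawals]}, indent=2)

    @classmethod
    def import_json(cls, blob):
        data, ledger = json.loads(blob), cls()
        for w in data["wordings"]:
            expected = w.pop("sha256")
            version = WordingVersion(**w)       # recomputes the hash from the text
            if version.sha256 != expected:
                raise ValueError(f"wording {version.version_id} was altered in transit")
            ledger.wordings[version.version_id] = version
        ledger.events = [ConsentEvent(**e) for e in data["events"]]
        ledger.withdrawals = [Withdrawal(**x) for x in data["withdrawals"]]
        return ledger

def build_demo_ledger():
    """Constructed sample data (not real subscribers) exercising each record type."""
    ledger = ConsentLedger()
    ledger.publish_wording("v1", "I consent to receive email marketing about running gear from RunShop Ltd", "2024-01-01")
    ledger.publish_wording("v2", "I consent to receive email marketing about running gear and events from RunShop Ltd", "2024-07-01")
    ledger.record_consent(ConsentEvent("alice@example.com", "v1", "2024-03-10T09:14:00Z", "web_form", ["running gear"], "consent"))
    ledger.record_consent(ConsentEvent("bob@example.com", "v2", "2024-09-02T16:40:00Z", "web_form", ["running gear"], "soft_opt_in",
        {"sale_or_negotiation": "order 1042 on 2024-09-02", "similar_products": "running shoes -> running gear",
         "opt_out_offered_at_collection": True}))
    ledger.record_consent(ConsentEvent("carol@example.com", "v1", "2024-05-20T11:02:00Z", "paper", ["running gear"], "consent"))
    ledger.record_withdrawal(Withdrawal("carol@example.com", "2025-01-05T08:00:00Z", "unsubscribe"))
    return ledger
```

reconstruct() is the ICO-ready query: one call returns what the contact saw, when, through which mechanism, under which basis, and whether a later withdrawal has made the consent inactive. In practice the records would live in a database rather than in memory, but whatever the storage, the point the export makes stands: a migration file must carry the wording table and the event history, not only addresses and a subscribed flag, and the receiving side should verify it before trusting it.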

What to do now

Step 1: Audit your current consent evidence. Pick five subscribers at random and try to reconstruct their full consent chain — wording, date, source, mechanism. The PECR compliance checklist walks through all 15 evidence requirements.

Step 2: Check your consent wording. The Consent Wording Checker evaluates whether your form language meets the specificity requirements under both GDPR and PECR.

Step 3: Separate your cookie consent management from your email marketing consent management. They are different problems requiring different records.

Step 4: If you rely on legitimate interest for any contacts, document the assessment. If you rely on soft opt-in, document all four conditions.

Step 5: Run the PECR compliance checker for a quick gap assessment. It covers consent records, soft opt-in documentation, and third-party data risks.

The most expensive consent management failure is not a missing cookie banner. It is an ICO investigation where you cannot demonstrate that your email subscribers agreed to receive marketing — because the evidence was never recorded, was lost in a platform migration, or exists only as a generic subscription flag in an ESP that does not store what the subscriber was actually told.

That is the consent management problem worth solving.