Consent is the foundation of compliant email sending. Under GDPR, CASL, and other privacy regulations, sending commercial email without valid consent can result in significant fines and damage to your sending reputation. Even where consent is not legally required (such as under CAN-SPAM’s opt-out model), obtaining it is a best practice that improves engagement and reduces spam complaints.
Strong consent practices protect you legally, improve your deliverability, and build trust with your recipients. Lists built on genuine consent consistently outperform purchased or scraped lists.

Single vs Double Opt-In

The two most common consent collection methods are single opt-in and double opt-in. Each has trade-offs.

Single Opt-In

The recipient submits their email address through a form and is immediately added to your list. No confirmation step is required.

Pros: Lower friction, larger list growth, simpler to implement.
Cons: Higher risk of invalid addresses, typos, and bot signups. Weaker evidence of consent for GDPR compliance.

Double Opt-In

After submitting the form, the recipient receives a confirmation email and must click a link to verify their address. Only confirmed addresses are added to the list.

Pros: Stronger consent evidence, cleaner lists, fewer spam complaints, better deliverability.
Cons: Some recipients never complete confirmation (expect 10–30% drop-off), slightly more complex to implement.

Factor | Single Opt-In | Double Opt-In
Consent strength | Moderate | Strong
List quality | Lower (typos, bots) | Higher (verified addresses)
GDPR compliance | Acceptable but harder to prove | Recommended — clear audit trail
CASL compliance | Acceptable for express consent | Strongest evidence of express consent
List growth rate | Higher | Lower (10–30% drop-off)
Deliverability impact | Neutral to negative | Positive
If you send to EU or Canadian recipients, double opt-in is strongly recommended. It provides the clearest evidence of consent and produces the highest-quality lists.
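The confirmation link is what turns a form submission into evidence of consent, so it must be unguessable, bound to the submitted address and purposes, and time-limited. The following is an added example (not code from the original page) showing one way to build and verify such a token with an HMAC; the secret key, the 24-hour validity window and the confirmation URL are assumptions for illustration.

```python
"""Double opt-in confirmation tokens: HMAC-signed, expiring, bound to the address.

Added example, not code from the original page. The secret key, the 24-hour
validity window and the URL path are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Assumption: in production, load this from a secrets manager; never hard-code it.
SECRET_KEY = b"replace-with-a-32-byte-random-secret"
TOKEN_TTL_SECONDS = 24 * 60 * 60  # assumed 24-hour confirmation window


def _b64e(raw: bytes) -> str:
    """URL-safe base64 without padding, so the token survives in a query string."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_confirmation_token(email: str, purposes: List[str],
                            now: Optional[float] = None) -> str:
    """Create a token binding the normalised address, the ticked purposes and an expiry.

    The HMAC over the payload means nobody can alter the email, purposes or
    expiry without the server's key, and the payload itself needs no database
    lookup to validate.
    """
    issued = int(now if now is not None else time.time())
    payload = {
        "email": email.strip().lower(),
        "purposes": sorted(purposes),
        "exp": issued + TOKEN_TTL_SECONDS,
    }
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    mac = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    return f"{_b64e(body)}.{_b64e(mac)}"


def verify_confirmation_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the token is authentic and unexpired, otherwise None."""
    try:
        body_part, mac_part = token.split(".", 1)
        body = _b64d(body_part)
        mac = _b64d(mac_part)
    except (ValueError, TypeError):
        return None  # malformed token
    expected = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    # Constant-time comparison: do not leak where the MAC first differs.
    if not hmac.compare_digest(mac, expected):
        return None
    payload = json.loads(body)
    current = now if now is not None else time.time()
    if current >= payload["exp"]:
        return None  # confirmation window has passed; ask them to sign up again
    return payload


def confirmation_link(token: str) -> str:
    """Assumed endpoint; the page does not specify a confirmation URL."""
    return f"https://yoursite.com/confirm?token={token}"


if __name__ == "__main__":
    tok = make_confirmation_token("Recipient@Example.com", ["consent_product"])
    print(confirmation_link(tok))
    print(verify_confirmation_token(tok))
```

On the confirmation click, the server verifies the token and only then writes the consent record, using the purposes carried in the token rather than anything resubmitted by the client.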

A consent form must clearly communicate what the recipient is signing up for. Vague or bundled consent is not valid under GDPR or CASL.

Required Elements

1. Clear description of what they will receive

Tell recipients exactly what emails you will send — newsletters, product updates, promotional offers, etc. Do not use vague language like “we may contact you.”

2. Frequency expectations

State how often you will send — weekly, monthly, or as applicable. Recipients should know what to expect.

3. Sender identification

Clearly identify your organization name so recipients know who will be emailing them.

4. Separate consent for separate purposes

If you send different types of email (e.g., product updates and partner offers), obtain separate consent for each. Bundling multiple purposes into a single checkbox is not valid under GDPR.

5. Unsubscribe disclosure

Inform recipients that they can withdraw consent at any time.

Example: Compliant Signup Form

<form action="/subscribe" method="POST">
  <label for="email">Email address</label>
  <input type="email" id="email" name="email" required />

  <fieldset>
    <legend>Email preferences</legend>

    <!-- One checkbox per purpose, none pre-checked: consent must be an affirmative action -->
    <label>
      <input type="checkbox" name="consent_product" />
      Send me product updates and feature announcements (approximately twice a month)
    </label>

    <label>
      <input type="checkbox" name="consent_marketing" />
      Send me promotional offers and discounts (approximately weekly)
    </label>
  </fieldset>

  <!-- Unsubscribe disclosure and sender identification -->
  <p style="font-size: 12px; color: #666;">
    You can unsubscribe at any time using the link in our emails.
    Your Company Inc. — 123 Main Street, New York, NY 10001
  </p>

  <button type="submit">Subscribe</button>
</form>
Never use pre-checked checkboxes. Under both GDPR and CASL, consent must be an affirmative action taken by the recipient. Pre-checked boxes do not count. Enforce this server-side as well: browsers omit unticked checkboxes from the submission, so treat an absent field as “no” and record consent only for a checkbox whose value actually arrived in the request.

You must be able to demonstrate that valid consent was obtained if challenged by a regulator or a recipient. The burden of proof is on you as the sender.

What to Record

For every consent record, store:
Field | Description
Email address | The address that was submitted
Timestamp | When consent was given (ISO 8601 format)
Source | Where consent was collected (URL, form name, event)
Method | How consent was collected (checkbox, double opt-in confirmation click)
IP address | The IP address of the person who submitted the form
Consent text | The exact wording presented at the time of consent
Form version | An identifier for the version of the form used
{
  "email": "recipient@example.com",
  "consent_given_at": "2025-09-15T14:22:00Z",
  "source": "https://yoursite.com/newsletter-signup",
  "method": "double_opt_in",
  "confirmed_at": "2025-09-15T14:25:12Z",
  "ip_address": "198.51.100.42",
  "consent_text": "Send me product updates and feature announcements (approximately twice a month)",
  "form_version": "signup_v4"
}
Under GDPR, you must also record the specific purposes the recipient consented to. Generic “opted in to email” records are insufficient if you send multiple types of email. Note that the IP address and timestamp in a consent record are themselves personal data: store them only to evidence consent, protect them like any other subscriber data, and apply your retention policy to them.
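Turning a form submission into records of this shape, one per purpose, and gating every send on a matching confirmed record is where most implementations go wrong. The following is an added example (not code from the original page) of both steps; the form-version table, the purpose names and the in-memory list of records are assumptions for illustration.

```python
"""Consent records: one record per purpose, capturing the exact wording shown,
plus a per-purpose check before sending.

Added example, not code from the original page. The form-version table,
purpose names and in-memory store are assumptions for illustration.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumed: the server keeps every version of the consent text it has ever shown,
# so the record can reproduce the exact wording even after the form is edited.
FORM_VERSIONS: Dict[str, Dict[str, str]] = {
    "signup_v4": {
        "consent_product": "Send me product updates and feature announcements (approximately twice a month)",
        "consent_marketing": "Send me promotional offers and discounts (approximately weekly)",
        "consent_partners": "I agree to receive offers from selected partners of Your Company.",
    },
}

# Form field -> purpose name stored on the record (assumed names).
PURPOSES = {
    "consent_product": "product_updates",
    "consent_marketing": "promotional",
    "consent_partners": "partner_offers",
}


def _iso_utc(dt: datetime) -> str:
    """ISO 8601 in UTC with a trailing Z, as in the record shown on the page."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_consent_records(form: Dict[str, str], form_version: str, source: str,
                          ip_address: str, method: str, given_at: datetime,
                          confirmed_at: Optional[datetime] = None) -> List[dict]:
    """Turn one submission into one record per purpose that was actually ticked.

    Browsers omit unticked checkboxes from the POST body, so an absent field is
    "no"; only a field that arrived counts as consent for that purpose.
    """
    texts = FORM_VERSIONS[form_version]
    email = form["email"].strip().lower()
    records = []
    for field, purpose in PURPOSES.items():
        if form.get(field) is None:
            continue  # box not ticked: no consent for this purpose
        records.append({
            "email": email,
            "purpose": purpose,
            "consent_given_at": _iso_utc(given_at),
            "confirmed_at": _iso_utc(confirmed_at) if confirmed_at else None,
            "source": source,
            "method": method,
            "ip_address": ip_address,
            "consent_text": texts[field],   # exact wording presented at the time
            "form_version": form_version,
        })
    if not records:
        raise ValueError("no purpose was ticked; nothing to record")
    return records


def has_consent(records: List[dict], email: str, purpose: str) -> bool:
    """Gate a send on a record for that exact purpose; pending double opt-in does not count."""
    email = email.strip().lower()
    for record in records:
        if record["email"] != email or record["purpose"] != purpose:
            continue
        if record["method"] == "double_opt_in" and record["confirmed_at"] is None:
            continue  # confirmation link never clicked
        return True
    return False


if __name__ == "__main__":
    # Constructed sample submission: only the product-updates box was ticked.
    submission = {"email": "Recipient@Example.com", "consent_product": "on"}
    recs = build_consent_records(
        submission, "signup_v4", "https://yoursite.com/newsletter-signup",
        "198.51.100.42", "double_opt_in",
        given_at=datetime(2025, 9, 15, 14, 22, tzinfo=timezone.utc),
        confirmed_at=datetime(2025, 9, 15, 14, 25, 12, tzinfo=timezone.utc),
    )
    print(recs)
    print(has_consent(recs, "recipient@example.com", "product_updates"))  # True
    print(has_consent(recs, "recipient@example.com", "promotional"))      # False
```

Keying the check on the purpose, not just the address, is what makes the separate-purpose consent above enforceable at send time.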

Consent is not permanent. It must be managed as your relationship with the recipient evolves. Even with valid consent, engagement declines over time. Recipients who signed up years ago and no longer open your emails are unlikely to still want them. Continuing to email disengaged recipients harms your deliverability and wastes resources. Best practices for managing consent over time:
  • Re-engagement campaigns — Send a targeted email to inactive recipients (e.g., no opens in 6+ months) asking if they still want to hear from you.
  • Sunset policies — Automatically suppress recipients who have not engaged in a defined period (typically 6–12 months).
  • Periodic consent refresh — For high-risk lists or long-inactive segments, ask recipients to reconfirm their subscription.
Under CASL, implied consent has explicit expiry dates: 2 years from the most recent purchase or transaction in a business relationship, and 6 months from an inquiry. Under GDPR, consent does not technically expire, but regulators expect you to refresh consent periodically if there is no ongoing relationship.
Track the date of last engagement (open or click) alongside consent records. This helps you identify recipients whose consent may still be technically valid but whose interest has clearly lapsed. Note that opens have become an unreliable signal since mail clients began prefetching images on the recipient’s behalf (Apple Mail Privacy Protection, for example), so weight clicks and other explicit actions more heavily than opens when judging engagement.
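The rules above combine into a single decision per recipient: has the legal basis lapsed, and if not, are they engaged enough to keep sending? The following is an added example (not code from the original page) of that decision logic. The CASL lifetimes come from the text; the 6-month re-engagement and 12-month sunset thresholds are picked from the ranges the text gives, and the consent type names are assumptions.

```python
"""Is this recipient still mailable? CASL implied-consent expiry, sunset
suppression and re-engagement triggers combined into one decision.

Added example, not code from the original page. Thresholds and consent type
names are assumptions chosen from the ranges the text gives.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

# CASL implied-consent lifetimes from the text: 2 years from the most recent
# purchase/transaction, 6 months from an inquiry. For a business relationship,
# consent_at should therefore be the date of the latest transaction.
CASL_IMPLIED_TTL = {
    "implied_business_relationship": timedelta(days=2 * 365),
    "implied_inquiry": timedelta(days=182),
}
REENGAGE_AFTER = timedelta(days=182)   # assumed: ~6 months without engagement
SUNSET_AFTER = timedelta(days=365)     # assumed: ~12 months without engagement


def mailing_decision(consent_type: str, consent_at: datetime,
                     last_engaged_at: Optional[datetime], now: datetime) -> str:
    """Return one of 'expired', 'suppress', 'reengage' or 'send'.

    Order matters: a lapsed legal basis wins over any engagement heuristic
    (engagement does not extend CASL implied consent), and a sunset suppression
    wins over a re-engagement attempt.
    """
    if consent_type in CASL_IMPLIED_TTL:
        if now - consent_at > CASL_IMPLIED_TTL[consent_type]:
            return "expired"  # must obtain express consent before sending again
    elif consent_type != "express":
        raise ValueError(f"unknown consent type: {consent_type}")

    # Someone who has never engaged is measured from the consent date itself.
    reference = last_engaged_at or consent_at
    inactive_for = now - reference
    if inactive_for > SUNSET_AFTER:
        return "suppress"   # sunset policy: stop sending automatically
    if inactive_for > REENGAGE_AFTER:
        return "reengage"   # one targeted "do you still want these?" email
    return "send"


if __name__ == "__main__":
    today = datetime(2025, 9, 15, tzinfo=timezone.utc)
    # Constructed sample recipients
    print(mailing_decision("express", today - timedelta(days=3 * 365),
                           today - timedelta(days=30), today))          # send
    print(mailing_decision("express", today - timedelta(days=2 * 365),
                           today - timedelta(days=240), today))         # reengage
    print(mailing_decision("express", today - timedelta(days=2 * 365),
                           today - timedelta(days=426), today))         # suppress
    print(mailing_decision("implied_inquiry", today - timedelta(days=213),
                           today - timedelta(days=7), today))           # expired
```

Run this over the whole list before each campaign; the "reengage" bucket feeds the re-engagement campaign, "suppress" and "expired" go onto the suppression list, and anyone who acts on a re-engagement email gets a fresh last-engagement date.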

If you plan to share recipient data with third parties or send emails on behalf of partners, you need separate, specific consent for this purpose. Bundling third-party sharing into a general email consent is not valid under GDPR.
<!-- Separate consent for third-party communications -->
<label>
  <input type="checkbox" name="consent_partners" />
  I agree to receive offers from selected partners of Your Company.
  <a href="/partners-list">View partner list</a>
</label>
Never assume that consent to receive your emails also covers emails from your partners or affiliates. Each sender needs their own consent.

Common Mistakes

Purchasing an email list does not transfer consent. The recipients consented to hear from the original collector, not from you. Sending to purchased lists without obtaining your own consent violates GDPR, CASL, and damages your deliverability.