GDPR Marketing Consent Checklist — Article 6/7 Lawful Basis for Marketing

GDPR Article 6(1) requires a lawful basis before any processing. For marketing: consent (Article 6(1)(a)) or legitimate interests (Article 6(1)(f)) are the two applicable bases. Consent is required for: email marketing to non-customers, SMS marketing, cookie-based behavioural advertising, and any profiling that informs marketing decisions. Legitimate interests may apply for postal marketing and direct marketing to existing business contacts — but requires a balancing test. Document the basis for each channel in your Article 30 ROPA.

Valid consent must be: freely given (no detriment for refusal, not bundled with terms), specific (separate for each marketing purpose and channel), informed (clear identity of controller, description of processing, right to withdraw), and unambiguous (explicit affirmative action — no pre-ticked boxes, no silence, no inactivity). Test each consent mechanism against all four criteria. A single consent for 'all marketing' is not sufficiently specific if you send email, SMS, and push notifications separately.

Article 7(1) places the burden of proof on the controller to demonstrate valid consent. Consent records must capture: the text of the consent request presented to the individual, the date and time of consent, the version of the privacy notice at the time of consent, the IP address or device identifier, and any pre-selected states of checkboxes. Retain records for as long as you process data under that consent plus a period for dispute resolution.

Article 7(3) requires withdrawal to be as easy as giving consent. For email marketing: a one-click unsubscribe link in every email — not a multi-step process requiring account login or email confirmation. For SMS: a STOP reply mechanism. For cookies: users must be able to withdraw cookie consent as easily as they granted it, without requiring navigation to a buried settings menu. Log withdrawal with timestamp and cease processing immediately.

Pre-ticked boxes and default-on consent are explicitly invalid under GDPR (Recital 32). Conduct an audit of every consent collection touchpoint: registration forms, checkout flows, preference centres, cookie banners, and pop-ups. Remove any pre-selection. Ensure consent for marketing is separate from consent to terms of service — bundling invalidates both. This is one of the most commonly cited enforcement violations.

Under GDPR Article 6(1)(a) and the ePrivacy Directive, non-essential cookies (advertising, analytics, tracking) require prior informed consent before placement. Your cookie banner must: offer a genuine 'Reject All' option with equal prominence to 'Accept All', not use dark patterns (grey-out reject button, 'X' that accepts), provide granular purpose-level controls, and not set non-essential cookies before consent is obtained. Document cookie categories, purposes, and vendors in a Cookie Policy.

Legitimate interests for direct marketing (Recital 47) requires a three-part test: (1) the interest must be legitimate and lawful, (2) processing must be necessary for that interest, and (3) the interest must not be overridden by the data subject's interests, rights, and freedoms. Document the LIA for each marketing activity relying on legitimate interests. Consider: the individuals' reasonable expectations, the sensitivity of the data, the severity of impact. The LIA must be documented before processing begins.

Your Privacy Notice must describe marketing processing under Articles 13 and 14, including: the purposes (marketing communications via specific channels), the lawful basis, the categories of data used (email address, purchase history, browsing behaviour), any profiling or automated decision-making, data sharing with third-party marketing platforms, and the right to object under Article 21 (for legitimate interests) or withdraw consent under Article 7.

When an individual opts out or withdraws consent, their suppression must propagate to all marketing systems within the maximum timeframe communicated (typically within 10 business days, with immediate effect being the EDPB expectation). Maintain a suppression list that covers email, SMS, and any third-party marketing platforms. Regularly audit CRM, email service provider, and ad platform audience lists for suppressed contacts.

Article 21(2) gives individuals an absolute right to object to processing for direct marketing, which cannot be overridden by a legitimate interests balancing test. When an individual objects to direct marketing processing, you must cease that processing immediately — there is no proportionality assessment. The right to object must be explicitly communicated in your Privacy Notice and at the point of first contact.

Purchased email lists, data broker lists, and lookalike audience sources must have been collected with GDPR-compliant consent that covers your specific marketing purposes. Article 14 requires informing individuals about second-use of their data within one month. Verify that any third-party list provider can demonstrate the lawful basis under which they collected the data and that it extends to your marketing use case.

Collect only the personal data strictly necessary for the marketing purpose (Article 5(1)(c)). Do not collect date of birth if your marketing does not require age segmentation. Do not retain full purchase histories if you only need category-level data for segmentation. Define and document data fields used for marketing and justify each. Set automated deletion rules for marketing data once the purpose is achieved or consent is withdrawn.

Article 8 sets 16 as the default age below which parental consent is required for information society services (member states can lower this to 13). For marketing to under-18s generally, higher standards apply. If your service is directed at or likely to attract minors, implement age verification and enhanced consent mechanisms. The ICO's Children's Code applies to UK-based services — similar standards are being adopted across the EU.