GDPR Marketing Consent Checklist — Article 6 & 7 Lawful Basis

GDPR Article 6(1) requires a lawful basis before any marketing processing begins. Consent (Article 6(1)(a)) is required for email marketing to non-customers, SMS marketing, cookie-based behavioural advertising, and profiling used in targeting. Legitimate interests (Article 6(1)(f)) may apply to postal marketing and existing-customer email marketing but requires a Legitimate Interests Assessment. Document the basis per channel in your Article 30 Record of Processing Activities — a single entry for 'marketing' covering all channels is not sufficient.

Valid consent must be: freely given (no detriment for refusal, not a condition of service), specific (separate consent for each distinct purpose and channel), informed (identity of controller, processing description, right to withdraw must all be clear at the point of consent), and unambiguous (requires a positive opt-in action — no pre-ticked boxes, no silence, no inactivity). Test every consent touchpoint against all four criteria. A single checkbox for 'all marketing' is not specific enough if you operate email, SMS, and push channels separately.

The controller bears the burden of proof for valid consent. Records must capture: the exact text of the consent request shown to the individual, timestamp of consent, version of the privacy notice in effect, IP address or device identifier, and the pre/post state of any checkboxes. Store consent records separately from marketing lists so they remain available if the marketing data is deleted. Retain for the duration of processing plus a reasonable dispute period (typically 3–5 years).

Article 7(3) requires withdrawal to be as easy as giving consent. For email: a one-click unsubscribe link in the footer of every message — not a link to a preference centre requiring login. For SMS: a STOP-reply mechanism that takes immediate effect. For cookies: a consent management platform that allows users to withdraw from a single accessible location without navigating multiple screens. Log every withdrawal with timestamp and apply it immediately to all systems.

Pre-ticked boxes and default-on consent are explicitly invalid (Recital 32). Conduct a systematic audit of every consent collection point: registration forms, checkout flows, preference centres, cookie banners, pop-ups, and app onboarding. Remove any pre-selection. Marketing consent must be separate from consent to terms of service — bundling both into one checkbox invalidates both. The audit should also cover third-party embedded forms and checkout widgets where consent language may be inherited.

Non-essential cookies (advertising, analytics, social tracking) require prior informed consent under GDPR Article 6(1)(a) and the ePrivacy Directive. Your CMP must: present a genuine 'Reject All' option with equal visual prominence to 'Accept All', avoid dark patterns (greyed-out reject buttons, X buttons that accept consent, misleading colour contrast), provide granular purpose-level controls, and not fire tracking tags before consent is received. Cookie walls that deny access for refusing non-essential cookies are generally unlawful.

Using legitimate interests (Recital 47) for direct marketing requires a three-part documented test: (1) identify a legitimate, lawful purpose; (2) demonstrate processing is necessary and there is no less intrusive alternative; (3) balance that interest against the individual's rights, freedoms, and reasonable expectations. The LIA must be completed before processing begins and stored as part of your compliance record. Factor in sensitivity of data, scale of processing, and whether recipients would reasonably expect the marketing.

Article 21(2) provides an unconditional right to object to processing for direct marketing purposes. Unlike other objection rights, this one cannot be overridden by a legitimate interests balancing test. When an individual objects to direct marketing, you must cease all marketing processing immediately — there is no proportionality consideration. The right must be explicitly described in your Privacy Notice and communicated at the point of first contact. Set up automated workflows to enforce objections across all marketing systems.

Your Privacy Notice must describe marketing-specific processing: the purposes and lawful basis for each channel, categories of data used (email, purchase history, behavioural data), any profiling used for targeting, data sharing with advertising platforms and data brokers, retention periods, and the right to withdraw consent or object under Article 21. For data obtained from third parties, Article 14 requires notification within one month of obtaining the data.

Opt-outs and consent withdrawals must be applied to every marketing touchpoint: email service providers, SMS platforms, CRM systems, advertising platforms (Facebook Custom Audiences, Google Customer Match), data management platforms, and any third-party processors. Define and document the suppression propagation timeframe (immediate is expected; 10 business days is the maximum acceptable). Conduct quarterly audits to verify that opted-out contacts do not appear in any active audience segments.

Purchased lists, data broker files, and lookalike audience seeds must have been collected under a lawful basis that extends to your specific marketing purpose. Under Article 14, you must inform individuals about second-use processing within one month. Require data providers to supply a Data Provenance Document or Controller-to-Controller data agreement specifying the original lawful basis, collection context, and permitted purposes. Any third-party source that cannot evidence compliant collection must not be used.

Consent that has been dormant — no opens, clicks, or engagement — for a prolonged period may no longer reflect a freely given, current expression of intent (EDPB guidance). Define a re-engagement policy: typically, send a consent re-confirmation email to subscribers with no activity in 12–18 months. If no positive re-confirmation is received, remove from active marketing lists. Document this policy and apply it automatically. Retain consent records even after removal for evidence purposes.

Article 8 sets 16 as the default age requiring parental consent for information society services (member states can lower to 13). For marketing services likely to attract under-16s, implement age verification, obtain verifiable parental consent, and apply the ICO's Children's Code standards. Do not use profiling or behavioural advertising for users identified or reasonably suspected to be under 18. Map data sources to identify any under-18 contacts in your marketing database.

Collect only the personal data fields strictly necessary for the stated marketing purpose (Article 5(1)(c)). If your email marketing does not use date of birth for segmentation, do not collect it. If you only need category-level purchase history, do not store transaction-level detail. Review every field in your marketing intake forms, sign-up pages, and preference centres. Set automated deletion schedules for fields that exceed their retention purpose.

A Data Protection Impact Assessment is required before processing likely to result in high risk under Article 35. For marketing: systematic profiling using sensitive categories of data, large-scale behavioural tracking, use of new technologies (AI-driven targeting, emotional inference), or processing that combines datasets from multiple sources to create detailed profiles. The DPIA must identify risks and document mitigations. Maintain the DPIA as a living document updated when processing changes.

If marketing data is transferred to a third country (e.g., US-based email service providers, advertising platforms), ensure the transfer mechanism is lawful: adequacy decision, Standard Contractual Clauses (SCCs), or Binding Corporate Rules. Post-Schrems II, SCCs must be supplemented by a Transfer Impact Assessment (TIA) where the recipient country's law may impair the SCCs' effectiveness. US-based processors must be covered by EU-US Data Privacy Framework certification or current SCCs.

Your Article 30 ROPA must cover marketing processing: controller and DPO contact details, purposes and lawful basis for each marketing channel, data categories, recipient categories (advertising platforms, analytics providers, data brokers), third-country transfer mechanisms, and retention periods. Keep the ROPA current — review at least annually and when processing changes. The ROPA must be made available to the supervisory authority on request.

Schedule annual (or more frequent) internal audits of the entire marketing consent lifecycle: consent collection mechanisms, withdrawal processing, suppression list hygiene, third-party data sources, CMP configuration, and data flows to advertising platforms. Document audit scope, findings, and remediation actions. Use audit findings to update training materials and procedures. Engage the DPO in audit planning and sign-off.