At the beginning of this year, a decision by the CNIL put the question of whether or not brands need consent and opt-in to send a newsletter back in the spotlight. A €20,000 penalty was given to a start-up for sending prospecting emails without having previously collected consent and for failing to comply with several GDPR obligations. Can we talk to people who have not consented to receive communications?






Opt-in and opt-out: the different principles 


At Didomi, our mission is to enable companies to put consent at the core of their business strategies. Asking users to opt-in or out of communications is important because it allows users to have control over their personal data, companies to generate trust among consumers and greater efficiency in their marketing efforts.


On the one hand, prospecting messages (emails, newsletters, push notifications, SMS, telephone canvassing calls, etc.) meant to promote a service or a product are subject to the opt-in rule, and consent is mandatory, with some exceptions (e.g. B2B).


On the other hand, service messages (order confirmations, order tracking information, requests for advice, etc.) are not necessarily subject to the opt-in rule, i.e. consent is not required, since the legal basis for the communication may be the fulfilment of a contract. 


In which cases is consent required (B2C vs. B2B)?

On the one hand, in B2C (Business-to-consumer), i.e. in the context of sales to individuals, we need to have explicit opt-in from the individual being contacted. Therefore, consent is mandatory to send promotional emails and editorial newsletters.


However, in some cases, consent is not required to communicate with a particular prospect or customer. Consent is not required if and only if: 


  • The individual has purchased a product or service from the company;

  • The brand promotes "similar" products; 

  • Customers have been informed at the time of collection that their email address will be used for digital marketing with the opportunity to opt-out.


(Some may consider, regarding the third point, that this agreement is equivalent to consent, and we can understand why. However, according to the GDPR, consent must be free, specific, informed and unambiguous, and a simple mention that an email address will be used for marketing purposes does not equal a positive consenting action from the user.)


On the other hand, in B2B (Business-to-Business), there is no obligation for prospects or customers to explicitly opt-in to receive communications under 2 conditions:


  • The person was informed of the possibility of receiving communications at the time his or her details were collected and was given the opportunity to object;

  • The purpose of the request is related to the profession of the contacted person.


Remember that generic business addresses such as "" are not affected.


Written and verbal consent collection 


How to properly inform customers when collecting consent in writing?

At the time of collecting personal data, there may be a small obligatory statement informing users that their details will be used for commercial prospecting. The customer is required to answer negatively or positively by ticking the "yes" or "no" box. There is no way out of this. In this case, the trader clearly asks for consent.


But a problem arises when the trader does not make this choice mandatory. In this case, as many people will potentially not respond, a non-reply must be equivalent to an opt-out, and the merchant will only be able to send promotional emails if the customer has already made a purchase.


A concrete case: FNAC 

FNAC has opted for a different version. Indeed, it proposes a single box to be ticked which expresses the customer's disagreement to receive emails and newsletters (opt-out). If the customer ticks the box, it means that they do not wish to be informed. If they do not tick it, they will be able to receive the newsletter as long as, once the account has been created, they have made a purchase. 




How to properly inform customers in-store or over the phone? 

So, that’s a brief explanation of how to manage opt-in digitally, but it must also be possible to collect and manage consent in-store, over the phone or through any other form of verbal (non-written) communication.


If you want to ensure a smooth customer experience and increase user trust, you can build a consent architecture that seamlessly integrates the two. And that's where Didomi's double opt-in consent solution comes in. 


With Didomi's Preference Center, if a customer enters a shop and decides to sign up for brand communications, for example, they can either give their consent directly on a touch device provided by the salesperson (single opt-in), or request to receive an email allowing them to authenticate and update their consents in a dedicated Preference Center (double opt-in).


Didomi Whitepaper: Customer Permission in Retail & E-commerce 

For concrete examples, download our white paper and find out how to satisfy your customers and increase your sales while remaining compliant.





Let’s clarify things! 


How to handle those who have opted-out of communications?

You can, legally, promote to customers that have opted-out of communications if and only if they have never objected to receiving promotional emails and newsletters, or if they have already made a purchase. In the latter case, if the customer has purchased a product from your company, you can market a similar product or service to them. Let's take the example of a person who has bought a book from an e-retailer. If this e-retailer also sells DVDs, CDs, etc., they can promote these items to the customer as well.


How to handle those who have opted-in to communications?

Opt-in can be verified in several cases: 


  • When a shopping cart abandonment email is re-sent, it is no longer a service email, but it becomes prospecting because the customer is being offered a service that he or she has abandoned. The exception is, as always, the customer who has already purchased that product;

  • When the opt-out customer of a shop is going to receive an editorial newsletter that includes the content of that shop, we speak in this case of opt-in because it is a question of promoting brand image;

  • When the customer is asked to participate in a loyalty programme, this is a marketing strategy based on the individual's opt-in because he or she must give consent;

  • When the customer receives an email stating that their data will be deleted (with an incentive to return to the site).


What about the storage of personal data?

In principle, personal data relating to customers cannot be kept beyond the period strictly necessary for the management of the commercial relationship. In other words, once the party processing the data concludes that the purposes for which that data was collected have expired, there is no longer any point in keeping the data in the database.


There are two more specific cases:


  • Customer data used for commercial prospecting purposes may be kept for a period of three years from the end of the commercial relationship (e.g. from the end of a purchase, the expiry date of a guarantee, the end of a service contract or the last contact from the customer);

  • Personal data relating to a non-customer prospect may be kept for a period of three years from the date of collection by the party processing the data or from the last contact from the prospect (e.g. clicking on a hyperlink in an email, but not merely opening an email).


The CNIL recommends that prior consent to these conditions should be obtained by means of a checkbox (which should not be pre-ticked).


In conclusion, you can address contacts who have already made a purchase and who have not objected to receiving promotional emails. These are the fundamental rules that the CNIL will ensure you respect.


So, now you know the rules surrounding opt-in and opt-out, but do you know how to implement them? This is where the Didomi Preference Center comes into play.


The Didomi Preference Center 

A Preference Center is an area dedicated to managing subscription settings. More than an elaborate unsubscribe page, the Preference Center is a comprehensive system for collecting and managing consumer preferences across any channel and serves as the basis for better permission-based marketing.


It allows you to collect your users’ consent and preferences both online and offline (delegated consent), and to design the best consent workflows for them by giving them a simple way to manage their consents and preferences. 


It also allows users to reconfigure their choices at any time if they change their mind, allowing your brand to remain relevant and powerful in its marketing strategy.


Indeed, customers can choose:


  • On which channels they prefer to be contacted (phone, email, sms);

  • How often they want to be contacted (weekly, monthly, etc.);

  • Which subjects they like to be contacted about (sales, new products, etc.).

Setting up a Preference Center is the best way to create and maintain a real engagement with customers while remaining compliant with privacy regulations. 

