Marketing Consent in 2026: What Needs Opt-In and What Doesn’t
Most teams still talk about consent as if it were one checkbox. It is not. marketing consent changes by channel, jurisdiction, and what you plan to do with the data after you collect it.

That is why a form that works for a U.S. email campaign can fail for SMS, and why a California opt-out flow solves a different problem than an EU cookie banner. If you are trying to simplify the issue, start here: separate outreach, tracking, and downstream ad use before you write a single checkbox label.
The channel matters more than the checkbox
A usable consent model starts with the channel, not the campaign.
| Channel or use case | Common rule in 2026 | What your team should keep | | — | — | — | | EU/UK promotional email | Consent is often required, though a soft opt-in may apply in some cases | Capture wording, source form, timestamp, and withdrawal state | | U.S. commercial email | CAN-SPAM is generally an opt-out regime, not a blanket prior opt-in rule | Unsubscribe proof, sender identity, and suppression controls | | U.S. telemarketing texts and calls | Prior express written consent may be required for many promotional texts and robocalls | Consent language, timestamp, number source, and revocation history | | EU/UK analytics or ad cookies | Non-essential cookies need consent before they are set | Banner version, category choices, and consent logs | | California ad targeting or data sharing | Opt-out rights and preference handling are central under the CCPA/CPRA | Notice at collection, opt-out path, and preference state |
The law behind that table is not mysterious. The GDPR still defines consent as freely given, specific, informed, and unambiguous, and says withdrawing it must be as easy as giving it. In April 2026, the ICO updated its detailed guidance on electronic mail marketing to reflect the UK Data (Use and Access) Act changes, including the new charitable soft opt-in route. In the U.S., the FTC’s CAN-SPAM guidance still focuses commercial email on truthful sending, clear identification, and a working unsubscribe process rather than universal advance opt-in. California keeps pushing a different point: people need a real way to say no to the sale or sharing of personal information and to limit certain sensitive-data uses.
If you need the Europe-specific version of this question, our guide to GDPR marketing consent goes deeper on the lawful basis and proof standard.
What regulators are signaling right now
The practical trend is pretty clear. Regulators are less interested in your policy language than in the live user journey.
That shows up in current guidance. When the ICO published its final storage and access technologies guidance in April 2026, William Malcolm said businesses wanted “clear, practical guidance.” That sounds simple, but it is also a design brief. Your banner, signup form, preference center, and downstream tooling should line up closely enough that a normal person can understand what they accepted and reverse it later.
The EDPB has pushed the same logic from the advertising side. Chair Anu Talus said users should get a “real choice” in consent-or-pay models. Different fact pattern, same lesson for marketers: if the yes path is instant and the no path is slow, hidden, or fragmented, the interface is already doing legal damage.
California has been just as blunt on execution. In May 2025, the CPPA fined retailer Todd Snyder after its privacy request infrastructure failed to process opt-out requests for 40 days. Michael Macko put the operational point better than most privacy memos do: “Using a consent management platform doesn’t get you off the hook for compliance.” That line matters because many consent failures now come from bad configuration, not bad intentions.
If your team still treats marketing consent as one combined permission for newsletters, SMS, partner promotions, audience building, and tracking, this is where the cracks usually start.
What good records look like
Specific wording matters, but record quality matters more. When regulators ask questions, they usually want to know what the person saw, what they selected, and whether your systems respected that choice later.
Strong proof usually includes:
- the identity or identifier tied to the choice
- the exact wording shown at the time
- the channel or purpose selected
- the timestamp and source page or tool
- later changes, withdrawals, or sync events

This is where many teams get tripped up. Email permission is not SMS permission. A newsletter signup is not permission for retargeting. A cookie banner is not a blanket approval for every downstream marketing use. If those choices are bundled together, the record becomes hard to defend and even harder to operationalize.
Our opt-in consent guide is a useful companion if your team is still sorting out when explicit permission is actually required. For tracking-heavy sites, pair this with our breakdown of cookie consent requirements.
A fast pre-launch check for marketing teams
Before a campaign goes live, ask five blunt questions:
- Which exact channel is this permission for?
- Which exact purpose is the person agreeing to?
- Is refusing as easy as accepting?
- Which law or regulator view supports that standard?
- Could your team prove all of that six months from now?
If the answer to any of those is fuzzy, the form is probably doing too much or the system behind it is logging too little.
marketing consent works when it is narrow, honest, and easy to reverse. The teams that handle it well in 2026 ask for the minimum permission they actually need, split channels and purposes cleanly, and keep proof that a real person can read later.
Sources
- UK Information Commissioner’s Office
- European Data Protection Board
- U.S. Federal Trade Commission
- U.S. Federal Communications Commission
- California Privacy Protection Agency
- California Department of Justice