GDPR Consent Email: What to Send, What to Avoid, and What to Prove in 2026
A gdpr consent email usually appears when a list starts to look shaky. The CRM fields are thin, old signups are hard to explain, and someone suggests a repermission blast as a cleanup move.
That is usually the wrong starting point. Under Articles 4 and 7 of the GDPR, consent has to be specific, informed, unambiguous, and as easy to withdraw as it was to give. The controller also has to prove it. If your team cannot explain who agreed, to what, when, and through which interface, better copy will not rescue the record.
If you want the wider backdrop first, our guides to GDPR marketing consent, GDPR consent requirements, and GDPR cookie consent cover the broader framework. This article is narrower: when the email itself is defensible, what it should do, and what evidence you should keep in 2026.

When a gdpr consent email can work
Start with the first question, not the subject line: were you allowed to send the message at all?
The ICO’s direct marketing guidance, updated on April 28, 2026, says unsolicited marketing email to individual subscribers needs consent unless you can meet a narrow soft opt-in. For the standard products-and-services soft opt-in, the contact details must have been collected directly, during a sale or negotiations for a sale, the marketing must cover your own similar products or services, and the person must have had a simple opt-out at collection and in every later message.
France lands in a similar place. The CNIL’s guidance published on June 10, 2026 says B2C electronic prospecting rests, in principle, on prior consent. It also gives a useful boundary: creating an ecommerce account without buying anything does not, by itself, create the customer relationship needed for the existing-customer exception.
That is why Anu Talus’s phrase still lands. In 2024, the EDPB Chair said users need a “real choice”. The quote was about “consent or pay” models, but the test travels well. If the signup flow hides the no path, bundles unrelated purposes, or turns email permission into a condition of getting the service, the problem started before the message was sent.
Where repermission campaigns go wrong
I would be careful with the classic “please stay subscribed” blast. Sometimes it is useful. Often it is a sign that the underlying record is weak.
The CNIL opened a consultation on proof of consent for marketing on January 22, 2026 for a reason. It said many marketing activities rely on consent and that organisations need to be able to prove that consent was valid. That shifts the practical question. The issue is not whether a business can point to a click. The issue is whether the business can reconstruct the context around that click later.
A safer consent message is narrow. It does not smuggle in a sales pitch. It does not imply that silence keeps someone subscribed. It does not collapse newsletter updates, product launches, webinar invites, and third-party offers into one vague yes.
Email permission and pixel tracking are separate questions
Teams often blend these together. Regulators do not.
The ICO says the PECR marketing rules apply to the email itself, while tracking pixels are covered by PECR’s separate rules on storage and access technologies. The CNIL went further in April 2026 and published final recommendations on tracking pixels in emails, noting that these pixels can be used for different purposes such as audience measurement, personalisation, and deliverability.
That matters because a clean preference flow should separate choices by purpose. If the person wants product updates but not open-rate tracking for profiling, your setup should be able to reflect that. This is not flashy design. It is just a more honest one.

A practical example
If you already have a lawful route to contact the person, the job is usually to help them refine preferences, not to retroactively bless a messy database.
Subject: Choose which emails you want from DataShyre
>
Hi [First name],
>
We send privacy updates, product news, and occasional event invitations. Use your preference center to choose which email categories you want to receive.
>
Update my preferences
>
You can change your choices or unsubscribe at any time.
Why this works better than the usual repermission email:
- it names categories instead of asking for one fuzzy yes;
- it moves the real decision into a preference center where boxes can stay unchecked by default; and
- it gives the person a plain withdrawal path.
What it should not do is claim that inactivity counts as permission, use pre-ticked boxes, or blur email marketing with unrelated tracking choices.
What the workflow should record
The copy matters less than the evidence around it. Keep:
- the exact wording shown at signup or preference update;
- the date and time of the action;
- the source page, form, or workflow;
- the purpose or category selected;
- any tracking disclosure presented with the choice; and
- later changes, including unsubscribe or preference-center updates.
This is where the article stops being theoretical. On April 29, 2026, ICO Executive Director William Malcolm said organisations want “clear, practical guidance they can rely on.” That is a good internal test. If your team needs a long memo to explain why the workflow was acceptable, the workflow is probably the problem.
gdpr consent email work is really consent-record work. The message is only one layer. The defensible version is boring in the right way: clear purpose labels, easy refusal, easy withdrawal, and logs that still make sense when someone asks hard questions six months later.
Sources
- EUR-Lex
- UK Information Commissioner’s Office
- Commission Nationale de l’Informatique et des Libertés (CNIL)
- European Data Protection Board