Nearly half (49%) of UK consumers are still yet to receive an email from brands asking permission to continue using their personal data in accordance with the upcoming GDPR regulation.

The research by Databoxer on 1000 consumers finds today (April 5), that despite the GDPR looming on May 25, which states that brands will need explicit permission from customers to use their data, like email addresses for marketing purposes, only a third (34%) of consumers say they recall recently receiving emails from brands asking for consent.

The average consumer is signed up to 12 marketing email lists, which likely suggests that a vast number of brands in the UK are still not GDPR compliant. Among the consumers who had received an email, 63% sent a message back to accept brands using their data, while 37% declined.

While Tim Haynes, co-founder of the GDPR compliance platform, said the research “clearly shows that brands still don’t know where to start when it comes to getting permission from consumers to use their data,” it’s important to clarify that not all companies may be required to seek opt-in from users if they already have a record of consent for that individual.  

Don’t rip up your lists

The process of ‘permissioning’ mailing lists in accordance with GDPR is having a profound effect on the way businesses get in contact with their target audiences, potentially reducing the number of people on mailing lists.

Echoing the thoughts of many within the digital marketing industry, Haynes argues that the process isn’t “the end of the world”; “The GDPR doesn’t mean that you have to completely rip up your marketing mailing lists. If anything, the regulation will help you weed out those who really have no interest in your communications.

“That said, re-permissioning is a hugely important task for businesses right now. I’d strongly advise businesses start a re-permissioning campaign ahead of the GDPR date,” said Haynes.

That includes using content your subscribers are already getting as an opportunity to demonstrate the value of their subscription.

“Alongside content on your landing pages, present them with the opportunity to reconfirm they want to continue to hear from you,” Haynes added.

Important to note 

However, despite the findings suggesting that many companies are yet to take action, it is important to clarify that not all companies will be required to seek opt-in from their users.

“It may well be the case that if companies are not sending ‘re-permissioning’ emails that they have a lawful basis for keeping users’ details for marketing purposes  - and have documented this in line with their GDPR obligations – so why send out communications needlessly?,” said Micky Khanna, founder of

“Although this does not constitute legal advice, recommendation or opinion, if it were my company I would be categorising those email addresses to understand the lawful bases that I have for marketing to them,” said Khanna; “If it’s consent then I would need to have record of their consent; if it’s for legitimate interest then I would need to do a balancing test to weigh up whether the legitimate interest is more in my favour or theirs.”