Getting permission for email marketing is not just a legal requirement in most parts of the world. It is the foundation of a program that actually delivers ROI. Businesses that build consent-first lists see better deliverability, higher open rates, and fewer spam complaints than those that use purchased or scraped lists. This guide walks through every method, rule, and practical step you need to know.
Key Takeaways
Permission-based email marketing is an ethical form of email outreach where emails are sent only when express consent is given by recipients.
Violations of email consent laws carry serious financial penalties: GDPR fines can reach €20 million or 4% of global revenue, CAN-SPAM penalties reach up to $53,088 per email, and CASL fines reach up to CA$10 million for businesses.
Organizations that adopt double opt-in and other best practices achieve deliverability rates that often exceed 97%, compared to the global average of 83% to 85%.
Statista found that 48% of consumers will give their email address in exchange for a discount, making value-driven opt-ins one of the most effective list-building tactics.
Compliant lists are also higher-quality lists, which means better deliverability and more revenue per subscriber.
Why Email Permission Matters More Than Ever
Email providers like Gmail and Yahoo track how recipients interact with your emails. If too many people ignore or mark your emails as spam, your future emails may not reach inboxes at all.
This is not a hypothetical risk. Gmail and Yahoo cracked down on senders with spam rates over 0.3% in 2024, making permission-based practices a hard deliverability requirement, not just a best practice.
People who choose to receive your emails naturally show more interest in your content. Opt-in email marketing translates directly into better open rates, more clicks, and ultimately stronger conversion rates than non-permission-based approaches.
The business case is equally clear. Email marketing campaigns have an average ROI of 36 times, meaning businesses earn $36 for every dollar they spend. That return depends entirely on reaching people who want to hear from you.
Understand the Legal Framework First
Before you build a single opt-in form, you need to understand which laws govern your list. The three primary frameworks are CAN-SPAM, GDPR, and CASL, and they set very different standards.
CAN-SPAM (United States)
CAN-SPAM operates on an opt-out model. Organizations are permitted to send commercial email to any recipient without obtaining prior consent, provided each message includes a clear, functioning mechanism to opt out. CAN-SPAM still demands clear identification, physical addresses, honest subject lines, and functional unsubscribe mechanisms honored within 10 business days.
GDPR (European Union)
GDPR requires explicit consent from individuals before processing their personal data. In the context of email marketing, this means businesses must have clear and affirmative consent from individuals before sending them marketing emails. GDPR requires companies to get affirmative action from individuals for every specific purpose. Pre-checked boxes are not considered consent.
CASL (Canada)
CASL, effective since 2014, is considered one of the world's strictest anti-spam laws. It requires express or implied consent for commercial electronic messages sent to Canadian recipients. Organizations must keep records of when and how the recipient consented.
If you operate internationally, the golden rule is: when in doubt, choose the stricter standard. Following GDPR or CASL requirements will generally keep you compliant in most cases, even if local laws are more permissive.
The Two Types of Email Permission
Not all consent carries equal legal weight or delivers equal results. There are two types of email permission: explicit and implied. Explicit permission means a person actively agrees to receive your emails. This is the gold standard for email marketing because it ensures full compliance with privacy laws and leads to better engagement.
Implied consent is inferred from existing business relationships, such as customers who purchased products or provided contact information during transactions. Implied consent is accepted under CAN-SPAM and, in limited circumstances, CASL, but it is not sufficient under GDPR for most marketing use cases.
For most businesses, building a list on explicit consent protects you across all jurisdictions and produces a more engaged audience.
How to Get Permission for Email Marketing: 6 Proven Methods
Learning how to get permission for email marketing starts with choosing the right collection methods. Here are the tactics that consistently deliver both compliance and list quality.
1. Use Opt-In Forms on High-Traffic Pages
Make subscription opportunities visible throughout your digital presence. Place opt-in forms on your most trafficked web pages, especially your homepage, blog, and checkout pages.
Keep forms short. Limit the opt-in form to 2 to 3 fields. Every additional field reduces conversion rates. Ask only for what you need.
Your form copy should set clear expectations. A transparent and straightforward opt-in process is critical for building a quality email list and ensuring engagement from recipients. Avoid ambiguous language or automatic enrollment; instead, use clear opt-in forms that explain what users are signing up for, how often they will hear from you, and how their data will be used.
2. Offer a Lead Magnet
One of the most effective ways to build your list is by offering something valuable in exchange for an email address. These lead magnets might include ebooks, templates, or discount codes. The best lead magnets directly address specific pain points your audience faces. When your free content solves real problems, subscribers are more likely to open your future emails and eventually become paying customers.
Common lead magnet formats include:
Discount codes or exclusive offers
Ebooks, guides, or whitepapers
Free tools, templates, or checklists
Webinar or event access
Free trials or product samples
One important caveat: you cannot send marketing content to email addresses provided in exchange for a lead magnet unless the form makes it clear that sign-ups will also receive promotional messages. If you plan to send marketing emails to lead magnet sign-ups, you must mention this in the form you use.
Two major ways to get express permission are to add a consent checkbox to your opt-in form and set up a double opt-in. A consent checkbox is especially important on forms that are not directly about receiving marketing emails, such as lead magnet and inquiry forms.
Under GDPR, use a single checkbox for each purpose. For example, if you want to send a newsletter and use the address for ad platform retargeting, you need two separate boxes.
4. Use Exit-Intent and On-Site Popups
Many visitors leave a website before signing up. Exit-intent popups detect when someone is about to leave and display a targeted message to encourage them to subscribe. These popups work well when the offer is genuinely relevant to what the visitor was browsing.
5. Collect Permission at Events and Point of Sale
Offline permission is valid, but it requires the same transparency as digital opt-ins. If you collect business cards or email addresses at events, you must tell people clearly what they are signing up for. A verbal or written statement about your email program, confirmed with a written opt-in form, gives you a defensible consent record.
6. Request Re-Permission from Dormant Lists
If you have an old list with unclear consent history, do not simply start emailing them. Send a single re-permission campaign that asks subscribers to actively confirm they want to continue receiving emails. Remove anyone who does not respond. This protects your deliverability and keeps your consent records clean.
Single Opt-In vs. Double Opt-In: Which Should You Use?
Once you choose your collection method, you need to decide whether to use a single or double opt-in process.
A single opt-in is a one-step process that only requires a person to enter their email address one time in the signup box on a website. No confirmation is required, and they immediately become a subscriber.
Double opt-in, also known as confirmed opt-in, is a subscription process in which a new email address is only added to your mailing list after the email address owner clicks a confirmation link in a subscription activation email sent to them after they opt in via a form or checkbox.
The data favors double opt-in for long-term performance. A Mailchimp study of 30,000 users showed that double opt-in lists had a 72.2% increase in unique opens and a 75.6% increase in total opens, along with a 114% increase in click rates over single opt-ins.
Double opt-in is not legally required by GDPR, CAN-SPAM, or CASL, but it is often considered a best practice, especially for proving consent under GDPR. It provides clear, auditable proof that the subscriber willingly joined your list.
The trade-off is list size. Single opt-in typically generates 20 to 30% more signups initially. But those extra subscribers often include typos, fake addresses, and unengaged contacts. Double opt-in creates smaller lists of highly engaged subscribers.
For most businesses focused on deliverability and ROI rather than raw list size, double opt-in is the stronger choice.
What to Do After You Get Permission
Getting permission is the start of the relationship, not the end of the work. How you follow up directly affects whether subscribers stay engaged or unsubscribe.
Send a welcome email immediately. A timely, clear welcome email sets expectations, confirms what the subscriber signed up for, and establishes your sending cadence. See our welcome email sequence best practices for a full breakdown of how to structure this first touchpoint.
Deliver on your promise. If someone signed up for a weekly newsletter, send a weekly newsletter. If they signed up for a discount, send the discount. Misaligned expectations are the fastest route to unsubscribes and spam complaints.
Segment from the start. Collect enough information during sign-up to send relevant content from day one. Research shows that email list segmentation can boost ROI by 760%, and that advantage starts with knowing who your subscribers are.
Make unsubscribing easy. Both GDPR and CAN-SPAM require you to make it easy for people to opt out of emails. Your welcome email is a great opportunity to highlight the exit process for new subscribers. It is a good idea to place a clearly visible unsubscribe button or link in every message you send out.
Document your consent records. Store consent metadata including date and time, source form, and language shown. This documentation is required for GDPR compliance and protects you during any regulatory review.
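The double opt-in flow and the consent record described above, sketched as an added example (not code from this guide or from any email platform): the confirmation link carries an HMAC-signed, expiring token, and an address becomes mailable only once that token verifies. The signing key, the 48-hour lifetime, the field names and the sample values are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Assumptions for this example: in production the key comes from a secret store.
SECRET = b"constructed-demo-key"
TOKEN_TTL = 48 * 3600  # seconds a confirmation link stays valid


def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(body: bytes) -> bytes:
    return hmac.new(SECRET, body, hashlib.sha256).digest()


def issue_token(email, source_form, language, consent_text, now):
    """Build the token that goes into the confirmation link."""
    payload = {
        "email": email.strip().lower(),
        "form": source_form,            # which form collected the address
        "lang": language,               # language shown to the subscriber
        # Hash of the exact consent wording, so the record proves what was shown.
        "text_sha256": hashlib.sha256(consent_text.encode()).hexdigest(),
        "requested_at": int(now),
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return b64e(body) + "." + b64e(sign(body))


def verify_token(token, now):
    """Return the signed payload, or None if malformed, forged or expired."""
    try:
        body_part, sig_part = token.split(".")
        body, sig = b64d(body_part), b64d(sig_part)
    except ValueError:  # wrong shape or bad base64
        return None
    # Constant-time comparison; the payload is parsed only after it verifies.
    if not hmac.compare_digest(sig, sign(body)):
        return None
    payload = json.loads(body)
    if now - payload["requested_at"] > TOKEN_TTL:
        return None
    return payload


class MailingList:
    def __init__(self):
        self.pending = set()   # signed up, not confirmed: no marketing mail
        self.consents = {}     # email -> consent record kept for audits

    def request(self, email, source_form, language, consent_text, now):
        token = issue_token(email, source_form, language, consent_text, now)
        self.pending.add(email.strip().lower())
        return token

    def confirm(self, token, now):
        payload = verify_token(token, now)
        if payload is None:
            return None
        email = payload["email"]
        if email in self.consents:      # repeat click keeps the first record
            return self.consents[email]
        if email not in self.pending:   # token is only usable while pending
            return None
        record = dict(payload, confirmed_at=int(now), method="double_opt_in")
        self.consents[email] = record
        self.pending.discard(email)
        return record

    def can_send_marketing(self, email):
        return email.strip().lower() in self.consents
```

Because the address, source form, language and consent-text hash are all inside the signed payload, a confirmation link cannot be edited to subscribe a different address or to claim a different form.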
What Never to Do When Getting Email Permission
Certain practices destroy deliverability, violate the law, or both.
Never buy email lists. Purchasing email lists is generally not compliant with GDPR and risky under other regulations, as recipients have not consented to receive emails from your specific business. Focus on building organic lists through opt-in forms, content marketing, and lead magnets.
Never use pre-checked opt-in boxes. Under GDPR and CASL, you must obtain affirmative opt-in consent before sending commercial emails. Pre-ticked boxes and pre-selected options are prohibited. The data subject must take a proactive action like checking a box or clicking a confirmation link.
Never scrape email addresses. Scraping email addresses from websites or social media and sending unsolicited messages violates major email marketing laws and can lead to serious penalties.
Never add customers automatically. Completing a purchase does not grant permission to send marketing emails unless the customer explicitly opted in during checkout.
Frequently Asked Questions
Do I need permission to send marketing emails in the US?
In the United States, you are allowed to send marketing messages without asking for permission. However, if someone asks you to stop emailing them, you have to comply. These rules are outlined in the CAN-SPAM Act, which Congress passed in 2003. That said, sending without consent typically harms deliverability and sender reputation, so building a permission-based list remains the recommended approach even in the US.
What is the difference between explicit and implied consent?
Expressed permission is explicit, informed consent given by users to receive specific types of communication. For example, a subscriber checks a box or completes an opt-in process to confirm they want to receive newsletters or promotional emails. Implicit permission refers to consent indirectly given through a customer's actions or behavior. For example, a customer provides their email address to complete a purchase but has not explicitly opted in to receive marketing messages.
Is double opt-in required by law?
Double opt-in is not legally required by GDPR, CAN-SPAM, or CASL. However, double opt-in is legally required in Austria, Germany, Greece, Luxembourg, Norway, and Switzerland. Even where it is not required, double opt-in provides stronger consent documentation and consistently delivers better engagement metrics.
What happens if I send emails without permission?
The consequences depend on jurisdiction. Getting compliance wrong can result in devastating consequences: fines reaching €20 million under GDPR, $10 million CAD under CASL, or over $50,000 per email under US CAN-SPAM laws. Beyond financial penalties, non-compliance can get your emails blocked by major providers, damage your brand reputation, and hurt your marketing effectiveness.
Building a permission-based email program takes more upfront effort than purchasing a list or auto-enrolling customers, but it is the only approach that scales sustainably. Clean consent records, double opt-in processes, and transparent opt-in forms protect your deliverability, satisfy regulators, and produce an audience that is genuinely interested in what you send. For a full overview of how to structure your campaigns once the list is built, explore our email marketing strategy template.