BG Beter Geregeld ICT
AVG & privacy · 2 min leestijd · 04 December 2025

Marketing consent: email, WhatsApp, retargeting — what are you still allowed to do?

Your newsletter, promotional emails, retargeting pixels — they all need a valid consent basis. Here are the concrete rules per channel.

Marketing and GDPR intersect on three points: how you make contact, on what basis, and how someone can opt out.

\n \n

Email

\n
    \n
  • Opt-in required for non-existing customers. A pre-checked box does not count.
    • \n
  • Existing customers ("soft opt-in"): permitted for similar products. 12 months after the last purchase is the cut-off.
    • \n
  • Unsubscribe link in every email. One-click must work.
    • \n
  • Consent log: when, on which URL, and with what wording.
    • \n
\n \n

WhatsApp / SMS

\n
    \n
  • Explicit opt-in required — no assumptions.
    • \n
  • Channel-specific consent — a WhatsApp opt-in does not equal an email opt-in.
    • \n
  • Opting out must be straightforward.
    • \n
\n \n

Phone / cold calling B2C

\n

Checking the Do Not Call registry is mandatory. Penalty for non-compliance: €10,000+.

\n \n

Phone / cold calling B2B

\n

Permitted to a limited extent. After an opt-out: record it and do not call again.

\n \n

Retargeting / cookies

\n

See cookie consent. No pixels before consent.

\n \n

Social media targeting

\n

Custom audiences from an email list: only permitted with consent for that specific processing purpose. Lookalike audiences are a different matter (aggregated data).

\n \n

What doesn't work

\n
    \n
  • Buying a list and emailing it.
    • \n
  • "You can unsubscribe" without an opt-in.
    • \n
  • Cold-emailing B2B contacts using "legitimate interest" without proper grounds.
    • \n
\n \n

See also: GDPR overview.

Onderwerpen

#avg #consent #marketing #email-marketing

Volledige gids: Cumplimiento GDPR para pymes: el mínimo práctico

Dit artikel is onderdeel van onze uitgebreide AVG & privacy-gids. Lees de pillar voor het complete plaatje.

Lees de pillar →

Verwant leesmateriaal

AVG & privacy

GDPR Compliance for SMBs: The Practical Minimum

GDPR doesn't require a €10,000 project or a DPO for most small businesses. Here's what every SMB actually needs — based on what the Dutch DPA really checks for.

2 min
AVG & privacy

Logging IP addresses under GDPR: pseudonymous, personal data, and what's allowed?

An IP address is personal data under GDPR. Security logs often need to retain them for weeks or months. How do you reconcile that with data minimisation principles?

2 min
AVG & privacy

Data Retention Periods by Category for SMBs

How long should you keep customer data, job applicants, invoices, or CCTV footage? Here are the key categories in a clear overview table, with the source for each retention period.

2 min
AVG & privacy

Data subject rights: access, rectification, erasure — a workable procedure

A customer wants to see their data — or have it deleted. You have 30 days. Here's the procedure that gets it done without each request eating up half a week.

2 min
AVG & privacy

Sub-processors outside the EU: what Schrems II still requires

Using AWS, Google, or Microsoft? Then some of your data flows through the US. Since Schrems II, that's no longer a given. Here's what actually works today.

2 min
AVG & privacy

DPIA — Data Protection Impact Assessment: when is it required, and when can you skip it?

A DPIA sounds like something only large enterprises need to worry about. For SMBs it's rarely required — but there are a handful of specific situations where it is. Here's the decision tree.

2 min
← Alle artikelen in "AVG & privacy"