What is “granular consent”?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Imagine someone signs up on your website for shipping updates. Two weeks later, you start sending them your weekly promotional newsletter. They never asked for that. Under GDPR, that's not just bad practice. It could be a compliance violation.

That's the whole idea behind granular consent. Instead of one big checkbox that covers everything you might ever send, granular consent means getting separate permission for each distinct communication type. Product updates, promotional offers, newsletters, partner messages. Each one gets its own opt-in.

So where is it legally required versus just good practice? It depends on where your subscribers are.

  • GDPR (EU and UK): Consent must be specific, informed, and freely given. Bundling unrelated communication types into a single checkbox is explicitly against the rules. Granular consent isn't optional here. It's required when consent is your legal basis for sending.
  • CASL (Canada): Similar in spirit. Express consent must be tied to a specific purpose. Sending something your subscriber didn't ask for is a violation, even if they opted in somewhere.
  • CAN-SPAM (US): Much looser. It doesn't require explicit opt-in at all for commercial email. Granular consent is best practice in the US, not a legal obligation.

Now, the question senders always ask: if someone consents to product updates but not promotions, do I really have to enforce that strictly? Yes. Under GDPR, the answer is unambiguously yes. The consent record defines what you can send. Sending outside that scope invalidates the consent you do have.

The practical way to manage this is through a preference center. That's where subscribers can adjust their choices over time, and where you document what each person agreed to. It also protects you if you're ever asked to prove consent.

One thing worth watching: consent contamination happens when one system doesn't know what another system recorded. If your CRM and your ESP aren't talking to each other, someone who only consented to transactional updates can end up on your promotional list without anyone realising. That's the infrastructure problem granular consent creates. It's solvable, but you have to plan for it.

The upside of doing this right is real. People who only receive what they actually asked for tend to open more, complain less, and stick around longer. Granular consent isn't just a legal hurdle. It's the foundation of a list that actually performs.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Build your granular consent structure

I'm setting up granular consent for my signup form / preference center. My subscribers are based in region or country. I want to offer separate options for [list your communication types, e.g. product updates, newsletters, promotional offers, partner messages]. Can you help me with: 1. Which consent types are legally required vs. optional for my audience 2. The right wording for each checkbox 3. How to structure the data so my ESP and CRM stay in sync 4. What to do with existing subscribers who only gave blanket consent

Edit the yellow boxes, then send to the AI of your choice.