With the General Data Protection Regulation (GDPR) right around the corner, organisations everywhere are changing how they seek consent and present their privacy policies to customers and clients. Here, we discuss how a range of businesses have informed their customers of changes and offer tips to enhance the experience for your users.

The General Data Protection Regulation (GDPR) will affect all businesses and organisations that use or handle the data of EU citizens, regardless of where they are based. Similarly, if you process personal data within the EU, it doesn’t matter where the data comes from - it will be governed by the GDPR. We’ve given a GDPR summary before, but the key thing to note is that if you don’t comply you run the risk of reputational damage and a fine of either €20 million or 4% of your global turnover.

With that in mind, it’s a shock that over half of UK businesses still aren’t prepared for GDPR. Moreover, City AM also reports that small businesses are the least prepared for the new data protection rules. With SMEs contributing £1.9 trillion of combined annual UK turnover and 16.1 million jobs, the fact that these businesses aren’t prepared for GDPR is very worrying.

But all is not lost. If you haven’t prepared for GDPR, there’s still time to change your privacy policies and how you organise data. At Cyber-Duck, one of our many specialisms is our GDPR auditing service, designed to ensure your privacy policies and data architecture are GDPR compliant. Likewise, we can help you communicate these changes to your users.

That’s because a key aspect of the GDPR is that you will need to obtain explicit consent to use your users’ personal data or market to them. Here, we share the best (and worst) GDPR consent examples we’ve found so far to help you make your organisation GDPR compliant.

Consent Under GDPR

But first, let’s look at what consent under GDPR means. After all, obtaining consent from users to continue marketing to them has worried a lot of businesses. The GDPR legislation is dense and its phrasing is often vague or confusing, so it’s hard to tell exactly what qualifies as ‘explicit consent’, which is why businesses are worried. But in a nutshell, it means you should implement:

  • Granular options to consent to different types of processing
  • Unbundled consent forms, so that consent isn’t tied to agreeing new terms and conditions
  • Active opt-in, where pre-ticked consent boxes are a thing of the past and users must actively opt for marketing material or for you to use their data
  • Easy-to-withdraw consent, where users know exactly how to withdraw consent and can easily do so

The GDPR is a very ethical and progressive piece of legislation when it comes to the rights of the individual. To adhere to its rules, you’ll need to reflect that, providing information about your policy changes in a transparent manner.

Now that we’ve looked at what consent and the GDPR look like, you can find a range of GDPR email examples below. These companies have changed their policies and processes to become GDPR compliant, but we’re interested in how they’ve sought to maintain customer consent using persuasive techniques to balance business goals with user ones.


Subway

As far as design and copy go, Subway have gone all out to ensure their GDPR email grabs your attention and encourages you to opt in to its marketing. Its copy aims to engage you by assuming a friendly tone, and its persuasive design draws attention to the opt-in button.

Where this email fails to meet the ethical standards of GDPR is that although it is transparent about why it is sending this email, it only refers to data protection after the consent button. It encourages readers to opt in before they have read about what they are opting in to or why. Although the email is generally compliant with GDPR, we recommend having your layout ordered differently.

Subway 'Stay in the Know' on an iPhone

In Subway's email update, they tried to persuade users to resubscribe to emails before telling them why.


  • Present users with information first, then ask for consent
  • Use persuasive copy and an inviting colour scheme


Asos

Asos takes a different course. It seeks to reconfirm consent for marketing emails by riffing on FOMO. The great thing about this email is that the choices are very clearly labelled at the bottom of the email. Users have a clear choice to make about whether they want to opt in or out or adjust their preferences.

But where it falls short is that it doesn’t provide information about why it’s re-seeking consent. It doesn’t communicate what rights the user has. Nonetheless, Asos does have an exceptional privacy policy on its website, with a design that is granular and easy to process. It’s just a shame that this information or a link isn’t provided in the email.

ASOS Want to Miss Out page on a Macbook

Asos provide clear options for their users at the bottom of the page, but it isn't clear where changes to the privacy policy are flagged.


  • Use emotive copy to ensure users engage with your content
  • Remember to provide links to your privacy policy and communicate them clearly

The Guardian

In a proactive move, the Guardian takes a different approach to acquiring consent. For many reasons, it’s pretty ingenious. As users visit the website, they are greeted with a banner ad that contains a countdown to 30th April, the Guardian Today email highlighted as a product, and a clear opt-in button. Its placement means that users can see the high-quality content they’ll receive direct to their inbox if they opt in.

But where we think it goes above and beyond is in how proactive it is. Not only does the Guardian email users, it doubles down and encourages new visitors to its site to sign up to the Guardian Today. Consent and marketing combined - a brilliant example of GDPR implementation in action.

The Guardian's 4 Days Left on a MacBook

The Guardian took a proactive approach to enticing users to sign up to continued marketing - they brought it onto their homepage too.


  • Look for innovative ways you can use GDPR to market your business
  • Be proactive in seeking consent; do you have to rely solely on email?


Rock+Run

For Rock+Run, the GDPR was seen as a different kind of marketing opportunity. To entice its users to update their preferences and opt in, Rock+Run is running a competition. Anyone who updates their preferences and, specifically, opts in to marketing emails, will receive 20% off on purchases after the GDPR is enforced.

It sounds like a smart way of encouraging users to sign up, but we have quibbles about the order of content. First of all, just how much is the user going to engage with the content below this? Some users might just see the offer and sign up. But the GDPR says that consent must be unbundled, so you can’t tie it to a competition like this. It perhaps would have been better to include opt-in and opt-out buttons and just make the email look inviting to meet the GDPR requirements.

Rock Run 20% offer on an iPhone

Rock & Run bundles consent for email marketing with a 20% discount offer. While it seems like smart marketing, it isn't a GDPR-compliant method!


  • Provide clear options for users to opt in or out of marketing
  • To encourage users to sign up, communicate a benefit of opting in - but don’t bundle it with something else!

Privacy Policy

Another key area to look at is how organisations are updating their privacy policies in the face of GDPR. How the top organisations present their privacy policies is changing to become more transparent. We’ve briefly talked about how they will have to change elsewhere, but here we’re more concerned about how they’ve shown it.


Sonos

Unlike Subway, Sonos nails the ethical side of the GDPR. This is a great GDPR privacy notice example. It’s transparent about why it’s updating its data protection policy, it provides all the information you need to learn more about the updates, and it offers to help those who need more information or clarification about the changes.

But where it truly shines is how its updated privacy policy will apply to all Sonos users, regardless of whether they are an EU citizen or not. In particular, Sonos’s FAQs around the GDPR are very good.

While we’re here, it’s also worth noting that reports suggest Facebook is not applying the GDPR globally. Unlike Sonos, which will apply its new policies for everyone, Facebook will move the data of 1.5 billion non-EU users away from Ireland, where they are currently processed. That means all non-EU users who fall under the International arm of Facebook - including Australia, Latin America, Asia and Africa - will be governed by more lenient US privacy law. But if it does segment user data like this, Facebook could run a greater risk of mishandling an EU citizen’s data. We believe Sonos’s decision makes more business sense and is great for its reputation.

Sonos Privacy Policy on an iPhone

Sonos takes a straightforward approach to announcing its changing privacy policy. It does so clearly and ethically.


  • Notify your users of changes to your privacy policy in a clear, concise way
  • Offer your users assistance to ensure they understand what the privacy policy means
  • Don’t segment your business - ensure all of your data processes are homogenised to avoid data breaches


Microsoft

Front and centre of Microsoft’s GB privacy statement is its commitment to transparency and the values the GDPR champions. Microsoft has had these changes in place for a while now in preparation for the GDPR, but it’s a great way of communicating with users.

For instance, the ‘six key privacy principles’ block communicates the exact values Microsoft now holds. These reflect the same core principles that define GDPR: Lawfulness; Data Minimisation; Purpose Limitation; Accuracy; Storage Limitation; and Integrity and Confidentiality.

Six Privacy Principles from Microsoft on a MacBook

In one fell swoop, Microsoft addressed the six principles of GDPR. It now adheres to these throughout its company.

But where Microsoft is aeons ahead of its competitors is its animations. Throughout the page, there are various gifs to illustrate the privacy area the copy addresses. It’s a great way of breaking up the dense content and can keep readers going through the page. As a result, it furthers Microsoft’s aims to be transparent.

Microsoft's engaging GDPR animations on a MacBook

For every policy area, Microsoft stimulated engagement through unique animations.


  • Can you illustrate your policy updates? Animations can make content easy to digest
  • Ensure your privacy policy is granular and transparent

Combating User Fatigue

But noting the different ways businesses have notified their users of a change to their policies is only half the battle. That’s because nearly every organisation is doing it, especially now in the run-up to the GDPR’s enforcement on May 25th. With user inboxes full of consent and privacy policy updates, the trick is ensuring your users actually engage with the information.

The fact that the BBC has written an article about why privacy updates are flooding inboxes speaks volumes. Simply put, a lot of people won’t know why they are receiving this information. To ensure that your users understand and engage with your content, you need to get smart. Follow our tips and you’ll be more likely to overcome user fatigue, engage your users and entice them to opt in to your services.

At Cyber-Duck, we specialise in creating exceptional experiences. We utilise innovative research techniques and creative design to engage users in ways you know will bring in results. Find out more about how our GDPR training and data protection audit services can help you prepare for May 25th. Contact us today for help to achieve full GDPR compliance.

You can also check out our handy guide to the GDPR, Navigate the GDPR Labyrinth, now.