CRM and CX Blogs by SAP
Stay up-to-date on the latest developments and product news about intelligent customer experience and CRM technologies through blog posts from SAP experts.
Showing results for 
Search instead for 
Did you mean: 


When was the last time you were positively surprised by a brand which kept you informed with relevant content at the right time? And in contrast, when was the last time you hit the unsubscribe button in a marketing e-mail because the content was irrelevant to you? Or were you even annoyed by a communication for which you did not opt-in in the first place? Hopefully, the positive brand experience is the last one you remember, but chances are high it was the negative one. This is also the situation your customers are in.

In this article, we discuss Permission Marketing. As a marketer, this can help you avoid negative consumer experiences and instead create positive surprises. Permission Marketing also helps you staying compliant while increasing your marketing effectiveness.


This article is business-focused, non-technical and solution-agnostic. The article includes remarks on legal regulations, like the EU General Data Protection Regulation (GDPR). This is not to be seen as any form of legal advice or legal consulting. Please involve and consult your legal department and/or data protection officer for any legal aspects related to Permission Marketing.

Definition and Motivation

Permission Marketing is a targeted marketing technique in which only contacts are addressed "who have shown interest and who have given permission to be contacted. In contrast, the classical marketing addresses a large amount of contacts regardless of permission ." (ref-1)   

The term Permission Marketing has been around for more than two decades. In other words, the concept is not a new one. It got introduced in 1999 by the American author and marketing expert Seth Godin (ref-2). Despite the long existence of the concept, it is even more relevant today than it was 25 years ago.

Godin based his recommendation for Permission Marketing mainly on business outcomes, observing that permission-based campaigns perform more successful than traditional methods. While business outcomes are still a valid and important consideration, the past years have surfaced additional aspects which make the usage of Permission Marketing obligatory. These aspects are the increased sensitivity of customers on usage of their data, as well as the progression of stricter data protection regulations in various regions. A prominent example of such regulation is the European General Data Protection Regulation (GDPR) which came into force in May 2018. We will come back to GDPR in several places in this article.

Permission Types

Before looking at how to design a Permission Marketing concept, let us clarify in detail what permissions are. For this, we introduce some relevant terms which are being used within this article, taking definitions from GDPR as a reference:

Term(s)GDPR - Article 4 - Definitions (excerpt)Remarks
Personal Data & Data Subject

"Personal data" means any information relating to an identified or identifiable natural person ("data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data Processing

"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

In regards to Permission Marketing, most relevant data processing is profiling and the data usage for marketing communication.
Profiling"Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.The consent for profiling is closely related to the "inbound permission" which is explained below.
Consent or Permission"Consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.In this article, we use the terms "consent" and "permission" as having the same meaning and being interchangeable.

In summary, a permission is an agreement to the processing of personal data. The purpose of processing needs to be clearly stated. Permissions, therefore, are tied to a certain kind of processing.

To structure these purpose specific permissions, we differentiate between "inbound permissions" and "outbound permissions" (as shown in illustration-1 below and explained in the following two sections).

Illustration-1: Inbound vs. Outbound PermissionIllustration-1: Inbound vs. Outbound Permission

Inbound Permissions

In many regions, especially if you have to follow GDPR, you need to enforce an essential step before loading any personal data into your marketing system. You need to collect the contact's permission for storing and profiling the personal data for marketing purposes. This is what we call "inbound permission" (see also illustration-1 above). The process of collecting inbound permission is typically handled through a consent management system, like for example SAP Customer Data Cloud, before the data is sent to the marketing system.

Outbound Permissions

As shown in illustration-1, outbound permissions reflect the contact's agreement to receive marketing communication, therefore they are related to the usage of the personal data.

When asking contacts for marketing permission, you should be specific and transparent in your inquiry. The following table helps you to understand the most important elements of outbound permissions.

Permission ElementLeading QuestionRemarks
Communication Medium

Which communication medium do you want to use (for example, e-mail, call, or direct push message)?

You should clearly state through which communication medium you want to reach your contacts. Ideally, you give them the option to choose between multiple ways to be contacted.

Address / IdentifierOn which specific address does your contact want to receive the communication (for example,, +44-20-7946-0930, or @twitterusername)?

The address allows you to identify the contact who gave you permission and to know where to send the communication to. For example, a contact provides consent for marketing messages to his/her private e-mail-address, but not to his/her work-related e-mail-address.

Another important aspect is also the combination of communication medium and address. A contact might, for example, give you consent to use the e-mail-address for communication to the e-mail-inbox, but not to use the same e-mail address for personalized advertising on Facebook (by the usage of custom audiences).

Generic or topic-specific communicationShould your contacts give you permission for general marketing communication, or do you want to give them the option to select topic-specific communication based on their interest?

When asking your contacts for marketing permission, you should keep them informed for which exact purpose you want to send them communication. Is it for general marketing and promotion purposes, or do you want to keep them up-to-date about specific topic areas like events, product launches, or whitepaper articles?

Communication which is based on opt-in to specific topics (and not just on general marketing permission) has a great advantage: You provide your contacts' freedom of choice and show them that you try to target your messages according to their interests. By doing so, you send more relevant content and can expect higher engagement rates and fewer opt-outs. In addition, you can also reach contacts which may not be willing to provide their consent for general marketing messages, but only for certain topics.

Organizational entityDoes your company have separate brands or market units for which you collect permission?

In case you have a multi-brand or multi-org business, you might need to collect permissions which are specific to the communication of the individual organizational entities.

Usually this is done by having separate permission request forms per organizational entity and clearly tying this reference to the permission when it is transferred into the marketing system.

The outbound permissions are typically collected through a landing page or preference center on which the contact can grant or revoke permission to receive the communication. It is often also necessary to perform an initial migration of outbound permissions from a legacy marketing or customer relationship management (CRM) system. 

Now that we have a better understanding on what permissions are, let us look at what to consider during the design of a Permission Marketing concept. 

Building a Permission Marketing Concept

Illustration-2: Influence factors on Permission MarketingIllustration-2: Influence factors on Permission Marketing

In order to understand the relevant aspects of a Permission Marketing concept, we look at three main influence factors: legal regulation, internal policy, and individual preference. As illustrated in illustration-2 above, think of these factors as a funnel which specifies the addressable audience for your marketing campaigns.

We will explain each of these three factors individually in the following section. Let us start at the top of the funnel and go into detail on legal regulation. 

Legal Regulation

When designing your Permission Marketing concept, the first aspect which you must consider is existing legal regulation. In many geographic regions, it is the most important influence factor with respect to Permission Marketing. Legal regulation forces companies to establish compliant processes for processing customer data and conducting marketing communication. Which specific regulations take effect for your business depends on the geographic regions your company is established in, as well as the region your consumers are based in. To make this more tangible, let us take a closer look at GDPR as an example.

Permission Marketing in the Context of GDPR

GDPR is relevant for all kinds of processing of personal data, not only marketing. For all the aspects of GDPR described in the following, we are focusing only on those which we consider as most relevant for Permission Marketing.

TopicLeading QuestionMost relevant aspects for Permission Marketing
Territorial ScopeWhich companies are affected by GDPR?

The territorial scope of GDPR applies to:

  1. "a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
  2. a company established outside the EU and is offering goods/services (paid or for free) or is monitoring the behavior of individuals in the EU." (ref-3)
Principles for Data ProcessingWhat needs to be considered when processing personal data for marketing purposes?

Relevant aspects in GDPR for processing personal data in the context of Permission Marketing are:

  1. Lawfulness, Fairness and Transparency
    • Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. (ref-4)
  2. Purpose Limitation
    • Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. (ref-4)
  3. Data Minimization
    • Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. (ref-4)
Lawfulness of Data ProcessingWhen is it lawful to process personal data for marketing purposes?

At least one of the following requirements must be met:

  1. Consent
    • The data subject has given consent to the processing of his or her personal data for one or more specific purposes. (ref-5)
  2. Legitimate Interest
    • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. (ref-5)
Possible Fines for ViolationsWhat are possible fines a corporation might face when violating against GDPR regulation?

"Serious infringements (which) go against the very principles of the right to privacy (...) could result in a fine of

  • up to €20 million,
  • or 4% of the firm’s worldwide annual revenue from the preceding financial year,

whichever amount is higher." (ref-6)

As shown in the table above, the fines which may be imposed when violating against GDPR can be drastic for companies of all sizes. It is therefore a must that you know whether your marketing activities are affected by the regulation and if so, you need to follow the principles for data processing in a lawful way. A good source to find information about already imposed GDPR fines is the GDPR enforcement tracker.

Here are a few additional thoughts on the lawfulness of processing personal data for marketing purposes. While consent-based data processing puts the individual's data protection rights at the center, we believe that the data processing based on legitimate interest is to be treated with great caution. Digital marketing based on legitimate interest is an approach which requires a risk-assessment. Here you need to balance between a potential legitimate interest of your company and the individual's data protection rights. This is especially true in the context of B2C marketing where data processing that is not based on consent may be hard to justify. In case you want to find more information on marketing based on legitimate interest, the UK Information Commissioner's Office (ICO) has published a detailed guidance on legitimate interest under GDPR.

General Approach to Legal Regulation

No matter if you are affected by GDPR or any other legal regulation on data protection and marketing communication, you should always conduct an assessment of the legal situation, answering leading questions like:

  • Which legal regulation is currently or in the near future impacting the company's marketing activities?
  • Due to the legal regulation (especially for data collection and sending marketing communication), which processes need to be implemented to stay compliant?
  • What is the risk of being punished for non-compliance and what would be the expected results?
  • What needs to be considered in terms of collecting permissions (both inbound and outbound)?

You should address these questions with your Data Protection Officer and/or legal department. This will provide you with a must-have list of processes which need to be established in your marketing system in order to comply with legal regulations.

A brief example for such a must-have list might look like this (again, this is depending on which legal regulation applies to your company): 

List itemActions to Perform in Order to Comply with the Legal Regulation
Inbound Permissions"We have to establish mechanisms which ensure that only contacts who gave their consent for data storage and profiling are loaded into the marketing system."
Outbound Permissions"We have to make sure that we have a clear and consistent process for collecting and updating marketing permissions in place."
Ability to Demonstrate Compliance"We have to be able to demonstrate to the authorities that our contacts have consented to the processing of their personal data. Therefore we require a clear log of all permissions, including change history."
Send-out of Marketing Communication"We must have reliable checks in place that no marketing communication is sent to contacts who did not give their consent for it."

To summarize, introducing processes which help you stay compliant with legal regulations are essential and minimize the risk for high penalties. It is the first step of narrowing down your addressable audience (by not looking at the contacts which you may technically be able to reach, but only at those who you are legally allowed to communicate to).

Internal Policy

Let us move one level further in the funnel (see illustration-2) and look at internal policy.

While legal regulations force companies to establish a certain set of processes in order to stay compliant, many companies go one step further. They establish additional internal policies for their Permission Marketing which go beyond legal compliance. Typical goals of those internal policies are global process standardization, focusing on engaged contacts, and avoiding over-communication. Let us look at these three objectives to better understand how they may translate into processing rules.


  1. Global Process Standardization:
    • Some global companies which are affected by a strict data protection regulation (like GDPR) choose to roll-out processes to comply with this regulation on a global scale, even in regions for which it would not be legally necessary. This includes asking for explicit permission for marketing communication even in regions where an opt-out based approach would be sufficient. The rationale for such a policy is that a globally unified process for permission handling decreases complexity and allows for re-usability. A landing page or preference center which is designed in a GDPR-compliant way can as well be leveraged in countries with more lax legal requirements. 
  2. Focus on Engaged Customers:
    • Many companies choose to remove contacts from the marketing database after a certain period of inactivity, or if they cannot be reached due to an opt-out to marketing communication (even if consent for data storage is still given). This approach allows companies to concentrate their communication, and the cost involved with it, on the contacts which actively engage with the company. 
  3. Avoiding Over-Communication
    • Companies which send marketing communication on a high frequency face the risk to annoy their contacts with too much and maybe even irrelevant messages. This quickly results in high opt-out rates and ultimately inefficient marketing. To prevent this from happening, we recommend to closely monitor and manage communication frequency to individual contacts. Introducing rules on communication frequency can be seen as one part of the internal policy. A clear set of rules on when to limit communication can also be seen as a component of internal policies for Permission Marketing.  

The examples above illustrate how decisions beyond pure legal compliance manifest in internal policies for processing of personal data. The agreement on such internal policies should happen in close collaboration with the marketing business and should be clearly documented.

Individual Preference

Now, we have reached the last element of the funnel (see illustration-2), individual preference. While legal regulation and internal policies are all about staying compliant and establishing efficient processes, individual preference really puts the individual contacts first. It means giving the receivers greater flexibility of choice on the way you communicate to them. The main benefits of this approach have already been called out before such as higher relevance in your communication, increased engagement of the contacts, and lower opt-out rates.

The tool of choice to provide this flexibility is a preference center in which contacts can subscribe and unsubscribe to communication based on topic, select their preferred communication channel(s), and decide in which frequency they want to hear from you.

Building up and maintaining this individualized, preference-based communication comes with challenges: You need to have dedicated teams to create topic-specific content with a certain regularity, and you need to establish additional communication channels beyond simple e-mail marketing. In addition, you should consider conducting surveys in which your customers can provide feedback on your communication approach. This way you can learn from their feedback and adjust your communication to better serve their needs.


This article introduced you to Permission Marketing, why it is important, and how to build a structured concept for it. The three main aspects (legal regulation, internal policy, and individual preference) should be followed in sequence when you define your concept.

  1. Keeping your marketing activities legally compliant by following relevant regulations can be seen as a "must-have" and should be addressed together with your legal department. 
  2. Establishing internal policies to increase efficiency and effectiveness of your marketing activities is a "should-have" and requires close involvement of your marketing business.
  3. Allowing for individual preference is certainly also a "should-have". However, it involves a lot of complexity and should be tackled after you have addressed legal regulation and internal policy.

Closing Remarks

Thank you for reading this article. I hope you found it helpful for diving into the topic of Permission Marketing. Please leave a like or a comment, in case you want to.

Should you need further support with your Permission Marketing concept or other Marketing Operations aspects, we from SAP CX Services are happy to help you with expert guidance.


(ref-1) SAP Help Portal,  Permission Marketing

(ref-2) Seth Godin,  Permission Marketing: Turning Strangers into Friends, and Friends into Customers , 1999

(ref-3) European Commission,  Who does the data protection law apply to?

(ref-4) General Data Protection Regulation,  Article 5 - Principles relating to processing of personal data

(ref-5) General Data Protection Regulation,  Article 6 - Lawfulness of processing

(ref-6),  What are the GDPR fines?