Free Calculator
GDPR Consent Rate Impact Calculator
Model the impact of running a re-permission campaign or migrating to documented double-opt-in consent. Typical re-permission rates sit between 50-75%; the engagement uplift on the smaller verified list usually offsets the lost volume within 60-90 days, and the regulatory exposure removed lasts permanently.
Model the impact of tightening consent practices on list size, engagement, and revenue.
Why "smaller list" usually means "more revenue"
The intuition that a 100K list produces more revenue than a 65K list is correct in the abstract, and almost always wrong in practice. Email revenue is concentrated in engaged subscribers; the long tail of unengaged or never-confirmed subscribers contributes very little revenue while damaging deliverability for everyone else. A re-permission campaign cuts the unengaged tail and keeps the revenue-generating core, which produces three compounding effects: better placement at major mailbox providers, lower complaint rate, lower bounce rate. The aggregate effect on revenue is usually positive within 90 days.
The mechanism is the engagement signal at receiving ISPs. Gmail, Yahoo, Microsoft, and Apple all weight engagement heavily in their placement decisions. A list with 18% open rate gets average placement. The same engaged subscribers from that list, with the unengaged tail removed, can produce 30-35% open rate at receivers, which translates to better placement, more inbox visibility, more revenue per send.
The calculator's "expected new open rate" reflects this dynamic. The engaged core was always engaged. What changes is that you stop diluting their signal with non-engaging subscribers, and that change cascades through every reputation calculation the receiving ISPs run on your domain.
What the regulations actually require
The calculator's name references GDPR but the underlying compliance question applies across multiple jurisdictions. Each has its own consent definition and enforcement pattern. The table below summarises the operational requirements that drive re-permission decisions in 2026.
| Jurisdiction | Consent requirement | Practical implication |
|---|---|---|
| EU GDPR | Article 6 lawful basis (typically consent for marketing); Article 7 demonstrable consent records | Documented, time-stamped, granular consent. Pre-checked boxes are not valid consent. Subscribers may withdraw consent under Article 21 |
| UK GDPR / PECR | Same as EU GDPR plus Privacy and Electronic Communications Regulations | Soft opt-in exception for existing customers (B2B/transactional context); B2C marketing requires explicit consent |
| Spain (AEPD enforcement) | GDPR + LOPDGDD national implementation | AEPD has been the most-active EU regulator for email enforcement in 2024-2026; fines up to 4% of global revenue or €20M, whichever is higher |
| USA (CAN-SPAM) | Opt-out required; opt-in not strictly mandated for B2C marketing | Lower bar than GDPR; valid sender identity, working unsubscribe, processing within 10 business days. Gmail/Yahoo bulk-sender requirements (Feb 2024) effectively require one-click unsubscribe regardless of CAN-SPAM |
| Canada (CASL) | Express consent required for commercial messages | Stricter than CAN-SPAM in B2C; documented opt-in. Implied consent allowed for existing business relationships (with time limits) |
| Brazil (LGPD) | Article 8 consent; similar structure to GDPR | ANPD enforcement ramping up in 2025-2026; subjects have rights of access, correction, and deletion |
| Mexico (LFPDPPP) | Privacy notice + opt-out; weaker than GDPR but evolving | INAI enforcement; B2B/B2C distinction less codified than EU |
| Argentina (Habeas Data) | Argentina Data Protection Act | Aligned with EU adequacy decisions; expect tighter enforcement parallel to LGPD trajectory |
The recovery curve: what to expect month-by-month
The revenue dynamics after a re-permission campaign follow a predictable pattern. The calculator's output is the projected steady-state at 60-90 days; the path between current state and that steady-state has phases worth understanding.
| Phase | Timing | What happens |
|---|---|---|
| 1. Re-permission campaign | Days 1-14 | Re-permission email sent to existing subscribers. Confirmation rate 50-75% typical. Non-confirming subscribers suppressed (not deleted — held for compliance record) |
| 2. Initial revenue dip | Days 14-45 | Smaller list produces lower send volume; revenue drops proportionally. Engagement metrics rise as unengaged tail is removed but inertia in revenue lags |
| 3. Reputation recovery | Days 30-60 | Improved engagement signals reach Gmail Postmaster Tools, Microsoft SNDS, Yahoo Sender Hub. Reputation improves; placement shifts from spam to inbox for subscribers who were previously borderline |
| 4. Revenue inflection | Days 45-90 | Better placement plus higher engagement on the verified list begins producing revenue per send above baseline. Revenue meets or exceeds pre-campaign level despite smaller list |
| 5. Sustained outperformance | Day 90+ | Verified list compounds: better placement → better engagement → better placement. Revenue grows from the new baseline; long-term revenue typically 10-20% above pre-campaign level |
Two operational implications. First, plan for the 30-day dip. The financial team will see lower revenue in the month after the campaign; this is expected, not a sign of failure. If the programme cannot tolerate a 30-day revenue dip for compliance gain, the right approach is gradual cohort-by-cohort re-permission rather than full-list at once — spread the impact over a quarter. Second, the recovery happens at the engagement-signal level. If the post-campaign list is still mailing the same content at the same frequency, recovery is faster. If you are simultaneously changing strategy (new content, new frequency, new segments), the signals get muddled and the recovery curve is harder to read.
Common mistakes when running a re-permission campaign
- Doing it during peak revenue periods. The dip in days 14-45 is real. Running the campaign in November before Black Friday produces a measurable revenue hit during the worst possible window. Run re-permission in low-revenue periods (January-February, August-September) so the recovery is complete before high-revenue campaigns.
- Sending the re-permission email only once. A single email captures roughly 30-40% of the eventually-confirmed subscribers. Two emails captures 55-65%. Three emails captures 70-78%. The third email's marginal lift is significant; many programmes leave 15-20% of the engaged subscribers behind by stopping at one or two attempts.
- Confusing "consent" with "engagement." A subscriber who has not opened in 12 months may still re-confirm consent if asked — people forget to engage, not necessarily to want the brand. Segments based on engagement should be re-engaged separately from consent re-confirmation; merging the two campaigns produces poor results on both fronts.
- Not retaining the consent record after suppressing. GDPR Article 7 requires the controller to demonstrate consent was obtained. If a subscriber later complains to a regulator, you need to produce the original consent record — even if they have since unsubscribed or been suppressed. The suppression list is the right place to retain this; never delete the consent metadata.
- Migrating to single opt-in to "fix" the consent rate. Single opt-in produces faster list growth and weaker consent records. The trade-off is wrong for any programme operating in EU/EEA jurisdictions. Double opt-in plus documented timestamps is the operationally safe configuration; the consent rate is what it is.