Introduction to Permission Marketing


When was the last time you hit the unsubscribe button in a marketing e-mail because the content was irrelevant to you? Or were you ever annoyed by a communication for which you did not opt in in the first place? And in contrast, when was the last time you were positively surprised by a brand which kept you informed with relevant content at the right time?

Hopefully, the positive experience is the last one you remember, but chances are high it was the negative one. This is also the situation your customers are in.

In this article, we discuss permission marketing. As a marketer, this can help you to avoid negative consumer experiences and instead create positive surprises. Permission marketing also helps you to stay compliant while increasing your marketing efficiency.

This article includes remarks on legal regulations, like the EU General Data Protection Regulation (GDPR). This is not to be seen as any form of legal advice or legal consulting. Please involve and consult your legal department and/or data protection officer for any legal aspects related to permission marketing.

This article is an introduction to the general concept of permission marketing, which is solution-agnostic. In cases where remarks are specific to SAP Marketing Cloud, it is explicitly mentioned.

Definition and Motivation

Permission marketing is a targeted marketing technique in which the only contacts addressed are those "who have shown interest and who have given permission to be contacted. In contrast, the classical marketing addresses a large amount of contacts regardless of permission." (1)

The term permission marketing has been around for two decades. In other words, the concept is not a new one. It was introduced in 1999 by the American author and marketing expert Seth Godin (2). Despite the long existence of the concept, it is even more relevant today than it was 20 years ago.

Godin based his recommendation for permission marketing mainly on business outcomes, observing that permission-based campaigns perform more successfully than traditional methods. While business outcomes are still a valid and important consideration, the past years have surfaced additional aspects which make the usage of permission marketing obligatory. These aspects are the increased sensitivity of customers to the usage of their data, as well as the progression of stricter data protection regulations in various regions. A prominent example of such regulation is the European General Data Protection Regulation (GDPR) which came into force in May 2018. We will come back to GDPR in several places in this article.

Permission Types

Before looking at how to design a permission marketing concept, let us clarify in detail what permissions are. For this, we introduce some relevant terms which are being used within this article, taking definitions from GDPR as a reference:

Term(s): Personal Data & Data Subject
General Data Protection Regulation - Article 4 - Definitions (excerpt): "Personal data" means any information relating to an identified or identifiable natural person ("data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Term(s): Data Processing
General Data Protection Regulation - Article 4 - Definitions (excerpt): "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Additional Comment: With regard to permission marketing, the most relevant data processing is profiling and the use of data for marketing communication.

Term(s): Profiling
General Data Protection Regulation - Article 4 - Definitions (excerpt): "Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
Additional Comment: The consent for profiling is closely related to the "inbound permission" which is explained below.

Term(s): Consent or Permission
General Data Protection Regulation - Article 4 - Definitions (excerpt): "Consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Additional Comment: In this article, we use the terms "consent" and "permission" as having the same meaning and being interchangeable.

In summary, a permission is an agreement to the processing of personal data. The purpose of processing needs to be clearly stated. Permissions, therefore, are tied to a certain kind of processing.

To structure these purpose specific permissions, we differentiate between "inbound permissions" and "outbound permissions" (as shown in the image below and explained in the following two sections).  

Please note, "inbound permissions" and "outbound permissions" are terms specific to SAP Marketing Cloud. Nevertheless, they serve the need to differentiate on the purpose of data processing, agnostic to the marketing system.

image one:  inbound versus outbound permission

Inbound Permissions

In many regions, especially if you have to follow GDPR, you need to enforce an essential step before loading any personal data into your marketing system. You need to collect the contact's permission for storing and profiling the personal data for marketing purposes. This is what we call "inbound permission" (see also image one above). The process of collecting inbound permission is typically handled through an external consent management system, like SAP Customer Data Cloud, before the data is sent to the marketing system.

The importance of this step also becomes obvious when you look at the following SAP statement:  "SAP Marketing Cloud and SAP assume that the users of SAP Marketing Cloud, for example SAP customers, companies collecting the data (data collector), have consent from their data subject (a natural person like, for example, customer, contact, or account), to collect or transfer data to SAP Marketing Cloud." (3)

Stay tuned for an additional article within this series, in which we will describe the details on how to link external consent management systems, like SAP Customer Data Cloud, to SAP Marketing Cloud.

Please note, SAP Marketing Cloud also has an internal concept of inbound permissions. However, this concept (release 1905) is currently only for receiving social media posts from channels like Facebook or Twitter. Therefore, it does not cover all aspects of receiving consent for data storage and profiling from any channel. To find more details on the specific use case of integrating social media posts with inbound permissions, please visit the following SAP Help page.

Outbound Permissions

As illustrated in image one, outbound permissions reflect the contact's agreement to receive marketing communication; they are therefore related to the usage of the personal data.

When asking contacts for marketing permission, you should be specific and transparent in your inquiry. The following table helps you to understand the most important elements of outbound permissions and also briefly touches on the specifics in SAP Marketing Cloud.

Permission Element: Communication Medium
Leading Question: Which communication medium do you want to use (for example, e-mail, call, or direct push message)?
General Remarks: You should clearly state through which communication medium you want to reach your contacts. Ideally, you give them the option to choose between multiple ways to be contacted.
Permission Attribute in SAP Marketing Cloud: Communication Medium: This permission attribute is used to distinguish on which medium you are allowed to send to the contact.

Permission Element: Address / Identifier
Leading Question: On which specific address does your contact want to receive the communication (for example, +44-20-7946-0930, or @twitterusername)?
General Remarks: The address allows you to identify the contact who gave you permission and to know where to send the communication to. For example, a contact provides consent for marketing messages to his/her private e-mail address, but not to his/her work-related e-mail address.

Another important aspect is also the combination of communication medium and address. A contact might, for example, give you consent to use the e-mail address for communication to the e-mail inbox, but not to use the same e-mail address for personalized advertising on Facebook (by the usage of custom audiences).
Permission Attribute in SAP Marketing Cloud: Contact ID: This permission attribute is used to clearly identify to which address your communication is sent.

Permission Element: Generic or Topic-Specific Communication
Leading Question: Should your contacts give you permission for general marketing communication, or do you want to give them the option to select topic-specific communication based on their interest?
General Remarks: When asking your contacts for marketing permission, you should keep them informed for which exact purpose you want to send them communication. Is it for general marketing and promotion purposes, or do you want to keep them up-to-date about specific topic areas like events, product launches, or whitepaper articles?

Communication which is based on opt-in to specific topics (and not just on general marketing permission) has a great advantage: You give your contacts freedom of choice and show them that you try to target your messages according to their interests. By doing so, you send more relevant content and can expect higher engagement rates and fewer opt-outs. In addition, you can also reach contacts which may not be willing to provide their consent for general marketing messages, but only for certain topics.
Permission Attribute in SAP Marketing Cloud: Communication Category: This permission attribute is used to identify the topic to which the contact subscribed.

When the permission is tied to a communication category, this special kind of permission is called a subscription in SAP Marketing Cloud.

In case no communication category is assigned to the outbound permission, it is called a general marketing permission.

SAP Marketing Cloud allows you to use both subscriptions and general marketing permission in combination, giving you greater flexibility in managing your communication. Please also note the additional info-box below.

Permission Element: Organizational Entity
Leading Question: Does your company have separate brands or market units for which you collect permission?
General Remarks: In case you have a multi-brand or multi-org business, you might need to collect permissions which are specific to the communication of the individual organizational entities.

Usually this is done by having separate permission request forms per organizational entity and clearly tying this reference to the permission when it is transferred into the marketing system.
Permission Attribute in SAP Marketing Cloud: Marketing Area: This permission attribute allows you to tie the permission to a specific marketing area (organizational entity). In case a single marketing area is sufficient, then this attribute is set to "global".

Please note, with the current release (1905), the subscriptions in SAP Marketing Cloud can only be used for e-mail as an outbound channel. For this reason, for the time being, a fully fledged preference center with both general marketing permission and subscriptions can only be built up if you limit the communication medium to e-mail.

The outbound permissions are typically collected through a landing page or preference center on which the contact can grant or revoke permission to receive the communication. It is often also necessary to perform an initial migration of outbound permissions from a legacy marketing or customer relationship management (CRM) system. We plan to publish an additional article in this series which will focus on the integration of outbound permissions in more detail.

Now that we have a better understanding of what permissions are, let us look at what to consider during the design of a permission marketing concept.

Building a Permission Marketing Concept

image two: influence factors on permission marketing

In order to understand the relevant aspects of a permission marketing concept, we look at three main influence factors: legal regulation, internal policy, and individual preference. As illustrated in image two above, think of these factors as a funnel which specifies the addressable audience for your marketing campaigns.

We will explain each of these three factors individually in the following section. Let us start at the top of the funnel and go into detail on legal regulation. 

Legal Regulation

When designing your permission marketing concept, the first aspect which you must consider is existing legal regulation. In many geographic regions, it is the most important influence factor with respect to permission marketing. Legal regulation forces companies to establish compliant processes for processing customer data and conducting marketing communication. Which specific regulations take effect for your business depends on the geographic regions your company is established in, as well as the region your consumers are based in. To make this more tangible, let us take a closer look at GDPR as an example.

Permission Marketing in the Context of GDPR

GDPR is relevant for all kinds of processing of personal data, not only marketing. Of the aspects of GDPR described in the following, we focus only on those which we consider most relevant for permission marketing.

Topic: Territorial Scope
Leading Question: Which companies are affected by GDPR?
Most Relevant Aspects for Permission Marketing: The territorial scope of GDPR applies to:

  1. "a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
  2. a company established outside the EU and is offering goods/services (paid or for free) or is monitoring the behavior of individuals in the EU." (4)

Topic: Principles for Data Processing
Leading Question: What needs to be considered when processing personal data for marketing purposes?
Most Relevant Aspects for Permission Marketing: Relevant aspects in GDPR for processing personal data in the context of permission marketing are:

  1. Lawfulness, Fairness and Transparency
    • Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. (5)
  2. Purpose Limitation
    • Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. (5)
  3. Data Minimization
    • Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. (5)

Topic: Lawfulness of Data Processing
Leading Question: When is it lawful to process personal data for marketing purposes?
Most Relevant Aspects for Permission Marketing: At least one of the following requirements must be met:

  1. Consent
    • The data subject has given consent to the processing of his or her personal data for one or more specific purposes. (6)
  2. Legitimate Interest
    • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. (6)

Topic: Possible Fines for Violations
Leading Question: What are possible fines a corporation might face when violating GDPR?
Most Relevant Aspects for Permission Marketing: "Serious infringements (which) go against the very principles of the right to privacy (...) could result in a fine of

  • up to €20 million,
  • or 4% of the firm’s worldwide annual revenue from the preceding financial year,

whichever amount is higher." (7)

As shown in the table above, the fines which may be imposed for violating GDPR can be drastic for companies of all sizes. It is therefore a must that you know whether your marketing activities are affected by the regulation and, if so, that you follow the principles for data processing in a lawful way.

Here are a few additional thoughts on the lawfulness of processing personal data for marketing purposes. While consent-based data processing puts the individual's data protection rights at the center, we believe that data processing based on legitimate interest is to be treated with great caution. Digital marketing based on legitimate interest is an approach which requires a risk assessment. Here you need to balance between a potential legitimate interest of your company and the individual's data protection rights. This is especially true in the context of B2C marketing where data processing that is not based on consent may be hard to justify. In case you want to find more information on marketing based on legitimate interest, the UK Information Commissioner's Office (ICO) has published detailed guidance on legitimate interest under GDPR.

General Approach to Legal Regulation

No matter if you are affected by GDPR or any other legal regulation on data protection and marketing communication, you should always conduct an assessment of the legal situation, answering leading questions like:

  • Which legal regulation is currently or in the near future impacting the company's marketing activities?
  • Due to the legal regulation (especially for data collection and sending marketing communication), which processes need to be implemented to stay compliant?
  • What is the risk of being punished for non-compliance and what would be the expected results?
  • What needs to be considered in terms of collecting permissions (both inbound and outbound)?

You should address these questions with your Data Protection Officer and/or legal department. This will provide you with a must-have list of processes which need to be established in your marketing system in order to comply with legal regulations.

A brief example for such a must-have list might look like this (again, this is depending on which legal regulation applies to your company): 

List item: Inbound Permissions
Actions to Perform in Order to Comply with the Legal Regulation: "We have to establish mechanisms which ensure that only contacts who gave their consent for data storage and profiling are loaded into the marketing system."

List item: Outbound Permissions
Actions to Perform in Order to Comply with the Legal Regulation: "We have to make sure that we have a clear and consistent process for collecting and updating marketing permissions in place."

List item: Ability to Demonstrate Compliance
Actions to Perform in Order to Comply with the Legal Regulation: "We have to be able to demonstrate to the authorities that our contacts have consented to the processing of their personal data. Therefore we require a clear log of all permissions, including change history."

List item: Send-out of Marketing Communication
Actions to Perform in Order to Comply with the Legal Regulation: "We must have reliable checks in place that no marketing communication is sent to contacts who did not give their consent for it."

To summarize, introducing processes which help you stay compliant with legal regulations is essential and minimizes the risk of high penalties. It is the first step of narrowing down your addressable audience (by not looking at the contacts which you may technically be able to reach, but only at those who you are legally allowed to communicate to).

Internal Policy

Let us move one level further in the funnel (see image two) and look at internal policy.

While legal regulations force companies to establish a certain set of processes in order to stay compliant, many companies go one step further. They establish additional internal policies for their permission marketing which go beyond legal compliance. Typical goals of those internal policies are global process standardization, focusing on engaged contacts, and avoiding over-communication. Let us look at these three objectives to better understand how they may translate into processing rules.

  1. Global Process Standardization:
    • Some global companies which are affected by a strict data protection regulation (like GDPR) choose to roll out processes to comply with this regulation on a global scale, even in regions for which it would not be legally necessary. This includes asking for explicit permission for marketing communication even in regions where an opt-out based approach would be sufficient. The rationale for such a policy is that a globally unified process for permission handling decreases complexity and allows for re-usability. A landing page or preference center which is designed in a GDPR-compliant way can also be leveraged in countries with more lax legal requirements. Companies which decide to apply such an internal policy configure all permissions as being explicit and establish consistent opt-in/out mechanisms on a global scale.
  2. Focus on Engaged Customers:
    • Many companies choose to remove contacts from the marketing database after a certain period of inactivity, or if they cannot be reached due to an opt-out to marketing communication (even if consent for data storage is still given). This approach allows companies to concentrate their communication, and the cost involved with it, on the contacts which actively engage with the company. If you are interested in more details on data retention and how to configure it, please take a look at the article, "Implementing Your Data Retention Policy for SAP Marketing Cloud".
  3. Avoiding Over-Communication:
    • Companies which send marketing communication at a high frequency risk annoying their contacts with too many and maybe even irrelevant messages. This quickly results in high opt-out rates and ultimately inefficient marketing. To prevent this from happening, we recommend closely monitoring and managing communication frequency to individual contacts. Introducing rules on communication frequency can be seen as one part of the internal policy. In SAP Marketing Cloud, this can be controlled through communication limits and suppression rules. A clear set of rules on when to limit communication can also be seen as a component of internal policies for permission marketing.

The Suppression Rules app is deprecated from 1911. To avoid annoying contacts by contacting them too often by e-mail, and as a result, reduce the risk of opt-out, you can self-limit marketing communication using the features which are described in the SAP Help Portal.

The examples above illustrate how decisions beyond pure legal compliance manifest in internal policies for processing of personal data. The agreement on such internal policies should happen in close collaboration with the marketing business and should be clearly documented.

Individual Preference

Now, we have reached the last element of the funnel (see image two), individual preference. While legal regulation and internal policies are all about staying compliant and establishing efficient processes, individual preference really puts the individual contacts first. It means giving the receivers greater flexibility of choice on the way you communicate to them. The main benefits of this approach have already been called out before, such as higher relevance in your communication, increased engagement of the contacts, and lower opt-out rates.

The tool of choice to provide this flexibility is a preference center in which contacts can subscribe and unsubscribe to communication based on topic, select their preferred communication channel(s), and decide in which frequency they want to hear from you.

Building up and maintaining this individualized, preference-based communication comes with challenges: You need to have dedicated teams to create topic-specific content with a certain regularity, and you need to establish additional communication channels beyond simple e-mail marketing. In addition, you should consider conducting surveys in which your customers can provide feedback on your communication approach. This way you can learn from their feedback and adjust your communication to better serve their needs.

Please note, the option for contacts to provide their preferred frequency to receive messages is currently not a standard functionality of SAP Marketing Cloud (release 1905). For the time being, this would need to be implemented on a custom basis.


This article introduced you to permission marketing, why it is important, and how to build a structured concept for it. The three main aspects (legal regulation, internal policy, and individual preference) should be followed in sequence when you define your concept.

  1. Keeping your marketing activities legally compliant by following relevant regulations can be seen as a "must-have" and should be addressed together with your legal department. 
  2. Establishing internal policies to increase efficiency and effectiveness of your marketing activities is a "should-have" and requires close involvement of your marketing business.
  3. Allowing for individual preference is certainly also a "should-have". However, it involves a lot of complexity and should be tackled after you have addressed legal regulation and internal policy.

In case you need further support with your permission marketing concept, please refer to our 'Project and Operations Guidance' service. You will find more details in the fact sheet that is linked in the services section of this article.


(1) SAP Help Portal, Permission Marketing

(2) Seth Godin, Permission Marketing: Turning Strangers into Friends, and Friends into Customers, 1999

(3) SAP Help Portal, User Consent

(4) European Commission, Who does the data protection law apply to?

(5) General Data Protection Regulation, Article 5 - Principles relating to processing of personal data

(6) General Data Protection Regulation, Article 6 - Lawfulness of processing

(7), What are the GDPR fines?