A good mailing list today requires not only effective lead generation strategies but also compliance with applicable legal regulations. In this article, we explain the key legal requirements for lead generation and provide a step-by-step guide to ensure your contact database does not become a source of costly problems.
1. What has changed and why should you care?
Recent changes in the law (the Electronic Communications Law) have introduced a clear requirement to obtain prior consent for email marketing and all other forms of direct marketing. The new regulations apply not only to B2C relationships but also to B2B. In practice, this means:
Higher financial penalties – currently, penalties for marketing without the recipient’s prior consent can be significantly higher than before.
No mitigating circumstances – explanations such as “it was a one-time mistake” or “the data was from a public register, so we thought consent wasn’t required” are no longer acceptable to authorities.
These changes make it essential to review how you obtain marketing consents and generate leads.
2. What do you need consent for?
The general rule is that any commercial message and direct marketing require the recipient’s consent. These concepts include, among others:
Emails promoting new products or services
Telemarketing campaigns (e.g. promoting a sale)
SMS messages for events like Black Friday or containing discount codes
Many companies forget that these regulations also apply to B2B. Under Polish law, there is no exemption for marketing directed to business email addresses.
3. Is consent always required?
Not every message sent to a customer or contractor constitutes marketing that requires consent. There are so-called technical or service messages, such as:
Notifications about changes to terms and conditions
Information about a technical interruption of the service
Such content is not considered marketing and does not require additional consent.
However, borderline situations are common, for example:
Marketing communication with individuals who have previously made a purchase (e.g. offering complementary products)
A welcome message after purchasing a subscription
A customer satisfaction survey
A message about an abandoned shopping cart
In such cases, it is always advisable to assess whether the main purpose of the communication is to encourage a purchase (which regulators describe as “actions intended to generate interest in a business’s offer”). If so, it is safer to obtain the recipient’s clear consent.
4. What should valid consent look like?
Consent must meet several conditions. It should be:
Freely given – the person must not feel coerced into giving consent (e.g. by being required to sign up for a newsletter in order to complete a purchase)
Specific – the consent must clearly indicate what it covers (e.g. “I want to receive marketing messages at my email address”)
Informed – the recipient must know who the data controller is and the purpose of processing
Unambiguous – the consent checkbox cannot be pre-checked; the user must actively check the box themselves
Withdrawable – at any time, without complications
Accountable – the company must be able to prove that the consent was properly obtained
Also avoid so-called dark patterns, i.e. designing forms in a way that “forces” consent, such as using pre-checked boxes.
5. Frequently asked questions
Do I need to collect separate consents for each communication channel?
In practice, it is safer to separate consents. You can obtain a joint consent for email and phone communication, provided this is clearly stated in the clause and the recipient understands that withdrawing consent applies to both channels.
Are checkboxes always necessary?
Checkboxes are the simplest and most transparent solution. However, they are not always required – for example, if a form is used solely to sign up for a newsletter and its content clearly indicates that the user is consenting to email marketing, an additional checkbox is not needed.
Is double opt-in mandatory?
Polish law does not explicitly require double opt-in, but it is considered a best practice. Confirming the email address strengthens the evidence that consent was informed and unambiguous.
Can I offer discounts in exchange for consent?
Yes, provided that the discount is not so significant that the recipient feels “forced” to give consent. If, for example, a 75% discount is offered on the first purchase, it may be considered so attractive that the recipient effectively has no other choice. In such cases, the consent may not be regarded as freely given.
6. Consent is just the beginning – what next?
Once consents have been collected during the lead generation process, it is important to store and manage them properly. In case of an audit, you must be able to demonstrate:
Who gave the consent
What the content of the consent was
When and under what circumstances it was obtained
What information about data processing was provided to the individual at the time
Whether the consent was withdrawn (and if so, when and how)
Depending on the situation, additional technical data may be useful, such as:
For electronic consents – session ID, IP address, device data
For voice consents – call recordings
For written consents – scans of signed documents
7. System integration and ease of withdrawal
Your mailing list should be integrated with your consent management system. When your CRM sends data to a mailing platform, information about withdrawn consents must be updated in real time.
Ensure that recipients always have a simple way to unsubscribe – for example, a link in the newsletter footer (“click here to unsubscribe”). The lack of such an option, or deliberately making it difficult to withdraw consent, can result in penalties from the Data Protection Authority.
8. Outsourcing and legal responsibility
Companies often use external agencies to run lead generation campaigns. However, you remain the data controller and are legally responsible for any breaches.
Efficient information flow about withdrawn consents is essential – if a recipient withdraws consent directly with the service provider, this should be automatically reflected in your database.
9. Which authorities can audit your consents and issue fines?
Office of Electronic Communications (UKE)
For marketing contact without prior consent, UKE may impose a fine of up to 3% of the previous year’s revenue or PLN 1 million – whichever amount is higher.
When imposing a fine, UKE does not take into account previous conduct or the financial capacity of the company.
Examples:
– Tani Opał: PLN 500,000
– Koksztys: PLN 80,000
Personal Data Protection Office (UODO)
May impose penalties of up to 4% of annual turnover or EUR 20 million for GDPR violations, such as lack of information on data processing rules or obstructing the withdrawal of consent.
Example: ClickQuickNow was fined PLN 200,000 for hindering consent withdrawal.
Office of Competition and Consumer Protection (UOKiK)
May impose fines for violating collective consumer interests, e.g. in cases of unlawful marketing contact.
Example: Asmanta Call Center was fined PLN 600,000 for calling consumers without valid consent.
10. What’s next? How to implement legal requirements in practice?
Audit your existing lead generation process
Ensure that you have valid proof of marketing consents.
Check whether your sign-up forms (e.g. for newsletters) are clear and transparent.
Implement a consent management system
Each consent should be properly recorded, with the date and full content.
Plan how to handle consent withdrawal and data deletion requests.
Update your consent clauses and privacy policy
Ensure your consent wording is specific, informed, and unambiguous.
Review your privacy policy to make sure it is up to date and understandable for users.
Take the Next Step – Book a Consultation with Us
It’s not always easy to determine whether a specific situation requires consent, whether one checkbox is enough, or if a second one should be added, and whether you really need to implement double opt-in.
If you suspect that your lead generation and mailing list management processes could use improvement – and you want to avoid financial penalties or reputational damage – don’t hesitate to get in touch.
We’ll carry out a compliance audit of your lead generation practices to ensure everything meets current legal requirements. We’ll show you how to collect marketing consents securely, manage them within your CRM and mailing platforms, and prepare for potential inspections by supervisory authorities. By doing so, you’ll minimize the risk of sanctions while strengthening customer trust – showing your audience that their personal data is in good hands.