GDPR And Email Marketing: What You Need To Know If You Send Emails

01 February, 2022
by Sofia Grigoreva

GDPR is a comprehensive data protection law that deals with personal data processing and online user activity. Since its first introduction in 2018, the industry has accumulated more knowledge about achieving compliance, respecting customer rights, and keeping up marketing efforts at the same time. In this article, we’re going to look at some key principles and concepts of this regulation, as well as the best practices concerning GDPR email.

What is the General Data Protection Regulation (GDPR)?

GDPR is a regulation that governs the handling of personal data of all citizens and residents of the European Union, even when that data is processed or stored by companies outside the European Economic Area’s geographical borders. International companies that provide services to, or track the activities of, people inside the EU must also comply.

Personal data is any information that allows a person to be identified, directly or indirectly, without disproportionate time or effort. Common examples include a phone number, an email address, an ID number, biometric and medical records, an IP address, and cookies. For the purposes of email marketing, any customer data you collect most likely falls under that definition.


Personal data can also mean age, occupation, location, cultural profile, and anything else that can be used to identify an individual. If we know that John Doe is 24, lives in Berlin, and works as an accountant at ABC Law, we can identify him, so that combination counts as personal data. Yet if we only take his first name and age, the information is considered anonymous.

Personal data processing follows a set of principles. You can read the original text explaining them in Article 5. GDPR is essentially about:

  • Secure, confidential, and transparent data processing: you have to disclose what data you collect and ensure its integrity.
  • Storage limitation: once you no longer need certain data, you have to delete it.
  • Informed data collection: you must obtain freely given and informed consent before collecting user data.
  • Purposeful usage: you may collect data for a legitimate purpose and only in the necessary amount.
  • Accuracy and accountability: you are responsible for updating records and should be prepared to demonstrate compliance.

Companies that fail to comply could face a fine of up to €20 million ($24.1 million) or 4% of annual global turnover, whichever is higher. The authority that is tasked with ensuring compliance is called the Information Commissioner’s Office (ICO). While more fines are being issued over time, the chances of an adherence check targeting your brand are still relatively low — they mostly follow up on headline-worthy data breaches. Of course, there remains a possibility of the ICO looking into your organization, so the best thing you can do is make the necessary changes now and continue with business as usual.

Rights under the GDPR in email marketing

GDPR has a chapter dedicated to the data subjects’ rights in general terms:

Overview of the data subjects’ rights. Source: Data Privacy Manager

The rights give individuals more control and understanding as to what happens to their personal data. You can learn more about how data subjects exercise their rights in the FAQ section on dealing with citizens on the European Union’s official website.

How does it apply to email marketing?

The common practices associated with GDPR rights during email marketing campaigns are:

  1. Updating your privacy policy or adding a data protection statement to your website. Describe everything in simple terms and make sure that the policy is reachable with a single click from anywhere on your website, for example, by adding it to its footer.
  2. Including a link to the privacy policy and an unsubscribe button in the footer of your emails. This gives recipients an opportunity to exercise their rights to object to or completely restrict processing.
  3. Stating that you are using a third-party email marketing software in your privacy policy. You should also sign a Data Processing Agreement (DPA) with an email service provider (ESP) you’re using (if you are).
  4. Enabling automated personal information edits in user account settings. Be prepared to make updates manually, as your customers need to be able to review and change inaccurate or incomplete data under their rights of access and rectification.
  5. Storing all customer records in a uniform, commonly used format. Your data subjects might decide to act on their right to data portability. This can relate to the portability of contact lists, service preferences, etc.
  6. Erasing the records that you no longer use. Notify any third-party services like ESPs that might have had access to them as well to fulfill the customer’s right to be forgotten.

GDPR email requirements for security and retention

GDPR is not only about how you handle data but also about what data you store and how you store it. Along with compliance, that means optimizing your email archive, since all unused messages and contacts will have to be removed. When working with a third-party mailing service, make certain that it complies with these policies as well.

Ensuring encryption and security of personal data

Strictly speaking, GDPR does not list encryption as one of the mandatory practices but mentions it in several chapters of the regulation as an additional measure to mitigate security threats. You need to protect any personal information you collect, store, and interact with from unauthorized access and tampering. And encryption is one of the most reliable ways to safely transmit and store data.

There is a website that keeps track of GDPR fines together with the reasons they were issued. Look at the records filed under the corresponding article, Art. 32 (1) (b), to see that the financial penalties are quite serious.

Keep in mind that hackers might try attacking even from within your company: most commonly, by sending out phishing emails to your employees hoping to steal their login credentials.

  • To match your external security measures, hold regular training on preventing cyberattacks.
  • Add two-factor authentication to your staff login process.
  • Consider technologies that conceal client data while still making it usable for marketing managers: masking replaces some of the letters and digits with asterisks (John D** instead of John Doe), and pseudonymization replaces names and numbers with artificial identifiers (De2f-7 instead of John Doe).
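The two concealment techniques in the last bullet, as an added example in Python that is not code from the article or from Selzy. `mask_name` and `mask_email` produce the asterisk form, and `pseudonym` produces a stable artificial identifier using a keyed HMAC rather than a plain hash, because an unkeyed hash of an email address can be reversed simply by hashing candidate addresses. `PSEUDONYM_KEY`, the sample record and the field names are constructed for the example; the key would live in a secret manager, away from the marketing tools that only ever see the pseudonyms.

```python
"""Masking and keyed pseudonymization for marketing views: an added example, not code from the article or Selzy."""
import hashlib
import hmac

# Constructed key for the example. In a real deployment it lives in a secret manager and is not
# available to the marketing systems, so pseudonyms cannot be linked back to people from there.
PSEUDONYM_KEY = b"constructed-example-key-not-for-production"


def mask_name(full_name: str) -> str:
    """Keep the first name, show only the initial of every further name: 'John Doe' -> 'John D**'."""
    parts = full_name.split()
    if len(parts) < 2:
        return full_name
    return " ".join([parts[0]] + [p[0] + "*" * (len(p) - 1) for p in parts[1:]])


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the whole domain: 'john.doe@x' -> 'j*******@x'."""
    local, sep, domain = email.partition("@")
    masked_local = local[:1] + "*" * max(len(local) - 1, 1)   # always hide at least one character
    return masked_local + sep + domain


def pseudonym(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Stable artificial identifier: same input (ignoring case/whitespace) gives the same id,
    different keys give unrelated ids, and nothing about the person is recoverable without the key."""
    digest = hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()
    return f"{digest[:4]}-{digest[4:8]}-{digest[8:12]}"   # 48 bits; lengthen for very large lists


def marketing_view(record: dict) -> dict:
    """Turn a constructed CRM record into the row a marketing manager may see."""
    return {
        "subject_id": pseudonym(record["email"]),   # join key for reports, not an identity
        "name": mask_name(record["name"]),
        "email": mask_email(record["email"]),
        "segment": record.get("segment"),           # non-identifying attributes pass through
    }
```

The pseudonym is what analytics and campaign reports key on; only the system holding the key and the original record can translate it back, which is the property that makes the data usable for marketing while limiting who can identify the subject.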

Retaining emails for a limited period and purpose

GDPR doesn’t give any exact information on how long you should retain emails. However, it does state that you must only keep any personal data for as long as it serves the original purpose. You should introduce an email retention policy or revisit your existing one to check that you are not keeping excessive amounts of data that can put you at risk. Consider archiving software to set automated retention rules and don’t forget to keep track of other retention period guidelines legally enforced for your industry.

The “original purpose” part is important. If a person unsubscribes from your emails, it is illegal to keep their address and use it for other, unrelated marketing purposes.

How to adhere to GDPR: email compliance and consent

Consent is one of the key concepts in GDPR, and it is essential for email marketing. All subscribers must give informed and unambiguous consent to receive emails. They have to know what exactly they are going to receive — promotional materials, weekly blog updates, monthly content digests, etc. — and be able to choose one or neither of them when leaving their contacts.

Obtain consent with double opt-ins

One of the best practices to achieve that is the use of double opt-ins: first, the user actively ticks a confirmation checkbox in the sign-up form, and then clicks the link in a follow-up email to verify their intention.

As a first step, include an unticked checkbox in the email sign-up form. There are several ways to encourage subscription without tricking people into it, like email subscription forms on websites or social media posts. If a customer is leaving their email to download a guide or get a quote, you may add an optional checkbox with an invitation to subscribe, but make sure it does not stand in the way of them completing the original action.


A do’s and don’ts example for positive opt-ins. Source: iubenda

Shortly after a user completes the form, send them a follow-up email asking to confirm their address. Keep it short and make sure it serves the single purpose of obtaining repeated consent.

A confirmation email example. Source: Really Good Emails

Double opt-ins lead to lower subscriber conversion, as some people skip the additional confirmation step. Still, this is not a drawback: you won’t be spending money on inactive email addresses or accidental subscribers, and campaign engagement and deliverability rates will ultimately be higher. Look at consent as a way to create a long-term relationship with your customers by giving them transparent choices and continuous control over how you handle their personal data.

Separate the consent form from your Terms & Conditions

According to GDPR, requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language”.

As most of us tend to skip Terms & Conditions altogether or simply glance over them before marking that checkbox, don’t leave any room for confusion. Make your consent form stand out with its own checkbox and, most importantly, separate the consent form from your Terms & Conditions.

On the left, a user has to agree to the Terms & Conditions to continue, and contact permission is optional. On the right, unless the person opts in for emails, they won’t be able to continue to the next step, which violates GDPR. Source: iubenda

Ensure that withdrawing consent is easy to execute

Withdrawing consent is also a right under GDPR, so include that option in every promotional email you send. If your users have a subscription management section in their accounts, this is also a good place to notify them of that feature. Consider adding a permission reminder underneath the unsubscribe button, explaining why a subscriber received this offer in the first place.

Grammarly provides a short description of the reasoning behind their emails and states different management options in footers. Source: Really Good Emails

If a user has trouble opting out, they may simply mark your emails as spam to stop seeing them in their inbox, which can hurt your deliverability rates. Unsubscribing isn’t a bad thing: people that are no longer interested in the products or services you offer are not your target audience anyway.

Keep evidence of who consented, when, and how

You need to keep a digital log of the date, time, and source for each email address in your database. Usually, the information comes from your sign-up form, but it can also be digitized from, say, filled-in questionnaires or business cards collected at offline events. Maintain an archive of some kind in your CRM, mailing service, or other data management system, with copies of the relevant documents or data capture forms and their timestamps.
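The double opt-in flow from the “Obtain consent with double opt-ins” section and the evidence log described above, combined in one added Python example that is not code from the article or from Selzy. It also applies the retention rule from earlier: sign-ups that are never confirmed are deleted after a fixed window. The in-memory `ConsentLedger`, the `PENDING_TTL` of seven days, the `example.invalid` confirmation URL and the sample addresses are all constructed for the example and stand in for a CRM or mailing-service consent table.

```python
"""Double opt-in consent ledger with an audit trail: an added example, not code from the article or Selzy."""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

PENDING_TTL = timedelta(days=7)                      # unconfirmed sign-ups are deleted after this
CONFIRM_URL = "https://www.example.invalid/confirm"  # hypothetical endpoint, placeholder domain


@dataclass
class ConsentRecord:
    email: str
    source: str                  # how the address was obtained: web form, questionnaire, event card
    purposes: tuple[str, ...]    # what the subscriber chose to receive
    requested_at: datetime       # step 1: the unticked box was actively ticked
    confirmed_at: datetime | None = None   # step 2: the link in the follow-up email was clicked
    withdrawn_at: datetime | None = None   # unsubscribe
    token: str | None = None     # single-use confirmation token, cleared on confirm


class ConsentLedger:
    def __init__(self, clock=lambda: datetime.now(timezone.utc)):
        self._clock = clock
        self._records: dict[str, ConsentRecord] = {}

    def request(self, email: str, source: str, purposes, box_ticked: bool) -> str:
        """Step 1: only an actively ticked box creates a pending record; returns the link to email."""
        if not box_ticked:
            raise ValueError("consent box not ticked: nothing may be stored")
        email, token = email.strip().lower(), secrets.token_urlsafe(16)
        self._records[email] = ConsentRecord(email, source, tuple(purposes), self._clock(), token=token)
        return f"{CONFIRM_URL}?e={email}&t={token}"

    def confirm(self, link: str) -> bool:
        """Step 2: accept the click only for a known address with a matching, unexpired, unused token."""
        q = parse_qs(urlsplit(link).query)
        email, token = (q.get(k, [""])[0] for k in ("e", "t"))
        rec = self._records.get(email)
        if rec is None or rec.token is None or self._clock() - rec.requested_at > PENDING_TTL:
            return False
        if not hmac.compare_digest(rec.token.encode(), token.encode()):   # constant-time compare
            return False
        rec.confirmed_at, rec.token = self._clock(), None
        return True

    def withdraw(self, email: str) -> bool:
        rec = self._records.get(email.strip().lower())
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.withdrawn_at = self._clock()
        return True

    def may_send(self, email: str, purpose: str) -> bool:
        """Send only for a purpose the subscriber confirmed and has not withdrawn."""
        rec = self._records.get(email.strip().lower())
        return (rec is not None and rec.confirmed_at is not None
                and rec.withdrawn_at is None and purpose in rec.purposes)

    def purge_unconfirmed(self) -> int:
        """Storage limitation: delete sign-ups that were never confirmed within PENDING_TTL."""
        stale = [e for e, r in self._records.items()
                 if r.confirmed_at is None and self._clock() - r.requested_at > PENDING_TTL]
        for e in stale:
            del self._records[e]
        return len(stale)

    def evidence(self, email: str) -> dict | None:
        """Who consented, when and how: the record to produce for an auditor."""
        rec = self._records.get(email.strip().lower())
        if rec is None:
            return None
        iso = lambda d: d.isoformat() if d else None
        return {"email": rec.email, "source": rec.source, "purposes": list(rec.purposes),
                "requested_at": iso(rec.requested_at), "confirmed_at": iso(rec.confirmed_at),
                "withdrawn_at": iso(rec.withdrawn_at)}


def demo() -> dict:
    """Run the flow on constructed data with a controllable clock; returns the observable outcomes."""
    now = [datetime(2022, 2, 1, 9, 0, tzinfo=timezone.utc)]
    ledger = ConsentLedger(clock=lambda: now[0])
    out = {}
    link = ledger.request("Jane@Example.test", "website-footer-form", ["weekly-digest"], box_ticked=True)
    out["tampered"] = ledger.confirm(link.replace("&t=", "&t=x"))   # altered token is rejected
    out["confirmed"] = ledger.confirm(link)
    out["replayed"] = ledger.confirm(link)                          # token is single-use
    out["send_digest"] = ledger.may_send("jane@example.test", "weekly-digest")
    out["send_promo"] = ledger.may_send("jane@example.test", "promotions")  # never consented to
    ledger.request("stale@example.test", "event-business-card", ["promotions"], box_ticked=True)
    now[0] += timedelta(days=8)               # the second sign-up is never confirmed
    out["purged"] = ledger.purge_unconfirmed()
    out["withdrawn"] = ledger.withdraw("jane@example.test")
    out["send_after_withdraw"] = ledger.may_send("jane@example.test", "weekly-digest")
    out["evidence"] = ledger.evidence("jane@example.test")
    return out
```

`may_send` is the gate a campaign sender would call per recipient and per purpose, so an address that agreed to a weekly digest is never used for promotions, and `evidence` returns exactly the who, when and how that an auditor would ask for. The withdrawn record is kept, with its withdrawal timestamp, rather than deleted, because it is the proof that you stopped sending when asked.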

Review your consent practices and existing opt-ins

GDPR doesn’t differentiate between your previous and current activities. Review all your subscription forms from before the regulation came into effect. Remove excessive fields that require users to provide data you cannot justify using. Get rid of pre-ticked boxes and add links to your updated privacy policy statement. Use the do’s and don’ts examples in this article as references for your opt-in forms.

How to do email marketing under GDPR

Now that we’ve covered the general information on GDPR, we can look at steps you can take to ensure compliant marketing. For a comprehensive overview of the laws and regulations concerning email besides GDPR, you can refer to our dedicated article on email compliance.

Manage your current database

  • Perform an audit of your mailing lists. Check whether there are any records lacking proof of active consent (email preference settings or double opt-in confirmations). In most third-party mailing services, it will be visible as a contact status. For example, this is how your list looks in a Selzy account:
  • Make a dedicated campaign for unaccounted subscribers asking them to re-opt-in. Remove subscribers that do not give consent.
A dedicated stay-subscribed campaign from Auto Trader directly refers to GDPR. Source: Really Good Emails
  • If there are too many subscribers that did not opt in, run a re-engagement campaign to gradually reactivate them.

Know your contacts

  • Don’t buy email lists. It is in direct violation of GDPR and can hurt your credibility. Conduct lead generation campaigns instead or use other legal methods to build email lists.
  • Keep records of where, when, and how you obtained each contact. You can store them in any digital form you like, with separate sources indicated for different marketing campaigns. These archives are rarely, if ever, reviewed by ICO officers, but the possibility is still there.
  • If you use third-party services to gain more contacts, like a marketing agency, ask them about their practices and discuss how you can maintain compliance.

Disclose your data practices

  • During the subscription process, inform your subscribers about the kind of information you are gathering on them and what you intend to do with it. Explain how long you might be storing it and why. This information should be reflected in your data privacy policy, with a link to it included in your subscription forms and the footer of each email.
  • In the privacy policy statement, briefly describe the rights and options that users have and, if possible, offer personal data editing via account management settings.
  • Add a clause stating that children under 16 can only subscribe with their parents’ consent.
  • Make the document easily accessible and visible.

Twitter’s privacy policy is transparent, concise, and user-friendly.

Key takeaways

GDPR is a set of legally enforced regulations on personal data processing that apply to all companies working with EU citizens or residents. Local and international businesses that send promotional emails to clients living in the EU also have to comply.

  • What’s going to happen if a company doesn’t follow GDPR? A major data breach or recurring customer complaints might lead to an inspection from the ICO. If non-compliance is confirmed, you’ll receive a warning, followed by a reprimand and a suspension in case of repeated violations. The EU’s data protection authorities heavily enforce the regulations, and the cost of non-compliance is high.
  • What are the main concepts relevant to email marketing? It’s all about freely given and informed consent. Make sure all your subscribers give active consent for receiving emails with double opt-ins. Keep records that prove it in a digital archive or within a third-party mailing service. Include an unsubscribe button and a link to your privacy policy in all your emails.
  • Do we need to update our Privacy Policy? Most likely, yes. Disclose your data practices and be more transparent about the data you are collecting, what you plan on doing with it, and why. You can look up GDPR-compliant templates and adapt them to your case.
  • Can we be fined for subscribers that joined before GDPR came into effect? GDPR applies to all your existing data and records obtained before the regulation must also be compliant. If you don’t have proof, run a stay-subscribed campaign. Remove users that do not confirm their intention to stay subscribed.
  • What else should we do to ensure compliance? Consider adding encryption for data protection purposes. Look out for both external and internal threats. Retain emails for a limited time and purpose. Review your upcoming initiatives with GDPR in mind.

GDPR is not a limitation for your marketing efforts. If there are subscribers that do not want to receive updates from you, keeping them just for the sake of numbers is ineffective anyway. Stay compliant and focus on building customer relationships based on transparency.
