
GDPR Email Marketing: What You Need to Know


Email marketing in the European Union has gotten trickier thanks to GDPR.

However, by adopting some easy-to-follow practices, you can ensure that you comply with the EU’s GDPR email marketing requirements.

In this article, I’ll first briefly explain what GDPR is. I’ll then cover its implications for email marketing and highlight five best practices for GDPR compliant email marketing. Later, I’ll describe what impact GDPR may have on your email policy.

As a bonus, I’ll also answer two GDPR email FAQs.


Disclaimer: This article is meant to provide a high-level overview of how GDPR affects emails. It’s not a substitute for legal advice.

For legal advice and specific questions on email regulations, please reach out to your attorney or talk to your data protection officer.

Let’s get started.

What Is GDPR?

GDPR means General Data Protection Regulation.

It’s a European Union data protection and privacy law that regulates how the user data of individuals in the EU can be collected, stored, and processed.

There are three key things you should know about GDPR:

  1. GDPR applies to any organization (referred to as the “data processor” or “data controller”):
    • Operating within the European Union
    • Outside the European Union, but offering goods and services to people in the EU
    • Outside the European Union, but processing the personal data of EU individuals
  2. Under GDPR, an EU individual (referred to as the “data subject”) can monitor, control, and delete any user data relating to them. These provisions are applicable even when an organization has a legitimate interest in processing customer data. If a data subject were to object to data processing, the organization would have to respect the individual’s choice and delete their data.
  3. Violation of this personal data protection law can result in hefty fines — up to €20 million or 4% of the organization’s total global turnover.

Essentially, GDPR protects the data privacy and data security of individuals in the EU, levying hefty fines on organizations that violate its rules.


Now, let’s go over how GDPR impacts email marketing:

What Does GDPR Say about Email Marketing?

The connection between email marketing and GDPR may not be evident at first glance. And even when you explore GDPR, you don’t see many references to email requirements per se.

Does that mean GDPR has nothing to do with email marketing?
No — GDPR does apply to email marketing.

GDPR mandates that organizations must:

  • Ask recipients for an affirmative opt-in to receive direct marketing communications
  • Provide recipients with a clear, unambiguous way to opt out of marketing communications
  • Offer a method by which customers can request the deletion of their personal data

In short, GDPR seeks to ensure that consumers receive only direct marketing communications to which they’ve consented and that add value to their lives.

Note: If you email an existing customer about similar products, you may not require express consent according to a lawful basis under GDPR. However, it’s always better to stay on the safe side.


Now that you know what GDPR says about email marketing, I’ll go over what it says about cold emailing your prospects:

Is Cold Emailing Allowed under GDPR?

The answer is a conditional yes.

Under GDPR, marketers can send cold emails to people at companies — aka B2B cold emails. But this doesn’t mean that you can send cold email campaigns to any person in some random company.

Your business should be logically connected to the business activities of the prospect’s company. And you’ll need a solid basis to claim how the prospect’s company can benefit from your services.

Moreover, you’ll need to add a disclaimer in your email copy informing the cold email recipients:

  • What personal data you’re collecting about them
  • How you’ll store their personal information
  • How you intend to use customer data
  • How the recipient can remove their user data from your email list

That’s not all.

You shouldn’t process or store the lead’s personal data longer than necessary. To stay on the safer side, consider deleting the personal data of leads who don’t respond to you after 30 days.

Note: While you’re allowed to send B2B cold emails, businesses cannot send cold emails to individuals (B2C) — for lead generation or other marketing purposes — according to GDPR.


Next, we’ll take a look at some email best practices you can follow to ensure that you’re complying with GDPR.

5 Best Practices for GDPR Compliant Email Marketing

Here are five best practices you can follow for email compliance with the GDPR:

Best Practice #1: Get Re-Permission from Your Email Subscribers

Your mailing or subscriber lists may include EU residents you added before GDPR came into effect (May 25, 2018).

These are your legacy contacts, and you’ll need to check how you got these subscribers.

You may encounter two categories of people in your mailing list:

  1. People who have explicitly opted in to receive your marketing communications — in this case, you can continue to send them direct marketing emails and don’t need to ask for permission again.
  2. People who were automatically opted in (for example, through a pre-checked box or a purchased email list) — in this case, you’ll need to ask for their explicit consent before sending them marketing communication messages.

To get GDPR consent in case #2, you have to send re-permission email campaigns asking subscribers whether they’d like to opt in to your email list again.

After your re-permission campaign, any subscriber who has consented to receive your email marketing messages should be added to your new mailing list. People who haven’t responded will need to be removed.

How to Send Re-Permission Email Campaigns

When sending re-permission campaigns, personalizing your emails can encourage existing subscribers to re-subscribe to your mailing list. But doing all of this can be tedious and error-prone, which is why you would use a robust email marketing service like GMass.

With GMass, you can:

Best Practice #2: Be Clear about Your Communication and Privacy Policies

Building a list of email addresses using lead magnets on landing pages is a common marketing strategy.

For example, let’s say your website offers a free ebook on “How to Do a Keto Diet.” To gain access to the ebook, a visitor needs to complete an online form on your website by providing details such as their email address.

Now, this raises a simple question: does this violate GDPR?
That depends.

I’ll cover two scenarios to illustrate when you may be in the clear concerning GDPR and when you violate GDPR:

Scenario A

Your opt-in form includes:

  1. A link to your comprehensive communication policy, which clearly specifies the kind of emails you’ll send (transactional emails, marketing or promotional emails, etc.)
  2. A link to your detailed data privacy policy, which unambiguously explains how you use and safeguard user data
  3. The relevant checkboxes (not pre-ticked) an individual can click to indicate that they consent to your communication policy, data privacy policy, and other terms & conditions.

In this scenario, you’re likely compliant with the GDPR regulation.

Scenario B

Your opt-in form has one or more of these problems:

  1. Your communication policy is ambiguous or is tucked away unnoticeably within your terms and conditions
  2. Your privacy policy doesn’t mention for what purpose you’ll use user data
  3. Your web form contains pre-ticked boxes that imply consent but don’t ask for explicit consent

In this scenario, you’re likely violating GDPR rules.

Essentially, you need to provide — clearly and openly — all the details consumers may need to make an informed decision. Moreover, you shouldn’t trick potential customers into agreeing to your terms and conditions.

Best Practice #3: Include an Unsubscribe Link in All Your Marketing Emails

GDPR emphasizes the consumers’ right to reclaim ownership of their data and easily opt out of marketing communications.

Now, you probably send emails only to people who’ve explicitly consented to receive your marketing communication messages.

But what if an existing customer or subscriber wishes to opt out?
You need to give them the option to unsubscribe!

Not just that. You must also make it straightforward for the existing customer (or subscriber) to opt out.

For this, you can include an unsubscribe link when you’re marketing by email.
Something along the lines of:

  • Click here to stop receiving emails from us.
  • Unsubscribe from all our marketing communications.
  • Opt-out of our emails.
  • You may unsubscribe to stop receiving our emails.

Unsubscribe option

And when someone clicks on the unsubscribe link, you must remove them from your email list and delete all data you’ve stored on the data subject for marketing purposes.

Additionally, you can provide subscribers with options to customize their email subscriptions.

You can let subscribers decide what kind of marketing communication (new products, offers, etc.) they’d like to receive and how often they’d like to receive them. This way, the subscribers have better control over the communications they receive from your marketers.

Best Practice #4: Rethink Your Marketing Automation Strategy

With the right tool, automating your email marketing activities is effortless.

However, in light of the GDPR regulation, you may need to rethink how you leverage marketing automation software in your campaigns.

For starters, you can’t send automated emails to people who haven’t explicitly consented to receive your marketing emails.

There’s also the issue of how you may segment and process your mailing list.

For example, let’s say you’re a company that offers a suite of marketing tools. Under the EU GDPR, you can send targeted emails to customers (who’ve signed up for your mailing list) with location-specific special offers.

However, let’s assume that you use an algorithm to process the customer’s personal data to identify users who’ve been heavily using your tool and could benefit from your other offerings.

As a result, you use marketing automation software to send targeted emails (with discount offers) to these people.

Doing so could be a violation since the GDPR regulation limits how organizations and businesses can use user data to profile European customers and make automated decisions.

But this is a gray area, and the legality can vary on a case-by-case basis.

Anyhow, it’s best to evaluate how you segment your mailing list and any associated info.
Then, check to see if there are any potential vulnerabilities in how you process consumer data for your automated marketing campaigns.

Best Practice #5: Create a GDPR Compliance Checklist

Ensuring that your email marketing efforts comply with GDPR rules can be tricky.

That’s why I strongly recommend you create a GDPR compliance checklist to evaluate your email marketing strategy.

Here is a list of questions you can use to get started:

  1. Have you received consent from subscribers to send them marketing emails?
  2. Are you aware of which data is protected under the EU GDPR?
  3. Do you maintain detailed records showing evidence of consent from your subscribers?
  4. Do you have a clear idea of how each contact ends up on your mailing list?
  5. Are you aware of where your email subscribers are located?
  6. Do you share your marketing communication and privacy policies with subscribers before signing them up?
  7. Does your communication policy clearly describe what kind of emails you’ll send to subscribers?
  8. Does your privacy policy clearly explain how you’ll collect, process, safeguard, and retain data relating to your email subscribers?
  9. Do all your marketing emails contain an opt-out link?
  10. Do you ensure that all your new email initiatives are in compliance with GDPR requirements?


Next, I’ll explain how GDPR requirements can impact your email policy.

How GDPR Affects Your Email Policy

Your organization may need to make some changes in its email policy to comply with GDPR rules.

These changes include:

A. Email Encryption

The European Union’s General Data Protection Regulation (GDPR) requires that your organization adopts suitable, proactive measures to ensure data security.

And one feasible way to secure user data is through encryption.

But is it possible to encrypt your emails?
Email encryption is a given when you’re using an end-to-end encrypted email provider like ProtonMail or Tutanota, or another cloud-based secure email service.

Alternatively, you can send encrypted emails using Gmail or Outlook.

Note: Gmail uses TLS encryption, which protects your message from being read by attackers while it’s in transit to the recipient’s mail server. TLS doesn’t encrypt the message at rest, though, so Gmail itself can still read your messages. With Outlook, you can use Message Encryption in Office 365 to ensure that only the intended recipient can read the email.

B. Organizational Email Security

Your organization must take proactive measures to protect the user data of EU residents and individuals and your employee data against a data breach, accidental loss or destruction, and so on.

How is this different from email encryption?
Unlike email encryption, email security isn’t just about adopting technical measures to protect consumers’ personal data. Instead, your organization needs to develop and put into practice internal policies regarding email safety best practices.

For example, your email and data security policy can specify how to proceed when employees receive emails with a suspicious From address, or how to report phishing or malware emails.

C. Email Retention

Data erasure is one of the key data protection principles under the EU GDPR.

And there are mainly two sides to this principle:

  1. Organizations may retain (or store) data only for as long as necessary for the purpose for which the consumer data was collected.
  2. People in the EU have a “right to be forgotten,” meaning that individuals can request immediate deletion of their personal data.

Wondering how this impacts emails?
We generally don’t delete our emails, especially at work. And there are valid reasons for this, such as:

  • We want to maintain a record of our activities.
  • We wish to retain emails for any potential litigation.

In any case, the more emails you store, the more sensitive data (consumers’ personal data, employee data, etc.) you collect, and the higher the risk in case of a data breach. As a result, your organization might consider reviewing the emails it stores and deleting any non-essential emails.


Next, I’ll answer some frequently asked questions connecting GDPR and email.

2 GDPR Email FAQs

Here are the answers to two commonly asked questions regarding GDPR requirements and how they affect emails:

1. Should All My Outbound Emails Include an Unsubscribe Link?

GDPR specifies that your outbound or email marketing messages must provide an easy way for recipients to opt out of receiving your emails.

Now, GDPR doesn’t explicitly state that you need an unsubscribe link.

But including an unsubscribe link in your marketing message is standard practice. It allows your recipients to opt out of receiving outbound and marketing emails. For that reason, I’d recommend that you include an unsubscribe link in all your email marketing campaigns.

2. If I’m Based in the United States, Do I Still Need to Be GDPR Compliant?

The answer to this question depends on whose data you may be processing.

If your company has absolutely nothing to do with storing or processing the personal data of people in the EU, you don’t need to be GDPR compliant. On the flip side, you’ll need to comply with GDPR requirements if your company’s subscribers, prospects, partners, or clients are EU residents or individuals.

Moreover, if you’re a data processor (or data controller) company processing the personal information of an EU citizen or individual, the GDPR applies to you. And this is regardless of whether the data processing activity occurs within the EU or outside.

Not just that.

Generally, GDPR also applies if you’re a business in the EU, and your client is not an EU citizen or resident but has purchased your product/service while in the EU — for example, a tourist traveling in France.

Final Thoughts

For email marketing in the EU, email marketers must obey the personal data protection law — the GDPR.

And this includes sending re-permission campaigns to get explicit consent from your EU subscribers, telling recipients how you’ll be processing customer data, adding unsubscribe links inside your marketing emails, and more.

By implementing the best practices I’ve covered above, you’ll have no trouble enacting GDPR compliant email marketing going forward!
