GDPR And Email Marketing: What Changed?

Ravi Davda, CEO, Rockstar Marketing

Written by Ravi

Jan 26, 2022


Back in May 2018, the European Union brought into force a new privacy law, the General Data Protection Regulation, or GDPR for short. In the months before it took effect, many wondered what it would mean for email marketers. Some went so far as to predict that email marketing would die as a result of certain articles in the GDPR. More than three years on, we can safely say that email marketing is not dead.

You might be wondering: now that the UK has officially left the EU, how and why does GDPR still apply to us? Let's find out.

What is GDPR?

The General Data Protection Regulation (GDPR) is arguably the toughest privacy and security law in the world. It covers a wide range of online privacy and security obligations and was shaped in part by the many breaches of online services over the years, which made it clear that the real victims of those breaches were not the companies themselves but the people who had entrusted their personal data to them.

Now, let us address the elephant in the room: Brexit. Yes, the United Kingdom (UK) has formally left the European Union, but it retained the regulation in domestic law as the UK GDPR, which is substantively the same as the EU version and sits alongside the Data Protection Act 2018. The UK's Information Commissioner's Office (ICO) publishes a guide that covers it in full.

What gives this law teeth are the fines and penalties attached to it. Under the UK GDPR you can be fined up to £17.5 million or 4% of your annual global turnover, whichever is higher.

So, how does GDPR affect email marketing?


Before GDPR took effect in the UK, email marketing was governed by the Data Protection Act 1998 (the UK's implementation of the EU Data Protection Directive) together with the Privacy and Electronic Communications Regulations (PECR) 2003. PECR states that you need consent to send marketing emails to individuals, and the definition of consent came from the DPA. PECR is still in force today; since 2018 it borrows the GDPR's definition of consent instead.

What confused marketers most was that PECR also says you do not strictly need consent if certain conditions are met. This was dubbed the 'soft opt-in'. In a nutshell, the soft opt-in lets a business send marketing emails to someone who never explicitly opted in, provided that:

  • the business obtained the person's contact details in the course of a sale, or negotiations for a sale, of its own products or services
  • it is only marketing its own similar products or services to them
  • the person was given a simple way to refuse marketing when their details were collected
  • every message they are sent includes a simple way to unsubscribe


Email marketing is one of many online activities that rest on the processing of personal data. Personal data is any information relating to an identifiable person, so an email address and a name qualify on their own; the list also includes location, web cookies and other identifiers, as well as special category data such as ethnicity, biometric data, religious beliefs and political opinions, which carry stricter rules. Under GDPR (and PECR) you need a lawful basis to process any of it.

So the central question for email marketing under GDPR is whether you can prove that individuals have consented to receive marketing emails from you.

GDPR and Email: GDPR-Compliant Email Marketing

As we have just mentioned, the main issue email marketers face with GDPR is consent. According to the Information Commissioner's Office (ICO), consent matters for two reasons:

  • It ensures the preservation of user privacy and security.
  • It helps you, the brand/business/organisation, establish a trustworthy, transparent relationship with your clients.

So, here are some points that you should cover in your email marketing strategy to avoid GDPR-related fines:

No pre-ticked boxes

Under GDPR, consent is only valid if the customer actively gives it. The most common example is ticking an unchecked opt-in box on your website. Long gone are the days of pre-checked boxes that assume consent unless the user unticks them.

You should also link to your privacy statement from every web form that collects email addresses. That is what makes the consent informed: the user agreed knowing what they were signing up for, which is your strongest defence if the consent is ever challenged. They must also be told how they can withdraw their consent later if they wish.

Automation, segmentation and emailing

Over the last couple of years, automation has drastically changed the way email marketing works. It made the processes of regularly communicating with your audience and nurturing whatever leads you have much easier and less time-consuming.

However, with the implementation of GDPR came some question marks in regard to email marketing automation.

For starters, you are not allowed to send automated marketing emails to an individual unless they have given consent (or the PECR soft opt-in applies).

The same applies to segmentation. Segmenting customers with an algorithm is profiling, and GDPR restricts decisions that are based solely on automated processing and that have legal or similarly significant effects on the individual. Sorting subscribers into 'likely to buy' and 'unlikely to buy' groups to tailor content is usually fine, but acting on that profile automatically crosses the line. For example, changing certain users' subscription plans on the basis of how they interacted with your automated emails is non-compliant and might very well get you into trouble. One way to do this properly is to keep a human in the loop: have a person review and action any such decision, and send the affected user an email explaining it. That email doubles as evidence that a human was involved in the decision-making process.

Easy opt-outs

As mentioned, GDPR requires that withdrawing consent be as easy as giving it, so users must be able to opt out of your emails whenever they wish. The standard way to meet this is an unsubscribe option in every promotional email you send. The opt-out itself must be smooth: no login wall, no multi-step hoops, and the request honoured promptly. Otherwise, you might be reported for spamming.

Log everything

GDPR not only sets the rules for how you collect consent, it also requires you to keep a clear record of each consent. In other words, you must always be able to prove:

  • Who gave the consent
  • When they gave it
  • What information they were shown at the time (for example, which version of your privacy statement)
  • Through what mechanism they consented (a social media form, at checkout, etc.)
  • Whether they have since opted out

Use double opt-in

Double opt-in refers to the addition of an extra step in the sign-up process. In single opt-in, users are immediately put in your email list the very moment they fill out a sign-up form. Double opt-in, on the other hand, requires users to confirm their subscription via email.

Although GDPR does not require double opt-in, we still recommend it, because a confirmed subscription is the clearest possible evidence of an affirmative action on the user's part. There are two further benefits. First, it is easier for you to prove that users actively gave their consent. Second, your email list will be in a better state.

How? You might ask.

Simple. Anyone who confirms their subscription is most likely genuinely interested in hearing from you. The confirmation step also catches mistyped addresses and stops anyone from signing up an address they do not control, so you are not emailing people who never asked to hear from you.

A cleaner list also means your campaigns are more efficient, both in time and in money.
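The snippet below is an added example for this article, not the author's code, and it ties the last three points together: it records the evidence the 'Log everything' list asks for, implements the double opt-in confirmation with a random, single-use, expiring token, and issues a signed unsubscribe link so that a user can opt out with one click but a stranger cannot unsubscribe them. The HMAC secret, the 48-hour confirmation window, the in-memory dictionary standing in for a database and the example.com host are all assumptions.

```python
"""Consent ledger with double opt-in and a signed unsubscribe link.

Added example for this article, not the author's code. Assumptions: one HMAC
secret held by the sending system, an in-memory dict standing in for the
database, a 48-hour confirmation window and the placeholder host example.com.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import asdict, dataclass
from typing import Dict, Optional, Tuple

CONFIRM_TTL = 48 * 3600  # seconds a confirmation link stays valid (assumption)


@dataclass
class ConsentRecord:
    """The evidence the 'Log everything' list asks for."""
    email: str
    requested_at: float                    # when the form was submitted
    source: str                            # which form: "checkout", "footer_form", ...
    notice_version: str                    # which privacy statement they were shown
    confirmed_at: Optional[float] = None   # set by the double opt-in click
    withdrawn_at: Optional[float] = None   # set when they unsubscribe


class ConsentLedger:
    def __init__(self, secret: bytes):
        self._secret = secret
        self._records: Dict[str, ConsentRecord] = {}
        # pending confirmation token -> (email, expiry). Tokens are random,
        # single-use and not derived from the address, so nobody can confirm
        # on someone else's behalf by guessing.
        self._pending: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _norm(email: str) -> str:
        return email.strip().lower()

    def _sign(self, purpose: str, email: str) -> str:
        msg = f"{purpose}|{email}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def request_subscription(self, email: str, source: str,
                             notice_version: str,
                             now: Optional[float] = None) -> str:
        """Record the sign-up; return the token to put in the confirmation email."""
        now = time.time() if now is None else now
        email = self._norm(email)
        self._records[email] = ConsentRecord(email, now, source, notice_version)
        token = secrets.token_urlsafe(32)
        self._pending[token] = (email, now + CONFIRM_TTL)
        return token

    def confirm(self, token: str, now: Optional[float] = None) -> bool:
        """Second step of double opt-in. Unknown, reused or expired tokens fail."""
        now = time.time() if now is None else now
        entry = self._pending.pop(token, None)  # pop makes the token single-use
        if entry is None:
            return False
        email, expires = entry
        if now > expires:
            return False
        self._records[email].confirmed_at = now
        return True

    def unsubscribe_link(self, email: str) -> str:
        """Link for the footer of every marketing email; works without logging in."""
        email = self._norm(email)
        return f"https://example.com/unsubscribe?e={email}&sig={self._sign('unsub', email)}"

    def unsubscribe(self, email: str, sig: str, now: Optional[float] = None) -> bool:
        """Honour a click on the link above. The signature stops third parties
        from unsubscribing people they do not like."""
        email = self._norm(email)
        expected = self._sign("unsub", email)
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return False
        rec = self._records.get(email)
        if rec is None:
            return False
        rec.withdrawn_at = time.time() if now is None else now
        return True

    def may_email(self, email: str) -> bool:
        """Only confirmed, non-withdrawn addresses receive marketing mail."""
        rec = self._records.get(self._norm(email))
        return rec is not None and rec.confirmed_at is not None and rec.withdrawn_at is None

    def evidence(self, email: str) -> Optional[dict]:
        """What you would hand over if asked to prove (or disprove) consent."""
        rec = self._records.get(self._norm(email))
        return None if rec is None else asdict(rec)


if __name__ == "__main__":
    ledger = ConsentLedger(secrets.token_bytes(32))
    token = ledger.request_subscription("Alice@Example.com", "footer_form", "privacy-v3")
    print("before confirm:", ledger.may_email("alice@example.com"))
    ledger.confirm(token)
    print("after confirm:", ledger.may_email("alice@example.com"))
    print(ledger.unsubscribe_link("alice@example.com"))
```

Two design choices worth noting. The confirmation token is random rather than a hash of the address, and it is popped on first use, so a leaked or guessed link cannot confirm someone who never clicked. The unsubscribe link is instead deterministic and HMAC-signed over the address, which lets the same link sit in every email without storing per-message state while still making it unforgeable; in a real deployment you would URL-encode the address and also advertise the link in a List-Unsubscribe header so mail clients can offer a one-click opt-out.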

Not sure if your website is GDPR-compliant?

If you’re still not sure if your website is GDPR compliant and want to make it accessible (and marketable) to everyone, throw us a message. We’ll look into it!
