GDPR email marketing

GDPR compliant email marketing? What do we know about it almost two years on?

According to THE RADICATI GROUP Email Statistics Report, 2017-2021:

By the end of 2021, the number of worldwide email users will be over 4.1 billion.

In 2017, the number of email users topped 3.7 billion, approximately half of the global population, which means email marketing is a channel you cannot afford to disregard.

A lot of the emails we receive daily are part of email campaigns. Living in a digital (marketing) world, this shouldn’t come as a shock. However, how many of those are sent in a GDPR compliant way?

More importantly, do companies even care about GDPR compliant email campaigns, and what does that even imply?

The truth is, switching to GDPR compliant email campaigns caused many companies to lose a large part of their contact database. Whether those databases were any good to begin with is an entirely different story.

For some, it is company profits before GDPR compliance. For others, those two are one and the same. However, many companies that have put emphasis on PRIVACY are thriving.

I decided to run my own mini-research (and I encourage you to do the same) to see how many companies are compliant on a simple newsletter opt-out.

I unsubscribed from a handful of newsletter lists and watched to see what happens. The results were very surprising, but more about this later.

Let’s go back to basics and address the questions regarding GDPR and email marketing.


GDPR and Marketing

GDPR compliant marketing means respecting the privacy of your contacts and their GDPR rights.

It means not contacting people who have opted out of your marketing communications, and deleting contacts when there is no longer a reason to keep their records. It means no pre-ticked consent boxes and a record of consent for each and every purpose.

GDPR marketing should be transparent, trustworthy and straightforward in communicating what you do with the personal data of your contacts.

GDPR email marketing means this and so much more.

It is a marketing strategy and a company policy. How to conduct GDPR compliant email marketing should be taught and promoted inside the Marketing department, with the assistance of a DPO.

How does the GDPR affect email marketing?

Introducing a regulation like the GDPR in marketing did ruffle some feathers. Working with other marketers, I found the general feeling was that the only thing they wanted was business as usual.

Meaning pre-ticked consent boxes, buying email lists (even though I hope this is a practice that is dying), personal information stored in Excel and scattered across departments and inboxes, along with other non-compliant practices.

This is the reality.

I am not sure marketers recognized the perspective that GDPR could bring to their marketing strategies, one that some (dare I say more privacy-advanced) companies are fully utilizing.

Sometimes the tendency to cling to the numbers prevents us from exploring new opportunities and letting a few subscribers go, for the benefit of compliant marketing lists and honest, open communication.

Having GDPR compliant contact lists means your database will build slower, but the quality of your contacts will improve dramatically.

We have talked about how customers respond to privacy and trust issues; be sure to check that out:

Read the blog: Data Breach and Reputation Management

If you don’t move with the changes, you are going to be eaten by them. Being compliant is not optional, so make sure you:

✔️ have compliant consent collection points
✔️ keep proof of consent (who consented, when they consented, how they consented, to what they consented, and whether they have withdrawn the consent)
✔️ implement a self-service interface for managing privacy settings, or another method by which your contacts can revoke or manage their consents and preferences

Who has to comply with the GDPR?

Check if you are obligated to comply with GDPR.

According to Article 3 of the GDPR, any organization that processes personal data of data subjects who are in the EU has to comply with the GDPR, regardless of whether the processing of personal data takes place in the EU or outside it. (Note that the trigger is the data subject being in the Union, not their citizenship.)

The GDPR applies to you if the processing activities are related to:

▶️ The offering of goods or services to data subjects in the EU, irrespective of whether a payment by the data subject is required, or
▶️ The monitoring of the behavior of data subjects in the EU, as far as their behavior takes place within the Union.

This applies to two groups:

▶️ Companies established in the EU
▶️ Companies outside the EU, if they offer their goods and services to data subjects in the EU or monitor their behavior. Mere accessibility of your website from the EU is not enough on its own (Recital 23); factors such as offering the site in an EU member state language or currency, or explicitly mentioning EU customers, indicate that you are targeting them.

Is GDPR affecting cold emailing?


Your marketing communication will require a lawful basis, and in most cases that means consent from your data subject.

Sending emails for the purposes of direct marketing is only allowed to subscribers who have given their prior consent, or, in limited cases, on the basis of legitimate interest. However, legitimate interest needs to be demonstrated and documented, not merely asserted.

There is an exception to the rule of obtaining prior consent when you are communicating your own products and services to existing customers. This is the “soft opt-in” from Article 13(2) of the ePrivacy Directive, which sits alongside the GDPR for electronic marketing.

You may use your existing customers’ contact details for direct marketing of your own similar products or services, provided that customers are clearly and distinctly given the opportunity to object, free of charge and in an easy manner, to such use of their electronic contact details both when they are collected and on the occasion of each message, and provided the customer has not initially refused such use.

Avoid sending emails that disguise or conceal the identity of the sender, or that lack a valid address to which the recipient can send a request that such communications cease.

Choose the right data strategy for your marketing

Even though the GDPR only protects data subjects in the EU, it is very complicated and time-consuming to maintain two email lists, dividing your subscribers into EU and non-EU. Not to mention that it is challenging from a technical point of view: you would need reliable location data for every contact, and a contact can move.

If you are going to divide your lists, you have to take this into account when building your marketing strategy.

However, I don’t believe this is the right way. When choosing between an offensive and a defensive data strategy, the industry you are in is going to play a big part.

In the first months of the GDPR, some websites decided to block EU visitors from entering their website or deleted their entire contact database (a defensive data strategy), but that is like saying goodbye to a big chunk of the world market (513 million people).

6 Guidelines to GDPR Compliant Email Marketing

In order for your email marketing to be GDPR compliant, you will have to be able to name a legal basis for processing for each and every one of your contacts.


Since the GDPR came into force, you can process personal data under only six legal bases (Article 6). In most cases, you will need consent for email marketing.

However, do you always need consent to send an email?

No, there are situations where you can send emails to your contacts on the basis of legitimate interest.

▶️ Firstly, to your customers. However, only if you need to notify your customers about new features of the product, new policies being applied and updates that they could benefit from: in short, information they have an interest in knowing.

Also, if you are offering downloadables on your website, you can use legitimate interest as your lawful basis. It is implied that the data subject gave you his/her email address so you can send them the content. However, you can’t use that personal information in your marketing campaigns later. Once the email with the downloadable content has arrived in your contact’s inbox, that is the end of the road.

Remember, don’t ask for more information than is necessary. For example, ask for an email address and first name, so you can send the downloadable and personalize the subject of the email.

If you must collect more data to personalize the experience (for instance, you have several newsletter lists aimed at different industries, so you collect the company name), do not make those fields required on your submission forms. Always think about how much data you really need. For example, if you are offering a free consultation via phone and someone applies, you will also need their phone number, but you don’t need their phone number to send them a newsletter.

▶️ There was one more situation where you could send emails without consent. Around 25 May 2018, you could send one more re-consent email to contacts who had not given you explicit consent for a specific purpose, i.e. ask for their consent one more time. However, that window is long gone.

At that time, I got a lot of emails that went something like this:

(Image: example of a re-consent email received around the GDPR enforcement date.)

Bear in mind, this is no longer a compliant strategy.


If you are collecting contact info on your website, make sure you explain who collects the data, which data is collected and for what purposes, how you are going to process that data, and whether any third parties are involved.

In the “State of the Connected Customer” research by Salesforce, 86% of surveyed individuals said that a company explaining how it uses their information to give them a better customer experience makes them more likely to trust that company with their personal information.

You don’t have to stuff all that info into your consent box. Elaborate on it in your Privacy Policy and refer your contacts there to learn more about how you process their personal data. For the consent box it is enough to have something like this:


You have to remember that you must let your contacts opt out (unsubscribe) as easily as they opted in (subscribed). Ideally this is done through a self-service interface that generates a unique, unguessable link for each data subject (for example a hashed or signed token tied to the contact, so that a link cannot be altered to opt someone else out), and lets your contacts manage their requests and communicate their preferences in a GDPR compliant way.

This takes a little bit of pressure off the Marketing department.

If that is not an option, provide enough information in your privacy policy on how to unsubscribe, and make sure every email carries an “unsubscribe” link.


Pre-ticked consent boxes are a big NO! Whatever else you get wrong, make sure this is not the issue. Marketing platforms make it easy to set this up correctly. An unticked box gives you some assurance that the contact gave consent deliberately.

GDPR opt-in example:


This is the GDPR data minimization principle: you have to limit the personal data you collect, store or use to what is strictly necessary to provide the service or fulfill a specific purpose.

For example, if you have a newsletter subscription form on your website, it is compliant to ask only for an email address, and possibly a name (if you run personalized email campaigns). You don’t need to know anything else about the contact in order to send an email.

Make the email address a required field, while the name can be given optionally.


The most common marketing practice before the GDPR was to bundle all consents together, along with the privacy terms and conditions.

For example, the consent text would be: “By clicking the submit button below, you agree to receive marketing communication, personalized ads, and you agree to our terms and services.”

A GDPR compliant version lets the contact choose which of those consents he/she is willing to give. Consent has to be specific and granular, one checkbox per purpose, and it cannot be bundled with acceptance of the terms of service.

If your website offers downloadable content like e-books, templates or whitepapers, you cannot make the download conditional on consent to marketing communication.

For example, on our webpage you can download the materials without giving consent, but you have the option to subscribe if you like.

If the contact did not opt in to marketing communication, he/she receives the downloadable, but that is it.


To conduct GDPR compliant email marketing campaigns, you will have to keep track of your consents. It is not just about collecting them; you have to manage them. This means keeping a record of contact preferences, opt-ins and opt-outs, and applying it every time you send. The unsubscribe button is a MUST.

Remember, every email you send that has no lawful basis is a violation of the GDPR.

Unfortunately, in many setups, when a contact unsubscribes that information stays “locked” in the system that received the click, while Marketing keeps mailing from exported lists that are not automatically updated across the other marketing tools. The check has to happen at send time, against the current record of consent, not against a list pulled last week.
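The following is an added example, not code from the article or from any marketing platform, showing the three pieces the text asks for: a consent record that answers who, when, how and to what (and whether it was withdrawn), a per-contact unsubscribe link that is signed with an HMAC so it cannot be guessed or altered to opt someone else out, and a send-time suppression step that re-checks a stale exported list against the ledger so an opt-out recorded in one system is honoured everywhere. All names (ConsentLedger, handle_unsubscribe, the example.invalid URL, the signing key and the sample contacts) are hypothetical.

```python
"""Consent ledger, signed unsubscribe links and send-time suppression.

Added illustration; not the article's or any vendor's code. Names and data
below are constructed for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# ASSUMPTION: in production this key comes from a secrets manager, never from source code.
SIGNING_KEY = b"example-only-key-change-me"


@dataclass(frozen=True)
class ConsentEvent:
    email: str
    purpose: str    # one record per purpose, e.g. "newsletter" vs "product_updates"
    granted: bool   # True = consent given, False = consent withdrawn
    when: int       # Unix timestamp (seconds)
    how: str        # collection point: "web_form", "unsubscribe_link", ...
    wording: str    # the exact text the contact agreed to (empty for withdrawals)


class ConsentLedger:
    """Append-only log of consent events: who, when, how, to what, and withdrawals."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        self._events.append(event)

    def history(self, email: str, purpose: str) -> List[ConsentEvent]:
        """Proof of consent for one contact and one purpose, oldest first."""
        return sorted(
            (e for e in self._events if e.email == email and e.purpose == purpose),
            key=lambda e: e.when,
        )

    def has_consent(self, email: str, purpose: str) -> bool:
        """The most recent event for this (email, purpose) decides."""
        hist = self.history(email, purpose)
        return bool(hist) and hist[-1].granted


def unsubscribe_token(email: str, purpose: str) -> str:
    """HMAC over (email, purpose): the link cannot be guessed or edited to target another contact."""
    msg = f"{email.lower()}\x00{purpose}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def unsubscribe_link(email: str, purpose: str,
                     base: str = "https://example.invalid/unsubscribe") -> str:
    params = {"e": email, "p": purpose, "t": unsubscribe_token(email, purpose)}
    return f"{base}?{urlencode(params)}"


def handle_unsubscribe(ledger: ConsentLedger, url: str, now: int) -> bool:
    """Server side: verify the signature, then write the withdrawal to the ledger."""
    q = parse_qs(urlparse(url).query)
    try:
        email, purpose, token = q["e"][0], q["p"][0], q["t"][0]
    except (KeyError, IndexError):
        return False
    expected = unsubscribe_token(email, purpose)
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return False  # forged or tampered link: change nothing
    ledger.record(ConsentEvent(email, purpose, False, now, "unsubscribe_link", ""))
    return True


def recipients(ledger: ConsentLedger, exported_list: List[str], purpose: str) -> List[str]:
    """Send-time suppression: the campaign list is re-checked against the ledger
    when the campaign goes out, so an opt-out is honoured even if the export is stale."""
    return [e for e in exported_list if ledger.has_consent(e, purpose)]


def demo() -> Tuple[List[str], List[str], bool, bool]:
    ledger = ConsentLedger()
    wording = "Yes, send me the monthly newsletter."
    # Constructed sample: two contacts opt in via the website form.
    ledger.record(ConsentEvent("ana@example.com", "newsletter", True, 1_700_000_000, "web_form", wording))
    ledger.record(ConsentEvent("bo@example.com", "newsletter", True, 1_700_000_100, "web_form", wording))
    stale_export = ["ana@example.com", "bo@example.com"]  # list pulled before any opt-out
    before = recipients(ledger, stale_export, "newsletter")

    # Ana clicks her own link; a link edited to point at Bo carries Ana's token and is rejected.
    ok = handle_unsubscribe(ledger, unsubscribe_link("ana@example.com", "newsletter"), 1_700_000_200)
    forged = unsubscribe_link("ana@example.com", "newsletter").replace("ana%40", "bo%40")
    rejected = handle_unsubscribe(ledger, forged, 1_700_000_300)

    after = recipients(ledger, stale_export, "newsletter")  # same stale list, re-filtered
    return before, after, ok, rejected


if __name__ == "__main__":
    print(demo())
```

The point of the last step is the one the article keeps returning to: the exported list is never trusted on its own. Whatever tool sends the campaign asks the ledger at send time, so the opt-out is honoured no matter which system received the click, and `history()` gives you the proof of consent (who, when, how, to what, and the withdrawal) for any contact a supervisory authority asks about.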

How do I know this?

Other than personal experience, let’s get back to my GDPR email marketing research.


Operationalization of GDPR in Email Marketing

As I mentioned before, I decided to unsubscribe from a few marketing lists. The unsubscribe button was present on almost every newsletter (that’s right, ALMOST).

Of course, you should never let this happen when conducting an email marketing campaign. Missing the unsubscribe button was definitely something I frowned upon, but I was willing to let it slide.

Not because I don’t care about my personal data, but because I am sympathetic and know that operationalization of GDPR in email marketing can be challenging.

There were 9 companies that I have unsubscribed from, among these companies were:

1. Multinational sportswear manufacturer
2. Very well-known website for sharing and downloading stock photography
3. Marketing start-up company

So we have a nice variety of big, medium-sized and small companies. I have to say I didn’t have to wait long for my rights to be violated.

Just a few hours later, the company I was least expecting it from, a large sportswear manufacturer, sent an email that violated my rights.

I was so sure that I messed something up, that I opened an email and hit the unsubscribe button to opt-out again. However, I was unsubscribed, but emails kept coming for the next few days.

This happened more than a few times.

An example of how my preferences said I was unsubscribed. However, I still received emails.

So why do they let such a BIG PRIVACY RISK happen?

Because they don’t have a consent management platform. That can be the only explanation. Why don’t they have it? I doubt it is because of the budget.

I believe it is because they didn’t (yet) find an issue with it. Nobody reacted.

The problem with the unsubscribe button is that when a subscriber opts out of marketing communication, the system that received the click acknowledges it, but the lists that your marketing department uses for everyday mailing are not automatically updated.

I opted out from 9 different companies, and needless to say, my rights were violated 6 out of 9 times.



This blog only provides a high-level overview of email consent; it is not legal advice and should not be taken as such. There are different interpretations of GDPR compliant marketing, and this is just one of them. Please contact your supervisory authority or legal experts for GDPR-related advice.