General Data Protection Regulation (GDPR) Guide for Email Marketers

ByNupur Mittal


Linkedin logo
Twitter logo
copy link
Facebook logo
Whatsapp logo
Pinterest logo
mail logo

Email is one of the most used direct communication channels. But, it's also prone to spam and unsolicited email. As email marketing thrives due to the audience's data, it's the sacred responsibility of businesses to protect that data.

Launched in 2018, General Data Protection Regulation (GDPR) is one of the most prominent privacy laws aimed at encouraging marketers to think about their current practices and adjust them to serve their audience better. Not only does it strengthen the audience's right to give consent and get the information they asked for.

This guide will discuss the GDPR and its impact on email marketing.

Table of contents

What is GDPR?

GDPR is a European privacy law enacted on 25 May 2018. The law regulates how businesses collect, process, and use the personal data of European citizens.

These guidelines aim to prevent any misuse of the personal data of email subscribers.

GDPR governs businesses' collection and use of email addresses, so it has great implications for email marketers. The law extends to European companies and companies doing business with any European contact.

Get the State of Email 2024 Report

150+ email experts share their email tips and secrets

The seven principles of GDPR

GDPR's seven principles for the lawful processing of this personal data are:

The seven principles of GDPR

1. Lawfulness, fairness, and transparency

DPR focuses on the three sub-principles while collecting, storing, and processing data:

  • Lawfulness: Collect and use data by the GDPR, such as asking for consent, giving a clear opt-out option, etc.

  • Fairness: Fairness is about not upholding any information from the individual whose data you're using. It aligns closely with the transparency principle.

  • Transparency: Be clear and upfront with your data and its purpose. You must display all the information for the reader to read through your privacy policy.

2. Purpose limitation

GDPR states purpose limitation as the data is 'collected for specified, explicit, and legitimate purposes' only. There should be a clear purpose behind the type of data you are collecting and storing.

The individuals must also be informed about this purpose in the organization's privacy policy.

Furthermore, if you want to use the data you've collected for a new purpose, you must ask for consent again.

3. Data minimization

Collect the data that is relevant to your purpose. The GDPR focuses on minimizing the collection of irrelevant data.

For instance, if you want to collect data for promotional emails, ask for information that'll help you send such emails. Avoid asking for loads of information that you might not use.

4. Accuracy

It's the organization's responsibility to ensure that the data they're collecting is accurate. Setup checks and audits to remove inaccurate, obsolete, or wrong data from your database.

5. Storage limitation

The data stored with an organization should have a specified timeline for when you'll use that data. It must allow the identification of data subjects. Moreover, it can't remain stored longer than is necessary for processing the specified purposes.

6. Integrity and confidentiality

The primary concern is the security of individuals' personal information. The companies must adopt proper measures to protect them from unlawful data processing, destruction/damage, or accidental loss.

7. Accountability

GDPR regulators need a level of accountability to ensure that organizations are complying with the regulations. To do so, you must have appropriate measures, record the data, and document everything. You should be able to show the evidence at any time to avoid penalties.

Who needs to adhere to GDPR?

The act applies to all those companies that collect and process data of any European citizen, whether the company is based in Europe or not.

The law doesn't hold if European citizens live outside Europe during data collection.

What changes will GDPR bring for email marketers?

Email marketers must collect freely given, specific, informed, and unambiguous consent (Article 32) before collecting any private data.

As an email marketer, you have to take into account new practices, which are:

GDPR makes it mandatory to have the individual's consent before sending any email communication.

The regulation specifies the nature of the consent, i.e., affirmative content that is 'freely given, specific, informed and unambiguous' to comply with GDPR.

Some of the affirmative signals that indicate consent to the processing as per GDPR include

  • Checking a box while signing up

  • choosing technical settings for information society services

  • another statement or conduct

Another thing you need to mention is the name of the organization asking for consent and the purpose behind collecting personal data. This information should be given at the time of the signup process.

For instance, if someone gave their email address to download an e-book but didn't clarify, you'll use their email to send marketing emails. In this case, the individual didn't actively consent to receive such email and will be considered a violation if you send them such emails.

GDPR also specifies that every organization collecting EU citizens' consent must record it. As a company, you must be accountable for all the data you're collecting, its purpose, and how you plan to use it.

This record will be handy if GDPR regulators ask you to show evidence that you follow GDPR.

3. Applies to existing user database

Apart from new contacts, GDPR also applies to existing databases. It means if you didn’t get permission from existing users or the permission wasn’t in alignment with the GDPR guidelines, you need to collect consent again as per the consent requirement.

Fines for non-compliance to GDPR email marketing

GDPR imposes financial and non-financial penalties depending upon the breach of compliance. Let's talk about them:

Financial penalties

Two types of fines are applicable under GDPR, depending on the specific part of the regulation that has been breached:

  • Up to €20 million, or 4% of the organization's worldwide annual turnover – whichever is higher.

  • Up to €10 million, or 2% of worldwide annual turnover – whichever is higher.

Read more about the financial penalties and terms of a breach on this page: What is the GDPR Fines?

Non-financial penalties

Data protection regulator in each EU country exercise their power in case of a breach through these three ways:

  • Intervention: You can get a 'stop now' order, requiring you to stop a certain course of activity until you've fixed a breach. Alongside this, they can issue undertakings, i.e., a formal order compelling you to do something to address noncompliance (e.g., specific improvements to your IT security framework).

  • Audit: The ICO can thoroughly assess your organization's setup and procedures to ensure that you follow all the best practices. These audits can either be consensual or prompt.

  • Prosecution: Some breaches of data privacy law constitute a criminal offense. Neglecting to register as a data controller is a good example. It can lead to a criminal conviction for a company (or its directors) and a fine.

These measures can be taken together (e.g., a 'stop now' order hot on the heels of an audit). They can also be taken instead of or alongside a fine.

To know about the detailed version of fines under GDPR, refer to this page Protecting your organization from GDPR fines and penalties.

How to thrive in the post-GDPR email marketing landscape

Here are a few practices you must adopt to comply with GDPR”

1. Use positive opt-in instead of pre-checked boxes

To validate the consent as per GDPR, use an unchecked box on the signup page to get the active consent from the individual. If an individual does not untick the pre-checkbox, that doesn't count as consent as per GDPR Recital 32:

"Silence, pre-ticked boxes or inactivity should not constitute consent."

GDPR positive opt-in example

As per Article 7(1), GDPR gives the following definition:

"Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation."

When you keep a record of the consent, you'll be able to provide the following information:

  • Who consented and when?

  • What did you tell them while asking for consent?

  • How they consented (e.g., via signup form)

  • Whether they have withdrawn consent

3. Make it easy to unsubscribe

Giving an easy and clear option to opt out of promotional emails is a mandatory regulation under GDPR. This regulation is discussed under other major laws, including CASL, CAN-SPAM, and CPRA.

In GDPR' Article 7(3):​

"The data subject shall have the right to withdraw his or her​ consent at any time […] It shall be as easy to withdraw as to give consent."​

If you're already following your country's respective email regulation, chances are you have already added a clear unsubscribe link in promotional emails. Ensure that you're following the right unsubscribe rik practices such as:

  • Make it easy to find the link

  • Please don't confuse the subscribers by leading them to one page after another.

  • Avoid asking them to log in to unsubscribe.

The unsubscribe button can work in your favor as these users might not be interested in your emails anymore. By removing those, you comply with regulations and ensure you reach out to only active and interested subscribers.

GDPR emphasizes the removal of consent when the individual asks. For that, the organization must have records of when the consent was received, through which channels, and the period to remove the consent.

It's been four years since GDPR went into effect, and if you haven't been updating your email list to make it GDPR compliant, you might be in trouble.

If the email address you got falls under the conditions laid down by GDPR, you do not need to worry. But, it's always a good practice to review your email list and check the type of consent you got from individuals.

Recital 171:​

"Where processing is based on consent pursuant to Directive​ 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation."​

You can follow these practices to ensure your database is GDPR compliant:

Audit your existing email list:

  • Check whether you got the consent from individuals and have a record of the type of consent. If they opted-in to receive newsletter-only, ensure you're not sending them any marketing emails.

  • Immediately remove contacts who opted out.

Launch a re-permission program:

If you find a lack of consent from the individuals or if consent doesn't fall under the GDPR, you should launch a re-permission campaign. This campaign will allow you to ask subscribers to give their consent if they're willing to continue receiving emails from you.

It can also happen that a few subscribers might not engage with these email campaigns. In such cases, remove them from your email list to prevent penalties.

6. Be clear and transparent in terms and conditions

Use clear language to make individual understands your purpose for collecting consent. The regulation banned confusing or vague language (double negatives or inconsistent language) and disruptive mechanisms.

How does GDPR apply to transactional emails?

To understand the implication of GDPR on transactional email, we need to discuss the data processing principle under GDPR.

When you send transactional emails, you are processing the customer's data - you have the data and use it to communicate with them. Processing a customer's data should align with the principles set out in Article 5 (1) of the GDPR. (seven principles we discussed above)

Furthermore, you can legally send this email under two circumstances: Get consent from the customer, or these emails should be of legitimate interest.

Asking for the recipient's consent from these emails might be difficult compared to receiving marketing emails. These emails keep recipients updated and informed about their accounts and actions. It isn't easy to make them understand their importance and ask them to opt-in to these emails.

That's why the solution to send transactional emails under GDPR is via legitimate interests.

GDPR prohibits the unlawful processing of EU and UK citizens' data. But, transactional emails are acceptable even without consent. They should be necessary and communicate important information with your customers.

For instance, sending them an invoice email is acceptable if a customer signs up for the free trial.

Your Privacy Policy should clarify how the customer's data will be used in the case of transactional email.

At Mailmodo, we clarify the customer's data procession in our Privacy Policy, which goes something like this- We'll use personal data to process and complete payment transactions; provide customer service and support, and investigate and prevent fraudulent transactions, unauthorized access to the Websites and Services (s), and other illegal activities.

Get a sample AMP email in your inbox

Experience the power of interactivity right now

Way forward

Your audience is your greatest treasure, and you must respect their data and precious time. Laws like GDPR shouldn't be seen as an impediment but rather a challenge. Such laws will lead to a better and safer space for the organization and the subscriber.

Even though GDPR applies to EU and UK residents, that doesn't mean you should not get the consent of audiences from other countries. The goal is to encourage you to check who you've been processing the audience's data and whether that aligns with the right practices.

What you should do next

Hey there, thanks for reading till the end. Here are 3 ways we can help you grow your business:

  1. Talk to an email expert. Need someone to take your email marketing to the next level? Mailmodo’s experts are here for you. Schedule a 30-minute email consultation. Don’t worry, it’s on the house. Book a meet here.

  2. Send emails that bring higher conversions. Mailmodo is an ESP that helps you to create and send app-like interactive emails with forms, carts, calendars, games, and other widgets for higher conversions. Get started for free.

  3. Get smarter with our email resources. Explore all our knowledge base here and learn about email marketing, marketing strategies, best practices, growth hacks, case studies, templates, and more. Access guides here.

What should you do next?

Thanks for reading till the end. Here are 3 ways we can help you grow your business:


Get smarter with our email resources

Explore our email marketing guides, ebooks and other resources to master email marketing.


Do better email marketing with Mailmodo

Send app-like interactive emails with forms, carts, calendars, games, etc. to boost email ROI.


Talk to an email expert

Get a 30-min. free email consultation with a Mailmodo expert to optimize your email marketing.

Was this post useful?

Improve your email marketing

With interactive emails, smarter automation workflows, AI-powered email content and higher conversions