explainer·10 min

GDPR and email: What developers need to know

Tags: compliance, gdpr, legal

Summary

GDPR requires explicit consent before sending marketing email to EU residents. You need a lawful basis for processing, must honor data subject rights, and face fines up to 4% of global revenue for violations. It's stricter than CAN-SPAM and applies regardless of where you're located.

When GDPR took effect in May 2018, it sent shockwaves through the email marketing world. Suddenly, the casual approach to email lists that had worked for decades was potentially illegal. Companies scrambled to get consent, purge non-compliant addresses, and rebuild their email programs from the ground up.

Five years later, GDPR remains the most significant privacy regulation affecting email marketers. If you send email to anyone in the European Union—regardless of where your company is based—you need to understand and comply with GDPR's requirements.

The consent requirement

GDPR's most impactful requirement for email marketers is consent. Unlike CAN-SPAM, which allows unsolicited commercial email as long as you follow certain rules, GDPR requires a lawful basis for processing personal data—and for marketing email, that basis is almost always consent.

GDPR consent must be freely given, specific, informed, and unambiguous. The person must take a clear affirmative action to opt in. Pre-checked boxes don't count. Bundled consent (agreeing to marketing as a condition of service) doesn't count. Silence or inactivity doesn't count.

You must clearly explain what they're consenting to: who will email them, what kind of content, how often. Vague language like 'we may contact you with offers' isn't specific enough. 'We will send you weekly product updates and occasional promotional offers' is better.

Consent must be documented. You need to be able to prove that each person on your list actually consented, when they consented, and what they consented to. If you can't prove consent, you don't have it.

Consent can be withdrawn at any time, and withdrawal must be as easy as giving consent. If someone can subscribe with one click, they should be able to unsubscribe with one click.

Legitimate interest: The alternative basis

There's an alternative to consent called 'legitimate interest,' but it's narrower than many marketers hope.

Legitimate interest can apply when you have an existing customer relationship and the marketing is related to products or services they've already purchased. If someone bought running shoes from you, you might have legitimate interest to email them about running gear.

But legitimate interest requires a balancing test. Your interest in marketing must not override the individual's rights and expectations. If they wouldn't reasonably expect to receive your email, legitimate interest probably doesn't apply.

Even with legitimate interest, you must provide an easy opt-out at the point of data collection and in every email. And you must document your legitimate interest assessment—why you believe it applies and how you balanced interests.

In practice, most email marketers rely on consent rather than legitimate interest. Consent is clearer, easier to document, and less likely to be challenged. Legitimate interest is a backup for specific situations, not a general permission to email.

Data subject rights

GDPR gives individuals extensive rights over their personal data, and these rights affect how you manage email lists.

The right of access means people can request a copy of all data you hold about them, including their email history, preferences, and any profiling data. You must respond within one month.

The right to rectification means people can correct inaccurate data. If someone's email address or preferences are wrong, they can demand you fix it.

The right to erasure ('right to be forgotten') means people can request deletion of their data. If someone asks to be erased, you must delete their email address and associated data, not just unsubscribe them.

The right to data portability means people can request their data in a machine-readable format to transfer to another service. This is less common for email but still applies.

The right to object means people can object to processing based on legitimate interest. If they object, you must stop unless you can demonstrate compelling legitimate grounds.

You need processes to handle these requests. Someone on your team needs to be responsible for responding within the required timeframes. Ignoring data subject requests is a compliance violation.

Technical and organizational measures

GDPR requires 'appropriate technical and organizational measures' to protect personal data. For email, this means:

Secure storage of email lists and subscriber data. Encryption, access controls, and regular security assessments. Your email list is personal data; treat it accordingly.

Data minimization—only collect and retain data you actually need. If you don't need someone's birthday for your email program, don't collect it. If you don't need five years of email history, don't keep it.

Vendor management for any third parties who process data on your behalf. Your email service provider, your CRM, your analytics tools—all need to be GDPR-compliant, and you need data processing agreements with each.

Breach notification procedures. If subscriber data is compromised, you may need to notify authorities within 72 hours and affected individuals without undue delay. Have a plan before you need it.

Privacy by design—building privacy considerations into your email program from the start, not bolting them on afterward. This includes default privacy settings, clear consent flows, and easy preference management.

Enforcement and penalties

GDPR penalties are severe: up to €20 million or 4% of global annual revenue, whichever is higher. These aren't theoretical—regulators have issued substantial fines for email-related violations.

Beyond fines, enforcement can include orders to stop processing, which could shut down your email program entirely. Reputational damage from a public enforcement action can be worse than the fine itself.

Enforcement varies by country. Some EU member states are more aggressive than others. But with the one-stop-shop mechanism, a complaint in any EU country can lead to enforcement across the union.

Individual complaints drive many investigations. A single person reporting your non-compliant email practices can trigger regulatory scrutiny. With millions of EU residents aware of their GDPR rights, the risk of complaints is real.

The UK has its own version of GDPR post-Brexit, with similar requirements and penalties. If you're sending to UK addresses, you need to comply with UK GDPR as well as EU GDPR.

Practical compliance steps

Getting GDPR-compliant isn't a one-time project—it's an ongoing practice. Here's where to start:

Audit your current list. For each subscriber, can you prove consent? If not, you need to either re-consent them or remove them. This is painful but necessary.

Fix your signup forms. Clear consent language, unchecked opt-in boxes, links to your privacy policy. Record the consent with timestamp and the exact language they agreed to.

Implement preference centers. Let subscribers control what they receive and how often. Granular preferences reduce unsubscribes and demonstrate respect for their choices.

Review your vendors. Ensure your email service provider, CRM, and other tools are GDPR-compliant. Execute data processing agreements with each.

Train your team. Everyone who touches email data needs to understand GDPR basics. Compliance fails when someone who doesn't know the rules makes a mistake.

Document everything. Your consent records, your legitimate interest assessments, your data processing agreements, your security measures. If you can't prove compliance, you're not compliant.
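One way to turn the consent, erasure and retention points above into a data model, as an added example that is not emailr's own code (class, method and field names are assumptions; the addresses and consent wording are constructed): a consent ledger that stores the proof of consent alongside the exact wording agreed to, makes withdrawal a single step, audits a list for addresses without provable consent, deletes rather than merely unsubscribes on an erasure request, and enforces a retention period.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Consent:
    email: str
    text: str                 # exact wording shown beside the unchecked opt-in box
    source: str               # form or page that collected the consent
    given_at: datetime
    last_engaged_at: datetime
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    def __init__(self) -> None:
        self.consents: dict = {}   # email -> Consent: the proof that consent exists
        self.send_log: dict = {}   # email -> campaign ids sent to that address
    def record(self, email: str, text: str, source: str, when: datetime) -> None:
        self.consents[email] = Consent(email, text, source, when, when)
    def withdraw(self, email: str, when: datetime) -> None:
        if email in self.consents:          # one step, mirroring one-click signup
            self.consents[email].withdrawn_at = when
    def can_send(self, email: str) -> bool:
        c = self.consents.get(email)
        return c is not None and c.withdrawn_at is None
    def audit(self, mailing_list: list) -> list:
        # Addresses with no provable consent: re-consent them or remove them.
        return [e for e in mailing_list if e not in self.consents]
    def erase(self, email: str) -> None:
        # Right to erasure: delete the data, do not merely flag the address as unsubscribed.
        self.consents.pop(email, None)
        self.send_log.pop(email, None)
    def enforce_retention(self, now: datetime, max_idle: timedelta) -> list:
        # Data minimization: erase addresses idle for longer than the retention period.
        stale = [e for e, c in self.consents.items() if now - c.last_engaged_at > max_idle]
        for e in stale:
            self.erase(e)
        return stale

def demo() -> dict:
    # Constructed sample data, not real subscribers.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    led = ConsentLedger()
    led.record("ann@example.com", "Send me weekly product updates.", "signup_form_v3", t0)
    led.record("bob@example.com", "Send me weekly product updates.", "signup_form_v3", t0)
    unproven = led.audit(["ann@example.com", "legacy@example.com"])   # legacy has no proof
    led.withdraw("ann@example.com", t0 + timedelta(days=30))
    led.erase("ann@example.com")                                        # erasure request
    stale = led.enforce_retention(t0 + timedelta(days=800), timedelta(days=730))
    return {"unproven": unproven, "ann_sendable": led.can_send("ann@example.com"), "stale": stale}
```

In a real system the ledger would be backed by a database and the consent text versioned, so that a later change to the signup wording never alters what an earlier subscriber is recorded as having agreed to.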

Frequently asked questions

Does GDPR apply if my company isn't in the EU?

Yes. GDPR applies to processing data of EU residents regardless of where the processor is located. If you email people in the EU, GDPR applies to you.

Can I email existing customers without new consent?

Possibly, under legitimate interest, if the marketing relates to similar products they've purchased. But you need to document your legitimate interest assessment and provide easy opt-out. When in doubt, get consent.

What about B2B email?

GDPR applies to personal data, which includes business email addresses that identify an individual (a named person's work address). Generic role addresses (a shared mailbox not tied to one person) may not be personal data, but individual business contacts are covered.

How long can I keep email subscriber data?

Only as long as necessary for the purpose. If someone hasn't engaged in years, you probably don't have a legitimate reason to keep their data. Define retention periods and enforce them.


Written by the emailr team

Building email infrastructure for developers
