GDPR & Email Marketing: A Practical Compliance Guide
Sending marketing email to people in the EU and UK means working within the GDPR. For most marketers this sounds scarier than it is: GDPR email compliance comes down to a handful of repeatable habits — collect contacts fairly, keep proof, make leaving easy, and respect the data you hold. Done well, it doesn’t shrink your list so much as clean it, which usually improves deliverability and engagement.
This is a practical guide to running compliant email programs: lawful basis, the consent vs legitimate interest question, B2B versus B2C nuances, double opt-in, what a compliant signup actually needs, unsubscribe and one-click, data retention and list hygiene, and how to work with the platforms that process data for you. It ends with a checklist you can act on.
This is practical guidance, not legal advice. GDPR interpretation depends on your specifics and on national rules, and the ePrivacy rules that govern electronic marketing sit alongside the GDPR. For anything material, consult a qualified data protection professional.
GDPR basics for email marketers
The GDPR is the EU’s data protection regulation; the UK has its own closely aligned version. The core idea is simple: personal data belongs to the person, and you may only process it for clear, fair, documented reasons.
For email marketing, that translates into a few principles worth internalizing:
- Lawfulness, fairness and transparency. People should understand what they’re signing up for, in plain language, at the moment they hand over their address.
- Purpose limitation. Collect an address for a stated purpose and use it for that purpose. Don’t quietly repurpose a support contact into a newsletter list.
- Data minimization. Ask only for what you need. A name and email are usually plenty to start.
- Accountability. You must be able to demonstrate compliance — which in practice means keeping records of how and when consent was obtained.
An email address tied to a person is personal data. So treat your list the way you’d want a company to treat yours.
Lawful basis: consent vs legitimate interest
Every piece of processing needs a lawful basis. For marketing email, two come up most: consent and legitimate interest.
Consent
Consent under the GDPR must be freely given, specific, informed and unambiguous, given by a clear affirmative action. In plain terms:
- No pre-ticked boxes. Silence or a pre-checked option isn’t consent.
- Separate and specific. Don’t bundle marketing consent into your terms of service. The person should be able to agree to your service without being forced to accept marketing.
- Informed. Tell them who you are and what they’re agreeing to receive.
- Revocable. Withdrawing consent must be as easy as giving it.
Consent is the cleanest, most portable basis for marketing, especially for B2C.
Legitimate interest
Legitimate interest lets you process data without explicit consent when you have a genuine business interest that isn’t overridden by the individual’s rights. It’s more flexible but more conditional, and to rely on it you should carry out and document a balancing assessment (often called an LIA) weighing your interest against the person’s reasonable expectations.
A frequently cited example is the “soft opt-in”: emailing an existing customer about similar products to something they already bought, where they were given a clear chance to opt out at the point of sale and in every message. The rules around this vary by country and are governed by ePrivacy as much as GDPR, so don’t assume it applies universally.
In practice: when in doubt, get consent. It’s the most defensible basis and it travels best across borders.
B2B vs B2C nuances
The GDPR protects individuals, not companies — but most B2B email still reaches a named person at a work address, and that’s personal data. So B2B is not a free pass.
What does differ:
- Corporate addresses (like a generic info@ or sales@ inbox) are sometimes treated with more flexibility than an individual’s address, but national ePrivacy rules vary, and many countries apply similar protections to B2B.
- Legitimate interest is more commonly relied on in B2B, where a relevant offer to a relevant professional is more likely to fall within reasonable expectations.
- Personal-style work addresses (firstname.lastname@company.com) are generally treated as personal data, closer to the B2C standard.
The safe posture for B2B is: be relevant, be transparent about where you got the address, and always offer a working opt-out. For a wider view of building list and program quality, see our email marketing guide.
Double opt-in
Double opt-in means that after someone submits the signup form, they receive a confirmation email and must click a link to activate the subscription. It isn’t strictly mandated by the GDPR, but it’s strongly recommended because it solves several problems at once:
- Proof of consent. The confirmation click is timestamped evidence that the address owner agreed — exactly the accountability the GDPR expects.
- Address ownership. It confirms the person actually controls the inbox, blocking typos and malicious signups of other people’s addresses.
- List quality. Confirmed subscribers engage more, which protects your sender reputation and deliverability.
The small cost is a slightly lower raw signup count. The payoff — a verifiable, engaged, lower-risk list — is almost always worth it.
What a compliant signup needs
A compliant signup form is mostly about clarity and proof. At the point of collection, include:
- A clear, unticked consent action for marketing, separate from any other agreement.
- Plain-language description of what they’ll receive (newsletter, offers, frequency if you can).
- Your identity as the sender — who is collecting the data.
- A link to your privacy policy explaining how data is used, stored, the lawful basis, and the person’s rights.
- Only the fields you need. Resist collecting data “just in case”.
Behind the form, keep a record of what they consented to and when. If you ever need to demonstrate compliance, that record is your evidence.
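The double opt-in flow and the consent record described above, as an added example that is not code from the guide or from any mailing platform. It assumes a single HMAC secret, an in-memory dict standing in for the subscriber database, an outbox list standing in for a real send_mail() hook, and a hypothetical confirmation endpoint at example.com; the 48-hour link lifetime is our choice, not a figure the guide gives. The confirmation link carries a signed, expiring token bound to the address, so a forged or re-pointed link fails, a replayed link does nothing, and a consent record (address, purpose, form wording version, request and confirmation timestamps) exists only once the link is clicked.

```python
"""Double opt-in with a signed, expiring confirmation link and a consent record.

Added example; not code from the guide or from any mailing platform. Assumes a
single HMAC secret, an in-memory dict standing in for the subscriber database,
and an outbox list standing in for a real send_mail() hook (all hypothetical).
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import quote

SECRET = secrets.token_bytes(32)              # production: load from a secret store
TOKEN_TTL_SECONDS = 48 * 3600                 # confirmation links expire after 48h (our choice)
CONFIRM_URL = "https://example.com/confirm"   # hypothetical endpoint


@dataclass
class ConsentRecord:
    """The evidence you keep: who agreed to what, under which wording, and when."""
    email: str
    purpose: str          # e.g. "weekly newsletter"
    form_version: str     # identifies the exact consent wording shown at signup
    requested_at: int     # form submitted (unconfirmed)
    confirmed_at: int     # confirmation link clicked: this is the consent timestamp
    confirm_ip: str


def make_token(email: str, expires: int) -> str:
    """Bind address and expiry to an HMAC so the link cannot be forged or re-pointed."""
    msg = f"{email}|{expires}".encode()
    sig = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{email}|{expires}|{sig}"


def verify_token(token: str, now: int) -> Optional[str]:
    """Return the address, or None if the token is malformed, tampered with or expired."""
    try:
        email, expires, sig = token.split("|")
        expires_i = int(expires)
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{email}|{expires}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    if now > expires_i:
        return None
    return email


class DoubleOptIn:
    def __init__(self, now=lambda: int(time.time())):
        self.now = now
        self.pending = {}    # type: Dict[str, dict]            submitted, not yet confirmed
        self.consent = {}    # type: Dict[str, ConsentRecord]   confirmed subscribers
        self.outbox = []     # type: List[Tuple[str, str, str]] (to, token, link) instead of send_mail()

    def signup(self, email: str, purpose: str, form_version: str) -> None:
        email = email.strip().lower()
        if "@" not in email or "|" in email:
            raise ValueError("not a usable address")
        expires = self.now() + TOKEN_TTL_SECONDS
        token = make_token(email, expires)
        self.pending[email] = {"purpose": purpose, "form_version": form_version,
                               "requested_at": self.now()}
        # The only mail an unconfirmed address ever receives is this confirmation request.
        self.outbox.append((email, token, f"{CONFIRM_URL}?token={quote(token, safe='')}"))

    def confirm(self, token: str, client_ip: str) -> bool:
        email = verify_token(token, self.now())
        if email is None or email not in self.pending:
            return False                     # forged, expired, unknown, or already used
        p = self.pending.pop(email)          # single use: a replayed link does nothing
        self.consent[email] = ConsentRecord(email, p["purpose"], p["form_version"],
                                            p["requested_at"], self.now(), client_ip)
        return True

    def may_send_marketing(self, email: str) -> bool:
        """Gate every marketing send on a confirmed consent record, never on the raw signup."""
        return email.strip().lower() in self.consent


if __name__ == "__main__":
    d = DoubleOptIn()
    d.signup("Alice@Example.com", "weekly newsletter", "signup-form-v3")
    _, token, link = d.outbox[-1]
    print("confirmation link:", link)
    print("confirmed:", d.confirm(token, "203.0.113.5"))
    print(d.consent["alice@example.com"])
```

The form_version field is the part most often forgotten: when the wording on the form changes, a record that only says "consented on date X" no longer proves what the person agreed to. Versioning the wording and storing the version alongside the timestamp keeps the record usable as evidence.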
Unsubscribe and one-click
Every marketing email must make leaving easy:
- A clear, working unsubscribe link in every message.
- No friction. Don’t require logging in, re-entering a password, or jumping through a survey to unsubscribe. The bar is “as easy as it was to subscribe”.
- Honor it promptly. Process opt-outs without undue delay.
- One-click unsubscribe. Major mailbox providers now expect bulk senders to support a standards-based one-click unsubscribe (via the List-Unsubscribe header) that lets recipients opt out directly from the inbox. Most reputable sending platforms add this automatically — confirm yours does. This overlaps with deliverability requirements covered in our email deliverability guide.
Treat unsubscribe as a feature, not a leak. People who don’t want your mail will hurt your metrics far more if they can’t leave cleanly.
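The one-click mechanism the guide refers to is RFC 8058: the message carries a List-Unsubscribe header with an HTTPS URL (and usually a mailto fallback) plus a List-Unsubscribe-Post header, and the mailbox provider opts the user out by sending a POST with the fixed body List-Unsubscribe=One-Click to that URL. The following is an added example of both the headers and the endpoint behind them; it is not code from the guide or any sending platform, and the example.com URL, mailbox and in-memory token store are hypothetical. The token is an opaque per-subscriber random value, so no login is needed, a GET on the link never changes state (link scanners follow GETs), and only a well-formed POST suppresses the address.

```python
"""RFC 8058 one-click unsubscribe: the headers to send and the endpoint behind them.

Added example; not the guide's code nor any sending platform's. Assumes a hypothetical
HTTPS endpoint and mailto address at example.com and an in-memory token store.
"""
import secrets
from email.message import EmailMessage
from typing import Dict, Set

UNSUB_URL = "https://mail.example.com/unsubscribe"    # hypothetical endpoint
UNSUB_MAILTO = "unsubscribe@example.com"              # hypothetical mailbox
ONE_CLICK_BODY = "List-Unsubscribe=One-Click"         # fixed by RFC 8058
FORM_TYPE = "application/x-www-form-urlencoded"       # content type RFC 8058 requires


class UnsubscribeService:
    def __init__(self):
        self.tokens = {}      # type: Dict[str, str]  opaque token -> address
        self.by_email = {}    # type: Dict[str, str]  address -> token
        self.suppressed = set()   # type: Set[str]

    def token_for(self, email: str) -> str:
        """One unguessable token per subscriber; it identifies them without any login."""
        email = email.strip().lower()
        if email not in self.by_email:
            token = secrets.token_urlsafe(32)   # random, never derived from the address
            self.by_email[email] = token
            self.tokens[token] = email
        return self.by_email[email]

    def build_message(self, to: str, subject: str, body: str) -> EmailMessage:
        msg = EmailMessage()
        msg["From"] = "Example Newsletter <news@example.com>"
        msg["To"] = to
        msg["Subject"] = subject
        token = self.token_for(to)
        # Two forms: an https URL for the one-click POST, and a mailto fallback.
        msg["List-Unsubscribe"] = (f"<{UNSUB_URL}/{token}>, "
                                   f"<mailto:{UNSUB_MAILTO}?subject=unsubscribe-{token}>")
        # Tells the mailbox provider it may POST to the URL with no user interaction.
        msg["List-Unsubscribe-Post"] = ONE_CLICK_BODY
        # RFC 8058 also requires a DKIM signature covering these two headers; your
        # sending infrastructure adds that, not this code.
        msg.set_content(f"{body}\n\nUnsubscribe: {UNSUB_URL}/{token}")
        return msg

    def handle_post(self, token: str, content_type: str, body: str) -> int:
        """The endpoint the mailbox provider calls. Returns an HTTP status code."""
        if content_type.split(";")[0].strip().lower() != FORM_TYPE:
            return 415
        if body.strip() != ONE_CLICK_BODY:
            return 400
        email = self.tokens.get(token)
        if email is None:
            return 404                      # unknown or revoked token
        self.suppressed.add(email)          # effective immediately: no survey, no login
        return 200

    def handle_get(self, token: str) -> str:
        """A human following the link by hand: show a one-button confirmation page.
        GET must not change state, because link scanners and prefetchers follow GETs."""
        if token not in self.tokens:
            return "unknown link"
        return "Click 'Confirm' to unsubscribe"

    def may_send(self, email: str) -> bool:
        """Check the suppression set before every marketing send."""
        return email.strip().lower() not in self.suppressed


if __name__ == "__main__":
    svc = UnsubscribeService()
    msg = svc.build_message("alice@example.com", "March offers", "Hello Alice")
    print(msg["List-Unsubscribe"])
    print(msg["List-Unsubscribe-Post"])
    token = svc.token_for("alice@example.com")
    print("POST ->", svc.handle_post(token, FORM_TYPE, ONE_CLICK_BODY))
    print("may send:", svc.may_send("alice@example.com"))
```

If your platform adds these headers for you, the thing to verify is that the URL responds to the POST with a 2xx and actually removes the address, rather than redirecting to a login or preference page; that is the behaviour mailbox providers test for.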
Data retention and list hygiene
The GDPR’s storage limitation principle says you shouldn’t keep personal data longer than you need it. For email lists, that means:
- Define a retention approach. Decide how long you keep subscriber data and inactive contacts, document it, and apply it consistently.
- Prune inactive contacts. Subscribers who haven’t engaged in a long time are both a compliance question and a deliverability drag. Run a re-engagement campaign, then remove those who don’t respond.
- Honor data subject rights. People can request access to their data, correction, or erasure. Have a simple process to handle these requests.
- Keep suppression lists. When someone unsubscribes or asks to be erased, keep the minimal record needed to ensure you don’t email them again — this is itself a legitimate purpose.
Good hygiene serves two masters at once: it keeps you compliant and keeps your list engaged, which protects inbox placement.
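The retention, re-engagement, pruning and suppression steps above, as an added example that is not code from the guide. The inactivity and grace thresholds are illustrative choices, not figures the guide gives, and the dicts stand in for a real database. Two distinctions the code makes explicit: a pruned inactive contact is simply deleted (they never opted out, so no block is needed), while an unsubscribe or erasure deletes the record and keeps only a hash of the normalized address with the reason and date, which is the minimal record needed to stop future sends; and the suppression check happens at send time, so a suppressed address that is re-added without a fresh, recorded consent still cannot be mailed.

```python
"""Retention, re-engagement, pruning and a minimal suppression list.

Added example; not code from the guide. The thresholds are illustrative choices,
not figures the guide gives, and the dicts stand in for a real database.
"""
import hashlib
import time
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional

DAY = 86_400
INACTIVE_AFTER_DAYS = 365    # no opens/clicks for this long -> candidate for re-engagement
REENGAGE_GRACE_DAYS = 30     # still silent this long after the re-engagement mail -> delete


def suppression_key(email: str) -> str:
    """Keep only a hash of the normalized address: enough to block future sends,
    and nothing more than needed (data minimization)."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


@dataclass
class Subscriber:
    email: str
    consented_at: int
    last_engaged_at: int
    reengagement_sent_at: Optional[int] = None


class ListManager:
    def __init__(self, now=lambda: int(time.time())):
        self.now = now
        self.subscribers = {}   # type: Dict[str, Subscriber]
        self.suppression = {}   # type: Dict[str, dict]   hash -> {"reason": ..., "at": ...}

    def add(self, email: str, consented_at: int, last_engaged_at: int) -> None:
        email = email.strip().lower()
        self.subscribers[email] = Subscriber(email, consented_at, last_engaged_at)

    def record_engagement(self, email: str) -> None:
        s = self.subscribers[email.strip().lower()]
        s.last_engaged_at = self.now()
        s.reengagement_sent_at = None

    def reengagement_candidates(self) -> List[str]:
        """Contacts silent for INACTIVE_AFTER_DAYS who have not yet been asked to re-engage."""
        cutoff = self.now() - INACTIVE_AFTER_DAYS * DAY
        return sorted(e for e, s in self.subscribers.items()
                      if s.last_engaged_at < cutoff and s.reengagement_sent_at is None)

    def mark_reengagement_sent(self, email: str) -> None:
        self.subscribers[email.strip().lower()].reengagement_sent_at = self.now()

    def prune(self) -> List[str]:
        """Delete contacts who ignored the re-engagement mail. They did not opt out, so
        no suppression entry is made; the data is simply no longer needed."""
        cutoff = self.now() - REENGAGE_GRACE_DAYS * DAY
        gone = [e for e, s in self.subscribers.items()
                if s.reengagement_sent_at is not None and s.reengagement_sent_at < cutoff]
        for e in gone:
            del self.subscribers[e]
        return sorted(gone)

    def _suppress(self, email: str, reason: str) -> None:
        email = email.strip().lower()
        self.subscribers.pop(email, None)
        self.suppression[suppression_key(email)] = {"reason": reason, "at": self.now()}

    def unsubscribe(self, email: str) -> None:
        self._suppress(email, "unsubscribe")

    def erase(self, email: str) -> None:
        """Right to erasure: drop everything except the hashed block entry."""
        self._suppress(email, "erasure")

    def access_request(self, email: str) -> Optional[dict]:
        """Right of access: return everything held on the person, or None."""
        s = self.subscribers.get(email.strip().lower())
        return asdict(s) if s else None

    def can_send(self, email: str) -> bool:
        """Send-time gate: must be an active subscriber and not on the suppression list."""
        email = email.strip().lower()
        return email in self.subscribers and suppression_key(email) not in self.suppression
```

Lifting a suppression entry should only ever happen through an explicit, recorded re-consent (for example a fresh double opt-in); nothing in this example removes an entry, which is the safe default.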
Working with processors (DPA)
Your email platform, CRM and analytics tools process personal data on your behalf. Under the GDPR they’re processors, and you’re the controller who remains responsible for the data.
The key requirements:
- Sign a Data Processing Agreement (DPA). This contract governs how the processor handles data on your behalf and is required by the GDPR. Reputable platforms offer one — find and accept it.
- Check international transfers. If a processor stores or moves data outside the EU/UK, confirm there’s an appropriate safeguard in place for that transfer.
- Vet security practices. You’re accountable for choosing processors that protect data adequately.
- Keep an inventory. Know which tools touch your subscriber data; it makes audits and breach response far easier.
Choosing established platforms with clear DPAs and documented compliance practices removes a lot of this burden — it’s one reason platform choice matters beyond features and price.
Compliance checklist
Use this as a working checklist, adapting it to your situation and legal advice:
- You’ve identified a lawful basis (usually consent or legitimate interest) for your marketing email.
- Signup uses a clear, unticked, specific consent action, separate from terms of service.
- The form explains what subscribers get and links to your privacy policy.
- You use double opt-in and keep timestamped records of consent.
- You collect only the data you need.
- Every email has a clear unsubscribe that’s honored promptly.
- You support one-click unsubscribe via the List-Unsubscribe header.
- You have a data retention approach and regularly prune inactive contacts.
- You can handle access, correction and erasure requests.
- You maintain a suppression list for opt-outs and erasures.
- You’ve signed a DPA with each processor and checked international transfers.
- You keep an inventory of tools that process subscriber data.
Compliance isn’t a one-off project; it’s an operating standard. Build these habits into how you collect, send and maintain your list, and GDPR stops being a worry and becomes a quiet competitive advantage.
FAQ
Does GDPR require double opt-in?
Not explicitly. The GDPR requires consent that is freely given, specific, informed and unambiguous, plus the ability to demonstrate it. Double opt-in isn’t mandated, but it’s the most practical way to obtain that proof and verify address ownership, which is why it’s widely recommended.
Can I email B2B contacts without consent under GDPR?
Sometimes, often relying on legitimate interest, but B2B is not exempt — a named person at a work address is still personal data, and national ePrivacy rules vary. Be transparent about your source, keep messages relevant, and always include a working opt-out. When unsure, get consent.
How long can I keep subscriber data?
The GDPR doesn’t set a fixed period; it requires you not to keep data longer than necessary for your stated purpose. Define and document a retention approach, prune inactive contacts, and keep a minimal suppression record for people who opted out.
Is this legal advice?
No. This is practical guidance to help you build compliant habits. GDPR and ePrivacy interpretation depends on your specifics and national rules — consult a qualified data protection professional for decisions that matter to your business.