GDPR and Email Marketing

The new General Data Protection Regulation (EU GDPR) has a direct impact on marketing practices, including email marketing. With the GDPR taking effect on 25 May 2018, all marketers concerned by the GDPR need to change quickly how they seek, obtain and store consent. As an email marketing provider, FirstCMS has gathered the information you need into this GDPR toolkit. Let our guide help you understand, prepare and comply with the European regulation before the due date, and after it.

How will GDPR affect email marketing?

Email marketing under GDPR essentially means that, as an email marketer, you need to collect freely given, specific, informed and unambiguous consent (Article 32). To achieve compliance, you have to adopt new practices:

  1. New consumer opt-in permission rules;
  2. Proof of consent storing systems; and
  3. A method through which consumers can ask for their personal information to be removed.

Concerning the impact of the EU GDPR on B2B and B2C in 2018, the new European regulation applies to both. Neither soft opt-in nor soft opt-out approaches are allowed; at FirstCMS we recommend using double opt-in to align with GDPR compliance requirements.

How can I do email marketing under GDPR?

Even though the European regulation changes the marketing landscape, it is still possible to do email marketing. To help you accomplish your email marketing objectives, we have put together this GDPR checklist of measures for your reference:

a – Take an audit of your current database.
  • Do you know geographically where your contacts are?
  • Do you capture an audit trail of consent?
b – Know your contacts and how you acquired them.
  • Did you follow a double opt-in practice?
  • Do you keep track of where and when each contact’s information came from?
  • How did they end up in your database?
  • Do you have enough information on permission and source to hold up in court if needed?
c – Review and disclose your data practices.
  • Do you ask for consent at the point of collecting the data?
  • Do you have a privacy policy that details how you collect, store, transfer and process your data using clear, concise language?
  • Do you communicate this data privacy policy to your recipients?
d – Look at your upcoming initiatives to ensure compliance now.
  • All new initiatives should take into consideration compliance so you don’t have to retroactively go back to adjust your processes.

Can I still send email marketing campaigns to my existing contact list?

The General Data Protection Regulation doesn’t only apply to data collected from its effective date, May 25th 2018, but also to data gathered before. Does the consent record of your existing contact lists prove that you have clear authorization to send email marketing campaigns to each contact? Any ambiguous record means obtaining new and express permission from that contact before sending them email marketing communications.

Can I buy contact lists under GDPR?

While certain purchased lists with a clear affirmative statement of consent within the original subscription may be allowed under the GDPR, FirstCMS strongly recommends against this in every way possible because of deliverability concerns. What is permitted may not be good for your email strategy.

How can I get my email unsubscription right?

Every email marketer should give their contacts a proper way to unsubscribe, in order to be compliant with the EU GDPR. The unsubscribe process under the GDPR needs to be clear and simple. You should include a visible unsubscribe link in each marketing email, through which your subscriber can:

  1. Unsubscribe from this marketing communication
  2. Unsubscribe from all of your communications
  3. Contact a return email address

Allowing your contacts to unsubscribe easily is just as important as allowing them to subscribe easily when it comes to achieving compliance with the EU GDPR.

Do I need to add a double opt-in when adding new subscribers?

The short answer is no. There’s no requirement under the GDPR to have a double opt-in process.

Is it a good idea? Definitely yes. Double opt-in may not be a GDPR requirement, but we do recommend it as a Permission Marketing best practice. We always recommend a double opt-in process when you are collecting new data, for example new subscriptions from a website form. It significantly increases the quality of genuine captured data and it avoids collecting data submitted to your forms by online bots or other unscrupulous sources.

Double opt-in is a simple process to implement. The usual process is that, on submission of a data collection form, an automated email is sent to the submitted email address. The new subscriber data is only confirmed and added to the database on successful receipt of and interaction with this email, for example the clicking of a verification link. This verifies that the email address is both active and actively monitored, and that the submitted details are correct.
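The verification step described above, as an added example that is not FirstCMS’s own code: on form submission a signed, expiring confirmation token is issued and nothing is written to the subscriber database; only when the link is clicked and the token verifies is a consent record stored, keeping email, source, purpose and timestamps as the audit trail of consent. The signing key, the 48-hour expiry and the in-memory consent log are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key for this example; load a real one from a secret store in practice.
SECRET_KEY = b"example-key-not-for-production"
TOKEN_TTL_SECONDS = 48 * 3600  # verification links expire after two days (assumption)

# Only confirmed subscriptions land here: this list is the "proof of consent" audit trail.
CONSENT_LOG = []

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_confirmation_token(email, source, purpose, now=None):
    """Form submission: nothing is stored yet; the signed token in the email carries the claim."""
    now = time.time() if now is None else now
    claim = {"email": email, "source": source, "purpose": purpose,
             "requested_at": now, "expires_at": now + TOKEN_TTL_SECONDS}
    payload = json.dumps(claim, sort_keys=True).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def confirm_subscription(token, now=None):
    """Verification link clicked: check signature, expiry and replay, then record consent."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:  # malformed link
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # forged or tampered link
        return None
    claim = json.loads(payload)  # safe to parse: the signature proves we issued it
    if now > claim["expires_at"]:  # stale link
        return None
    if any(r["email"] == claim["email"] and r["requested_at"] == claim["requested_at"]
           for r in CONSENT_LOG):  # link already used once
        return None
    record = {**claim, "confirmed_at": now, "method": "double-opt-in"}
    CONSENT_LOG.append(record)
    return record
```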

Many marketers also include a thank-you type of confirmation that the process is now complete. This can also be used to supply additional introductory information or to encourage new subscribers onwards to the brand website. New subscribers are generally keen, so it’s a good opportunity to advance the relationship. It also serves as a useful positive confirmation to the subscriber that their subscription has indeed been processed.

We don’t always use double opt-in. For new subscribers, definitely, yes. But if you are collecting additional data from existing subscribers (for example updating preferences or collecting additional profile information such as a birthday or location) you might want to consider turning this option off. Good as it is, double opt-in does add another step to the process, and this potentially introduces an additional point at which interest and opportunity might be lost. If in doubt, keep it.

Do I need to contact my existing subscribers to re-establish consent?

Again, the short answer is no.

Assuming that consent was originally gathered in a way which is consistent with post-GDPR requirements, and that the intended future uses are also similar, then consent is considered to be continuous. There is no need to go back and re-establish it just because of the GDPR.

But is it a good idea? Quite possibly, yes.

Consent is not the only condition for data processing under the GDPR, but it is one of the pillars upon which justification is built. The GDPR requires that, unless there is another justification (there are 5 other justification scenarios, i.e. legal obligation, public interest, vital interest, contractual, legitimate use), data processing can only be done with the consent of the data subject. As well as being a fundamental of permission-based marketing, this is actually not dissimilar to the current UK Data Protection legislation. In this respect the principle of consent has not radically changed.

However, the GDPR does extend and clarify the conditions under which consent is given. The GDPR now requires that consent must be a clear and affirmative opt-in action, freely given with full knowledge of the owner and the intended purpose of processing. It can’t be implied, assumed, bundled or otherwise connected, and it only applies to a specifically identified purpose.

For those already following a robust permission-based strategy, the new conditions of consent which the GDPR brings should introduce little in the way of new difficulty. In many respects the GDPR is designed to bring everyone closer to the permission ideal, so it is those who are either ignoring or loosely applying the concept of consent who will need to up their game. In any case, as mentioned before, consent is not the only justification. The GDPR also includes a justification under the heading of ‘legitimate use’. This is similar to the so-called ‘soft opt-in’ (or legitimate interest) which is commonly used by email marketers under the current Data Protection laws.

In principle, as long as a clear, genuine and mutually beneficial relationship is in place, and the processing is anticipated, appropriate and doesn’t otherwise infringe the rights and freedoms of the individual, then data processing can still be undertaken without consent. Many email marketers commonly rely on this scenario, and although consent is still the preferred route, it is likely that this will not significantly change under the GDPR. In fact, after much discussion and lobbying, the justification of Legitimate Use has been referenced within the GDPR text as being specifically aligned to the needs of marketers.

However, the other major change with the GDPR is that, whatever justification you are relying on for the processing of data (consent or otherwise), you need to have assessed the possible impact of that assumption in advance. This is new.

Having said all that, many people are taking the opportunity to contact their database either to re-affirm consent or, where (GDPR-compliant) consent is not in place, to establish it. Some are specifically referencing the GDPR in this process, but others are simply taking this step as a courtesy. After all, permission is a politeness, and re-engaging in this way can show that data protection is an important consideration and serve to strengthen an existing relationship.

There’s the danger (in fact a high probability) that some subscribers will also take this opportunity to re-assess their situation and withdraw their consent. So if you take this step, be prepared for losses. However, re-engaging in this way has the double benefit of strengthening the bond with your loyal subscribers and cleaning out those who are unlikely to engage further in the future.


This material is provided for your general information and is not intended to provide legal advice. To understand the full impact of the GDPR on any of your data processing activities please consult with an independent legal and/or privacy professional.


For further information, have a read of our GDPR Overview