Email Marketing Under GDPR: Guide for 2021

In a fast-paced digitalised world, data is arguably the world's most important commercial resource besides oil. This view is supported by the fact that data principally informs multiple verticals and sectors, especially with how it affects consumerism, customer experience and trade in general.

More than 306 billion emails are sent each day (with this number expected to arrive at 333 billion messages by 2021). And because data is so significant to the world, it is also prone to misuse and abuse and this has ultimately prompted consumers to become highly inquisitive about how companies leverage and store their personal information.

GDPR, a relatively new and intricate piece of legislation created to protect consumers in the UK, has been the subject of discussion in the marketing industry for over three years. With multiple prerequisites and implications that are sometimes ‘open to interpretation’, it has remained a gray area for many marketers.

Fortunately, we’ve got your back. Once you’re done reading this, you’ll be equipped with everything you need to know about GDPR and email marketing. Let’s dive in!

What is GDPR law?

The General Data Protection Regulation (GDPR) came into effect on May 25th 2018. Principally, this legislation was designed to reconcile the differing data protection guidelines across the EU and, as a result, to give consumers more say and control over the information they divulge to third parties.

Fundamentally, GDPR influences how organisations store, process and utilise client information. Most simply put, this implies that organisations are now required to incorporate privacy settings into their websites and digital products by default.

Furthermore, this translates into a need for organisations to conduct extensive privacy impact assessments, to reinforce the way they seek permission to use data, as well as to document the ways they use personal data and improve the way they communicate data breaches.

Failure to adhere to GDPR rules can lead to hefty fines as businesses can be fined up to 4% of their annual turnover if they infringe GDPR. That being said, GDPR creates the expectation of better quality of consent for consumers and subscribers, and thus poses the imperative question of how to suitably collect and store consent for email marketers.

How does GDPR affect email advertising?

Email marketing is still the most favoured marketing channel for B2B organisations. However, GDPR was designed as a data protection mechanism to keep organisations of all shapes and sizes accountable for their actions. The idea behind this legislation was to avert instances where companies would misuse individuals’ information for their own benefit without transparency.

The email advertising landscape has not been negatively affected by GDPR impositions. For the most part, there are three areas that advertisers have to contend with in regard to GDPR: data permission, data access and data focus.

Essentially, data permission relates to how email marketers manage email opt-ins. GDPR dictates that consumers need to express consent in a ‘freely given, specific, informed, and unambiguous’ manner that is reinforced by a ‘clear affirmative action’.

Consequently, this implies that leads, clients and partners need to authentically show that they want to be reached. Email marketers essentially need to ensure that they have gained authorisation (permission) from their subscribers, prospects or clients. Hence, pre-ticked boxes that automatically opted customers in are no longer sufficient – rather, an ‘opt-in’ needs to be a conscious and deliberate choice.

Data access primarily revolves around the 'right to be forgotten'. This means individuals have the option to have outdated or inaccurate personal information removed from any website.

Basically, the introduction of GDPR essentially offered consumers the ability to oversee how their information is gathered and utilized, including the capacity to access or eliminate it – in accordance with their ‘right to be forgotten’.

This means that email advertisers must ensure that their clients can easily access their information and withdraw consent for its use (if they so desire).

Finally, for data focus, GDPR expects email marketers to legitimately justify the processing of the personal information they gather. This caveat means that marketers are encouraged to collect only the data they actually need, rather than soliciting immaterial information from consumers.

It is worth noting that the emails primarily subject to GDPR, and the ones referred to here, are marketing emails. These are regularly sent via email marketing engines and software like Enginemailer. However, GDPR also applies to plain text promotional emails sent from private email accounts. As we shall later see, though GDPR applies to all these emails, there is a fundamental distinction in the type of consent a marketer would need to gain, contingent upon whether the recipient is a private individual or a business contact.

Are there separate guidelines for B2B email marketing under GDPR versus B2C?

While marketers should have a lawful premise to email both B2C and B2B recipients, GDPR focuses on two forms: consent, and authentic business interest.

Generally, B2C (business to consumer) entities are the most impacted when it comes to GDPR. Because they directly engage private consumers with emails, they are the most liable to GDPR’s rules.

On the other hand, marketing emails to B2B email contacts from limited companies, government institutions, PLCs, incorporated partnerships, or local authorities are not subject to the same stringent requisites as B2C companies.

The strict GDPR regulatory oversight has exposed B2C companies to several legal risks, settlements and litigation battles in instances where an email was sent incorrectly. Complications that organisations would do well to avoid!

What does GDPR say about transactional emails?

All things considered, transactional emails are exempt from most GDPR requirements. This exemption is dependent upon the prerequisite of truthful routing of information and already-agreed-upon transactions.

Emails that effectively deliver goods or services as a part of a transaction that a user already consented to (for instance, a License key) fall in this category.

However, it’s worth remembering that GDPR still institutes that transactional messages should be employed in a lawful, reasonable, fair and transparent manner. Hence, before sending a transactional email without consent, always ask yourself the following questions:

  1. Does my client truly need this email?
  2. Does my transactional email contain promotional content?
  3. Would it be a good idea for me to give my clients an unsubscribe option?
  4. Do I have a good privacy policy?
  5. Will my clients understand why they are getting this email?

Things to know about email consent under GDPR

GDPR guidelines enforce that brands gather confirmed consent that is "uninhibitedly given, explicit, informed and unambiguous" to be fully compliant. In practice, this consent has to be freely given and recordable. Consent should be the basis of any email marketing campaign that involves B2C recipients. So, to satisfactorily fulfil GDPR consent requisites, here is our miniature email GDPR compliance checklist for marketers.

The customer must check in an unchecked “opt-in” box

GDPR consent must be freely given, unambiguous as to the intention, and recordable. This means that it cannot involve unticking pre-ticked boxes, and failure to opt out is not the same as opting in.

Fundamentally, consumers are mandated to have the option of an unchecked ‘opt-in’ box in order to make an active decision that they want to receive marketing emails. In summary, for consent to be valid under GDPR rules, a customer should effectively affirm their consent by ticking an unchecked box.

Do not mix consent requests with common Terms & Conditions

Email consent should be openly given via clear and open avenues, if a subscriber genuinely decides to do so. This means that if subscribing to a newsletter is required in order to download a whitepaper, for instance, then that consent isn't freely given.

As has been previously highlighted, under GDPR, email consent should be independent. This means that consent should never be paired, merged or intertwined with a company’s terms and conditions or privacy notices.

Provide easy options for consent withdrawal

In addition, every promotional email sent by a marketer should give recipients a choice to withdraw. The opt-out process should be readily accessible without: charging a fee, soliciting any information beyond an email address, requiring subscribers to log in, or prompting subscribers to visit more than one page to submit their opt-out request.

Keep record of consents

Importantly, GDPR goes beyond setting the standards for how to collect consent; it also expects organisations to keep records of consents.

Keeping proof of GDPR consent means that marketers maintain records of: who consented, when they gave the consent, what they were told at the time of consent, how they agreed, and whether they have withdrawn consent.
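The unchecked opt-in rule, the one-step withdrawal requirement and the record fields listed above can be enforced in one place. The following consent ledger is an added example written for this guide, not code from Enginemailer or any other product; the `form` dictionary that describes how the signup form was rendered and submitted is a constructed assumption.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, Optional


@dataclass
class ConsentRecord:
    email: str                  # who consented
    granted_at: datetime        # when they gave consent
    notice_text: str            # what they were told at the time
    method: str                 # how they agreed, e.g. "newsletter_form_checkbox"
    withdrawn_at: Optional[datetime] = None  # whether (and when) consent was withdrawn


class ConsentLedger:
    """Constructed example: in-memory store of GDPR consent records."""
    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}

    def record_opt_in(self, email: str, form: dict, notice_text: str,
                      method: str, now: Optional[datetime] = None) -> ConsentRecord:
        # `form` is a constructed description of the signup form as submitted:
        # was the box pre-ticked, did the user tick it, was consent bundled with T&Cs.
        if form.get("checkbox_default_checked"):
            raise ValueError("pre-ticked box: consent is not freely given")
        if not form.get("checkbox_checked"):
            raise ValueError("box left unticked: failure to opt out is not opting in")
        if form.get("bundled_with_terms"):
            raise ValueError("consent must be separate from terms and conditions")
        record = ConsentRecord(email, now or datetime.now(timezone.utc), notice_text, method)
        self._records[email] = record
        return record

    def withdraw(self, email: str, now: Optional[datetime] = None) -> bool:
        # One-step withdrawal keyed on the address alone; False if there is nothing to withdraw.
        record = self._records.get(email)
        if record is None or record.withdrawn_at is not None:
            return False
        record.withdrawn_at = now or datetime.now(timezone.utc)
        return True

    def may_send_marketing(self, email: str) -> bool:
        record = self._records.get(email)
        return record is not None and record.withdrawn_at is None

    def export(self, email: str) -> Optional[dict]:
        # Data access: the subscriber's full consent record, or None if unknown.
        record = self._records.get(email)
        return asdict(record) if record else None
```

Every send should be gated on `may_send_marketing`, and `export` gives the subscriber the same record you would produce if asked to demonstrate consent.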

Limit the personal data collected

Advertisers can be guilty of gathering more information from an individual than they need. GDPR encourages a level of awareness that fosters a culture where marketers only collect information that is pertinent to their needs. Essentially, consumers are more interested in their privacy nowadays, and aren’t always interested in targeted offerings.

That being said, more organisations should get into the habit of deleting all the superfluous personal data from their CRM systems in order to focus on aggregated non-identifiable data to produce generic marketing campaigns, and thus reduce the risks of exploitative fines or loss of reputation.

What is a GDPR compliant newsletter?

Put simply, a GDPR compliant newsletter is one that offers a double opt-in to record consent from subscribers before sending emails, institutes an easy to use opt-out option, informs subscribers of how their data will be used, and stores user data in an encrypted format for maximum security.

Is GDPR a threat to email marketing?

Generally speaking, GDPR poses no real threats to the email marketing domain despite the myths and the risks of fines. On the other hand, it can be seen as an extraordinary opportunity for marketers and advertisers to shape better targeted and focused marketing campaigns.

This is because marketers now have the opportunity, through consent, to gain valuable insight into individuals’ interests and to provide them with exactly the information they want to receive. This brings an enhanced ability to segment customers, and consequently creates opportunities for better automation, management and decision-making.

In summary, GDPR was intended to reinforce consumers’ rights with regard to how their data is handled. This data protection law essentially reconciles data protection rules across the EU through stronger email data security standards.

For the most part, GDPR has changed the way companies operate in EU countries while handling personal data, for the better. Keep in mind that GDPR was not designed to prevent organisations from engaging with their clients. Quite the opposite, in fact: it has led to a general and dramatic improvement in data quality and handling across the EU.

The article is a part of our comprehensive guide on “Email Marketing in the UK”.