GDPR: What Europe’s New Privacy Law Means for Email Marketers

Currently, local spam regulations in the European Union (EU) differ significantly from country to country under the Directive on Privacy and Electronic Communication (also known as the EU E-Privacy Directive). While the E-Privacy Directive outlines overall goals, each member state is free to translate these goals into local law. The result: different email laws for each of the 28 EU member states.

The General Data Protection Regulation (GDPR), the EU’s new privacy law, aims to bring order to a patchwork of privacy rules across the EU. As GDPR is a regulation, not a directive, it has binding legal force and will be immediately enforceable as law in all EU member states on May 25, 2018. Greater consistency across European countries should be great news for all email marketers, but GDPR also comes with quite a few changes that impact the email industry.

We sat down with some of the leading experts in the field of email and privacy law to talk about the nitty-gritty details of GDPR, and what the new regulation means for email marketers.


 Our experts:

  • James Koons — Chief Privacy Officer at dotmailer
  • Andrew Bonar — co-Founder, Deliverability Ltd
  • Tim Roe — Deliverability and Compliance Director at RedEye. Leader of the GDPR working group, email council of the DMA.


Who does GDPR impact?

GDPR will affect every company that uses personal data from EU citizens. If you’re collecting email addresses and send email to subscribers in the EU, you’ll have to comply with GDPR—no matter where you’re based.

The UK, Germany, France, and other European countries represent valuable markets for many brands. But it’s not just the strategic importance of the market that makes GDPR important for all marketers, it’s also the large number of citizens that the new privacy law will protect.

Whilst Canada and their recently introduced Canadian Anti-Spam Legislation (CASL) were seen to be tough by some, they applied when sending to about 35 million individuals. When sending to businesses, there are loopholes, similar to the Australian regulation. Combined, Australian and Canadian legislation safeguard less than 60 million people. 750 million people will fall under GDPR’s protective framework, which is 10 times as many people—and European legislation extends almost the same level of protection to business mailboxes.
– Andrew Bonar

What changes will GDPR bring for email marketers?

GDPR touches several aspects of email marketing, especially how marketers seek, collect, and record consent. Here’s what every email marketer needs to know:

Stricter regulations for collecting consent

With GDPR in place, marketers will only be allowed to send email to people who’ve opted in to receive messages. While this has already been the case in most European countries under the EU Privacy Directive, GDPR further specifies the nature of consent that’s required for commercial communication. Starting in May 2018, brands have to collect affirmative consent that is “freely given, specific, informed and unambiguous” to be compliant with GDPR.

GDPR clarifies that an affirmative action signaling consent may include checking a box on a website, ‘choosing technical settings for information society services,’ or ‘another statement or conduct’ that clearly indicates consent to the processing. ‘Silence, pre-ticked boxes, or inactivity,’ however, is not adequate.
– James Koons

In addition, the signup process must inform subscribers about the brand that’s collecting the consent and provide information about the purposes of collecting personal data.

The GDPR demands that the recipient is provided with adequate information on how their data will be used. For example, if you intend to profile someone’s data to determine what offers they receive, you must now tell your customer that is how you intend to use the data and give them the opportunity to object.
– Tim Roe

Put together, many practices that marketers previously used to grow their database won’t be compliant under GDPR. Someone left their email address to download a whitepaper or provided their contact information to enter a contest? If you didn’t tell them you’d use their personal data to send marketing messages—and if they didn’t actively agree that it is okay to use their data for that very reason—it won’t be legal to add those email addresses to your mailing list.

New requirements for consent record keeping

The GDPR not only sets the rules for how to collect consent, but also requires companies to keep record of these consents.

Under the GDPR, the burden of proof that sufficient consent has been given lies with the company. This means that you will need to prove and show reasonable evidence that you have complied with the GDPR if you are challenged.
– Tim Roe

In some countries like Germany, the burden of proving consent has always been the responsibility of the company that collected the opt-in. For many other marketers, however, this requirement is a new challenge to tackle.

Storing consent forms is something that most data owners have never had to do before, but in the future, all forms will have to be presented if requested.
– James Koons

I suggest it would be sensible for marketers to include a screengrab of the page or app where the consent was obtained. That is something your platform is not likely supporting out of the box today.
– Andrew Bonar

Getting your existing data up to the new standards

Going forward, email marketers will have to change how they collect and store subscribers’ consent. But that’s only half of the story. GDPR also applies to all existing data. If your database includes subscribers whose permissions haven’t been collected according to the GDPR’s standards, or if you can’t provide sufficient proof of consent for some of your contacts, you might not be allowed to send email to those subscribers anymore.

There is no allowance for data captured before GDPR. Once the GDPR comes into play, if you don’t have sufficient consent, you won’t be able to legally process the data. It’s time to bring all of your customers’ data and business processes up to the correct standard.
– Tim Roe

Facing the challenge of getting their existing database up to the new standards, we’ll likely see many brands running re-permissioning campaigns before the GDPR enters into force in spring 2018.

Do I need to apply changes to my entire email program?

Stricter privacy and opt-in regulations often make marketers fear that they won’t be able to keep growing their database as quickly as they used to. In addition, reviewing and, if necessary, adapting existing opt-in processes is a time- and resource-intensive task.

So isn’t there a way to get around this?

In theory, marketers can delete European addresses and just block all traffic and signups coming from Europe.
– Andrew Bonar

When considering the size and importance of the European market, however, excluding European subscribers is unlikely to be an option for most brands that engage internationally.

Marketers who want to send email to EU citizens have no choice but to review their email processes. They have a few options:

  • Set up separate signup processes for subscribers coming from different parts of the world. People coming from the EU would have to go through a GDPR-compliant sign-up process, while for prospects from the United States, for example, things remain the same. However, the costs and complexities of running two separate sets of lists present a significant drawback to this approach.
  • Bring your entire database up to GDPR standards and adapt all of your opt-in processes to match the EU requirements, which might be the best approach. While changes to opt-in processes and re-permission campaigns will likely slow down list growth in the short term, they’ll help marketers to make sure that they only send email to subscribers who really want to hear from them and thus can improve list quality overall.

With EU privacy laws being some of the strictest worldwide, there is another benefit to bringing your email program up to GDPR standards: If your program complies with GDPR, it’s likely that you’re compliant with other international email regulations as well.

What if you don’t stick to the rules?

GDPR not only comes with stricter regulations around consent and the use of personal data, but also with higher-than-ever penalties for businesses that don’t play by the rules. Non-compliance with GDPR can lead to fines of up to €20 million or 4% of a brand’s total global annual turnover (whichever is higher).

While it’s uncertain what amount authorities may fine those who break the laws, what is certain is that authorities won’t have the bandwidth to go after every brand that’s not fully compliant with GDPR. They will rely heavily on consumers to report breaches, and will likely focus their efforts on the most serious violations.

That’s what happened in the wake of CASL. Enforcement efforts targeted egregious cases such as Compu-Finder, the Canadian training company that was slapped with a fine of CAD $1.1 million in 2015. According to authorities, Compu-Finder had sent emails without consent, as well as messages in which the unsubscribe mechanism did not function properly. Complaints about Compu-Finder accounted for 26% of all CASL complaints submitted against its industry sector.

Resources to learn more about GDPR

For a deeper dive into GDPR, here are a few resources:

This post provides a high-level overview about GDPR, but is not intended, and should not be taken, as legal advice. Please contact your attorney for advice on email marketing regulations or any specific legal problems.