GDPR and Email Marketing: What the Regulation Requires and How to Comply

The GDPR requires a lawful basis, in practice almost always consent, before you send marketing email to individuals in the EU/EEA, with penalties reaching 4% of global annual turnover. Learn every requirement, the legal bases for email, and how GDPR compliance actually improves deliverability.

Key Takeaways
  • The GDPR is an opt-in regulation: you need a lawful basis (typically consent or legitimate interest) before sending marketing email to anyone in the EU/EEA, regardless of where your business is located.
  • Consent must be freely given, specific, informed, and unambiguous. Pre-checked boxes, bundled consent, and implied consent do not qualify under GDPR.
  • Data subjects have the right to withdraw consent at any time, and you must make it as easy to opt out as it was to opt in.
  • Penalties can reach up to 20 million euros or 4% of global annual turnover, whichever is higher. Enforcement is active; fines have been issued for email marketing violations.
  • GDPR-compliant email programs consistently show better deliverability because consent-based lists generate higher engagement and fewer complaints.

The General Data Protection Regulation (GDPR) is the European Union's comprehensive data privacy law. It took effect on May 25, 2018, and applies to any organization that processes the personal data of individuals in the EU/EEA, regardless of where the organization is based. For email marketers, this means that sending marketing email to anyone in Europe requires compliance with GDPR, even if your company is headquartered in the United States, Asia, or anywhere else.

Unlike the CAN-SPAM Act in the U.S. (which is an opt-out law allowing unsolicited commercial email), GDPR requires a lawful basis for processing personal data before you send. This fundamental difference makes GDPR one of the strictest email marketing frameworks globally, but the stricter standards also produce measurably better sender reputation and inbox placement.

Who Does GDPR Apply To?

GDPR applies to any organization that:

  • Is established in the EU/EEA and processes personal data (regardless of where the processing occurs)
  • Is established outside the EU/EEA but offers goods or services to individuals in the EU/EEA
  • Is established outside the EU/EEA but monitors the behavior of individuals in the EU/EEA

For email marketers, this means: if anyone on your email list is located in the EU/EEA, GDPR applies to your email program for those individuals. A U.S. company with a global email list that includes European subscribers must comply with GDPR for those subscribers.

4% of global revenue
The maximum GDPR fine for the most serious violations, or 20 million euros, whichever is higher. Even smaller infractions can result in fines up to 2% of global revenue or 10 million euros.

The Two Primary Legal Bases for Marketing Email

GDPR requires a "lawful basis" for processing personal data. For email marketing, two bases are most commonly used:

Consent (Article 6(1)(a))

Consent is the most common and safest legal basis for marketing email. Under GDPR, valid consent must be:

  • Freely given: Not coerced or bundled with other terms. "Sign up for our newsletter to complete your purchase" is not freely given consent.
  • Specific: Consent must cover the specific processing activity. Generic "I agree to everything" does not qualify.
  • Informed: The individual must know who will be sending them email, what kind of email, and how their data will be used.
  • Unambiguous: Requires a clear affirmative action. Pre-checked boxes, silence, or inactivity do not constitute consent.

Warning: Pre-checked email subscription checkboxes violate GDPR. The checkbox must be empty by default, and the subscriber must actively check it. This is one of the most common GDPR violations in email marketing. Review every signup form on your site.

Legitimate Interest (Article 6(1)(f))

Some EU member states allow marketing email under the "legitimate interest" basis (Recital 47 of the GDPR notes that direct marketing may be a legitimate interest), but this comes with conditions. You must conduct a Legitimate Interest Assessment (LIA) demonstrating that your interest in sending marketing email is not overridden by the individual's interests and fundamental rights. Factors include:

  • Whether the individual reasonably expects the communication (e.g., existing customers)
  • The nature and impact of the processing
  • Whether a less intrusive alternative exists

The ePrivacy Directive (2002/58/EC, Article 13, which works alongside GDPR for electronic communications) further restricts marketing email. Most EU member states interpret the combination of GDPR and the ePrivacy Directive as requiring explicit consent for marketing email, with a narrow "soft opt-in" exception for existing customers.

The Soft Opt-In Exception

The ePrivacy Directive allows a "soft opt-in" for existing customers under specific conditions:

  1. You obtained the email address during a sale or negotiation for a sale of a product or service.
  2. You are marketing similar products or services to your own.
  3. You gave the customer a clear opportunity to opt out at the time of collection.
  4. You offer an opt-out in every subsequent message.

This exception does not apply to prospecting, purchased lists, or contacts obtained through means other than a direct business relationship. When in doubt, use explicit consent.

Pro Tip

Use double opt-in for all EU/EEA subscribers. While not explicitly required by GDPR, double opt-in provides documented proof of consent (the confirmation click), protects against fake signups and spam traps, and demonstrates compliance in the event of an audit or complaint.

Data Subject Rights That Affect Email

GDPR grants individuals extensive rights over their personal data. Several directly impact email marketing operations:

Right to Withdraw Consent

Subscribers can withdraw consent at any time, and Article 7(3) requires that withdrawing be as easy as giving it. In practice, this means every marketing email must include a clear, functional unsubscribe link. Requiring login, multiple steps, or a waiting period to unsubscribe violates this right.
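As an added example (not code from the original article), here is how the unsubscribe mechanics above translate into message headers and a server-side handler, using the RFC 8058 one-click convention that large mailbox providers now require of bulk senders. The domain, signing key and in-memory store are assumptions. The security point a practitioner cares about is the per-recipient signed token: without it, anyone who can guess the link format can unsubscribe other people.

```python
"""One-click unsubscribe (RFC 8058) with a signed per-recipient link.
Added example; UNSUB_KEY, the example.com domain and UNSUBSCRIBED are
assumptions, not any real ESP's API."""
import hashlib
import hmac
import secrets
from email.message import EmailMessage
from urllib.parse import parse_qs, quote, urlparse

UNSUB_KEY = secrets.token_bytes(32)                    # assumed: load from a secrets manager
UNSUB_BASE = "https://mail.example.com/unsubscribe"    # assumed domain
UNSUBSCRIBED: set = set()                              # (email, list_id) pairs; a database in practice


def _token(email: str, list_id: str) -> str:
    # HMAC binds the link to one recipient and one list, so it cannot be
    # guessed or reused against someone else's subscription.
    msg = f"{email.strip().lower()}|{list_id}".encode()
    return hmac.new(UNSUB_KEY, msg, hashlib.sha256).hexdigest()


def unsubscribe_url(email: str, list_id: str) -> str:
    e = email.strip().lower()
    return f"{UNSUB_BASE}?e={quote(e)}&l={quote(list_id)}&t={_token(e, list_id)}"


def build_message(to: str, list_id: str, subject: str, body: str) -> EmailMessage:
    """Outbound marketing message carrying both RFC 8058 headers and a
    visible unsubscribe link in the body."""
    msg = EmailMessage()
    msg["From"] = "news@example.com"          # assumed sender
    msg["To"] = to
    msg["Subject"] = subject
    url = unsubscribe_url(to, list_id)
    # https URL is what providers POST to; mailto is the fallback.
    msg["List-Unsubscribe"] = f"<{url}>, <mailto:unsubscribe@example.com?subject=unsubscribe>"
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    msg.set_content(f"{body}\n\nUnsubscribe: {url}\n")
    return msg


def handle_unsubscribe(method: str, url: str, form_body: str):
    """Server side of the one-click flow. Returns (http_status, reason).
    No login, no confirmation page, no delay: the request is honored on the
    spot if the token checks out."""
    if method != "POST":
        return 405, "RFC 8058 one-click unsubscribe uses POST"
    if parse_qs(form_body).get("List-Unsubscribe") != ["One-Click"]:
        return 400, "missing List-Unsubscribe=One-Click form body"
    q = parse_qs(urlparse(url).query)
    try:
        email, list_id, token = q["e"][0], q["l"][0], q["t"][0]
    except (KeyError, IndexError):
        return 400, "malformed unsubscribe link"
    if not hmac.compare_digest(token, _token(email, list_id)):
        # Forged or tampered link: touch nobody's subscription.
        return 400, "invalid token"
    UNSUBSCRIBED.add((email.strip().lower(), list_id))   # idempotent
    return 200, "unsubscribed"
```

The same link works for a human click in the footer; for a browser GET you may show a page, but the POST from the mailbox provider must be processed without any further interaction.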

Right to Erasure (Right to Be Forgotten)

Individuals can request that you delete all their personal data. For email marketers, this means removing the person from your active lists and your suppression lists, unless you have a legal obligation to retain suppression data (e.g., to comply with CAN-SPAM's requirement not to email them again). This creates a tension that many organizations resolve by keeping a minimal suppression record (just a hash of the email address) while deleting all other data. Two caveats: use a keyed hash (HMAC with a secret), because a plain SHA-256 of an email address is trivially reversed by hashing candidate addresses; and note that even a keyed hash is pseudonymized personal data under GDPR (Recital 26), so document the lawful basis and retention rationale for the suppression record itself.
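As an added example (not from the original article), the erasure flow described above: delete the profile, keep only a keyed hash in a suppression set, and check that set before any send or re-import. The subscriber data, the pepper and the in-memory structures are constructed assumptions. The block also shows why the hash must be keyed: an attacker holding a leaked suppression table and a list of candidate addresses recovers plain SHA-256 entries but not HMAC entries.

```python
"""Right-to-erasure handling with a keyed-hash suppression list.
Added example; SUBSCRIBERS is constructed sample data and the pepper is
an assumption (it must live in a secrets manager, and rotating it
invalidates the whole suppression table)."""
import hashlib
import hmac
import secrets

SUPPRESSION_PEPPER = secrets.token_bytes(32)   # assumed secret key

# Constructed sample profiles: everything here is deleted on erasure.
SUBSCRIBERS = {
    "alice@example.com": {"segments": ["vip"], "opens_90d": 12, "signup_form": "footer"},
    "bob@example.com": {"segments": [], "opens_90d": 0, "signup_form": "checkout"},
}
SUPPRESSION: set = set()   # keyed hashes only; no addresses, no profile data


def normalize(email: str) -> str:
    # Lower-case and trim so "Alice@Example.com " and "alice@example.com"
    # map to the same record. (Provider-specific aliasing such as Gmail
    # dots is deliberately not handled here.)
    return email.strip().lower()


def plain_hash(email: str) -> str:
    """Unkeyed SHA-256: what many teams store, and not anonymous (see
    reverse_plain_hash)."""
    return hashlib.sha256(normalize(email).encode()).hexdigest()


def suppression_key(email: str) -> str:
    """Keyed hash (HMAC-SHA256 with a secret pepper). Still pseudonymized
    personal data under GDPR, but not reversible without the pepper."""
    return hmac.new(SUPPRESSION_PEPPER, normalize(email).encode(), hashlib.sha256).hexdigest()


def erase_subscriber(email: str) -> bool:
    """Honor an erasure request. Returns True if a profile existed.
    The suppression entry is written even for unknown addresses, so a
    later list import cannot silently re-add the person."""
    e = normalize(email)
    had_profile = SUBSCRIBERS.pop(e, None) is not None
    SUPPRESSION.add(suppression_key(e))
    return had_profile


def is_suppressed(email: str) -> bool:
    return suppression_key(email) in SUPPRESSION


def may_send_marketing(email: str) -> bool:
    """Gate every send and every import on the suppression set."""
    e = normalize(email)
    return e in SUBSCRIBERS and not is_suppressed(e)


def reverse_plain_hash(digest: str, candidates):
    """Attacker's view of a leaked table: hash each candidate address with
    plain SHA-256 and compare. Succeeds against plain_hash() output,
    fails against suppression_key() output."""
    for c in candidates:
        if hmac.compare_digest(plain_hash(c), digest):
            return normalize(c)
    return None
```

On a real system the suppression check belongs in the sending pipeline and in every import path, not only in the erasure handler; the hash is useless if a CSV upload bypasses it.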

Right of Access

Individuals can request a copy of all personal data you hold about them, including email engagement history, segmentation data, preference data, and any profiling. You must respond within one month (Article 12(3)), extendable by a further two months for complex or numerous requests, provided you tell the individual within the first month.

Right to Object

Article 21(2) gives individuals an absolute right to object to processing for direct marketing at any time, whatever lawful basis you rely on. It matters most when you send under legitimate interest (under consent, withdrawal reaches the same result). Once they object, you must stop processing their data for marketing immediately, with no balancing test and no exceptions.

Record-Keeping Requirements

GDPR requires you to demonstrate compliance, not just claim it. For email marketing, this means maintaining records of:

  • When consent was given: Date and timestamp of the opt-in.
  • How consent was given: Which form, page, or touchpoint was used. Screenshots of the form at the time of consent are valuable evidence.
  • What the individual consented to: The specific language they agreed to.
  • The individual's identity: Email address and any associated identifiers.

Without these records, you cannot prove consent was given, which means you cannot demonstrate a lawful basis for processing. If a supervisory authority investigates, the burden of proof is on you. "We think they opted in" is not sufficient.
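As an added example (not the article's own code) covering both the double opt-in recommended in the Pro Tip above and the record-keeping requirements just listed: a signup produces an HMAC-signed, time-limited confirmation token; nothing is recorded as consent until the confirmation click; and the record stores when, how, and to what wording the person consented. The signing key, the consent text, the form identifier and the in-memory log are assumptions.

```python
"""Double opt-in with a signed confirmation token and an auditable consent
record. Added example; SIGNING_KEY, CONSENT_TEXTS and CONSENT_LOG are
assumptions standing in for a secrets manager, a CMS and a database."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass

SIGNING_KEY = secrets.token_bytes(32)     # assumed: from a secrets manager
TOKEN_TTL_SECONDS = 48 * 3600             # confirmation links expire

# Exact wording shown next to the (unticked) checkbox, versioned so the
# record proves what was agreed to even after the copy changes.
CONSENT_TEXTS = {
    "newsletter-v3": "Yes, email me the weekly newsletter from Example Ltd. "
                     "I can unsubscribe at any time.",
}


@dataclass(frozen=True)
class ConsentRecord:
    email: str
    source_form: str        # how: which form or touchpoint
    consent_version: str    # what: versioned wording
    consent_text: str
    requested_at: int       # form submission (pending, not yet consent)
    confirmed_at: int       # confirmation click: the evidence of consent


CONSENT_LOG: dict = {}


def _sign(data: str) -> str:
    return hmac.new(SIGNING_KEY, data.encode(), hashlib.sha256).hexdigest()


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def begin_signup(email, form_id, consent_version, checkbox_ticked, now=None) -> str:
    """Step 1: form submission. Refuse anything that is not an explicit tick
    (the form must render the box unchecked), then issue the confirmation
    token. The address is not added to any list here."""
    if not checkbox_ticked:
        raise ValueError("no affirmative act: an unticked box is not consent")
    if consent_version not in CONSENT_TEXTS:
        raise ValueError(f"unknown consent text version {consent_version!r}")
    requested_at = int(time.time() if now is None else now)
    payload = json.dumps(
        {"e": email.strip().lower(), "f": form_id, "v": consent_version, "t": requested_at},
        separators=(",", ":"), sort_keys=True)
    body = _b64(payload.encode())
    return f"{body}.{_sign(body)}"          # goes into the confirmation link


def confirm_signup(token: str, now=None) -> ConsentRecord:
    """Step 2: confirmation click. Verify signature and expiry, then write the
    consent record; only now does the address have a lawful basis."""
    body, _, sig = token.partition(".")
    if not sig or not hmac.compare_digest(sig, _sign(body)):
        raise ValueError("invalid or tampered confirmation token")
    data = json.loads(_unb64(body))
    confirmed_at = int(time.time() if now is None else now)
    if confirmed_at - data["t"] > TOKEN_TTL_SECONDS:
        raise ValueError("confirmation link expired; subscriber must sign up again")
    record = ConsentRecord(
        email=data["e"], source_form=data["f"], consent_version=data["v"],
        consent_text=CONSENT_TEXTS[data["v"]],
        requested_at=data["t"], confirmed_at=confirmed_at)
    CONSENT_LOG[record.email] = record
    return record


def has_valid_consent(email: str) -> bool:
    """Sending gate: a marketing send requires a confirmed record."""
    return email.strip().lower() in CONSENT_LOG
```

The record deliberately stores the consent text version rather than a screenshot; keep the screenshot of each form version alongside the version identifier so the two can be joined during an audit. Pending (unconfirmed) signups should be purged after the token TTL, since they are personal data held without a lawful basis beyond the confirmation attempt.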

How GDPR Compliance Improves Deliverability

This is where compliance and performance converge. GDPR-compliant email programs consistently outperform non-compliant ones on deliverability metrics:

GDPR requirement | Deliverability benefit
Explicit opt-in consent | Higher engagement rates; subscribers actually want your email
Easy unsubscribe | Lower complaint rates; subscribers opt out instead of reporting spam
Double opt-in | Eliminates fake addresses, typos, and spam traps from your list
Data minimization | Cleaner lists with only actively engaged subscribers
Right to erasure | Forces regular list maintenance, removing dead addresses

European senders are reported to achieve roughly 89-91% inbox placement, against a global average of 83-85%. That gap is consistent with GDPR's consent requirements producing cleaner, more engaged lists: the regulation mandates the very behaviors that mailbox providers reward.

Did You Know?

Europe's 89-91% inbox placement rate is the highest of any region. North America averages 84-87%, and Asia-Pacific trails at 76-80%. A large part of this difference is plausibly GDPR's consent requirements, which produce lists where every subscriber has actively chosen to receive email.

GDPR vs. CAN-SPAM: Key Differences

Feature | GDPR (EU) | CAN-SPAM (U.S.)
Consent model | Opt-in (consent required before sending) | Opt-out (can send without consent)
Pre-checked boxes | Prohibited | Allowed
Purchased lists | Generally prohibited (no valid consent) | Allowed (with opt-out in each email)
Right to erasure | Yes (delete all data on request) | No (only suppress from future sends)
Record-keeping | Must document when, how, and what was consented to | No specific record-keeping requirement
Maximum penalty | 4% of global revenue or 20M euros | $51,744 per email (2024 inflation-adjusted figure)
Scope | All personal data processing | Commercial email only
Applies to B2B | Yes | Yes

If you send to both U.S. and EU audiences, the simplest approach is to run the stricter (GDPR) standard across your entire program. A GDPR-compliant program covers CAN-SPAM's consent and opt-out expectations, but CAN-SPAM also has mechanical requirements of its own that GDPR does not impose (a valid physical postal address in every message, non-deceptive header and subject lines, opt-outs honored within 10 business days), so check those separately. A CAN-SPAM-only program will violate GDPR for EU/EEA recipients.

GDPR Email Marketing Compliance Checklist

  1. All signup forms use unchecked opt-in checkboxes with clear language about what the subscriber will receive.
  2. Consent is specific: separate checkboxes for different types of communication (newsletter, product updates, partner offers).
  3. Double opt-in is implemented for all EU/EEA subscribers.
  4. Consent records are stored with timestamp, source, and the language the subscriber agreed to.
  5. Every marketing email includes a clear, one-click unsubscribe link.
  6. Unsubscribe requests are processed within 48 hours (GDPR says "without undue delay").
  7. Your privacy policy explains how email addresses are collected, processed, stored, and shared.
  8. A process exists for handling data subject access requests (within one month).
  9. A process exists for handling right-to-erasure requests.
  10. Purchased or rented email lists are not used for EU/EEA recipients.
  11. Third-party data processors (your ESP, CRM) have GDPR-compliant data processing agreements in place.
  12. International data transfers (EU data processed in the U.S.) use appropriate safeguards (Standard Contractual Clauses, adequacy decisions, or binding corporate rules).

Frequently Asked Questions

Does GDPR apply to business (B2B) email addresses?

Yes. GDPR protects "natural persons" (individuals), and a business email address like john@company.com is the personal data of the individual named John. Some EU member states apply slightly different rules for B2B under their local ePrivacy implementations, but GDPR itself makes no B2B exception. The safest approach is to treat all EU email addresses as requiring consent.

Can I email existing customers without explicit consent?

In limited cases, you can use the "soft opt-in" exception for existing customers if you collected their email during a sale, are marketing similar products, and provided a clear opt-out opportunity. Some member states also allow legitimate interest as a basis for B2B marketing. However, consent remains the most widely accepted and defensible basis for marketing email under GDPR.

Is double opt-in required under GDPR?

Double opt-in is not explicitly required by GDPR, but it is strongly recommended. Double opt-in provides documented proof of consent (the confirmation click), verifies the email address is valid and owned by the subscriber, and protects your list from spam traps and fake signups. German data protection authorities, in particular, consider double opt-in the standard for demonstrating valid consent.

Can I use a purchased email list for EU/EEA contacts?

Purchased lists almost always violate GDPR because the individuals on the list did not give consent to your specific organization for your specific purposes. The list vendor's consent (if any) does not transfer to you. Sending to a purchased list of EU contacts exposes you to GDPR fines and will also damage your deliverability through high bounce rates, complaint rates, and spam trap hits.

Does GDPR apply to transactional email?

GDPR applies to all processing of personal data, including transactional emails. However, transactional emails (order confirmations, password resets, account notifications) typically rely on a different legal basis: "performance of a contract" (Article 6(1)(b)) or "legitimate interest." These do not require marketing consent, but the email must be genuinely transactional and not include promotional content; a password reset with a product offer appended becomes a marketing message and needs a marketing basis.
