GDPRGeneral Data Protection Regulation
The GDPR (General Data Protection Regulation) is the European Union’s data-protection law, in force since May 2018, that governs how any organisation handles the personal data of people in the EU and EEA. For email it changes the default: marketing generally requires freely given, specific, informed opt-in consent that you can prove, and recipients can withdraw that consent as easily as they gave it. It applies to you wherever you are based if you target EU residents.
- An EU regulation with extraterritorial reach: it applies to anyone targeting EU residents
- Marketing email generally needs opt-in consent, the opposite of CAN-SPAM
- Consent must be freely given, specific, informed, and demonstrable with records
- Top-tier fines reach €20 million or 4% of global annual turnover
What GDPR consent means for email
Under GDPR you need a lawful basis to process someone’s personal data, and for marketing email that basis is almost always consent. Article 7 sets a high bar: consent must be freely given, specific, informed, and given by a clear affirmative act. A pre-ticked box does not count, bundling consent into terms and conditions does not count, and consent for one purpose does not cover another.
You must also be able to demonstrate that consent later, which in practice means keeping a record of who consented, when, how, and to what. And because withdrawal must be as easy as giving consent, an unsubscribe has to be one step, not a login or a hoop to jump through. A narrower “soft opt-in” exists under the related ePrivacy rules for existing customers, but the core marketing rule is affirmative opt-in.
The rights it gives recipients
GDPR hands individuals a set of rights over their data that a sender has to be ready to honor:
- Access: the right to know what data you hold about them and to get a copy.
- Rectification: the right to have inaccurate data corrected.
- Erasure (“right to be forgotten”): the right to have their data deleted.
- Object: the right to object to processing for direct marketing at any time, which you must honor.
- Withdraw consent: as easily as it was given, with no penalty.
For an email programme this means your unsubscribe and your data handling have to actually delete or suppress people on request, not just stop one campaign. Honoring these rights is both a legal duty and good list hygiene: people who do not want your mail are the same people most likely to mark it as spam.
Reach and penalties
GDPR’s reach is extraterritorial. Under Article 3 it applies to any organisation, anywhere in the world, that offers goods or services to people in the EU or monitors their behaviour. A company in the US or Asia emailing EU residents is squarely in scope, which is why GDPR matters far beyond Europe.
The fines are tiered. Less severe breaches can reach €10 million or 2% of global annual turnover, whichever is higher. The most serious breaches, including violating the basic principles for consent, can reach €20 million or 4% of global annual turnover, whichever is higher. Because the percentage is tied to worldwide revenue, the ceiling for a large company runs into the hundreds of millions.
Can you send this marketing email under GDPR?
GDPR vs CAN-SPAM
| GDPR | CAN-SPAM | |
|---|---|---|
| Region | EU / EEA (and anyone targeting it) | United States |
| Consent | Opt-in required first | Opt-out after the fact |
| Scope | All personal-data processing | Commercial email only |
| Proof of consent | Required | Not required |
| Max penalty | €20M or 4% of global turnover | Up to $53,088 per email |