GDPRGeneral Data Protection Regulation

Definition

The GDPR (General Data Protection Regulation) is the European Union’s data-protection law, in force since May 2018, that governs how any organisation handles the personal data of people in the EU and EEA. For email it changes the default: marketing generally requires freely given, specific, informed opt-in consent that you can prove, and recipients can withdraw that consent as easily as they gave it. It applies to you wherever you are based if you target EU residents.

  • An EU regulation with extraterritorial reach: it applies to anyone targeting EU residents
  • Marketing email generally needs opt-in consent, the opposite of CAN-SPAM
  • Consent must be freely given, specific, informed, and demonstrable with records
  • Top-tier fines reach €20 million or 4% of global annual turnover
At a glance
Jurisdiction EU / EEA
In force since 25 May 2018
Consent model Opt-in (freely given)
Key articles Art. 6 (lawful basis), Art. 7 (consent)
Reach Extraterritorial (Art. 3)
Max fine €20M or 4% global turnover

The rights it gives recipients

GDPR hands individuals a set of rights over their data that a sender has to be ready to honor:

  • Access: the right to know what data you hold about them and to get a copy.
  • Rectification: the right to have inaccurate data corrected.
  • Erasure (“right to be forgotten”): the right to have their data deleted.
  • Object: the right to object to processing for direct marketing at any time, which you must honor.
  • Withdraw consent: as easily as it was given, with no penalty.

For an email programme this means your unsubscribe and your data handling have to actually delete or suppress people on request, not just stop one campaign. Honoring these rights is both a legal duty and good list hygiene: people who do not want your mail are the same people most likely to mark it as spam.

Reach and penalties

GDPR’s reach is extraterritorial. Under Article 3 it applies to any organisation, anywhere in the world, that offers goods or services to people in the EU or monitors their behaviour. A company in the US or Asia emailing EU residents is squarely in scope, which is why GDPR matters far beyond Europe.

The fines are tiered. Less severe breaches can reach €10 million or 2% of global annual turnover, whichever is higher. The most serious breaches, including violating the basic principles for consent, can reach €20 million or 4% of global annual turnover, whichever is higher. Because the percentage is tied to worldwide revenue, the ceiling for a large company runs into the hundreds of millions.

Can you send this marketing email under GDPR?

You want to email an EU resident for marketing
Do you have a lawful basis, normally freely given opt-in consent?
No consent: do not send Consent on record: continue
Can you prove who consented, when, and to what?
Does every message offer a one-step way to withdraw consent?
Compliant: send, and honor any withdrawal or objection at once

GDPR vs CAN-SPAM

GDPR CAN-SPAM
Region EU / EEA (and anyone targeting it) United States
Consent Opt-in required first Opt-out after the fact
Scope All personal-data processing Commercial email only
Proof of consent Required Not required
Max penalty €20M or 4% of global turnover Up to $53,088 per email

By the numbers

4%
Of global annual turnover, or €20 million if higher, the top-tier GDPR fine for the gravest breaches.
2018
GDPR took effect across the EU and EEA on 25 May 2018.
Opt-in
The default for marketing email: affirmative, freely given consent you can later prove.

Common mistakes

Relying on pre-ticked boxes
Consent under GDPR must come from a clear affirmative act. A pre-checked subscribe box, silence, or inactivity is not valid consent, and bundling it into terms and conditions fails the “freely given” and “specific” tests.
Keeping no proof of consent
Article 7 requires you to be able to demonstrate consent. If you cannot show who opted in, when, and how, you cannot rely on it, no matter how the address was actually collected.
Assuming it does not apply outside the EU
GDPR is extraterritorial. If you target or monitor people in the EU, it applies wherever your company sits. “We are not a European business” is not a defence.
Making withdrawal harder than sign-up
Consent must be withdrawable as easily as it was given. Forcing a recipient to log in, reply, or fill a form to unsubscribe breaches GDPR and drives spam complaints.

Frequently asked questions

Does GDPR require double opt-in?
Not explicitly. GDPR requires valid, demonstrable consent but does not mandate a specific mechanism, so single opt-in with solid records can satisfy it. However, double opt-in produces the clearest, time-stamped proof that the address owner actively consented, which is why it is strongly recommended and effectively expected in strict markets such as Germany and Austria.
Does GDPR apply to companies outside the EU?
Yes. Under Article 3 GDPR applies to any organisation, anywhere, that offers goods or services to people in the EU or EEA or monitors their behaviour. A US, UK, or Asian company that emails EU residents for marketing is in scope and must meet the consent and data-rights requirements.
What is the maximum GDPR fine?
The top tier is €20 million or 4% of the organisation’s total worldwide annual turnover, whichever is higher, for the most serious breaches such as violating consent rules. A lower tier of €10 million or 2% of global turnover applies to less severe infringements.
How is GDPR different from CAN-SPAM?
GDPR is opt-in and CAN-SPAM is opt-out. Under GDPR you generally need provable consent before emailing an EU resident for marketing; under CAN-SPAM you may email a US recipient first as long as you offer a clear opt-out and a postal address. GDPR also governs all personal data, not just email, and carries far larger fines.
Reviewed by Jennifer Jackson, Email Deliverability Analyst · June 2026 ← Back to glossary