
GDPR Compliance in Email Marketing

Categories: General Obligations; Consumer Rights

“Don’t miss out on the latest deals”, “subscribe to our newsletter”, “get exclusive offers and personalized tips for shopping” – for many businesses, email marketing is still the primary and most effective customer acquisition channel. Collecting email addresses and sending direct marketing messages to consumers and even B2B contacts triggers the application of the GDPR and other European laws if the recipient is in the EU, regardless of whether the sender is established in the EU or not (read more about the GDPR’s international scope here).

Enforcement procedures of the European Union make it easy for privacy-sensitive persons to complain about infringements of GDPR requirements, causing severe liability risks for retailers, travel and transport operators, content providers and other businesses relying on email marketing. Data protection supervisory authorities regularly issue penalty notices against companies failing to comply with the GDPR and other EU laws. In this article, we explain what you need to look at to keep your email marketing funnels in compliance with the GDPR.

How to collect email addresses in compliance with the GDPR

Apart from buying leads from third-party sources, two major touchpoints for collecting email addresses should be distinguished:

  • Scenario 1 (lead generation): A user enters her email address into an online form, e.g. in order to create an account, to subscribe to promotions, discounts, exclusives, content-rich newsletters, to access a lead magnet or to participate in a lottery or competition.
  • Scenario 2 (post-sales marketing): A customer orders goods or services and enters his email address during a checkout process, or he signs up to an online service or mobile app.

Collecting email addresses from EU-based (prospective) customers for marketing purposes is governed by the EU General Data Protection Regulation and the ePrivacy Directive which complements the GDPR in the context of direct marketing. The requirements for sending e-mail communications, SMS, MMS, and direct messages through social media depend on the scenario in which the contact details have been collected.

Scenario 1: Lead generation

If no conversion happened yet and the user provides the contact details directly to the advertiser, it is always necessary to obtain the prospect’s explicit consent prior to sending marketing emails. What’s important to understand in the first place is that the mere fact that someone voluntarily enters the email address to subscribe for, let’s say, a newsletter, does not necessarily prove full GDPR compliance. Instead, the numerous requirements for obtaining valid consent practically micro-manage the funnel design.

Here are 7 requirements you should consider:

  • Consent can only be given by the person who holds the email address. – Example: An online retailer lets its website visitors enter third-party email addresses in order to recommend certain products. Such a “tell a friend” feature is unlawful, as the third party receiving the email has not consented to marketing.
  • Consent must be unambiguous. This means that the subscriber actively opts in or otherwise clearly indicates their wish to subscribe. – Example: On a news platform, users can sign up to personalize content. “Hiding” consent to email marketing somewhere in the terms and conditions is insufficient. Valid consent instead requires that the user actively clicks on a separate tick box. If, on the other hand, receipt of emails is the sole purpose of the form (e.g. newsletter subscription) and the other conditions for valid consent are met, it may not be necessary to have a separate tick box in place.
  • Moreover, in order to prove the subscriber’s identity, the advertiser should send a confirmation link which should be activated by the user prior to sending marketing emails (“double opt-in”). – Example: An unknown person subscribes to newsletters with the email address of his archenemy just to annoy him. From the advertiser’s perspective, sending such newsletters without having the email address confirmed via a “double opt-in” procedure causes legal risks.
  • Consent is only valid if related to specific purposes. The description of what the user subscribes to should therefore be accurate and comprehensive. – Example: Providing an email address is a condition for participating in a prize draw. If the organizer intends not only to contact her if she wins the prize but also for marketing purposes on a regular basis, this must become clear from the website.
  • Beyond describing the purposes of data collection, the user must be able to easily identify the advertiser’s identity. – Example: A user enters a specific landing page without clear company branding via Google. When she submits her email address, it should be clear which legal entity is responsible for the data processing under the GDPR.
  • The law requires data controllers to inform the user of the right to withdraw consent in case he changes his mind. – Example: A newsletter subscription form is accompanied by a text stating that “you can easily unsubscribe anytime by clicking a link at the bottom of each newsletter or by sending an email to”. Such a design complies with the ePrivacy Directive.
  • Consent must be “freely given”, meaning that the user has a real choice and does not face negative consequences in case he declines to consent. In detail, complying with this requirement can be tricky (click here for further information on “paywall or consent” models). A German court ruling, however, recently acknowledged the practice of tying free benefits to the condition of consenting. – Example: A website visitor can only access a lead magnet if she agrees to receive marketing emails. In such a context, it may be argued that she has a free choice to decide whether accessing the lead magnet is “worth” it.
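The double opt-in requirement above is the one item in this list that maps directly onto an implementation: no marketing mail may go out until the mailbox holder has confirmed, and the advertiser should be able to show later when, for what purpose and from where consent was given. The following Python sketch is an added example written for this article; it is not code from EU-REP.Global or from any mailing provider. It assumes an HMAC-signed, time-limited confirmation token (`make_confirmation_token` / `verify_confirmation_token`) that binds the address to the stated purpose, an in-memory `ConsentLedger` standing in for a database, and constructed addresses, URLs and timestamps. Sending the confirmation email itself is left to the caller.

```python
import base64
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Signing key for confirmation links. Constructed for this example; a real
# deployment loads it from a secrets store and rotates it.
SECRET_KEY = secrets.token_bytes(32)

# Unconfirmed sign-ups expire so a stale link cannot be redeemed months later.
TOKEN_TTL_SECONDS = 48 * 3600


def make_confirmation_token(email: str, purpose: str,
                            issued_at: Optional[int] = None,
                            key: bytes = SECRET_KEY) -> str:
    """URL-safe token binding the address, the purpose it was collected for
    and the issue time. Only someone who can read the mailbox sees it."""
    issued_at = int(time.time()) if issued_at is None else int(issued_at)
    payload = f"{email.strip().lower()}|{purpose}|{issued_at}".encode()
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode().rstrip("=") + "." + sig


def verify_confirmation_token(token: str, now: Optional[int] = None,
                              key: bytes = SECRET_KEY) -> Optional[Tuple[str, str]]:
    """Return (email, purpose) for a genuine, unexpired token, else None."""
    now = int(time.time()) if now is None else int(now)
    try:
        encoded, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))
        email, purpose, issued = payload.decode().rsplit("|", 2)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):       # constant-time comparison
        return None
    if not (int(issued) <= now <= int(issued) + TOKEN_TTL_SECONDS):
        return None
    return email, purpose


@dataclass
class ConsentRecord:
    """What the advertiser keeps as proof of consent."""
    email: str
    purpose: str
    requested_at: int
    confirmed_at: int
    source: str                     # form or landing page where the address was entered
    withdrawn_at: Optional[int] = None


class ConsentLedger:
    """Pending and confirmed opt-ins per (email, purpose) pair; stand-in for a database."""

    def __init__(self) -> None:
        self.pending = {}   # (email, purpose) -> (requested_at, source)
        self.records = {}   # (email, purpose) -> ConsentRecord

    def request_subscription(self, email: str, purpose: str, source: str,
                             now: Optional[int] = None) -> str:
        """Register the sign-up and return the token to embed in the confirmation link."""
        now = int(time.time()) if now is None else int(now)
        pair = (email.strip().lower(), purpose)
        self.pending[pair] = (now, source)
        return make_confirmation_token(pair[0], purpose, issued_at=now)

    def confirm(self, token: str, now: Optional[int] = None) -> bool:
        """Called when the link is clicked; a token confirms at most once."""
        now = int(time.time()) if now is None else int(now)
        pair = verify_confirmation_token(token, now=now)
        if pair is None or pair not in self.pending:
            return False
        requested_at, source = self.pending.pop(pair)
        self.records[pair] = ConsentRecord(pair[0], pair[1], requested_at, now, source)
        return True

    def withdraw(self, email: str, purpose: str, now: Optional[int] = None) -> bool:
        """Unsubscribe; the record is kept, with the withdrawal time, as evidence."""
        now = int(time.time()) if now is None else int(now)
        rec = self.records.get((email.strip().lower(), purpose))
        if rec is None:
            return False
        rec.withdrawn_at = now
        return True

    def may_send(self, email: str, purpose: str) -> bool:
        """Gate every marketing send on a confirmed, unwithdrawn record."""
        rec = self.records.get((email.strip().lower(), purpose))
        return rec is not None and rec.withdrawn_at is None


if __name__ == "__main__":
    ledger = ConsentLedger()
    link_token = ledger.request_subscription("alice@example.com", "newsletter",
                                             "https://shop.example/signup")
    print("may send before confirmation:", ledger.may_send("alice@example.com", "newsletter"))
    print("confirmed:", ledger.confirm(link_token))
    print("may send after confirmation:", ledger.may_send("alice@example.com", "newsletter"))
```

Two design points matter for the compliance picture: the token carries the purpose, so a confirmation for "newsletter" cannot later be presented as consent to a different mailing, and the record is never deleted on unsubscribe but marked withdrawn, so the controller can still show both the original consent and its withdrawal if a complaint is raised.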

Scenario 2: Post-sale marketing

The EU ePrivacy Directive provides an exception from the strict consent requirement if the user has already purchased items or services from the advertiser. Regarding existing customers, the opt-in requirement turns into an opt-out model.

This exception only applies if 3 conditions are cumulatively met:

  • The company obtained the email address in the context of a sale of a product or service. According to a German court ruling, at least under the German provisions which reflect the ePrivacy Directive, this can also include the setting where a customer creates a user account, providing his personal data to the advertiser in exchange for a free service. – Example: A user signs up to a dating platform for a free basic version. This may already be regarded as the sale of a service.
  • The company can only advertise its own similar products or services. Hence, marketing emails may only promote products and services which satisfy the same needs as those initially purchased by the individual customer, including accessories and supplements. – Example: A customer purchased a hockey stick in an online shop. The retailer may then send marketing emails for other hockey equipment but not for ball pens.
  • The customer must have the opportunity to opt out from marketing emails for free and in an easy manner. In the context of collecting the email address (e.g. checkout process) as well as in any marketing email, the advertiser must clearly and distinctly inform the customer about this right. – Example: When creating a user account for a mobile app, the user is given the opportunity to untick a pre-ticked checkbox if she doesn’t want to receive marketing emails. This is an acceptable opt-out design.

How to meet other GDPR requirements

In addition to the requirements mentioned above, advertisers must also ensure that they are in compliance with other GDPR obligations:

  • The use of contact details for email marketing must be reflected within the service’s privacy policy. It should become clear that the user will receive such emails, what sort of products or services will be advertised, and which companies are responsible.
  • Where the advertiser makes use of email marketing services to distribute marketing communications, it should be ensured that the service offers to conclude a Data Processing Addendum under Article 28 GDPR. Many providers such as Mailchimp or Sendinblue include such agreements in their standard terms.
  • Data controllers must be able to comply with data subjects’ rights under the GDPR, such as “the right to be forgotten” and data subject access requests, and maintain appropriate technical and organizational measures for data security.
  • Explanations on how advertisers use this marketing channel must be included in the “records of processing activities” under Article 30 GDPR, where applicable.

Email marketing to EU customers …

… in compliance with EU privacy laws is burdensome but possible. As a key priority, advertisers should verify that their funnel design provides for opt-in consent where required. In order to reduce legal risks stemming from official complaints by customers, it should be ensured that unsubscribe links are easily accessible and working.


Who is EU-REP.Global?

We are a data protection service provider based in Germany, focused on compliance services under the EU General Data Protection Regulation.
