Email marketing, newsletters and GDPR

Are you sending newsletters to your contacts where you share free tips and product news? Certainly, email marketing can be one of the best and cheapest ways for a company to communicate with its target audience. All you need is an email program, a list of contacts and some relevant content.

But are there rules for the protection of personal information that you must be aware of when marketing via emails and when you expand your contact list? This blog is about the implications of GDPR as it relates to email marketing.

Build your contact list properly

GDPR regulates how you collect and use personal information. This includes, for example, names and emails. Growing your contact list will be key to making your email campaigns successful, but make sure you do it in a way that is GDPR compliant.

Note that you will have a little more leeway if your company markets to businesses (B2B) as opposed to private people (B2C). Work emails are set up for business purposes. Therefore, there is an expectation that the emails they send and receive will be commercial in nature. For this reason, there are fewer privacy and ethical issues with sending newsletters, bulk emails and targeted advertising to work emails.

That being said, it is still a good idea to follow GDPR principles when collecting people’s work emails. Why? Because most work email addresses reveal a person’s name and workplace. Therefore, they can often be used to identify the person, and as such, they may qualify as personal data. Personal data always gets GDPR protection. So, make sure you keep all the contact info you collect safe, even work emails.

You need a legal basis to collect people's emails

GDPR says you must have a legal basis to collect personal data. When you look at GDPR’s list of 6 potential legal bases, you’ll see that 5 of them repeat words like “necessary”, “required”, and “obligation”.

Of course, getting people’s email addresses just to send them unsolicited messages or newsletters is not a necessity or an obligation. Therefore, it should always be optional for the person. That is why getting consent is the best legal basis to collect new names and email addresses for email marketing. Let’s talk about how to set up consent for a newsletter under GDPR.

Start your GDPR cleanup where it is needed the most

Sensitive data tends to accumulate in employees' emails. With a GDPR Risk Scan from DataMapper, you get a report that shows any potential GDPR risks in the company's emails.

GDPR newsletter consent example

Let’s take the example of a newsletter. Under GDPR, a newsletter sharing news about your products or industry tips will probably not qualify as vital, required, or necessary. So, make sure you get specific, explicit consent from a person before using their email address for newsletters. Here’s how to set up a GDPR newsletter consent properly:

  • Make it clear that you are asking for their email to send them a newsletter.
  • Keep that consent separate from other terms and conditions.
  • Ask for active, affirmative action, like ticking an unticked tick box.
  • Do not make consent for the newsletter a condition for providing goods and services.
  • Make consent easy to withdraw, for example, with an unsubscribe link on each newsletter.

You should get consent this way anytime you collect new names and email addresses for email marketing. If you use email marketing software, choose one that makes it easy to set up this type of GDPR-compliant consent.

Before GDPR, giveaways, sweepstakes entries and other promotions were often used to capture people’s email addresses without telling them so. The person would enter their email to get the freebie and automatically become a new subscriber as soon as their data got into the company’s database. You can’t do that anymore.

It’s fine to offer incentives like free gifts or discounts when someone signs up for your newsletter. However, don’t deceive them about what they are signing up for. And as mentioned above, leave those tick boxes unticked so people can decide for themselves whether to say yes to your newsletter or not. See our newsletter offer below for inspiration. You are welcome to sign up while you’re at it.

Next, let’s talk about sending promotional emails to your existing customers. This can be a great way to stay in touch with older clients and keep them interested in your products. And in this case, you’ll have the option to use a different type of opt-in.

Soft opt-in for existing customers

As mentioned above, you should always get explicit consent to collect new emails or leads for marketing campaigns designed to convert new customers. But what about existing customers that have already provided their contact information and proved their interest in specific services/products with a concrete transaction?

Here you can look to another EU regulation called the ePrivacy directive for an alternative to explicit consent. The ePrivacy directive predates the GDPR and deals with electronic communication specifically. The two regulations should be read together and both apply to email marketing.

The ePrivacy directive states that marketing emails should be sent only to subscribers or users who have given their prior consent. However, it adds an exception to the explicit opt-in requirement for existing customers. The exception applies if you have already collected the person’s contact details in the context of a sales transaction.

If the person gave you their contact info as part of a sales transaction, you can send them marketing emails. You will not need to get consent as long as you give them an easy way to opt-out. This is called a soft opt-in, as opposed to explicit consent.

To use the soft opt-in exception, make sure you:

  • Got the person’s contact details in the context of a transaction/sale of a product or service.
  • Only email the person about products or services similar to the ones they paid for. (When they gave you their contact details.)
  • Give them a chance to opt out at the time of the sale, when you collected their details. (And they did not opt out.)
  • Remind people that they can opt-out in each marketing communication. (The opt-out ability should be simple and free-of-charge.)

In order to fulfil these conditions, you must plan ahead with email marketing in mind. Include a check box to opt out of future marketing in your sales forms. Make the emails you send existing customers interesting and relevant to the products and services they already bought. And finally, keep including the opt-out reminder in all your communications.

Anti-spam laws that complement GDPR

The ePrivacy directive requires safeguards for subscribers against intrusion of their privacy by unsolicited communications for direct marketing purposes in particular by means of […] e-mails […].

Additionally, the UK, US, Canada, and Australia (to list just a few) have their own anti-spam laws that limit and regulate email marketing. Here are some rules they have in common that are worth mentioning as best practices:

  • Do not hide or disguise your company’s identity or the purpose of your emails.
  • Include a proper postal address in all your marketing emails.
  • Do not use address-harvesting software or collect people’s email addresses from websites or any other source without their consent.

These rules are in line with the GDPR principles of transparency, accountability, and lawfulness. So, don’t try to trick people into opening your messages. Be straightforward about who you are and your purpose for sending emails. Further, you should include your company’s physical address to lend legitimacy and help people exercise their data rights. And finally, as we’ve already discussed, don’t get people’s emails without their consent.

Get our Newsletter!

In our newsletter you get tips and tricks for dealing with privacy management from our founder Sebastian Allerelli.

When you sign up for our newsletter you get a license for one user to ShareSimple, which will give you a secure email in Outlook. This special offer is for new customers only, with a limit of one freebie per company.

How to be compliant while doing email marketing

At the end of the day, you want to spend your advertising resources on people who are really interested in your products. This is exactly where email marketing has an advantage compared to other forms of advertising like social media. You can target the messages to specific groups of people that you’ve already made contact with. So, first, make sure that you only email:

  • New leads who give you explicit consent to contact them with promotional materials.
  • Current customers who have proved their interest in your products with their wallets.

Remember, being careful about who you direct your email marketing to is not just about complying with GDPR; it is also more effective. Of course, your goal is not to simply collect a longer and longer list of people to spam with unsolicited ads. It’s about sharing the right information with people who are truly interested in it. Then, before you send out your emails, make sure you:

  • Identify yourself clearly
  • Do not use misleading subject lines
  • Give people an easy way to opt-out
  • Don’t leak or sell names and emails

Sebastian Allerelli
Founder & COO at Safe Online
Governance, Risk & Compliance Specialist