GDPR Email Compliance: The Complete Guide for EU Marketing (2026)

Published December 31, 2025

TL;DR - GDPR Email Essentials

If you email anyone in the European Union, GDPR applies to you. Key requirements:

  1. Get explicit, affirmative consent before sending marketing emails
  2. Explain what you'll send and how often
  3. Make unsubscribing as easy as subscribing
  4. Keep records of consent (who, when, how)
  5. Allow users to access and delete their data

Penalties: Up to €20 million or 4% of global revenue, whichever is higher. GDPR is strict. Compliance is non-optional.

Why GDPR Changes Everything for Email Marketers

The General Data Protection Regulation went into effect in May 2018 and fundamentally changed email marketing for anyone with EU customers.

Unlike US law (CAN-SPAM), GDPR treats email addresses as personal data requiring explicit protection. GDPR fines have reached €50 million for major violations.

“GDPR isn't just a legal requirement. It's a shift toward building genuine customer relationships based on trust.”

The regulation affects:

  • Companies based in the EU
  • Companies targeting EU residents
  • Companies processing EU residents' data

If you're sending marketing emails to people in Europe, GDPR applies, regardless of where your business is located.

Understanding GDPR for Email Marketing

What GDPR Protects

Under GDPR, email addresses are "personal data" deserving special protection. This means you need a lawful basis for collecting and using them.

For marketing emails, that lawful basis is almost always consent.

The Consent Requirement

"Consent" under GDPR means:

  • Freely given: Not coerced or bundled with other agreements
  • Specific: Clear about what you're consenting to
  • Informed: You explain what data you collect and how you'll use it
  • Unambiguous: An active, affirmative action (not assumed or pre-checked)

This rules out:

  • Pre-checked opt-in boxes
  • Assumed consent from business relationships
  • Consent buried in terms and conditions
  • "Soft opt-in" (with narrow exceptions)

The Six Lawful Bases

GDPR provides six lawful bases for processing personal data:

  1. Consent - The person explicitly agrees
  2. Contract - Necessary to fulfill a contract
  3. Legal obligation - Required by law
  4. Vital interests - Protecting someone's life
  5. Public task - Performing official functions
  6. Legitimate interests - Necessary for your legitimate business interests

For marketing emails, you almost always need explicit consent. The "legitimate interests" basis has strict limitations and is risky for marketing.

GDPR Requirements for Email Marketing

1. Obtain Valid Consent

Your consent mechanism must:

Be clear and separate:

  • Consent requests must be separate from other terms/conditions
  • Use plain language, not legal jargon
  • Explain exactly what you're asking permission for

Require active opt-in:

  • Unchecked boxes that users must check
  • No pre-checked boxes
  • No assumed consent from other actions

Explain data usage:

  • What emails you'll send
  • How often you'll send them
  • How to unsubscribe
  • Your data retention policy

Example of compliant consent:

☐ Yes, I want to receive weekly marketing emails from Acme Corp
  about new products and special offers. I can unsubscribe anytime.
  See our Privacy Policy for details.

Non-compliant examples:

  • ☑ Send me updates (pre-checked)
  • "By creating an account, you agree to receive emails"
  • Consent buried in 20-page terms of service

2. Keep Consent Records

You must prove consent was obtained. Document:

  • Who consented (email address, ID)
  • When they consented (timestamp)
  • What they consented to (exact language)
  • How they consented (web form, in person, phone)
  • Where they consented (IP address for web forms)

Store these records securely and keep them as long as you're using the data (plus a reasonable period after).

3. Make It Easy to Withdraw Consent

Withdrawing consent must be as easy as giving it.

This means:

  • Clear unsubscribe link in every email
  • One-click unsubscribe (no login required)
  • Process immediately (not 30 days later)
  • No questions, no hoops, no guilt trips

You can offer a preference center, but a simple "Unsubscribe from all" must be available.

4. Respect Data Subject Rights

Under GDPR, individuals have the right to:

  • Access: Request all data you hold about them
  • Rectification: Correct inaccurate data
  • Erasure: Delete their data ("right to be forgotten")
  • Portability: Receive their data in a machine-readable format
  • Restriction: Limit how you process their data
  • Object: Object to processing (including marketing)

You must respond to these requests within one month.
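The three sections above (consent records, easy withdrawal, data subject rights) describe what a consent store has to do; the following is an added worked example, not code from the article or from any product it mentions. It keeps the who/when/what/how/where fields for each consent, only records consent when the opt-in box was actually ticked, issues a one-click unsubscribe link that works without a login (an HMAC token stands in for a session), gates every marketing send on live consent that covers the email's purpose, exports a record for access and portability requests, and on erasure keeps only a hash of the address so the opt-out can still be proven, as the retention FAQ later in the article allows. The secret key, the addresses, the IP and the `example.com` unsubscribe endpoint are constructed for the illustration.

```python
"""Consent ledger for GDPR marketing email.

Added example, not from the original article. The secret, the sample
addresses and the unsubscribe URL are constructed for illustration.
"""
import hashlib
import hmac
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlencode


@dataclass
class ConsentRecord:
    """One consent event: who, when, what, how and where."""
    email: str                      # who
    consented_at: str               # when: ISO 8601 UTC timestamp
    consent_text: str               # what: exact wording the person saw
    purposes: frozenset             # what that wording covers, e.g. {"offers"}
    method: str                     # how: "web_form", "phone", ...
    source_ip: Optional[str]        # where: client IP for web forms
    withdrawn_at: Optional[str] = None


def _now_iso() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class ConsentLedger:
    def __init__(self, unsubscribe_secret: bytes):
        self._secret = unsubscribe_secret
        self._records: dict[str, ConsentRecord] = {}
        # Erased addresses survive only as SHA-256 hashes, so the honoured
        # opt-out can still be proven without keeping the address itself.
        self._suppressed: set[str] = set()

    @staticmethod
    def _key(email: str) -> str:
        return email.strip().lower()

    @staticmethod
    def _hash(key: str) -> str:
        return hashlib.sha256(key.encode()).hexdigest()

    def record_consent(self, form: dict, consent_text: str, purposes,
                       source_ip: Optional[str]) -> Optional[ConsentRecord]:
        """Store consent only on an affirmative act: the box must be ticked."""
        if form.get("marketing_opt_in") != "on":  # unchecked box is not consent
            return None
        key = self._key(form["email"])
        rec = ConsentRecord(email=key, consented_at=_now_iso(),
                            consent_text=consent_text, purposes=frozenset(purposes),
                            method="web_form", source_ip=source_ip)
        self._records[key] = rec
        self._suppressed.discard(self._hash(key))  # fresh consent lifts an old opt-out
        return rec

    def unsubscribe_token(self, email: str) -> str:
        """Opaque per-address token so the unsubscribe link needs no login."""
        return hmac.new(self._secret, self._key(email).encode(), hashlib.sha256).hexdigest()

    def unsubscribe_link(self, email: str) -> str:
        # Hypothetical endpoint: the token, not a session, authorises the request.
        query = urlencode({"e": self._key(email), "t": self.unsubscribe_token(email)})
        return f"https://example.com/unsubscribe?{query}"

    def withdraw(self, email: str, token: str) -> bool:
        """Process an unsubscribe immediately; False only for a forged token."""
        if not hmac.compare_digest(token, self.unsubscribe_token(email)):
            return False
        rec = self._records.get(self._key(email))
        if rec is not None and rec.withdrawn_at is None:
            rec.withdrawn_at = _now_iso()
        return True

    def can_send(self, email: str, purpose: str) -> tuple[bool, str]:
        """Gate every marketing send on live, documented consent for this purpose."""
        key = self._key(email)
        if self._hash(key) in self._suppressed:
            return False, "suppressed"
        rec = self._records.get(key)
        if rec is None:
            return False, "no consent record"
        if rec.withdrawn_at is not None:
            return False, "consent withdrawn"
        if purpose not in rec.purposes:
            return False, f"consent does not cover '{purpose}'"
        return True, "ok"

    def export(self, email: str) -> Optional[dict]:
        """Access / portability: everything held, as a JSON-able dict."""
        rec = self._records.get(self._key(email))
        if rec is None:
            return None
        data = asdict(rec)
        data["purposes"] = sorted(rec.purposes)
        return data

    def erase(self, email: str) -> bool:
        """Right to erasure: drop the record, keep only a hash on the suppression list."""
        key = self._key(email)
        self._suppressed.add(self._hash(key))
        return self._records.pop(key, None) is not None
```

The send gate is the part worth wiring into the mailer: `can_send` returns a reason string so a refused send can be logged and audited, and the "content matches what they consented to" check from the article's checklist is the `purposes` test rather than a human judgement at send time.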

5. Implement Data Protection by Design

GDPR requires you to:

  • Collect only necessary data (not "nice to have")
  • Secure data appropriately (encryption, access controls)
  • Delete data when no longer needed
  • Have processes for data breaches
  • Conduct Data Protection Impact Assessments (for high-risk processing)

6. Appoint a Data Protection Officer (If Required)

You need a DPO if:

  • You're a public authority
  • You conduct large-scale monitoring
  • You process sensitive data at scale

Most small businesses don't need a DPO, but someone should be responsible for GDPR compliance.

The Legitimate Interest Exception

You can use "legitimate interests" as a lawful basis for processing without consent, but only if:

  1. You have a genuine legitimate interest
  2. Processing is necessary for that interest
  3. The person's rights don't override your interests

For existing customer relationships, you may argue legitimate interest for:

  • Relevant product recommendations
  • Service updates
  • Related offers

But this is risky. Courts interpret legitimate interest narrowly for marketing. When in doubt, get consent.

Penalties for Non-Compliance

GDPR has a two-tier penalty structure:

Tier 1 violations (less serious):

  • Up to €10 million or 2% of global revenue
  • Examples: Inadequate records, security lapses

Tier 2 violations (more serious):

  • Up to €20 million or 4% of global revenue
  • Examples: Unlawful processing, consent violations

Enforcement is real and increasing. Data protection authorities have issued hundreds of millions in fines since 2018.

Special Cases and Common Questions

Q: Can I email existing customers without consent?

It depends. If you have a legitimate interest and the customer would reasonably expect the email, maybe. But it's safer to get consent.

For new marketing campaigns, get fresh consent. Don't assume old customer relationships grant unlimited marketing rights.

Q: What about B2B email in the EU?

GDPR still applies. Work email addresses at companies are personal data if they identify an individual (jane.smith@company.com).

You may have a legitimate interest argument for B2B, but consent is safer.

Q: Can I use purchased email lists?

Generally no. GDPR requires consent to be freely given and specific to your organization.

Purchased lists can't meet this standard:

  • Recipients didn't consent to you specifically
  • They likely didn't consent at all
  • You can't prove valid consent

Q: What about cookie-based email capture?

If you're tracking website visitors and triggering emails based on behavior, you need:

  • Cookie consent (separate requirement)
  • Email consent before sending
  • Clear privacy notice

Invisible tracking plus automatic emails equals GDPR violation.

Q: Do I need consent for transactional emails?

No. Transactional emails (order confirmations, password resets, shipping updates) are covered under "contract" or "legitimate interests," not consent.

But don't hide marketing in transactional emails. A shipping notification is fine. A shipping notification with "You might also like..." needs consent for the marketing portion.

Q: What if someone gives verbal consent?

Verbal consent is valid if:

  • You document it thoroughly (who, when, what was said)
  • You can prove it was freely given and informed
  • You have a recording or detailed notes

Written/digital consent is much easier to prove and defend.

Q: How long can I keep email addresses?

As long as you have a lawful basis and a legitimate reason. Once someone unsubscribes or you stop using the data, you should delete it unless:

  • Legal requirements mandate retention
  • You need it for accountability (proving you honored opt-out)

Document your data retention policy and follow it.

GDPR vs. Other Email Laws

If you're marketing globally, you may need to comply with multiple laws:

CAN-SPAM (United States):

  • No consent required (opt-out law)
  • Less strict on data protection
  • Lower penalties

CASL (Canada):

  • Requires express or implied consent
  • Similar strictness to GDPR
  • Different consent documentation requirements

When laws conflict, follow the strictest requirement.

The Email Compliance Checklist (GDPR)

Before Collecting Emails:

  • ✅ Consent form uses clear, plain language
  • ✅ Opt-in box is unchecked by default
  • ✅ Privacy policy is linked and accessible
  • ✅ Consent data collection is configured (timestamp, IP, etc.)

For Every Marketing Email:

  • ✅ You have documented consent for this recipient
  • ✅ Email contains clear unsubscribe link
  • ✅ Sender information is accurate
  • ✅ Content matches what they consented to

Ongoing:

  • ✅ Consent records are backed up and secure
  • ✅ Unsubscribes are processed immediately
  • ✅ Data is deleted when no longer needed
  • ✅ Team is trained on GDPR procedures
  • ✅ Privacy policy is up to date

The Bottom Line on GDPR Email Compliance

GDPR email compliance comes down to one principle: respect people's data and choices.

Get explicit permission before emailing. Be transparent about what you're doing. Make it easy to leave. Protect the data you collect.

Companies that treat GDPR as a burden miss the point. Subscribers who actively choose to hear from you are more engaged, convert better, and build your brand.

GDPR forces you to build a quality email list. That's good for business.


Need help ensuring your emails are compliant? Use our Subject Line Analyzer to check for spam triggers and ensure your subject lines match your content.

P.S. If you found this useful, you're going to love our Email Subject Line Tester
