News | 25/09/2017

The GDPR guide to email marketing

Posted by Lauren Isaacs

Data regulations currently differ from one European country to the next. The upcoming GDPR will align all of these countries so that they follow the same laws. The GDPR itself is a hefty document made up of 99 articles and 173 recitals. But what exactly does this mean for us email marketers? We’ve dissected the most relevant rulings and given some advice on what you can do to make your email marketing efforts comply in time for May 2018.

The change is coming…

Email marketing has always been a fast-paced, ever-changing industry, but the upcoming rulings of the GDPR are by far the biggest to come into effect in recent years. There’s no denying it – it really will affect your entire email marketing strategy. Yes – your lists won’t grow at the speed they have previously, but all is not lost. In fact, quite the contrary. It’s good to note that the changes we’ll all be making in the next 6 months or so will eventually mean that your email marketing becomes more reliable and effective.

The main focus – consent

You probably know by now that the entire process around collecting consent will be the biggest change to email marketing as we know it. This will encompass three areas: how we seek, how we collect, and how we record consent.

When seeking new email subscribers, we’ve all employed many different tactics over the years to attract sign-ups. Whether it’s providing gated content on your site or running competitions with conditional email sign-up – both of these, and any similar techniques you’ve used, will incur some changes. The GDPR has introduced a number of requirements that must be applied to the way you’re seeking consent.

Article 7 of the GDPR states:

‘If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.’

When collecting valid email consent, you must use plain, unambiguous language that clearly defines what you will do with the data you’re collecting and exactly what the customer will receive. This wording must be set apart from any other information on the page so that it stands out and is not hidden deep within lengthy T’s & C’s.

Let’s use running a competition as an example for how you’d collect new email sign ups. You’re running a competition to give away an iPhone in return for answering a question. When collecting the entries, you ask for the name and email address for every person that enters. In the past, you might have included that being added to your mailing list was a conditional part of the competition. This might have been written up in the T’s & C’s, and after collecting the contact details, you’d then upload these email addresses into your mailing list.

How this will change:

You’re running a competition to win an iPhone. You collect the email address and name of each entrant when they submit their answer. Under the email address field, you’ll now need to include a tick box (not pre-ticked) which will read ‘Sign up for our email newsletter’. Underneath this will be a description of what the subscriber will receive if they sign up. This will look something like the following:

We’d like to send you our monthly email newsletter packed full of helpful hints and tips on how to make the most out of your marketing. We will keep your data safe and will never share it with anyone else. You can opt-out at any time. To read more about our privacy policy click here.


When it comes to the collection of email addresses, recital 32 of the GDPR states:

‘Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.’

Are you currently using a pre-ticked box to collect consent upon email sign up or perhaps no box at all? Are you collecting conditional consent as part of a competition or to access gated content? If you answered yes to any of the above, you are not GDPR compliant. To qualify as valid consent from May 2018, a clear, affirmative action has to take place at point of sign up. If your current data has fallen short of this requirement, you’ll have to seek affirmative action to qualify these historic sign ups in order to continue sending to them.

Now – onto recording. This might be the most difficult change to implement. You must record the exact wording agreed to (or a screenshot of the agreement) when your subscribers signed up. This information must be stored in your database so that you can easily show proof, if required, of exactly what the agreement was.

To make sure you’re collecting everything you need for every email subscriber to comply with the new GDPR regulations, we suggest recording the following as a minimum for each new email sign-up:

  • Name
  • Email address
  • IP address
  • Opt-in time/date
  • Consent wording
  • Source

Opting-out – as easy as opting-in?

When it comes to opting out and unsubscribing from email communications, there are some rules around this too. It should be as easy to remove yourself from a list as it is to join.

Article 7 states:

‘The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.’

‘The right to be forgotten’ comes into play here; when a subscriber wants their information to be removed and forgotten, you must delete the record you hold for them. You are allowed to keep minimal information to use for suppression. So, for email marketing purposes, we’d recommend keeping the email address of the subscriber who has opted out to use for suppression purposes only. All other information you hold on this data subject should be destroyed.
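The record-keeping and opt-out handling described above can be sketched as follows. This is an added example, not code from the author; the store class, the form field name `newsletter_opt_in`, the sample wording and the rule that a fresh tick lifts suppression are all assumptions, while the recorded fields are the six listed in the article.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Wording shown beside the tick box (constructed sample, shortened from the article's example)
CONSENT_WORDING = ("We'd like to send you our monthly email newsletter. "
                   "You can opt-out at any time.")

@dataclass
class ConsentRecord:
    name: str
    email: str
    ip_address: str
    opted_in_at: datetime
    consent_wording: str   # the exact text the subscriber agreed to
    source: str            # e.g. which form or competition collected it

class SubscriberStore:
    """In-memory stand-in for the marketing database (hypothetical)."""

    def __init__(self):
        self.subscribers = {}    # email -> ConsentRecord
        self.suppressed = set()  # email addresses only, nothing else

    def sign_up(self, form, ip_address, source):
        # Browsers omit an unticked checkbox from the submission, so a missing
        # field means no affirmative action took place: store nothing.
        if form.get("newsletter_opt_in") != "on":
            return None
        email = form["email"].strip().lower()
        record = ConsentRecord(form.get("name", ""), email, ip_address,
                               datetime.now(timezone.utc), CONSENT_WORDING, source)
        # Assumption: a fresh, affirmative sign-up lifts an earlier opt-out.
        self.suppressed.discard(email)
        self.subscribers[email] = record
        return record

    def opt_out(self, email):
        email = email.strip().lower()
        # Destroy everything held on the subscriber, keep only the address
        self.subscribers.pop(email, None)
        self.suppressed.add(email)

    def can_send(self, email):
        email = email.strip().lower()
        return email in self.subscribers and email not in self.suppressed
```

Entering the competition without ticking the box leaves no subscriber record at all, and an opt-out leaves only the address in the suppression set.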

When you’re reviewing your email consent process, it’s vital to keep this advice in mind throughout all three steps of your strategy. Also spare some time to work out what changes you’ll need to make to your database and how you can qualify any data you currently have that doesn’t meet GDPR standards.


  1. Remove any pre-ticked opt-in boxes from data collection points.
  2. Record consent wording subscribers agree to when they sign up.
  3. Check all competitions you have running or have planned to make sure email sign-up isn’t a condition of entry.
  4. Check that all competitions that include data collection make it clear what happens with the entrant’s data and that this information isn’t hidden in lengthy terms and conditions.
  5. Ensure a privacy policy link is available at data collection points.
  6. Make sure all your sign-up wording describes exactly what you will be doing with subscribers’ data, who it will be shared with and what they will receive.
  7. Review all sign up processes and ensure that they all require an affirmative action.
  8. Ensure you have a process in place to deal with opt-outs to comply with GDPR standards.

Our email department hold an IDM Award in General Data Protection Regulation (created by the DMA). That means they’re perfectly placed to help advise and support you through your consent transition to make sure your sign-up process won’t fall foul of the new regulations. Sign up to our newsletter to keep up to date on all things GDPR and digital marketing or give us a call on 01273 208913 and let’s talk GDPR consent.


