
GDPR and Email Marketing

GDPR (General Data Protection Regulation) is the EU regulation on personal data protection, enforceable since 25 May 2018. It applies to any organization that processes data of EU residents, regardless of where the organization is based. An email address is personal data under GDPR because it can identify a natural person directly or indirectly. Every operation with email addresses — collection, storage, segmentation, sending — falls under the regulation.

Legal bases for email sending

GDPR defines six legal bases for data processing. Two apply to email marketing: consent and legitimate interest.

Consent must be freely given, specific, informed, and unambiguous. A pre-ticked checkbox does not qualify. Bundling consent with a purchase does not qualify either — subscribing to a newsletter and completing a transaction are separate actions that each need a separate opt-in.

Legitimate interest permits limited marketing to existing customers: for example, emailing a buyer about related products. The controller must run a balancing test documenting that the business interest does not override the individual’s rights. Cold outreach to purchased lists does not survive this test.

Consent collection requirements

The subscriber must take an affirmative action: tick an unchecked box, click a subscribe button, or type their address into a clearly labeled form. Silence, inactivity, or navigating to another page cannot constitute consent.

You must store proof: the date and time of consent, the IP address, the exact text of the form at the moment of subscription, and the version of your privacy policy. If a supervisory authority asks, you must be able to show that consent was obtained correctly.

Double opt-in is not explicitly required by GDPR, but data protection authorities in Germany and Austria treat it as the de facto standard. The confirmation click proves that the address owner actually initiated the subscription. Without it, anyone can subscribe someone else’s address.

Subscriber rights

Right to withdraw consent. Unsubscribing must be as easy as subscribing. If a one-click form was enough to opt in, a five-step process to opt out violates the regulation. Every marketing email must contain a working unsubscribe link.

Right of access. On request, you must provide the person with all data you hold: email address, subscription date, mailing history, segments. Response deadline: 30 days.

Right to erasure. The person can request deletion of all their data. In practice, move the address to a suppression list rather than deleting it entirely. If you delete it outright, it can re-enter the database through a new import — and you end up mailing someone who explicitly asked you to stop.

Right to data portability. The individual can request their data in a machine-readable format (CSV, JSON) for transfer to another service.
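The consent-proof, double opt-in, erasure and portability requirements above fit together into one small record-keeping routine. The following Python sketch is an added example written for this glossary entry; it is not uChecker code or any library's API. It assumes an in-memory store, a 48-hour confirmation window, a suppression list keyed by the SHA-256 of the normalized address (a design choice so the blocklist can work without holding the erased address in the clear; the hash is still pseudonymized personal data), and that a fresh, confirmed opt-in lifts an earlier suppression. Sample addresses and IPs are constructed.

```python
"""Consent ledger with double opt-in, erasure to a suppression list and a
portable export. Added example; all storage is in memory and illustrative."""
import hashlib
import json
import secrets
from dataclasses import asdict, dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

CONFIRM_WINDOW = timedelta(hours=48)  # assumption: unconfirmed requests expire


def _now() -> datetime:
    return datetime.now(timezone.utc)


def normalize(email: str) -> str:
    return email.strip().lower()


def suppression_key(email: str) -> str:
    # Hash of the normalized address; lets the suppression check run without
    # keeping the erased address itself. Still personal data under GDPR.
    return hashlib.sha256(normalize(email).encode()).hexdigest()


@dataclass
class ConsentRecord:
    """Proof of consent: when, from where, what the form said, which policy."""
    email: str
    requested_at: str
    ip: str
    form_text_sha256: str          # hash of the exact wording shown at sign-up
    privacy_policy_version: str
    confirmed_at: Optional[str] = None   # set by the double opt-in click
    withdrawn_at: Optional[str] = None   # set when consent is withdrawn
    mailings: list = field(default_factory=list)


class ConsentLedger:
    def __init__(self) -> None:
        self.pending: dict = {}       # confirmation token -> ConsentRecord
        self.subscribers: dict = {}   # normalized email -> ConsentRecord
        self.suppressed: set = set()  # suppression_key() values

    def request_subscription(self, email, ip, form_text, policy_version, now=None) -> str:
        """Affirmative action taken; returns the token sent in the confirmation mail."""
        now = now or _now()
        rec = ConsentRecord(
            email=normalize(email),
            requested_at=now.isoformat(),
            ip=ip,
            form_text_sha256=hashlib.sha256(form_text.encode()).hexdigest(),
            privacy_policy_version=policy_version,
        )
        token = secrets.token_urlsafe(32)  # unguessable, single use
        self.pending[token] = rec
        return token

    def confirm(self, token, now=None) -> bool:
        """Double opt-in: only the address owner can present the token."""
        now = now or _now()
        rec = self.pending.pop(token, None)  # pop makes the token single use
        if rec is None:
            return False
        if now - datetime.fromisoformat(rec.requested_at) > CONFIRM_WINDOW:
            return False
        rec.confirmed_at = now.isoformat()
        self.subscribers[rec.email] = rec
        # Design choice (assumption): a new confirmed opt-in overrides an old suppression.
        self.suppressed.discard(suppression_key(rec.email))
        return True

    def can_mail(self, email) -> bool:
        rec = self.subscribers.get(normalize(email))
        return rec is not None and rec.confirmed_at is not None and rec.withdrawn_at is None

    def unsubscribe(self, email, now=None) -> None:
        """Withdrawal: keep the record (it proves the withdrawal), stop mailing."""
        rec = self.subscribers.get(normalize(email))
        if rec is not None:
            rec.withdrawn_at = (now or _now()).isoformat()
            self.suppressed.add(suppression_key(email))

    def erase(self, email) -> None:
        """Right to erasure: drop the data, keep only the suppression hash."""
        key = normalize(email)
        self.subscribers.pop(key, None)
        self.pending = {t: r for t, r in self.pending.items() if r.email != key}
        self.suppressed.add(suppression_key(key))

    def filter_import(self, addresses) -> list:
        """Dedupe an incoming list and block anything on the suppression list.
        Imported addresses still need their own legal basis; this only stops
        erased or withdrawn people from re-entering the database."""
        seen, accepted = set(), []
        for addr in addresses:
            key = normalize(addr)
            if key in seen or suppression_key(key) in self.suppressed:
                continue
            seen.add(key)
            accepted.append(key)
        return accepted

    def export_portable(self, email) -> Optional[str]:
        """Right of access / portability: everything held, as JSON."""
        rec = self.subscribers.get(normalize(email))
        return None if rec is None else json.dumps(asdict(rec), indent=2)


if __name__ == "__main__":
    ledger = ConsentLedger()
    token = ledger.request_subscription("Alice@Example.com", "203.0.113.5",
                                        "Yes, send me the newsletter", "policy-v3")
    print("mailable before confirm:", ledger.can_mail("alice@example.com"))
    ledger.confirm(token)
    print("mailable after confirm:", ledger.can_mail("alice@example.com"))
    print(ledger.export_portable("alice@example.com"))
    ledger.erase("alice@example.com")
    print("import survives suppression:", ledger.filter_import(["alice@example.com", "bob@example.org"]))
```

The confirmation token is popped on first use, so a replayed link cannot re-confirm, and an expired request is refused rather than silently accepted; the access export returns the same record that was stored at sign-up, which is what a supervisory authority would ask to see.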

Penalties

Two tiers. For procedural violations (inadequate record-keeping, missing data processing agreements): up to 10 million EUR or 2% of global annual turnover, whichever is higher. For substantive violations (sending without consent, refusing erasure requests): up to 20 million EUR or 4% of turnover.

Enforcement varies by country. The Irish DPC, which oversees many tech companies, issued a 1.2 billion EUR fine to Meta in 2023. Smaller companies typically receive warnings or fines in the tens of thousands, but even a 50,000 EUR penalty can threaten a small business.

GDPR and email verification

Sending email addresses to a third-party verification service is a transfer of personal data to a data processor. Under Article 28, a Data Processing Agreement (DPA) must be in place. The processor must not retain addresses beyond what the verification task requires and must implement appropriate technical safeguards.

Cleaning an email list is itself a GDPR-aligned activity. Removing invalid addresses reduces the chance of mailing people who never consented. Suppression list management, bounce handling, and deduplication all reduce unnecessary data processing — which is one of the regulation’s core principles.

uChecker helps maintain GDPR compliance: validation catches invalid and risky addresses before you send, shrinking the volume of data processed and reducing the chance of mailing addresses without active consent.
