💡 GDPR: The General Data Protection Regulation, the EU's sweeping privacy law that controls how you collect, store, and use people's personal data (including email addresses). It went into effect on May 25, 2018, and applies to any organization processing the data of EU residents, no matter where the business is actually located.
If you send emails to anyone in Europe, you're under GDPR's jurisdiction.
The regulation requires you to secure people's data and make it easy for them to control what you do with it.
Organizations that violate GDPR face fines up to €20 million or 4 percent of global revenue, whichever is higher. That's not a slap on the wrist.
For email specifically, GDPR changed everything about how marketing and transactional messages work. You can't just buy a list and start blasting. The GDPR requires businesses to obtain clear, explicit consent before contacting anyone by email. That means actual opt-in checkboxes that people actively click, not pre-ticked boxes or implied consent.
But it's not just marketing. GDPR governs your entire email operation. How long you store messages, how you secure them, and what happens when someone asks you to delete their data. It matters more than most people realize.
There are four main compliance areas:
Lawful basis for processing. You need a legal reason to collect and use someone's email address. Processing is only allowed if either the data subject has consented, or there is another legal basis. For marketing emails, that's almost always consent. For transactional emails (order confirmations, password resets), you can rely on legitimate interest or contractual necessity instead.
Individual rights. People can request access to their data, ask you to correct it, or demand you delete it entirely. The famous "right to be forgotten" requires you to erase personal data when it's no longer needed. Your email systems need to actually support these requests, not just acknowledge them.
Data security. GDPR requires "data protection by design and by default," meaning organizations must always consider the data protection implications of any new or existing products or services. Email encryption is specifically mentioned as a technical measure you should implement. Five years ago, encrypted email wasn't practical. Now it's table stakes.
Proof of compliance. You need records. When someone opted in, how they did it, what they agreed to. The GDPR requires companies to keep records of consent, including who gave permission, when and how they did so, and what information they were shown at the time. Without documentation, you can't prove compliance during an audit.
Consent is valid if it is freely given, informed, unambiguous, and specific. That last part trips people up. You can't bundle consent for marketing emails with consent for terms of service. They're separate things requiring separate checkboxes.
Here's what valid consent looks like: Someone visits your site, sees an unchecked box that says "Yes, send me weekly product updates," actively clicks it, and submits the form. That works.
What doesn't work: pre-checked boxes, consent implied from a purchase, or treating silence as a yes. If you don't have explicit, unambiguous consent from the visitor to receive marketing messages, you can't send them, or you risk heavy fines.
Double opt-in is even better. Once someone fills out the sign-up form and clicks submit, they're sent an email with a confirmation link, and marketing communications commence only after they've confirmed their consent. It rules out accidental subscriptions and gives you rock-solid proof of consent.
There's one exception: soft opt-in for existing customers. If you obtain your customer's email address during the sale of your product or service, you can use it for direct marketing of similar products, as long as you provide an option to opt out. But you still need that unsubscribe link in every message.
Article 5(e) states that personal data can be stored for "no longer than is necessary for the purposes for which the personal data are processed." Most of us never delete emails. That's now a compliance problem.
You need a retention policy. How long do you keep customer emails? Support tickets? Marketing lists? Whatever you decide, document it and actually follow it. Some email services offer an expiring email option that allows you to set messages for deletion after a designated length of time.
When someone requests deletion, you have to act. After someone unsubscribes, delete their name and personal information from your email list. Keep just enough to remember their opt-out preference, nothing more.
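As an added illustration (not code from this page or from any email provider), here is a Python sketch of the consent workflow described above: a pending record that captures exactly what the visitor was shown, an HMAC-signed confirmation link for double opt-in, a check that marketing may only go out after confirmation, deletion on unsubscribe that keeps nothing but a hashed suppression entry, and purging of sign-ups that were never confirmed. The class and field names, the 48-hour link lifetime, the signing key, and the sample addresses are all assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed for this example; a real deployment loads the key from a secret store.
SIGNING_KEY = secrets.token_bytes(32)
CONFIRM_TTL = timedelta(hours=48)  # assumed lifetime of a confirmation link


def _norm(email: str) -> str:
    return email.strip().lower()


def _suppression_key(email: str) -> str:
    # After opt-out only a hash is kept: enough to honour the preference, nothing more.
    return hashlib.sha256(_norm(email).encode()).hexdigest()


class ConsentLedger:
    """Double opt-in consent records plus an opt-out suppression list (illustrative)."""

    def __init__(self, key: bytes = SIGNING_KEY, clock=None):
        self.key = key
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.records = {}     # normalised email -> consent evidence
        self.suppressed = set()  # hashed addresses of people who opted out

    def _token(self, email: str, requested_at: datetime) -> str:
        # The link token binds the address to the sign-up time; it cannot be forged without the key.
        msg = f"{email}|{requested_at.isoformat()}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def request_signup(self, email: str, consent_text: str, form_version: str, source: str) -> str:
        """Step 1: the visitor ticked an unchecked box and submitted the form.
        Record what they saw and return the token for the confirmation link."""
        email = _norm(email)
        now = self.clock()
        self.records[email] = {
            "email": email,
            "status": "pending",
            "requested_at": now,
            "consent_text": consent_text,  # exact wording shown at the time
            "form_version": form_version,
            "source": source,              # which page or form collected it
            "confirmed_at": None,
        }
        return self._token(email, now)

    def confirm(self, email: str, token: str) -> bool:
        """Step 2: the confirmation link is clicked. Only now may marketing start."""
        email = _norm(email)
        rec = self.records.get(email)
        if rec is None or rec["status"] != "pending":
            return False
        now = self.clock()
        if now - rec["requested_at"] > CONFIRM_TTL:
            return False  # stale link; purge_stale_pending() will remove the record
        expected = self._token(email, rec["requested_at"])
        if not hmac.compare_digest(expected, token):
            return False
        rec["status"] = "confirmed"
        rec["confirmed_at"] = now
        self.suppressed.discard(_suppression_key(email))  # fresh consent overrides an old opt-out
        return True

    def may_send_marketing(self, email: str) -> bool:
        """Gate every marketing send on confirmed consent and the suppression list."""
        email = _norm(email)
        rec = self.records.get(email)
        return (rec is not None and rec["status"] == "confirmed"
                and _suppression_key(email) not in self.suppressed)

    def withdraw(self, email: str) -> None:
        """Unsubscribe: erase the personal data, keep only the hashed opt-out."""
        email = _norm(email)
        self.records.pop(email, None)
        self.suppressed.add(_suppression_key(email))

    def purge_stale_pending(self) -> int:
        """Retention: unconfirmed sign-ups older than CONFIRM_TTL are deleted."""
        now = self.clock()
        stale = [e for e, r in self.records.items()
                 if r["status"] == "pending" and now - r["requested_at"] > CONFIRM_TTL]
        for e in stale:
            del self.records[e]
        return len(stale)

    def evidence(self, email: str) -> Optional[dict]:
        """Proof of consent for an audit or a subject access request."""
        return self.records.get(_norm(email))
```

The clock is injectable so the expiry and purge behaviour can be exercised deterministically; in production the records would live in a database with the same fields, and the suppression hash would be checked by whatever actually sends the mail, not only by the sign-up code.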
Most importantly, read the GDPR rules and keep up to date with them on the GDPR website. These rules can change over time, so you should periodically check to be sure you are in compliance.
If in doubt, contract a specialist to help you set up systems which comply with regulations.
Use double opt-in for all marketing lists. It's the cleanest proof of consent and filters out fake addresses.
Make unsubscribe easy. According to GDPR standards, withdrawing consent must be as easy as giving it. One-click unsubscribe links in every email. No hoops, no guilt trips.
Encrypt email where possible. GDPR specifically mentions encryption as a protective measure. End-to-end encrypted email services exist now and aren't that hard to implement.
Separate transactional from marketing. Different legal bases, different retention rules. Keep them in different systems if you can.
Document everything. Consent records, retention policies, security measures. If you can't prove you tried to comply, penalties are higher.
Review your email lists regularly. Clean out inactive subscribers, verify consent documentation still exists, and check that opt-out requests were actually processed.