
How to stay compliant while maximizing the power of email to reach and engage your audience.

Email Marketing in the GDPR


Email marketing has changed; for better or worse, the General Data Protection Regulation set some boundaries for using this digital marketing strategy.

Since the many scandals surrounding companies using data and selling it to other companies, consumers have been more concerned about how they interact with brands, and governments are worried about it, too; that's why, since 2018, we have had to play under the rules of the GDPR.

While we as marketers know that the use of this data is only for selling purposes - and not to invade users' privacy - there is no more "easy access" to all of this behavioural data, and now we must ask for it. While this isn't bad for customers' well-being, it leaves us marketers wondering how we can learn more about our customers in a responsible and consenting way, and how this will affect email marketing and the way we do it.

If you want to learn more about this topic, keep scrolling as we'll discuss the GDPR, how it affects email marketing, and how we can play under its guidelines to keep excelling at our email marketing strategy.

Keep reading!

What is the GDPR?

The General Data Protection Regulation (GDPR) is a data protection law introduced by the European Union in May 2018. The law aims to offer EU citizens more control over their data and how companies and organizations can use it for any marketing purpose. As you may guess, this law significantly impacts how businesses collect, store and use personal data like email addresses, changing how we approach email marketing.

Ultimately, the GDPR protects users by regulating how companies manage their personal information. 

Under the General Data Protection Regulation, the first thing you'll need to email your list as a business is their consent. So, before you send any promotional mail or newsletter, users must give their permission.

To obtain this data, the consent process must be specific, informed and unambiguous, letting customers know what type of data we're using, how we'll use it and with whom we're going to share it. Besides, we must offer customers the opportunity to opt in or opt out of receiving emails from your company.

Also, customers expect to know how long you will keep their data and, as soon as this time ends, they'll want you to erase it.

Data is more fragile with this law, but let's see what other aspects the GDPR holds.


The rules of GDPR

To get a 360 view of what we must comply with regarding the GDPR, we share the rules or principles you must follow.

Lawfulness and transparency 

Your company must collect and process all customer data lawfully, which means that customers have to have full knowledge of what information they'll share and its use.

Purpose limitation 

The GDPR expects that you only collect and process data for legitimate purposes. Using data for a different purpose will be a direct violation of the GDPR. 

Data minimization 

Now you can only collect the necessary data for your purpose. For example, if you want to send an email newsletter, you can only collect email addresses and shouldn't focus on collecting other personal information like phone numbers or addresses.


Accuracy

If you have inaccurate data, it can incur heavy penalties for your company. To keep it safe, check up on all your stored data occasionally. If you find any incorrect data, modify or erase it.

Storage limitation 

As mentioned above, the GDPR commands you to erase any data after a certain period. You could face penalties if you keep it without stating valid reasons for it. The best tip is to delete all the data you aren't actively using. 

Integrity and confidentiality for security 

The General Data Protection Regulation recommends companies keep all user information safe from damage and misuse. Therefore, it's a good idea to invest in a high level of security to prevent any theft of this data.


Accountability

As a business, you have to record evidence that you're complying with the GDPR's rules, because the organization itself can ask for this evidence, and if you don't have it, then you know what's going to happen.

To stay current with this, ensure proper documentation so you don't have anything to worry about.


How does GDPR affect email marketing?

In essence, the main effect on email marketing is that you no longer have that "freedom" to send emails to your list. You now need permission and consent to do this. Your customer's email feed is a restricted zone, and only once they allow you to enter can you share your messages with them.

Seen from another perspective, this is a good indicator for us marketers. As we get more permission from our customers, we know they like what we offer, giving us another metric, if we want to see it this way.

It's safe to say that when we send emails that people didn't ask for, they can be perceived as spam, ultimately creating friction between customers and your brand.

Now, to stick with the GDPR, you should apply new practices like:

  1. Consumer opt-in permission rules.
  2. Systems for storing proof of consent.
  3. A method for customers to remove any data they want.

We also have to point out that this European regulation affects both B2B and B2C companies, so no one can escape the GDPR rules.

So, now your focus should be on offering enough valuable content for customers so they want to sign up for your email list or newsletters.

Also, taking care of any third-party data is a priority.

How to stay compliant with the GDPR?

As we look at the GDPR rules, how can we remain compliant with them? We cannot abandon email marketing as a strategy just because of these restrictions, so let's analyze what we must do to stay within the game's rules.

Explicit Opt-In

You must allow users to actively confirm their consent to joining your email list. To do this, show a checkbox they can click to opt in. This checkbox can't be pre-selected or pre-ticked by default; users must decide for themselves.

Separate consent and terms & conditions

Consent can't be part of the terms & conditions; it should be separate. First, customers must be 100% aware that they are consenting to receive marketing messages from your brand. Secondly, users rarely read the whole terms & conditions.

Soft Opt-In exception

Suppose you manage to obtain information about a client through the purchase of a product or service, but they didn't click on the opt-in box. In that case, even the GDPR will allow you to send digital marketing messages to this user based on the data collected during this action. This is called the soft opt-in, and to use it, you have to meet the following conditions:

  • You obtained the information of this contact in the context of a sale of your services or products.
  • The individual did not opt out when they provided their data. In addition, you clearly and distinctly showed that they could opt out during this process.
  • You can only send emails about products or services similar to those for which the customer data was collected.
  • In every email marketing communication, you must remind users of their ability to opt out.
  • The opt-out process should be simple and free of charge through all data collection steps and other communications.

It is worth noting that the condition of "finding user information through a sale" may differ between members of the European Union.

Most EU countries will allow you to send marketing messages to existing customers with the opt-out checkbox only if they have completed a transaction. It means they bought or paid for your services, and you delivered them. You can't email them if they haven't purchased, registered for your newsletter, participated in a contest, or created a user account.

However, the UK has a slight exception to the soft opt-in process, allowing marketers to start conversations even if only negotiations have occurred with the user. Having shown interest in a product is the green light to create an email marketing strategy. This type of negotiation can range from asking for a quote to asking for more details about a product. However, as we have already stipulated, these emails can only refer to products they have shown interest in.

In most European jurisdictions, though, there must have been a completed transaction before you start communicating with this client. In this case, ensure you are up to date with the conditions of your jurisdiction.

Enable opt-out option

As we said above, letting users know they can unsubscribe whenever they want is essential. 

To do this, you should place a clear unsubscribe button in your emails so they can opt out of emails if they don't want to receive them anymore.

Create compelling copy for your emails.

If you do not specify why you are contacting a user and how your offer is associated with their needs, your emails will not comply with the GDPR. That is why you must focus on creating copy compelling enough to grab their interest just by reading the subject line.

You need people to be interested in opening your emails, so you must personalize the emails according to the demands of each group within your audience. To create more compelling copy, check out these tips:

  • Statement: State how you obtained the contact's information in the message so they don't have to worry about whether their personal information is compromised.
  • Short introduction: Give a clear and concise explanation of why their information is being evaluated, how evaluating it will help you provide a better service, and that you are not using it to invade their privacy.
  • Show instructions on how to modify info: In the email footer, you can also place a short instruction on changing or removing any information the client wants.


How to do email marketing under GDPR?

Although this European regulation took away many liberties we had as marketers, we can still manage it accordingly.

We said we can't abandon email marketing as a strategy, and we won't. To help you with this, we list things you should focus on when creating your next email marketing campaign.

  • Audit your current database:
    • Know your list and how you acquired each contact.
    • How did they give consent?
    • Keep track of when and where each customer came from.
  • Check your data practices:
    • Ask for consent at the beginning of every interaction.
    • Create a privacy policy showing how you collect and process data.
  • For every new campaign, make sure you stay compliant:
    • Ensure every new campaign sticks to this process and its requirements.

Final thoughts.

Although access to data is no longer as straightforward as it used to be, certain limitations should be placed on handling user information out of respect for users' integrity and privacy. The data scandals in many massive companies have forced the authorities to put these restrictions in place. As marketers, the best thing we can do is place ourselves on the right side of the story and adapt our strategies - such as email marketing - to these new regulations.

Ultimately, we only use the study of user information to provide a more personalized service to our audience. We'll continue using all our knowledge to offer the best we can. If you need more help with digital marketing issues, let us help your business reach the next step. Contact us now!

About Bruno Gavino

Bruno Gavino is the CEO and partner of Codedesign, a digital marketing agency with a strong international presence. Based in Lisbon, Portugal, with offices in Boston, Singapore, and Manchester (UK), Codedesign has been recognized as one of the top interactive agencies and eCommerce agencies. Awarded Top B2B Company in Europe and Top B2C company in retail, Codedesign aims to foster personal relationships with clients and create a positive work environment for its team.

He emphasizes the need for digital agencies to focus on data optimization and performance to meet the increasingly results-driven demands of clients. His experience in digital marketing, combined with a unique background that includes engineering and data, contributes to his effective and multifaceted leadership style.
