The General Data Protection Regulation (GDPR) has changed how businesses manage their email marketing programs.

Luckily, compliance is not difficult to achieve.

This article will help you make sure your marketing communications are compliant with the GDPR requirements and take you through everything you need to know in order to get there.

Who Does the GDPR Apply To?

The GDPR applies to any organization, wherever it is based, that collects or otherwise processes the personal data of individuals in the EU.

For these purposes, personal information refers to "any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

In other words, anything from name or gender to geolocation data is considered personal data according to the GDPR.

Even if your business is not located in the EU, if your website or mobile application is collecting any such data or email addresses from EU residents, the GDPR applies to you. This regulation can apply to and be enforced upon almost any business in the world. Failure to comply could result in heavy fines.

The idea of obtaining user consent for email marketing is nothing new. Although anti-spam laws vary from nation to nation, many companies currently rely on a pre-checked box that signs users up for marketing communications unless they untick it (often loosely called a "soft opt-in").

This is the method that Starbucks currently uses for its signup forms:

Starbucks create an account form

Another common method is to include a note that says something similar to "By submitting this form you accept future offers from us."

You can see an example of this method below from Etsy:

Etsy registration form

Neither of these methods for adding emails to your marketing list will be considered compliant under the GDPR.

According to the GDPR, consent will be defined as:

"Any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed."

In regard to pre-checked boxes, Recital 32 goes on to say that "silence, pre-ticked boxes or inactivity should therefore not constitute consent."

That's pretty specific. According to the above edicts, the following examples are NOT compliant with the GDPR's definition of valid user consent.

Land Rover provides consumers with choices regarding marketing communication, but since the boxes are all pre-checked, they are not compliant with GDPR:

Land Rover contact form with pre-checked boxes

McDonald's Create Profile form assumes user consent upon submitting the form. This is not clear and unambiguous consent:


It's not overly complicated to obtain user consent according to the GDPR's requirements. Here are a few ways to create compliant email signup forms.

  • The double opt-in: After users register an account or sign up to receive email offers, send a confirmation email containing a link. Only when they click that link do you add them to the list, and the logged click (address, time and the form it came from) is your record of their affirmative consent.

    This confirmation email from Lufthansa is a good example:

    Lufthansa confirmation email

  • Check yes or no: When users are filling out a contact or other form, give them two choices: "Yes, I want to receive special offers via email" or "No, I do NOT want to receive special offers via email." Require them to choose one before submission.

    Here's an example of this tactic from Selfridges:

    Selfridges create an account form with opt-in for communication

  • Give more options: Provide users with a choice of how they'd like to be contacted for marketing purposes. Depending on your company's capabilities, you might offer them a choice of email, text message, phone, regular mail, or to opt out of marketing communications altogether.

    Woolworth's provides users with a choice of text or email, but neither of the boxes is pre-checked:

    Woolworth signup form with unchecked text and email options

One important point to note about the GDPR is that it requires you to be able to demonstrate the consent of each and every user you hold information on (Article 7(1)). This goes for email lists as well.

With this in mind, it's your responsibility to perform a review of your customer database. You'll need to ask yourself the following questions regarding the personal data you have on file:

  1. Did your customers expressly and unambiguously consent to your collection of their information? Remember, a pre-checked box or assumed consent is no longer considered valid.
  2. Do you have an accessible record or proof of consent for each user?

If the answer to these questions is yes, then you have nothing to worry about regarding your list.

If the answer to one or both of these questions is no, then you'll need to perform a re-permission campaign - a communication that goes out to all opted-in contacts on your marketing list to explicitly reaffirm their consent.

This is an example of a re-permission email from Chipotle:

Chipotle re-permission email to get consent

This can be achieved in several ways. Many companies identify their EU customers first, since the GDPR protects individuals in the EU rather than everyone on the list. Be aware that an email address alone says little about where its owner lives, so a segmented re-permission campaign only works if you hold reliable location data; when in doubt, re-permission the entire list. Whichever scope you choose, here are some possible methods to employ:

  1. The safest way is to provide them with a link to a webform where each user confirms consent to receive marketing communications and types in their email address manually. Record the date, time and source of each confirmation; that record is your proof of consent under the GDPR.
  2. You may also simply ask users to reply to an email or text message confirming their consent, but this method comes with the risk of ambiguous replies that do not provide clear consent.

Whatever method you choose to repermission customers, remember never to contact users that have previously opted-out of your marketing communications. Communicating with individuals who have expressly unsubscribed from your email database could result in a fine.

Although you may create a message that is as compelling and persuasive as possible, re-permission campaigns will always result in a smaller list, since those who ignore the message will need to be deleted as well as those who deny their consent.

However, this practice will ensure that your list is current, compliant, and free of liability in the future.

Most importantly, keep a clear record of these and all future user consent affirmations in order to satisfy GDPR requirements.
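The double opt-in described above and the proof-of-consent and re-permission requirements in this section come down to one small mechanism: a confirmation link that cannot be forged or reused, and an audit record written when it is clicked. The following Python is an added example, not code from the article or from any company it names. The function names, the in-memory ledger, the HMAC secret and the sample addresses are all assumptions; a real deployment would persist the records and load the secret from a secret store.

```python
# Added example: double opt-in tokens plus a consent ledger. Not the article's code.
from __future__ import annotations
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass

# Assumption: a per-deployment secret; a real system loads it from a secret store.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 7 * 24 * 3600  # a confirmation link stops working after a week


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()


def _now(now: float | None) -> int:
    return int(now if now is not None else time.time())


def issue_token(email: str, source: str, now: float | None = None) -> str:
    """Build the opaque token that goes into the confirmation link.

    The HMAC binds the address, the collection point ('signup_form',
    'repermission_2018', ...) and the issue time, so a link cannot be edited
    to confirm someone else's address and cannot be forged without the secret.
    """
    claims = {"email": email.strip().lower(), "source": source, "iat": _now(now)}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return payload + "." + _sign(payload.encode())


def verify_token(token: str, now: float | None = None) -> dict:
    """Return the claims if the signature checks out and the token is still fresh."""
    payload, _, sig = token.partition(".")
    if not sig.isascii() or not hmac.compare_digest(sig, _sign(payload.encode())):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(payload))
    age = _now(now) - claims["iat"]
    if age < 0 or age > TOKEN_TTL_SECONDS:
        raise ValueError("token expired")
    return claims


@dataclass(frozen=True)
class ConsentRecord:
    """One provable consent event: who, through which form, when, from where, to what."""
    email: str
    source: str
    consented_at: int   # unix time the confirmation link was followed
    ip: str             # address the click came from
    wording: str        # the exact statement the person agreed to


class ConsentLedger:
    """In-memory stand-in for the audit table a real deployment would persist."""

    def __init__(self) -> None:
        self.records: dict[str, list[ConsentRecord]] = {}
        self.redeemed: set[str] = set()   # sha256 of tokens already used (single use)
        self.opted_out: set[str] = set()  # addresses that must not be contacted again

    def confirm(self, token: str, ip: str, wording: str,
                now: float | None = None) -> ConsentRecord:
        """Redeem a confirmation link once and write the proof of consent."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        if digest in self.redeemed:
            raise ValueError("token already used")
        claims = verify_token(token, now)
        rec = ConsentRecord(claims["email"], claims["source"], _now(now), ip, wording)
        self.records.setdefault(rec.email, []).append(rec)
        self.redeemed.add(digest)
        self.opted_out.discard(rec.email)  # a fresh affirmative action supersedes an old opt-out
        return rec

    def opt_out(self, email: str) -> None:
        self.opted_out.add(email.strip().lower())

    def may_email(self, email: str) -> bool:
        """Only addresses with a recorded consent and no later opt-out get marketing mail."""
        e = email.strip().lower()
        return e in self.records and e not in self.opted_out

    def repermission_targets(self, existing_list: list[str]) -> list[str]:
        """Legacy addresses with no proof of consent that may still be asked for it.

        Opted-out addresses are excluded: they must not be contacted again,
        not even to ask for permission.
        """
        legacy = {e.strip().lower() for e in existing_list}
        return sorted(legacy - set(self.records) - self.opted_out)


if __name__ == "__main__":
    ledger = ConsentLedger()  # constructed sample data, not real subscribers
    link_token = issue_token("Alice@Example.com", "signup_form")
    print("confirmation link: https://example.com/confirm?t=" + link_token)
    print(ledger.confirm(link_token, "203.0.113.5", "Yes, I want to receive special offers via email"))
    print(ledger.repermission_targets(["bob@example.com", "alice@example.com"]))
```

Three properties matter here. The token is signed, so an attacker cannot subscribe someone else by editing the address in the link; it expires, so a stale link in an old mailbox does not create consent months later; and it is single use, so one click produces exactly one record. The record stores the wording the person agreed to, which is what you will need to show if a regulator or the individual asks what exactly was consented to.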

Inform Consumers of Their Rights and Choices

Another stipulation of the GDPR is that you must be transparent and inform users of their choices regarding the processing of their personal data and marketing communications.

You can provide users access to their data in any way you wish, but these options must be listed in your Privacy Policy.

The Privacy Policy should also include clear information about users' choices regarding marketing communications. Many companies provide a link to a dedicated webform where consumers can choose their communications preferences. This is a good way to prevent them from unsubscribing altogether since they can pick and choose the type of communication they prefer.

Politico gives users different newsletter subject matter to choose from:

List of newsletters from Politico with checkboxes for opting in

Easy-to-understand instructions or a dedicated email address for opting out are also sufficient.

See this example from Adobe's Privacy Policy:

Adobe Privacy Policy: Communication clause with unsubscribe information

Of course, anti-spam laws require a clear unsubscribe link in all marketing emails, and the GDPR gives individuals the right to object to direct marketing at any time, which in practice amounts to the same thing; you likely already knew that. Also be sure to supply a valid return email address in case consumers prefer to opt out by replying to an email message.

This marketing email from Etsy shows both a direct unsubscribe link and a valid return address:

Etsy email showing unsubscribe link

Examples of GDPR-Compliant Email Marketing

Swiss food giant Nestlé exhibits the proper consent and compliance for email marketing on all points. Their email marketing signup form requires each user to type in contact information manually as well as check the appropriate box to choose their preferred communications.


Note that none of the checkboxes are pre-ticked. Visitors must take a clear, affirmative action to choose their preferred marketing emails.

Nestlé's email messages include a clear unsubscribe link and a disclosure about the third-party email service used to send them. Although naming the sender in every email is not strictly required (the privacy notice must already list the recipients or categories of recipients of the data), transparency is always encouraged by the ICO:

Nestle email footer showing unsubscribe link and a third-party disclosure

Nestlé's Privacy Policy lists consumers' rights regarding marketing communication and provides instructions on various methods for opting-out:

Nestle Privacy Policy: Your rights over your personal data clause

All of this helps with GDPR compliance.

Lufthansa also presents visitors with a double opt-in procedure for registering on the website or subscribing to their newsletter. Visitors must manually type in an email address and tick the checkbox to accept marketing emails:

Lufthansa email subscribe form with consent checkbox

Within the Lufthansa Privacy Policy, users will find instructions on how to manage marketing communications:

Lufthansa Privacy Policy: Newsletter consent clause

Inside their account interface, Lufthansa gives users several options for managing their communication preferences:

Lufthansa Communication settings interface

An interface like this makes it easy for your users to adjust their communication preferences, and easy for you to stay compliant.

The BBC in the UK implements the 'check yes or no' method for subscribing to email communications during its registration process:

BBC registration form showing email opt-in

Their Privacy Policy provides information on marketing communication and accessing email preferences:

BBC Privacy and Cookies Policy: Contacting for marketing purposes clause

Make sure your marketing communications are GDPR-compliant by:

  • Making sure you have clear, unambiguous consent from anyone you send marketing emails to. Remember to keep records of this.
  • Updating your Privacy Policy with the relevant and required information relating to communications. This informs users of their rights (for example, the right to opt out) as required under the GDPR.
