If you're an internet marketer for the European region or market to customers in the EU, you're probably familiar with the GDPR to some degree.

We've covered what the GDPR entails for most small business and website owners, but what about marketers? In today's business world, marketers rely more than ever on user data and behavioral tracking to capitalize on strong leads and improve conversions.

Unlike some previous privacy laws that could be ambiguous and left some gray areas, the GDPR is strict and concise. ANY entity collecting or processing ANY personally identifiable information from residents of the EU falls under the jurisdiction of the GDPR.

That includes marketers.

Marketers who collect and use information such as names, email addresses, phone numbers, etc. should find out if any of their data subjects are residents of the EU. If so, they should be familiar with the GDPR.

Who is under the jurisdiction of the GDPR?

If you collect or process the personal information of residents of the EU, you fall under the jurisdiction of the GDPR and must be compliant with the regulation.

The GDPR, of course, regulates companies and organizations within the EU. However, the GDPR also applies to companies and organizations outside of the EU.

Unlike previous privacy laws of some countries within the EU, the GDPR applies to companies outside of the EU if they collect or process data of residents of the EU.

Marketing and data collection

The GDPR is very clear that any collection of personal data from residents of the EU is regulated by the guidelines of the GDPR. That means any personal data collected for marketing purposes would be included.

Personal information under the GDPR constitutes any information that could be used to identify a real person. Information that makes data subjects not completely anonymous and could connect that subject to a real person could be considered personally identifiable information.

This means names, email addresses, phone numbers, addresses, and other kinds of data such as this - data that is commonly used by marketers - is regulated by the GDPR.

Email lists

Modern day marketing often revolves around creating email lists. If you're dealing with users in the EU, collecting their email addresses (which is a type of data tied to a real person) is enough to require compliance with the GDPR.

The GDPR also requires consent before acquiring and using an individual's personal data. This means buying or scraping email addresses is no longer acceptable. Marketers must obtain consent before collecting an email address and have consent to contact that person using their email address.

Even minimal marketing practices fall under the jurisdiction of the GDPR, meaning a majority of modern day marketing practices would be regulated by this new set of laws.

So, if your marketing practices collect any sort of identifying information from residents of the EU, even if it is only an email address, you must be fully compliant with the GDPR.

Marketing and data processing

In addition to data collection, the processing of personal identifying information is also regulated by the GDPR. This means that even if you are not collecting the personal data as part of your marketing practices, if you are processing or otherwise using personal data that was collected elsewhere, you will still need to be compliant with the GDPR and have consent to use the information you are processing.

An example of a data processor would be a third party email automation company that doesn't directly collect emails, but processes emails collected by the marketer to send emails.

New marketing practices under the GDPR

In addition to a broader scope and less ambiguous guidelines, the GDPR also regulates how data can be used and collected, and how to go about informing users of your practices when it comes to this.

Here are a few practices that marketers will need to employ to market in compliance with the GDPR:

Under the GDPR, if you choose to rely on consent as your legal basis for collecting personal data, you must get affirmative consent before the data can be collected or used.

Unlike previous laws where soft opt-ins were acceptable (notifying a user you have a privacy policy and cookies policy and leaving it up to them to read them), the GDPR requires affirmative consent in the form of a checkbox or "I accept" button that the user must actively click before data can be collected or used (pre-checked boxes are not sufficient).

Generic sign-up checkbox - GDPR

Here's an example of how to obtain GDPR-compliant consent by getting users to check a box that clearly shows they want to share their email addresses in order to receive your marketing materials:

Lufthansa email subscribe form with consent checkbox

Disclose data collected and used

All forms of data collection and usage must be disclosed under the GDPR.

The best way to do this is with a Privacy Policy where you disclose the various types of data you collect and how you use that data.

There are two main reasons why you need a Privacy Policy:

✓ Privacy Policies are legally required. A Privacy Policy is required by global privacy laws if you collect or use personal information.

✓ Consumers expect to see them: Place your Privacy Policy link in your website footer, and anywhere else where you request personal information.

Generate an up-to-date 2024 Privacy Policy for your business website and mobile app with our Privacy Policy Generator.

One of our many testimonials:

"I needed an updated Privacy Policy for my website with GDPR coming up. I didn't want to try and write one myself, so TermsFeed was really helpful. I figured it was worth the cost for me, even though I'm a small fry and don't have a big business. Thanks for making it easy."

Stephanie P. generated a Privacy Policy

Here's an example of a clause in Canva's Privacy Policy that discloses all of the various types of information Canva collects and how it is used:

Canva’s Privacy Policy: Information collected clause

Companies must also disclose if they share or transfer data to other companies or marketers, and consent must also be obtained from data subjects before their data can be shared or transferred.

Keep your Privacy Policy updated and accurate to always reflect the types of information you are collecting and how you're using it.

Provide opt-out methods

It must also be clear that users can opt out of the data collection and processing that they previously opted-in to, and the methods of how to opt out should be clear.

You can include a note that users can opt out at the time you request consent, such as in this example:

You should also include a section in your Privacy Policy that lets users know how they can opt out of your marketing, even after they've shared an email address or other personal information.

Here's an example of a great opt-out clause from Bed, Bath and Beyond's Privacy Policy:

Bed, Bath and Beyond Privacy Policy: Your Choices clause, sections 1 and 2

Only collect necessary data

The GDPR stipulates that only the data needed for a specific process should be collected. This means that collecting a variety of data about a subject and only using some of it is unacceptable. There must be a reasonable and lawful purpose for collecting and using data.

This ensures that the individual has an understanding of what data is being collected, how it is collected, and for what purpose it is being used.

This also gives companies and marketers the responsibility to collect the minimum of information needed for their purposes.

If you only really need an email address to send the same marketing emails to everyone, don't ask for a birthdate or name of the individual.

Delete information

Under the GDPR, you can only retain collected data for as long as it is needed to fulfill the purpose you collected it for.

The GDPR also gives users the right to opt out, request that their data be deleted and that you cease any processing of that data. This includes common marketing data like email addresses and phone numbers.

If a user ceases to be a user, decides to opt-out, or collected information is no longer needed or being used, a policy should be in place that explains what happens to that data and how long it will be retained.

You should include a clause in your Privacy Policy that lets users know about deletion of personal data and how you handle that.

Here's an example of a Deletion clause from the Bed, Bath and Beyond Privacy Policy:

Bed, Bath and Beyond Privacy Policy: Your Choices clause, section 4

Keep information secure

The GDPR sets forth guidelines on how data must be protected after it has been collected.

Appropriate security measures must be taken to keep data inaccessible from unauthorized personnel, from being processed in unauthorized ways, from loss, from improper alteration, or from disclosure without proper consent.

Certain types of extra sensitive data are further regulated, but these types of data likely do not apply to standard marketing procedures.

Include a clause in your Privacy Policy that lets users know that you're working hard to keep their data secure and protected. Not only is this a general Privacy Policy requirement, but it will help your customers and the people you market to feel more at ease sharing their information with you.

Here's an example from Canva's Privacy Policy:

Canva Privacy Policy: How we store and protect your data: Storage and Processing clause

Keep information up-to-date

The GDPR requires that all collected information is accurate and can be corrected or updated by the data subject if it is inaccurate or incomplete. Make sure your marketing data is accurate and provide a way for users to check or update their information you have on file.

You should also include a clause about this in your Privacy Policy that lets users know that they can access, change and edit their personal information, and give instructions for how they can do this.

Here's how Gamestop does this:

Gamestop Privacy Policy: You May Access, Change or Modify Your Personal Information clause

Keep records

Records must be maintained regarding user consent you've obtained, company policies you have in place and anything else that might be needed to prove compliance. If you aren't already keeping records, you need to start now.

The positive side for marketers

It may sound like the GDPR is requiring a lot more work with stricter regulations about how marketers collect and use data, but there are also many benefits that will come about from the GDPR.

First and foremost, the GDPR strengthens the rights of individuals and helps protect their information and privacy. You could also see this as levelling the playing field among your competition.

The GDPR is cracking down black hat practices that abuse or exploit privacy for the sake of marketing.

If you have ever been tempted by shady marketing practices that work but are frowned upon, the GDPR is a big step toward eliminating the viability of those methods.

Sometimes it seems necessary to bend the rules when your competitors are crossing over into a gray area to improve their results, but those methods will no longer be acceptable which will help improve the image of the marketing field as a whole and regain the trust of everyday internet users.

Transparency is a big focus of the GDPR, ensuring that companies are very clear about what data they are collecting and why they are collecting it. Collecting swathes of data and using an abundance of cookies is no longer permissible without good reason.

If your marketing practices are reputable, honest and of a high caliber, you have nothing to worry about and it's likely that only minor changes will be needed. Those who use questionable methods of marketing will need to make a change or face heavy penalties or even soon be defunct.

So, while you will likely need to make changes in your marketing systems in order to remain compliant under the GDPR, the bright side is that the GDPR is leveling the playing field for reputable marketing tactics that respect the rights of individuals and their privacy.


We have discussed many aspects of the GDPR and how it will affect marketers.

Here are some key points to remember while making your marketing practices GDPR-compliant:

  • Ensure you are acquiring affirmative consent before collecting or processing data from residents of the EU (soft opt-ins and pre-checked boxes are no longer acceptable).
  • Ensure you are acquiring affirmative consent before using cookies to track residents of the EU (soft opt-ins are no longer sufficient).
  • Users have the right to revoke their consent for data collection, data usage, and cookies permission.
  • Users have the right to access data you possess about them, as well as correct and update that data or request its deletion and cessation of use.
  • Data can only be collected, processed and held as necessary to complete the tasks the user has given consent for.
  • Update your Privacy Policy to reflect any changes and cover new requirements by the GDPR.

Privacy Policy Generator
Comprehensive compliance starts with a Privacy Policy.

Comply with the law with our agreements, policies, and consent banners. Everything is included.

Generate Privacy Policy