GDPR and ePrivacy Email Marketing Checklist

Email marketing is an integral part of any business's marketing strategy. According to Statista research, as of February 2023, there were 4.14bn email users and 319.6bn emails sent daily worldwide. Your business is also likely using email marketing.

But do you know how to do GDPR-compliant email marketing?

You may have heard about the EU's General Data Protection Regulation (GDPR), which may raise questions about your email marketing practices.

The GDPR protects individuals’ personal data and requires companies to protect it. It limits the possibility of using email addresses for marketing purposes. In addition, the EU’s ePrivacy Directive contains some specific rules for email marketing.

In this article, you’ll learn how to do email marketing in compliance with the GDPR and the ePrivacy Directive.

We will start by introducing the most important aspects of the GDPR and the ePrivacy Directive related to email marketing.

Then we will apply that to specific cases.

⬇️ In the end, you’ll have a checklist of what you can and must not do.

How GDPR Email Marketing Rules Affect Your Business

Understanding how GDPR affects email marketing requires learning about the GDPR principles, personal data, the legal bases for data processing, and international data transfers.

GDPR Principles

The GDPR allows you to use emails for marketing within the constraints set to protect personal data. You can even collect emails available on the internet to contact people. But only if you do it in compliance with the GDPR principles.

The GDPR principles apply to email marketing in the following ways:

1. Lawfulness, fairness, and transparency

Lawfulness requires you to have a legal basis for processing email addresses. For email marketing, you will most likely rely on the person's consent or on your legitimate interests.

You should be fair about personal data processing. For example, you should not trick users into giving their consent to receive marketing emails.

Transparency means that you must also inform the users about what you do with their personal data. You can explain it in a privacy policy.

2. Data minimisation

You can process only the minimum amount of personal data you need. Process emails only where necessary.

3. Purpose limitation

You can process emails only for the purposes they have been collected in the first place. If you collected an email address only to send the user a free PDF report, you must not send the user any marketing emails afterwards.

4. Storage limitation

Keep the email addresses only until you need them. Delete the email addresses you don’t need anymore. It is a good practice to remove emails from unresponsive customers. If someone unsubscribes, do not contact them anymore.

5. Accuracy

It is your responsibility to ensure that your email lists are accurate. You must take all reasonable steps to erase or rectify inaccurate data without delay, and it may be reasonable to erase the data in some cases.

6. Data security

Always use reliable email marketing tools and protect your accounts with strong passwords. Ensure that the email addresses are kept secure wherever they are stored.

7. Accountability

You are responsible for complying with the GDPR, and you must be able to show it. This includes storing the subscribers’ consents, having a visible privacy policy and being able to show other things that you have done to protect personal data.

What is Personal Data?

GDPR applies to personal data – any information related to a natural person that can identify that person, directly or indirectly.

Since an email address is directly related to a single individual, it is personal data protected by the GDPR. Yet, you should know that only a natural person’s email is personal data.

An email address such as john.smith@gmail.com is personal data. It clearly identifies a person.

An email address such as sales@bigcompany.com is not personal data. It does not identify a person. The address john.smith@bigcompany.com, however, identifies a person despite the company domain; therefore, it is personal data protected by the GDPR.

What Are the Legal Bases for Data Processing?

The GDPR prescribes six legal bases for data processing:

  • Consent
  • Contractual necessity
  • Legitimate interests
  • Vital interest
  • Public interest
  • Legal obligation

This means you should find one of these legal bases to use the user’s personal data (email, name, surname etc.).

As a general rule, the ePrivacy Directive requires prior consent before you send marketing emails to a natural person.

An exception to the consent requirement is "soft opt-in". The ePrivacy Directive allows you to send marketing emails without consent if specific criteria are met:

  1. you have collected the email address in the context of the sale of a product or a service;
  2. you use the email address for direct marketing of your own similar products or services;
  3. you have given your customer the opportunity to object to email marketing when the email address was collected;
  4. you give your customer the opportunity to object (unsubscribe) on each email message;
  5. once the customer objects to email marketing, you stop doing it.

Considering the user has the right to revoke consent, the unsubscribe option should be in all your marketing emails.

However, each EU country can adopt slightly different rules from the ePrivacy Directive. For example, the Irish “ePrivacy Regulations” allow using the “soft opt-in” only if the initial marketing email is sent within 12 months after the purchase.

In Germany, the consent must be in the form of a double opt-in. That means you must send your subscriber an email in which the subscriber confirms the email address used for the subscription to the newsletter. This helps you avoid a situation where someone is using someone else’s email to sign up for your newsletter.

Therefore, you should always check if the local laws have additional requirements for your email marketing campaign.
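To make the rules above concrete, here is an added example (not Ligalio's code) that models the send-eligibility decision a mailing system could make for each recipient: consent, German double opt-in, the soft opt-in criteria, the Irish 12-month limit and the legal-person exception. The Contact fields, the list of role mailboxes, the use of category equality as a stand-in for "similar products", and the 365-day approximation of Ireland's 12-month window are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional, Tuple

ROLE_LOCAL_PARTS = {"info", "sales", "office", "contact", "support"}  # assumed functional mailboxes
SOFT_OPT_IN_WINDOW = timedelta(days=365)  # Irish 12-month limit, approximated in days (assumption)

@dataclass
class Contact:
    email: str
    country: str                                   # recipient's country, ISO-3166 alpha-2
    consent_marketing: bool = False                # separate, un-pre-ticked marketing consent recorded
    consent_confirmed: bool = False                # double opt-in confirmation email was acted on
    unsubscribed: bool = False                     # objected at collection or via the unsubscribe link
    purchase_date: Optional[date] = None           # set only if the email was collected in a sale
    purchased_category: Optional[str] = None       # what the customer bought (assumed taxonomy)
    objection_offered_at_collection: bool = False  # soft opt-in criterion 3
    first_marketing_sent: Optional[date] = None    # date of the first soft opt-in email, if any

def is_role_address(email: str) -> bool:
    return email.split("@", 1)[0].lower() in ROLE_LOCAL_PARTS  # names a function, not a person

def may_send_marketing(c: Contact, category: str, today: date) -> Tuple[bool, str]:
    """Decide whether one marketing email about `category` may go to `c`, with the reason."""
    if c.unsubscribed:
        return False, "recipient objected; stop all marketing"
    if is_role_address(c.email):
        return True, "legal-person mailbox: no prior consent needed (check local law)"
    if c.consent_marketing:
        if c.country == "DE" and not c.consent_confirmed:
            return False, "Germany: consent must be confirmed by double opt-in"
        return True, "explicit consent on record"
    # No consent: the only remaining route is the ePrivacy soft opt-in.
    if c.purchase_date is None:
        return False, "no consent and no existing customer relationship (e.g. abandoned cart)"
    if not c.objection_offered_at_collection:
        return False, "soft opt-in needs an objection opportunity at collection"
    if c.purchased_category != category:
        return False, "soft opt-in covers only similar products or services"
    if (c.country == "IE" and c.first_marketing_sent is None
            and today > c.purchase_date + SOFT_OPT_IN_WINDOW):
        return False, "Ireland: first soft opt-in email must follow the purchase within 12 months"
    return True, "soft opt-in"

def sample_decisions(today: date = date(2023, 6, 1)) -> Dict[str, Tuple[bool, str]]:
    """Run the article's scenarios on constructed contacts; returns {scenario: (allowed, reason)}."""
    sofa = Contact("john.smith@gmail.com", "IE", purchase_date=date(2023, 1, 10),
                   purchased_category="furniture", objection_offered_at_collection=True)
    stale = Contact("old.customer@example.ie", "IE", purchase_date=date(2022, 1, 10),
                    purchased_category="furniture", objection_offered_at_collection=True)
    return {
        "sofa_similar": may_send_marketing(sofa, "furniture", today),
        "sofa_tv": may_send_marketing(sofa, "tv", today),
        "ie_stale": may_send_marketing(stale, "furniture", today),
        "de_unconfirmed": may_send_marketing(Contact("anna@example.de", "DE", consent_marketing=True), "news", today),
        "role_mailbox": may_send_marketing(Contact("sales@bigcompany.com", "DE"), "news", today),
        "abandoned_cart": may_send_marketing(Contact("cart@example.fr", "FR"), "news", today),
    }
```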

Given these restrictions of the ePrivacy Directive, we can look at the possible GDPR legal bases for using personal data in your marketing campaign.

Consent

If you ask users for consent to use their emails for marketing purposes, the consent must be:

  • freely given;
  • specific for marketing purposes;
  • informed through an up-to-date and compliant privacy policy;
  • unambiguous, meaning you must not assume the user’s consent (e.g., no pre-ticked boxes).

Note that you must keep the consents received to show that you comply with the law.

Legitimate interests

The GDPR mentions that the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest (Recital 47).

Before processing emails based on legitimate interest, you must conduct a legitimate interest assessment. The assessment consists of three tests:

  • purpose test, where you assess whether you have a purpose for processing;
  • necessity test, where you assess whether the processing is necessary; and
  • balancing test, where you assess whether the rights and freedoms of the data subject override your business interests.

We will conduct a legitimate interests assessment further down in the article to give you an idea of the cases in which you could rely on it.

International Data Transfers

International data transfers are a tricky issue in the GDPR email marketing world, mainly because many email marketing tools come from the US market.

You do not need any additional safeguards if you transfer personal data only to countries within the EU/EEA and countries that have an adequate level of data protection. If you want to transfer personal data to other countries, you need to implement additional safeguards according to the GDPR and the Schrems II decision.

The problem is that the level of data protection in the US is not considered adequate. This is mainly because, according to the US laws, US authorities have quick and easy access to the personal data stored on the servers of US companies. This means that you are at risk if you use US service providers, store personal data in the US or store personal data on servers run by US companies.

That means using Gmail, Mailchimp, ConvertKit, and similar US-based services may bring you into non-compliance with the GDPR email marketing rules if you don’t take additional safeguards to protect the data.

The EU plans to pass an adequacy decision for the US, but it will take time.

To be on the safe side, you can use email marketing service providers that can ensure that the personal data does not leave the EU/EEA or countries with adequate protection for personal data.

You need to know these basics to grasp the GDPR better and apply it to email marketing campaigns. Now we can proceed to apply that to email marketing.

GDPR and ePrivacy Email Marketing Guide

This part will show how email marketing laws work in practice.

Here we’ll consider the following situations:

  • You collect emails without a lead magnet
  • You collect emails with a lead magnet
  • Emails to existing customers
  • Cold email outreach
  • Reminders about abandoned shopping carts
  • Buying email lists

Collecting Emails Without a Lead Magnet

Let’s say you have an email newsletter sign-up form on your website. Right above or right below the form, you tell website visitors that they can submit their email to receive your marketing emails. If you do the wording right, you may assume that the subscribers who have signed up consent to receiving further emails.

If you collect emails for multiple purposes, you must allow subscribers to choose what to subscribe for. The checkboxes must not be pre-ticked by default. That way, the subscriber would explicitly consent to receive your emails, and you’ll be able to prove the collection of consent easily. It is also a good practice to provide them with a link to the privacy policy at the consent collection.

Your duty in this email marketing practice is to allow them to easily opt out from receiving your marketing emails. Most email automation tools will enable you to place an “unsubscribe” link at the bottom of each email, which would be enough to comply with this GDPR email marketing rule.

(Image: GDPR email marketing template)

Collecting Email with a Lead Magnet

If you offer your website visitors a free PDF that you’ll send to their email addresses, it doesn’t mean you can send them marketing emails later. They never consented to receive your marketing emails. They allowed you only to send them the free PDF, and that’s it.

If you want to send them the free PDF and an email marketing sequence later on, you need their explicit consent for email marketing.

The two most common ways to obtain their consent lawfully are:

  • To offer them a checkbox to consent to receive marketing emails. The checkbox must be unchecked and non-obligatory for receiving the free PDF. You’re free to send them marketing emails if they check the checkbox.
  • Ask them for explicit consent in the email in which you send the PDF. You can attach the PDF to an email saying: “If you want to receive more content on this topic, click on this link.” Clicking the link segments the user who clicked it and counts as consent to receive emails from you in the future. These emails can contain your offers to them.

A common mistake marketers make in such a situation is bundling consent with their terms and conditions. Accepting terms and conditions does not mean consent to marketing emails.

(Image: GDPR email marketing template)

Emails to Existing Customers

You can do email marketing with existing customers. Existing customers are those who have bought a product or a service from you. They are considered to have done a “soft opt-in", meaning that you can assume they consented to receive the emails because they already bought from you and may be interested in buying similar products or services. For example, if you have sold a sofa to a customer, you could send an email about a special offer for sofas or chairs. However, you can’t send special offers about products unrelated to the client’s initial purchase (the sofa), for example, a TV.

Here, you must also let the customers in each email opt out easily, for example, with an "unsubscribe" link.

Reminders About Abandoned Shopping Carts

Often customers start purchasing goods or services and leave the website before finishing the purchase. It may be tempting to send a reminder to the email address the customer typed in during the ordering process. You may want to offer a discount or remind the customer that the purchase is unfinished. Such a reminder can be seen as a marketing email.

As we remember, the general rule requires prior consent to send marketing emails. This means you can ask the customer in your order form whether the customer wants to receive marketing emails, such as reminders about abandoned shopping carts.

Justifying such reminders based on “soft opt-in” would be difficult. Your customer may not buy anything from you, and thus you do not have any existing customer relationship. Thus, the “soft opt-in” would not apply to customers who have not bought anything from you.

For example, the Irish Data Protection Commission has stated that direct electronic marketing cannot be sent to a prospective customer who does not complete a purchase.

The French CNIL has also clarified that a mere user profile creation is insufficient to send marketing emails if no purchase is made.

Cold Email Outreach

To do cold email outreach means contacting people for the first time. There is no way to ask them for consent without using their emails. It is not entirely correct to imply that if they have published their email addresses online, they have agreed to receive your marketing emails.

Also, you do not have any existing customer relationships with people who do not know you. Thus, you cannot rely on soft opt-in.

The ePrivacy Directive does not require prior consent from legal persons. This means you can do cold outreach to emails such as info@company.com. However, you must make sure that any local laws do not require such consent.

Considering this, sending marketing emails to unknown people is not a safe practice. You can do it at your own risk. Ideally, you should evaluate each situation yourself or consult your lawyer, especially if you are about to start an extensive email outreach campaign.

Hiring Someone To Do Email Outreach

If you are hiring someone to do email outreach campaigns on your behalf, discuss where the service providers get their email lists and if they have legal rights to target those email addresses with your marketing emails.

Otherwise, you may breach privacy laws and get a fine for non-compliance.

Ideally, include specific clauses in your contract with the email marketing service provider about personal data protection to protect yourself. Especially mention where the service provider will obtain the email addresses used for email marketing.

Buying an Email List

Although buying an email list is not explicitly forbidden by the GDPR or the ePrivacy Directive, there is hardly any way to make it legal. The only exception is if the list seller has obtained the subscribers’ explicit consent to sell their email addresses, which is rarely the case.

Email list subscribers must opt in to receive emails from you. If you buy a list of subscribers who have never heard of you, it is evident that they have not consented to be contacted by you in the first place.

Therefore, buying email lists and sending mass emails is not advisable.

GDPR Fines for Violations of Email Marketing Laws

Non-compliant email marketing practices lead to fines. Here are a few examples to give you an idea of what may happen if you do not follow the rules:

  • The Hungarian data protection authority (DPA) fined a telecom company EUR 28 000 for sending unsolicited emails without consent, refusing to stop sending them, and making the unsubscribe process difficult;
  • The French DPA fined a catering company EUR 20 000 for multiple violations, including sending emails without consent;
  • The Belgian DPA fined a company EUR 10 000 for not stopping sending emails to a subscriber who had unsubscribed;
  • The Belgian DPA fined a politician EUR 5 000 for sending promotional emails to a person, with which he violated the purpose limitation principle (the email was obtained for another purpose).

So, how to avoid GDPR fines? Let’s get into dos and don’ts.

GDPR and ePrivacy Email Marketing Checklist

Based on everything we have explained, here's a quick checklist of what you must do to avoid violating the GDPR and the ePrivacy Directive. We’ll start with the most common mistakes to avoid and then turn to the best practices.

The Most Common Mistakes Email Marketers Make

🔴 Assume your website visitors consented to receive your emails

🔴 Pre-tick consent checkboxes

🔴 Buy email lists

🔴 Send marketing emails to addresses collected for other purposes

🔴 Upload your email list to the Facebook Audience tool (it violates the purpose limitation principle)

🔴 Store email addresses on servers in unsafe countries

🔴 Keep contacting people who have unsubscribed

🔴 Bundle consent and Terms and Conditions

GDPR Email Marketing Best Practices

🟢 Always obtain consent or use “soft opt-in” when appropriate

🟢 Ask for separate consent for each data processing purpose

🟢 Ensure that your consent checkboxes are not pre-ticked

🟢 Inform users how you got their emails (e.g., by having a privacy policy)

🟢 Inform users about your privacy practices in general, mainly when you collect consents and emails (a link to the privacy policy is sufficient. You can use the Ligalio self-help tool to generate your privacy policy at an affordable price)

🟢 Ensure that your privacy policy is up to date with your current business practices

🟢 Use email addresses only for the purposes they have been collected

🟢 Let people unsubscribe from the email communication

🟢 Respect people’s choice to unsubscribe from the emails

🟢 Ensure that you store your email addresses in the EU/EEA or a country with adequate protection for personal data

🟢 Ensure that you do not transfer email addresses to an unsafe third country (including the United States) without proper safety assessment and protection

🟢 Rely on legitimate interest only upon a legitimate interest assessment

🟢 Keep records of obtained consent

🟢 Audit and clean your email list regularly

🟢 Remove unresponsive email subscribers from your email list

🟢 Rely on double opt-in if you send marketing emails to Germany

🟢 Use a reliable email service provider

🟢 Separate consent from Terms and Conditions
