GDPR Email Marketing: Complete Compliance Guide
GDPR (General Data Protection Regulation) affects every business that sends marketing emails to people in the European Union — regardless of where your business is based. Non-compliance can result in fines of up to €20 million or 4% of global annual turnover.
This guide explains exactly what GDPR requires for email marketing and how to comply.
Does GDPR Apply to You?
GDPR applies if you collect or process the personal data of people located in the EU or UK, regardless of where your organization is based. If any of your email subscribers are in the EU or UK, GDPR applies.
The Core Requirement: Lawful Basis
You must have a lawful basis for processing personal data. For marketing email, the only practical lawful bases are:
1. Consent (Article 6(1)(a))
The subscriber has given a clear, affirmative action to receive your marketing emails. This is the most common and most defensible basis for email marketing.
Consent requirements under GDPR:
- Freely given — not bundled with terms of service or required for a purchase
- Specific — for clearly defined types of communication
- Informed — the person knows who is collecting their data and why
- Unambiguous — a clear affirmative action (ticking a box, clicking a button) — NOT pre-ticked boxes
- Documented — you must keep proof of how and when consent was obtained
2. Legitimate Interests (Article 6(1)(f))
Usable for existing customers in some circumstances under the UK's "soft opt-in" rule. You may email existing customers about similar products or services without explicit consent, provided you offered an easy opt-out at the point of data collection.
Note: Legitimate interests is NOT a blanket justification for cold email or prospecting.
Double Opt-In: The Gold Standard
Double opt-in (confirmed opt-in) requires the subscriber to confirm their subscription via a confirmation email. This:
- Creates a clear consent record with timestamp and IP address
- Confirms the email address is valid (fewer bounces)
- Satisfies GDPR's proof-of-consent requirement
- Dramatically reduces spam complaints
MisarMail enables double opt-in by default for all new lists.
What You Must Include in Every Marketing Email
- Your business identity — who you are and how to contact you
- Postal address — required by CAN-SPAM; best practice for GDPR
- Clear unsubscribe link — visible, working, one-click
- Honest subject line — never deceptive about the email's content
Right to Erasure ("Right to Be Forgotten")
Subscribers have the right to request deletion of all their personal data. You must:
- Respond within 30 days of receiving a deletion request
- Delete their email address and all related data from your systems
- Add them to a suppression list so they are not accidentally re-added
Deletion ≠ simply unsubscribing. You must delete their contact record entirely from your database, not just mark them as unsubscribed.
MisarMail's data export and deletion tools make this straightforward via the contact management interface.
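The double opt-in consent record described above and the "delete, don't just unsubscribe" rule for erasure requests, as an added example that is not MisarMail's code. It is an in-memory model with a constructed secret key and constructed addresses; the suppression list stores only a keyed hash of erased addresses, so honouring the suppression does not itself retain the deleted personal data.

```python
import hmac
import hashlib
import secrets
from datetime import datetime, timezone


class ConsentStore:
    """Double opt-in consent records plus GDPR erasure (constructed example)."""

    def __init__(self, suppression_key: bytes):
        self._key = suppression_key   # server-side secret; rotate it and the list is unusable
        self.pending = {}             # confirmation token -> unconfirmed signup
        self.contacts = {}            # normalised email -> consent record (the proof you keep)
        self.suppressed = set()       # HMAC digests of erased addresses, never plaintext

    @staticmethod
    def _norm(email: str) -> str:
        return email.strip().lower()

    def _digest(self, email: str) -> str:
        return hmac.new(self._key, self._norm(email).encode(), hashlib.sha256).hexdigest()

    def is_suppressed(self, email: str) -> bool:
        return self._digest(email) in self.suppressed

    def request_subscription(self, email: str, ip: str, form_version: str):
        """Step 1: signup form submitted. Nothing is marketable yet; return the token to email."""
        if self.is_suppressed(email):
            return None   # erased person: do not re-add accidentally (imports/syncs must check too)
        token = secrets.token_urlsafe(32)   # unguessable, single-use confirmation token
        self.pending[token] = {
            "email": self._norm(email), "signup_ip": ip, "form_version": form_version,
            "requested_at": datetime.now(timezone.utc).isoformat(),
        }
        return token

    def confirm(self, token: str, confirm_ip: str) -> bool:
        """Step 2: link in the confirmation email clicked. This is the affirmative action."""
        signup = self.pending.pop(token, None)   # pop makes the token single-use
        if signup is None:
            return False
        signup["confirm_ip"] = confirm_ip
        signup["confirmed_at"] = datetime.now(timezone.utc).isoformat()
        self.contacts[signup["email"]] = signup
        return True

    def erase(self, email: str) -> None:
        """Right to erasure: drop the whole record (not a flag), then suppress by hash only."""
        norm = self._norm(email)
        self.contacts.pop(norm, None)
        for tok in [t for t, s in self.pending.items() if s["email"] == norm]:
            del self.pending[tok]
        self.suppressed.add(self._digest(norm))
```

Unsubscribe would simply flag or remove the contact; `erase` is the stronger operation the text requires, and a deliberate re-subscription after erasure would need its own explicit path rather than the import/sync check shown here.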
Right of Access
Subscribers can request a copy of all personal data you hold about them. Provide a complete export within 30 days, including:
- Email address and any profile data
- Subscription date and source
- Email interaction history (opens, clicks)
- Preferences and segments
Data Retention
Do not hold subscriber data longer than necessary. Best practices:
- Remove inactive subscribers after 12–18 months of no engagement
- Delete data of people who request deletion promptly
- Document your retention policy
Third-Party Data Processors
Any email platform, CRM, or analytics tool you use is a data processor under GDPR. You must:
- Have a Data Processing Agreement (DPA) in place with each processor
- Ensure processors offer adequate protection
- Not transfer data outside the EU without appropriate safeguards (Standard Contractual Clauses)
MisarMail provides a DPA upon request.
GDPR Email Marketing Checklist
- Consent was freely given, specific, informed, and unambiguous
- No pre-ticked boxes — affirmative action required
- Consent records stored with timestamp, IP address, and form version
- Double opt-in enabled
- Unsubscribe link in every marketing email
- Unsubscribes processed within 10 days (CAN-SPAM) / immediately (GDPR)
- Privacy policy linked in signup form
- DPA in place with your email platform
- Process for handling access and deletion requests
- Data retention policy documented
GDPR vs. CAN-SPAM vs. CASL
| Requirement | GDPR (EU/UK) | CAN-SPAM (US) | CASL (Canada) |
|---|---|---|---|
| Consent required | Explicit | No (but opt-out) | Express or implied |
| Unsubscribe | Immediate | Within 10 days | Within 10 days |
| Fine (max) | €20M / 4% revenue | $51,744/email | C$10M |
If you have subscribers in multiple jurisdictions, apply the strictest standard across your entire list.
See also: How to Grow Your Email List Compliantly