GDPR Rules for Email Marketing: How to Stay Compliant and Keep Your Subscribers

“Best practice” is a term often bandied around in marketing, and to be honest, we usually like to ignore most of it. However, when it comes to the GDPR rules for email marketing, we make a firm exception.

Many of us remember the absolute panic when the General Data Protection Regulation (GDPR) first arrived in May 2018. Companies across the globe were ditching entire email lists for fear of heavy fines due to “dodgy” opt-in practices. While some of that panic was justified, GDPR fundamentally changed how marketing teams handle data collection for the better.

Who Must Comply?

You might think your small business or specific location exempts you, but GDPR has a global reach. It applies to any business processing the personal data of EU citizens, regardless of your company’s size or physical location. If you have a single subscriber or website visitor from any of the 27 EU member countries, you must comply – even if you are based in the UK, the US, or elsewhere.

Navigating the GDPR Rules for Email Marketing Consent

Under GDPR, consent is the “Gold Standard”. To be valid, it must be freely given, specific, informed, and unambiguous.

Active Opt-In

Forget pre-checked boxes or “implied” consent. The user must take a physical action to engage, such as ticking a blank box. If they didn’t click it themselves, you don’t have consent.

The Power of Double Opt-In

While the law doesn’t strictly mandate it, we highly recommend a double opt-in process. Sending a confirmation email where the user must click a link verifies the email address and confirms their intent to hear from you. It builds a much cleaner, more engaged list.

Granular Options

Don’t force a “take it or leave it” approach. Ideally, users should choose the specific types of content they want, such as newsletters versus promotional offers, rather than agreeing to a blanket consent.

Data Rights and Transparency

Transparency is non-negotiable. You must clearly explain how you collect, store, and protect subscriber data within your Privacy Policy. Furthermore, you must respect the following subscriber rights:

  • The Right to be Forgotten: If a subscriber asks you to delete their data, you must erase their personal information from your systems entirely.
  • The Right to Access: Subscribers can request to see exactly what personal data you hold on them at any time.

Data Hygiene and the Pitfalls of Purchased Lists in Email Marketing

Compliance requires proof. You must maintain detailed records of who consented, when it happened, and which form they used.
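As an added illustration (not code from the original post), here is a small Python sketch of the double opt-in flow described above together with the consent record this paragraph asks for: who consented, when, and via which form. The signing key, the 48-hour link lifetime, the token layout and the function names are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
SIGNING_KEY = b"placeholder: load a real 32-byte key from a secrets store"
CONFIRM_TTL_SECONDS = 48 * 3600  # assumed lifetime of a confirmation link

@dataclass
class ConsentRecord:  # the proof GDPR asks for: who consented, when, and via which form
    email: str
    form_id: str
    requested_at: int
    confirmed_at: Optional[int] = None  # set only when the confirmation link is clicked
    withdrawn_at: Optional[int] = None  # set when the subscriber unsubscribes

def _mac(payload: str) -> str:
    return hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
def make_confirm_token(email: str, form_id: str, issued_at: int) -> str:
    payload = f"{email}|{form_id}|{issued_at}"  # the value placed in the confirmation link
    return f"{payload}|{_mac(payload)}"         # plus an HMAC so it cannot be forged

def parse_confirm_token(token: str, now: int) -> Optional[Tuple[str, str, int]]:
    # Returns (email, form_id, issued_at) only if the MAC is valid and the link is unexpired.
    try:
        email, form_id, issued, mac = token.rsplit("|", 3)
        issued_at = int(issued)
    except ValueError:
        return None
    if not hmac.compare_digest(mac, _mac(f"{email}|{form_id}|{issued}")):
        return None  # forged or tampered link
    if now - issued_at > CONFIRM_TTL_SECONDS:
        return None  # stale link: the subscriber has to opt in again
    return email, form_id, issued_at

def request_signup(records: Dict[str, ConsentRecord], email: str, form_id: str, now: int) -> str:
    records[email] = ConsentRecord(email, form_id, now)  # step one: active opt-in logged as pending
    return make_confirm_token(email, form_id, now)       # token to send in the confirmation email

def confirm_signup(records: Dict[str, ConsentRecord], token: str, now: int) -> bool:
    parsed = parse_confirm_token(token, now)  # step two: only a valid click becomes consent
    if parsed is None or parsed[0] not in records:
        return False
    records[parsed[0]].confirmed_at = now
    return True
def unsubscribe(records: Dict[str, ConsentRecord], email: str, now: int) -> None:
    if email in records:  # withdrawal is one step; the timestamp evidences prompt handling
        records[email].withdrawn_at = now
def may_send_marketing(records: Dict[str, ConsentRecord], email: str) -> bool:
    r = records.get(email)  # send only to confirmed subscribers who have not withdrawn
    return r is not None and r.confirmed_at is not None and r.withdrawn_at is None
```

A subscriber who never clicks the link stays pending and is never emailed; a withdrawn record keeps its timestamps so the history of consent can be produced on request.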

Whatever you do, avoid purchased or rented email lists. Consent is not transferable; just because someone opted into a third-party list doesn’t mean they consented to hear from your specific brand. To be fair, this was a poor marketing tactic even before GDPR existed.

Making the Exit Easy

Withdrawing consent must be just as easy as giving it. Every marketing email you send must include a prominent unsubscribe link. Once a user opts out, you should process that request promptly—best practice suggests within 72 hours.

GDPR and Email Marketing – Key Takeaway

The consequences of ignoring GDPR rules for email marketing are severe. Financial penalties can reach €20 million or 4% of a company’s annual global turnover. By focusing on explicit consent and data transparency, you aren’t just avoiding fines; you are building a foundation of trust with your audience that ultimately leads to better engagement and higher conversion rates.