How to Make Email GDPR Compliant to Boost Trust and Revenue

If you have an email list with subscribers who live in the European Union (EU), you need to comply with GDPR no matter where your business is located or face some stiff fines. Fortunately, GDPR isn’t hard to navigate. Here, you’ll learn how to make email GDPR compliant so you can send out your marketing emails without worry.

Not familiar with GDPR? Don’t worry. In this article, we’ll tell you what you need to know about what GDPR is, how it impacts email marketing, and what you can do to keep your marketing emails compliant with GDPR.

What Is GDPR?

GDPR (General Data Protection Regulation) is a European Union regulation designed to protect the privacy of online consumers and anyone in the EU who shares personal data online. GDPR was created to ensure that websites accessible to EU residents follow data privacy protocols.

GDPR was passed in response to data privacy concerns around companies that collected private information both with and without consent, organizations that gathered data without making their data collection methods clear, and other companies whose inadequate security left consumer data open to theft.

Now, businesses must ask for consent when collecting personal data from EU residents or those with EU IP addresses. This gives the power back to the consumer; they can hand over their data on their terms. If you use gated content or lead magnets to grow your email list, this is something to pay close attention to since you can’t require a user to give you their data in order to use your site. Essentially, you can require an email address for the delivery of content, but you can’t use that email for marketing unless the user gives you that permission.

For many businesses, GDPR has resulted in increased consumer trust, and that is simply better business.

Are you a social media marketer? Check out our article GDPR and social media to learn more about how to use GDPR to your advantage.


This article is made available by Influencer Marketing Hub for educational purposes to provide general information and a general understanding of the law. It does not provide specific legal advice. We recommend consulting a lawyer to better understand how GDPR impacts your business. By using this site, you understand that there is no attorney-client relationship between you and Influencer Marketing Hub.

Does GDPR Apply to You?

If you collect personal data from people living in the EU, you have to be compliant with GDPR. Compliance means business as usual for you. If you don’t comply with the data privacy standards, you could potentially be fined up to 4% of your gross annual turnover (different from your profit). Fines are capped at 20 million Euro, about $27.7 million in the US.

How Does GDPR Impact Email Marketing?

When GDPR was passed, there were many marketers who believed it signaled the end of marketing as we know it. That hasn’t proven to be the case, but there are definitely some ways that GDPR has impacted marketing. Let’s talk a bit about how GDPR has changed email marketing. We’ll get into some of these changes a bit deeper later in the article.

  • No pre-checked boxes on opt-in forms
  • No storing personal data in scattered and non-secure locations
  • No buying email lists
  • Email marketing lists grow more slowly
  • Quality of leads and contacts is much better
  • Trust in brands has increased

We’re excited about what GDPR means for email marketing. It’s so important to build email lists that are filled with subscribers who are genuinely interested and want to hear from you. Complying with GDPR rules is a great idea for all businesses—not just those with EU subscribers.

How to Make Email GDPR Compliant

There are several GDPR rules that directly relate to email marketing. Here’s how to make your email marketing GDPR compliant and build a better email list.

Get Consent

If you use an opt-in to get more subscribers for your email newsletter, that opt-in form is a data collection tool according to GDPR. That means you have to get consent—informed consent—from each user before you can sign them up. Informed consent just means letting the user know what they’re signing up for and getting verifiable consent through a positive action like checking a box or choosing options using radio buttons and the like.

Positive action is very important here. If you’re using a checkbox on your opt-in form to get consent, you can’t pre-check that checkbox. Put simply, you can’t make giving consent the default option. Instead, the user needs to take action to provide consent. Additionally, the consent must be granular, meaning that separate consent must be given for every planned use of the data you’re collecting. So, if you’re asking a user to opt in, accept your privacy policy, and consent to receive marketing emails, you have to let them give consent for each option separately instead of bundling the requests for permission. Here’s an example:


One other thing to consider regarding consent to make email GDPR compliant is whether to use single opt-in or double opt-in. Single opt-in means that the user clicks the submit button on your opt-in form and is subscribed to your list (based on their consent) immediately. Single opt-in is GDPR compliant.

Other email marketers choose double opt-in. This type of opt-in starts from the same place: an opt-in form to collect user information and get informed consent through positive action. With double opt-in, though, users aren’t automatically subscribed to your email list. Instead, after they opt in they’re sent an email that asks them to confirm their desire to receive emails from you. Double opt-in creates another record of consent.

To sum things up, here’s what consent looks like:

  • Not requiring consent for access
  • Granular consent to get separate positive actions for different items like Privacy Policy, cookies, marketing emails, etc.
  • A positive action opt-in
  • Renewing consent when Terms change
  • Easy to withdraw consent

Establish a Privacy Policy

If you send out emails, GDPR requires that you have a privacy policy providing information about the data you collect from users and how you plan to use it. The privacy policy needs to be available and easily accessible on your website. Many experts recommend including a link to your privacy policy in your website footer as well as including a link to it on your opt-in forms and in your emails.

Here’s what you should include in your privacy policy:

  • What information your company collects
  • How you use the information you collect
  • If you share user data, with whom, and for what purpose
  • How you keep user data secure
  • How you store user data
  • How users can update, change, or correct their user data
  • A reminder to users that they should protect the information they share

Keep Records of Consent

In addition to getting consent from subscribers, GDPR also requires that you keep a record of consent so you can prove that it was given. These records need to include the identity of the user, the date consent was given, what the subscriber consented to, information about the methods used to get consent, whether consent was withdrawn, and a description of what the user was told when consent was given. Without these records, consent will be invalid under GDPR rules.
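As an added illustration (not code from the article or its author), the following Python models a consent record with the elements listed above, records only the purposes a user actively ticked (no bundled or default consent, as the Get Consent section requires), and treats a record that is missing any required element as unable to prove consent. The class and function names, the purpose labels, the email address and the timestamps are constructed for this example.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class ConsentRecord:
    """Proof of one subscriber's consent; fields mirror the elements listed above."""
    subject: str                              # identity of the user (here an email address)
    given_at: datetime                        # date and time consent was given (UTC)
    purposes: FrozenSet[str]                  # what was consented to, one entry per purpose
    method: str                               # how consent was obtained (form, checkbox, email)
    notice_text: str                          # what the user was told when consenting
    confirmed_at: Optional[datetime] = None   # double opt-in confirmation, if used
    withdrawn_at: Optional[datetime] = None   # set when the user revokes consent

def record_consent(subject, offered, ticked, method, notice_text, now):
    """Record only purposes the user actively ticked; nothing is consented to by default."""
    ticked = frozenset(ticked)
    unknown = ticked - frozenset(offered)
    if unknown:  # a purpose the form never offered cannot have been consented to
        raise ValueError(f"purposes not offered on the form: {sorted(unknown)}")
    return ConsentRecord(subject, now, ticked, method, notice_text)

def is_provable(rec):
    """A record missing any required element cannot prove consent."""
    return all([rec.subject, rec.given_at, rec.purposes, rec.method, rec.notice_text])

def may_send(rec, purpose):
    """Sending is allowed only for a consented, non-withdrawn purpose backed by a full record."""
    return is_provable(rec) and rec.withdrawn_at is None and purpose in rec.purposes

def withdraw(rec, now):
    """Keep the original record as the audit trail; only add the withdrawal timestamp."""
    return replace(rec, withdrawn_at=now)

def demo():
    """Constructed scenario: the form offers two purposes, the user ticks only one."""
    t0 = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)  # constructed timestamp
    rec = record_consent("reader@example.com", offered=["newsletter", "partner_offers"],
                         ticked=["newsletter"], method="unchecked checkbox on /signup form",
                         notice_text="Weekly newsletter; unsubscribe link in every email.", now=t0)
    gone = withdraw(rec, datetime(2024, 3, 1, tzinfo=timezone.utc))  # constructed timestamp
    blank = replace(rec, notice_text="")  # a record that lost what the user was told
    return {"newsletter": may_send(rec, "newsletter"),
            "partner_offers": may_send(rec, "partner_offers"),
            "after_withdrawal": may_send(gone, "newsletter"),
            "without_notice_text": may_send(blank, "newsletter")}
```

Withdrawal does not delete the original record, so the audit trail still shows what was consented to and when it was revoked.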

Don’t Require Opt-in

Under GDPR, you can’t deny access to content because a user doesn’t want to subscribe to your newsletter. Under GDPR, consent must be “freely given.” While you can collect a user’s email address to deliver lead magnets and other gated content, you have to be clear with users that signing up for your newsletter is not a requirement for getting access to the gated content or lead magnet.

Not familiar with gated content or lead magnets? Gated content is content that requires users to share personal data or purchase a subscription before getting access. A lead magnet is a free item or service given away in exchange for user data (usually an email address); lead magnets include trials, samples, white papers, newsletters, consultations, and a whole lot more. Gated content and lead magnets are often used for lead generation. With GDPR, though, the user must give separate consent to receive anything other than the gated content or lead magnet they’re requesting.

Don’t Rely on a 3rd-Party for Compliance

Even if your email marketing is handled by a 3rd-party email marketing service, you are still the owner of the data. As such, responsibility for legal compliance in managing that user data is on you. The 3rd-party provider also has legal obligations, such as making sure its own customers meet GDPR’s standards, but this typically only extends as far as requiring businesses to have a comprehensive privacy policy.

Make Revoking Permission Easy

Just as you have to get informed consent through positive action, you also have to make it easy for users to revoke consent. One of the easiest ways to do this is to include a visible unsubscribe link in your emails.

After a user revokes their consent, you have 30 days to remove them. However, we recommend removing them immediately. Users get frustrated if they’ve opted out of a mailing list and continue to get emails within those 30 days. Opting users out immediately can help you keep client relationships healthy.

Keep Your Content Honest

Another important way to make email GDPR compliant is by keeping your content accurate and honest. GDPR has content guidelines designed to protect users. Take email newsletters as an example. GDPR requires that emails show the identity of the sender, include a physical address, identify what the content is about, indicate whether the message is promotional in nature, and not use deceptive messaging. These rules are intended to make sure that the content you’re sending to users is honest, accurate, and doesn’t mislead them.

Your email content must also contain only the content that the user consented to. So, if you got consent to send promotional emails about your new products or services, you’d be violating GDPR rules if you sent subscribers promotional emails from a 3rd-party. Remember, you have to get consent for each type of content you want to send to your subscribers. You don’t need to create opt-ins for every type of content, but your opt-in form should include granular consent.


It’s also important to remember that you’re still legally responsible for GDPR compliance even if you use a 3rd-party for your email marketing.

GDPR Compliance Benefits Brands and Consumers

There’s a reason that email marketing is still the preferred marketing channel for businesses, despite GDPR restrictions. Making your email GDPR compliant isn’t difficult; it just requires planning and dedication. And the benefits are great.

GDPR effectively forced marketers to improve email marketing best practices and focus more on delivering a better user experience and better content. By giving subscribers more information about the data you collect from them, why you need it, and how you’ll use it, you’re giving them the power to decide whether staying in touch with your brand is worth it to them.

If you’re focused on quantity rather than content for your email list, this might be scary for you. However, GDPR has shown since its implementation in 2018 that the result of this kind of disclosure and requesting consent builds a better email list filled with subscribers who are genuinely interested in your products, services, and content. These engaged subscribers are much more likely to become customers and eventually, brand evangelists.

About the Author
Jacinda Santora is a copywriter, marketing consultant, and owner of JMS Copy. She enjoys combining her SEO expertise with her experience in, and deep love for, all things marketing to create high-quality marketing-related content.