9 GDPR and Email Marketing Myths That Are Holding You Back

GDPR is just the latest in efforts to protect the data of consumers. It’s been in place since 2018 and since then, there have been tons of misunderstandings about how the law impacts email marketing. That’s why we’re tackling 9 GDPR and email marketing myths so you have a better understanding of what you have to do and how you can improve your email marketing success.


9 GDPR and Email Marketing Myths That Are Holding You Back:


How Has GDPR Impacted Email Marketing?

There’s no doubt about it: GDPR has had an impact on email marketing. Before we get into the GDPR and email marketing myths, let’s take a closer look at a few ways GDPR has changed email marketing.

Fast Adoption Wins

Brands who dove headfirst into GDPR compliance seem to have enjoyed some pretty great improvements on their email marketing metrics. For many brands who were early adopters of GDPR rules online purchasing, targeting, and participation in customer loyalty programs all improved, as did ratings, customer satisfaction, and trust (Yieldify). Further supporting the benefits of GDPR compliance, Marketo reported that marketers who took a “marketing first” approach were 72% more like to exceed their business goals than marketers who took a “legal first” approach to GDPR compliance. The difference? “Marketing first” marketers saw GDPR as an opportunity to build trust and strong relationships with their subscribers and customers.

Email List Cleanup

Did you know that your email marketing list declines by about 22% every year? How often do you clean it up? Many email marketers with subscribers in the EU have seen better email marketing KPIs since GDPR was implemented with 67% of marketers reporting increased deliverability, 74% reporting increased open rates, 75% reporting increased click-through rates, and 67% reporting increased conversion rates from their email marketing campaigns (DMA Marketer Email Tracker report). On top of that, unsubscribes and spam complaints decreased (41% and 55%, respectively).

This is largely because email marketers had to get opt-ins from their email marketing lists when GDPR was first implemented. This reduced their email lists, yes, but it also means that the subscribers who opted to remain on those lists were the subscribers who really value the emails they’re getting. These subscribers are going to be more open to marketing from the brands whose lists they’ve stayed on which leads to better engagement, more sales, and more opportunities to turn regular customers into brand evangelists.

Data Value

Thanks to GDPR, consumers now have a better understanding of how valuable their personal data actually is to businesses. When you consider that 53% of consumers are willing to share their data for a “fair exchange” (DMA Consumer Attitudes to Privacy report), it shouldn’t come as a surprise that marketers have worked to improve the quality of their emails and provide more “value” content rather than strictly promotional content. “Value” content could be email newsletters offering news relevant to the industry, tips, advice, resource guides, and more content that is valuable to subscribers and not necessarily designed to sell.


9 GDPR and Email Marketing Myths

Now that you have a better understanding of some of the ways GDPR has impacted email marketing, let’s turn our attention to the GDPR and email marketing myths we’ve seen pop up. We’ll be covering 9 of the GDPR and email marketing myths that are the most common.

Remember that this blog post is for informational and educational purposes only. It should not be considered legal advice. Please seek legal counsel to find out how GDPR applies to you.

Myth #1: “I have to use double opt-in to be compliant with GDPR.”

To start off our list of GDPR and email marketing myths we’re going to talk about consent, whether double opt-in is required, and whether or not single opt-in is GDPR compliant (spoiler: it is).

Double opt-in means that your subscribers have to take an additional step after subscribing to your list to confirm that they really do want to subscribe. So, they fill out your opt-in form and then get an email asking them to confirm their subscription. Here’s an example:

It’s a great way to ensure that only the most engaged consumers actually make it onto your list. And while many experts are saying that GDPR requires double opt-in to “prove” consent, that’s not actually true.

Yes, GDPR requires that you keep a record of consent to prove that you’re actually getting informed consent through positive action (like clicking a checkbox). However, it doesn’t really matter how you go about getting that consent. You could use single opt-in which immediately adds new subscribers to your list and as long as you can show that the subscriber agreed to receive the type of emails you’re sending them, you’re fine.


Myth #2: “I have to get consent from everyone on my email list again.”

As far as GDPR and email marketing myths go, this one does have some truth to it. Many email marketers are using GDPR as a chance to clean up their email marketing lists and pare them down to only the most engaged subscribers but as long as you can prove consent from your subscribers, or have other lawful grounds for processing personal data, you’re in compliance with GDPR. Essentially, it boils down to three questions:

  • Did I explain how I use subscribers’ personal data and what content they can expect from me on my opt-in form?
  • Can subscribers easily unsubscribe from my list?
  • Did the subscribers on my email list opt-in (and can I prove it)?

Did you answer “no” to any of the questions? Then you’ll want to send a re-engagement campaign asking your subscribers to opt-in to your email list again. If they don’t opt-in, remove them.


Myth #3: “Since I use a 3rd-party service provider they’re responsible for GDPR compliance.”

This is another GDPR and email marketing myth that has a bit of truth to it. Data processors (your 3rd-party email marketing service) and data controllers (you, the owner of the data) do share responsibility for maintaining GDPR compliance. However, the data controller (you) has control over how the data you’ve collected is used. Many email marketing services work hard to ensure that their customers are complying with GDPR rules, but when it comes down to it, you are responsible for the data you collect.


Myth #4: “I need to change all of my opt-in forms to include checkboxes.”

This is one of the easiest GDPR and email marketing myths to dispel. Simply put, no, your opt-in forms don’t need to be changed to include checkboxes. GDPR doesn’t require an opt-in form to include checkboxes in order to be GDPR compliant.

What GDPR does require is clear communication from you to the subscriber about how you’ll be processing, using, or sharing the subscriber’s personal data. You always have the option to get consent using a checkbox, but it’s not required. If you don’t want to use checkboxes, you can let subscribers know how you’ll be using their data through a sentence or two.

If you’re requesting consent for multiple communications, GDPR requires that consent must be granular, not bundled. So, if you’re asking for consent for multiple purposes, it’s best to use checkboxes or another way for subscribers to choose which communications they’re consenting to and which they aren’t. Important to note: if you’re using checkboxes, they can’t be pre-checked.


Myth #5: “GDPR doesn’t apply to nonprofits, charities, or social organizations.”

GDPR applies to every business and organization that operates in the EU or collects data from residents of the EU. While GDPR caused a panic for “big data” businesses, data security is required of every business.

We encourage you to look at your current data protection practices to ensure that they are GDPR compliant. This means taking the time to document what data you’re collecting and how you’re using it to make sure that you have a lawful basis for each use of the data. Once you have that outlined, you’ll want to update your organization’s documents that make reference to data collection practices such as your privacy policy, data protection and data breach policies, and your data retention and destruction policies.

  • Privacy Policy: explains to consumers or employees what data is collected, how it’s collected, how it’s used, and how to revoke consent.
  • Data Protection Policy: details your internal procedures for how you handle personal data. This will include what you do when data is compromised.
  • Data Breach Policy: provides a record of where security has been breached, the actions taken, whether the data breach has been reported to the ICO (Information Commissioner’s Office), the data breached, and reasons why you made the decisions you made for this data breach.
  • Retention and Destruction Policy: details how long consumer data will be kept and how the information will be deleted or destroyed.

Depending on the size of your organization and how much data you control, you may have more policies to create. For most organizations, though, these four policies are a great place to start on your road to GDPR compliance.


Myth #6: “The data I collected prior to May 25, 2018, is grandfathered in and GDPR doesn’t apply.”

This is another of those GDPR and email marketing myths that’s got a simple answer: GDPR covers all personal data collected, regardless of whether or not it was collected prior to GDPR’s effective date of May 25, 2018. If you can’t prove consent for your existing subscriber list, you should send a re-engagement campaign to get that record of consent as we mentioned in Myth #2.

GDPR also addresses the difference between relevant and irrelevant data. According to GDPR, any data that’s not deemed relevant should be deleted—including whatever irrelevant data you already have. Yes, that means you’ll likely have some data cleanup to do. However, keeping only relevant information will let you create targeted marketing messages without having to sift through the details that don’t matter to your email marketing strategy.

Quick note: this doesn’t apply to anonymous data used in aggregate for statistical purposes, so your Google Analytics data is fine.


Myth #7: “Smaller businesses are exempt from GDPR.” or “Businesses that operate outside of the EU don’t have to comply with GDPR.”

As we’ve mentioned before, all businesses—no matter their size or purpose—must comply with GDPR if they operate in the EU or if they have subscribers in the EU. If you collect or process a consumer’s personal data, you have to take steps to become GDPR compliant.


Myth #8: “We’ve put GDPR policies in place so we’re set forever.”

GDPR isn’t a “set it and forget it” kind of thing. Technology and your business are constantly growing and changing, so it only makes sense that your policies keeping you in compliance with GDPR might change. It’s your responsibility, as a collector and controlling of consumer data to understand best practices in data protection.

It’s helpful to regularly review your policies to make sure they’re still relevant and that you haven’t shifted practices away from them. Your eye should always be on improving your policies to keep your subscriber and customer information safe and ensure that your email list isn’t bogged down with unengaged subscribers.


Myth #9: “GDPR will ruin my email marketing ROI.”

When GDPR first went into effect, many email marketers were concerned that the new regulations would decrease their email marketing ROI. However, that hasn’t actually been the case. According to Litmus’ research, brands in the US generate an average return of 38:1, less than EU countries’ average ROI of 39:1, despite the fact that the anti-spam laws in the US are much laxer.


Don’t Get Caught Short by GDPR and Email Marketing Myths

If you’re not following GDPR regulations, you’re doing a disservice to both your business and your subscribers and customers. It’s important to consider the purpose of GDPR, which is protecting user data. With that in mind, brands can then grow their email list intentionally, based on the quality of leads rather than quantity.

With these 9 GDPR and email marketing myths busted, you’re better equipped to collect user data and use it in a way that builds trust. This, in turn, will show up in a better bottom line for your brand.

About the Author
Jacinda Santora is a copywriter, marketing consultant, and owner of JMS Copy. She enjoys using her SEO expertise combined with experience in and a deep love for all things marketing to create high-quality marketing-related content