Business News Daily receives compensation from some of the companies listed on this page. Advertising Disclosure


How GDPR Is Affecting Email Marketing

Adam Uzialko
Adam Uzialko

Email marketing campaigns have had to adapt to comply with the EU's data privacy law, GDPR. Here's how to stay in compliance while improving the effectiveness of your email marketing efforts.

  • The General Data Protection Regulation implemented sweeping changes that unified the European Union's data privacy laws.
  • Those data privacy laws apply to companies outside the EU as well, whenever they collect or process the personal data of an EU citizen.
  • Digital marketing strategies were universally affected by the implementation of GDPR, especially email marketing campaigns.
  • Email marketing is still effective under GDPR, and compliance can actually help you target your audience.

The European Union's General Data Protection Regulation is a sweeping data privacy law that unifies the data privacy regulations of all European Union member states. Under the previous standard, the Data Protection Directive, each member state had its own data privacy laws governing the collection, analysis, usage and storage of users' personal data.

The GDPR changed that, laying out a single set of standards that covers all personal data generated by users within the EU. It doesn't just apply to companies based in the EU; any company collecting, analyzing, using or storing the personal data of an EU-based user must abide by GDPR or face steep penalties.

The GDPR changed the way companies do many things, including how they work with third-party service providers and even organize their internal hierarchies. Naturally, GDPR regulations significantly impact marketing departments, which rely on users' personal data for a wide range of activities. One of the most significant marketing efforts impacted by GDPR is email marketing.

The goal of the GDPR is to protect the personal data of EU citizens. For companies that rely on email marketing campaigns, the law means adjusting your strategy to comply with GDPR. Here's how you can do that while maintaining success in your marketing campaigns.

How has GDPR impacted marketing strategies?

The GDPR is, at its core, about data protection (hence the name). It includes provisions that empower users ("data subjects" in the text of the law) when it comes to the collection and handling of their own data.

Among these provisions are the right to consent to data collection, the right to understand how and why that data is being used, and the right to request the deletion of that data under certain circumstances. It also includes provisions requiring the timely reporting of any data breach, along with a full accounting of which personal data might have been compromised.

While these provisions sound straightforward, implementing the structural changes necessary to meet GDPR requirements was a monumental task for many companies – especially those in the U.S., where data privacy rules are significantly looser than in the EU.

Marketing departments were forced to pay particularly close attention to the GDPR. There is no avoiding the effects of GDPR requirements on digital marketing efforts, especially email marketing campaigns and email lists.

"All marketing activities are likely to be affected by the GDPR in one way or another – that much is obvious," said Oksana Chyketa, marketing specialist at Albacross. "That said, we see GDPR having an exceptionally large impact when it comes to email marketing."

What does GDPR mean for email marketing?

Email marketing is a common advertising tactic that has been easy to implement in the past. But after GDPR, it's another area of business that requires careful consideration.

For instance, companies need to ensure their contacts provide explicit consent before continuing to send emails to them. This calls for a stricter subscription process, which should involve a double opt-in and easy opt-out feature, and exclude involuntary or required opt-ins.

A double opt-in confirms that users are interested in receiving emails, weeding out any fraudulent or accidental requests (for example, a user's failure to uncheck an automatically checked subscription box). If a consumer provides their email address for a subscription, they will have to go into their email and agree to it for a second time.

The double opt-in requirement acts as a safety net for any business sending promotional emails. Anyone subscribing to your emails should be able to do so freely and not feel bribed to do so for a particular product or service. They should also be able to unsubscribe from your email list at any time, with no repercussions.


Editor's note: Looking for the right email marketing service for your business? Fill out the below questionnaire to have our vendor partners contact you about your needs.

How can you profile data under GDPR to send personalized and targeted emails?

The GDPR specifies two types of entities: a data controller and a data processor. A data controller is responsible for determining the purpose and means of personal data processing; this is usually a company collecting personal data for some business application. The data processor is the entity that conducts the actual analysis of that data. In some cases, this is a single business, but in most cases, it involves the use of third-party service providers in conjunction with a business.

As a data controller, you are responsible for the actions of any data processors you work with. In other words, if a third-party service provider you use suffers a data breach or otherwise runs afoul of GDPR requirements, you could be on the hook. However, GDPR regulations offer an opportunity to conduct a full data audit to ensure you are compliant and to help you organize personal data more effectively for your email marketing campaigns.

"Organize a full information audit and review the existing data you have, paying particular attention to where this data came from and who you're sharing it with," said Chyketa. "If you've been marketing to an email list that you obtained using methods that are noncompliant [with] GDPR, you should no longer reach out to individuals on this list, unless they've double-opted in to your communications."

GDPR's effect on engagement and click-through rates

While becoming and remaining compliant with GDPR is a major challenge, there are silver linings. By ensuring your email marketing campaigns only target users who expressed interest through a double opt-in and offered their explicit consent, you should see an increase in click-through rates and engagement.

Data from digital marketing company Acoustic, which was formerly part of IBM, shows that GDPR is already having a positive impact on engagement. The company's 2019 Marketing Benchmark Report examined the marketing data of thousands of brands across 40 countries. Among other results, the report found that email open rates and click-through rates have both increased substantially since 2014, by 19% and 14% respectively.

"Marketers were initially skeptical of privacy and data regulations like GDPR in the U.K. and CASL in Canada, since they restrict how brands may gain access to and use customer data," said Loren McDonald, program director of market research at Acoustic, in a statement. "But our data shows that these regulations are actually improving results by driving change within marketing organizations, many of which are becoming more focused on consumer trust and the customer experience. In addition to improving permission and data management practices, brands are increasingly using AI to personalize emails, dissect and analyze big data, and detect when campaigns aren't performing well."

While the GDPR is definitely a major change for many companies, the work involved in maintaining compliance can be worth it not just for regulatory reasons, but for business reasons as well. After all, digital marketing works best when the audience you reach is actually interested in your products and services. Disinterested users amount to wasted marketing dollars.

Transparency in email marketing campaigns

Your marketing efforts should be transparent to your consumers. Outline exactly what data you're recording and what you plan to do with it. Anytime there is an update to your privacy policy, alert your contacts and offer a way to unsubscribe if they want to. Many consumers opt out when faced with a privacy policy update, but it's better to send messages tailored to your customers than a generic advertisement to a broad audience. So, if you want to recruit and retain contacts, you need to know how to engage them. [Wondering how to choose an email marketing service? Here are our best picks.]

"I think the one thing we're likely to see is that brands may see an increase in unsubscribes and/or requests for deletion," said Jennifer Horner, associate director of retail and consumer goods at DEG Digital. "I feel that when presented with a privacy policy update … customers either ignore the email or, if they're not highly engaged with the brand, take that message as an opportunity to unsubscribe from the emails."

Horner added that consumers now expect personalized communication, and companies should leverage their data to customize messages and advertisements. That way, the contacts you have will be satisfied enough to stay subscribed.

Email marketing just one business process impacted by GDPR

The GDPR is sweeping both in its geographic scope and the requirements it imposes on companies. In 2020, as enforcement increases and the supervisory authorities signal more and larger fines, it is increasingly critical that companies remain compliant. For a closer look at the GDPR and its wider applications, see Business News Daily's guide to GDPR compliance.

Sammi Caramela contributed to the reporting and writing in this article. Some source interviews were conducted for a previous version of this article.

Image Credit: undrey / Getty Images
Adam Uzialko
Adam Uzialko
Business News Daily Staff
Adam Uzialko is a writer and editor at and Business News Daily. He has 7 years of professional experience with a focus on small businesses and startups. He has covered topics including digital marketing, SEO, business communications, and public policy. He has also written about emerging technologies and their intersection with business, including artificial intelligence, the Internet of Things, and blockchain.