Compliance & Legal

GDPR

EU regulation that governs how personal data may be processed: it requires a lawful basis (for marketing email, in practice the subscriber's affirmative consent), grants individuals rights over their data, and imposes security and breach-notification duties.

Definition

GDPR (General Data Protection Regulation, Regulation (EU) 2016/679) is the EU's comprehensive data protection law; it has applied since 25 May 2018. For email marketing it means you need a lawful basis for processing subscriber data, which in practice is usually the subscriber's freely given, specific, informed and unambiguous consent; it gives individuals rights over their data (access, rectification, erasure, portability and objection); and it requires appropriate technical and organisational security measures. It applies to organizations established in the EU and to organizations anywhere in the world that offer goods or services to, or monitor the behaviour of, individuals in the EU.

Why It Matters

GDPR is stricter than CAN-SPAM (which only requires an opt-out mechanism) and reaches any business that markets to individuals in the EU, wherever that business is located. Non-compliance can bring administrative fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher, as well as orders to stop processing. More importantly, GDPR-compliant practices build trust with subscribers worldwide.

How It Works

Under GDPR, you must obtain freely given consent before sending marketing emails. Consent must be specific (a separate consent for each purpose), informed (clear about what subscribers are signing up for), unambiguous (a clear affirmative act, so a pre-ticked box or silence does not count) and demonstrable, which means recording when, where and how it was obtained. Withdrawing consent must be as easy as giving it. Subscribers have the right to access, correct, delete and export their data and to object to direct marketing at any time. A personal data breach must be reported to the supervisory authority within 72 hours of becoming aware of it unless it is unlikely to pose a risk to individuals, and the affected individuals must be told without undue delay when the risk to them is high.

Best Practices

  1. Use clear, affirmative consent (no pre-checked boxes)
  2. Explain exactly what emails subscribers will receive
  3. Document when and how consent was obtained
  4. Provide easy access to privacy preferences and data export
  5. Implement proper data security and breach notification procedures

Frequently Asked Questions

Does GDPR apply if my business is outside the EU?

Yes. If you process personal data of individuals in the EU, GDPR applies regardless of where your business is located. This includes sending marketing emails to EU subscribers.

Can I rely on legitimate interest instead of consent?

Legitimate interest can sometimes be used instead of consent for existing customers, but it is risky for cold email marketing. In the EU, marketing email is also governed by the ePrivacy Directive, which only allows unsolicited email without consent under the "soft opt-in" for existing customers: the address was collected in the course of a sale, the emails concern similar products or services, and an easy opt-out was offered at collection and is offered in every message. Most experts recommend obtaining explicit consent for marketing emails to be safe.

How long can I keep subscriber data?

You should only keep data as long as necessary for the purpose it was collected. Define a retention policy, document it in your privacy policy, and delete data when subscribers have been inactive for the defined period.
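The best-practice list and the retention answer above describe what a consent record has to capture (affirmative act, per-purpose scope, the wording shown, when and where it was collected), how withdrawal, access and erasure are served, and how inactive data is purged. The following consent ledger is an added illustration of one way to model that, written for this glossary entry rather than taken from any product or legal text; the class and field names, the sample subscriber addresses and the one-year retention period are assumptions chosen for the example.

```python
"""Added example: a minimal consent ledger for marketing email.

Records the evidence GDPR expects behind each send (purpose, time, source,
exact wording), refuses anything that was not an affirmative act, supports
withdrawal, export and erasure, and purges subscribers past a retention period.
All names and sample data are constructed for illustration.
"""
from dataclasses import asdict, dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class ConsentRecord:
    purpose: str                    # one record per purpose, e.g. "newsletter"
    granted_at: datetime
    source: str                     # where it was collected, e.g. a form URL (assumed field)
    statement: str                  # the exact wording the subscriber agreed to
    withdrawn_at: Optional[datetime] = None


@dataclass
class Subscriber:
    email: str
    last_activity: datetime         # drives the retention purge
    consents: List[ConsentRecord] = field(default_factory=list)


class ConsentLedger:
    def __init__(self, retention: timedelta) -> None:
        self.retention = retention
        self._subs: Dict[str, Subscriber] = {}

    def record_consent(self, email: str, purpose: str, source: str, statement: str,
                       box_was_ticked_by_user: bool, now: datetime) -> None:
        # Consent must be a clear affirmative act; a pre-ticked box is not consent.
        if not box_was_ticked_by_user:
            raise ValueError("consent must be an affirmative act by the subscriber")
        sub = self._subs.setdefault(email, Subscriber(email=email, last_activity=now))
        sub.consents.append(ConsentRecord(purpose, now, source, statement))
        sub.last_activity = now

    def withdraw(self, email: str, purpose: str, now: datetime) -> None:
        # Withdrawal is kept as a dated event rather than deleting the evidence.
        sub = self._subs.get(email)
        if sub is None:
            return
        for c in sub.consents:
            if c.purpose == purpose and c.withdrawn_at is None:
                c.withdrawn_at = now
        sub.last_activity = now

    def may_send(self, email: str, purpose: str, now: datetime) -> bool:
        # Check happens per purpose: newsletter consent does not cover promotions.
        sub = self._subs.get(email)
        if sub is None:
            return False
        return any(c.purpose == purpose and c.withdrawn_at is None for c in sub.consents)

    def export(self, email: str) -> Optional[dict]:
        # Subject access / portability: everything held about the subscriber.
        sub = self._subs.get(email)
        return None if sub is None else asdict(sub)

    def erase(self, email: str) -> bool:
        # Right to erasure: returns whether anything was actually deleted.
        return self._subs.pop(email, None) is not None

    def purge_inactive(self, now: datetime) -> List[str]:
        # Retention policy: drop subscribers inactive for longer than the period.
        stale = [e for e, s in self._subs.items() if now - s.last_activity > self.retention]
        for e in stale:
            del self._subs[e]
        return stale


def run_demo() -> dict:
    """Constructed scenario; returns the outcomes so they can be checked."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger(retention=timedelta(days=365))
    alice = "alice@example.com"  # constructed sample subscriber
    ledger.record_consent(alice, "newsletter", "https://example.com/signup",
                          "Send me the weekly newsletter by email", True, t0)
    ledger.record_consent(alice, "promotions", "https://example.com/signup",
                          "Also send me occasional offers", True, t0)
    try:
        ledger.record_consent("bob@example.com", "newsletter", "https://example.com/checkout",
                              "Keep me updated", False, t0)  # pre-ticked box, must be refused
        rejected_pre_ticked = False
    except ValueError:
        rejected_pre_ticked = True
    ledger.withdraw(alice, "promotions", t0 + timedelta(days=1))
    out = {
        "newsletter_ok": ledger.may_send(alice, "newsletter", t0 + timedelta(days=2)),
        "promotions_ok": ledger.may_send(alice, "promotions", t0 + timedelta(days=2)),
        "rejected_pre_ticked": rejected_pre_ticked,
        "bob_ok": ledger.may_send("bob@example.com", "newsletter", t0),
        "export_purposes": [c["purpose"] for c in ledger.export(alice)["consents"]],
        "purged_within_period": ledger.purge_inactive(t0 + timedelta(days=365)),
        "purged_after_period": ledger.purge_inactive(t0 + timedelta(days=367)),
    }
    out["after_purge_ok"] = ledger.may_send(alice, "newsletter", t0 + timedelta(days=367))
    return out


if __name__ == "__main__":
    print(run_demo())
```

Two design points worth noting: withdrawal is stored as a dated event rather than by deleting the consent row, because you may later need to prove that consent existed for the sends made before it was withdrawn; and the retention clock runs from the subscriber's last activity, so a withdrawal itself counts as activity and the record is only purged once the documented retention period has fully elapsed.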