November 1, 2022

GDPR in Email Marketing: How to Be Compliant and Avoid Fines

Reading time about 12 min

If your company targets the European market, you’d better be GDPR compliant. Otherwise, you’re likely breaking the law.

Failing to comply with the General Data Protection Regulation (GDPR) results in charges, fines, and a damaged brand reputation. And given how easy it is to stay GDPR compliant, there’s no reason you shouldn’t follow the regulations.

In this article, we cover everything you need to know about GDPR email marketing to help you write GDPR-friendly emails and avoid fines.

What Is GDPR?

GDPR is a set of security and privacy laws in the European Union (EU) that regulate how data should be collected and processed.

How does it help? The GDPR protects individuals from:

  • Unnecessary data collection
  • Wrongful use of personal data
  • Personal data breach
  • Biased algorithmic decision making

The data protection rules increase transparency and accountability between businesses and their customers, giving users a better understanding of what their personal data is used for.

Since 2018, all organizations with EU-based audiences must follow the regulations. 

What’s considered “personal data”?

Every piece of information that relates to an identifiable person is personal data. It might be:

  • Person’s name
  • Location data
  • IP address
  • Cookie identifier
  • Username
  • Sensitive personal data, like racial or ethnic origin, political beliefs, health life, etc.

Does GDPR affect you?

The GDPR requirements apply to every company that targets or collects data related to people in the EU.

“If my company isn’t EU-based, does the GDPR affect me?” 

Yes, it does. Since the GDPR rules aim to protect individuals in the EU, it doesn’t matter where you are located as long as you process the personal data of EU citizens or residents.

GDPR and Email Marketing 

How does the GDPR affect your email marketing strategy? 

Since you need to collect users’ contact information to reach them with marketing messages, your email marketing campaigns fall under the GDPR. This means you should follow the key GDPR principles when gathering, processing, and storing user data. (Even if it’s only an email address!)

Contrary to what some marketers expected, the GDPR didn’t kill email marketing. Quite the opposite, GDPR-compliant brands have a chance to strengthen their relationships with their audience, build trust, and improve email engagement. 

Email marketing has become less disruptive and more relevant and trustworthy. Now, companies think twice before sending a promotional email, and customers no longer see marketing communications as irrelevant and intrusive.

7 GDPR Principles You Should Follow

Here are seven data protection principles every email marketer should know.

Lawfulness, fairness, and transparency

When collecting personal data, you should align with three sub-principles of the GDPR:

  • Lawfulness: You have a good reason to gather the data. 
  • Fairness: You don’t withhold information about the reasons behind collecting the data.
  • Transparency: You’re open with data subjects about what your company does and why you need the data.

Users should know where their data goes and how it’s processed. You should add this information right within your data collection form. 

Purpose limitation

There should be a “specified, explicit, and legitimate purpose” behind data collection. For instance, if you state you need the user’s email address to send transactional emails, you aren’t allowed to reach them with marketing communications.

The principle of purpose limitation protects individuals from wrongful use of data, spam, and irrelevant communications.

Data minimization

GDPR strives to minimize the collection of excessive data. To comply with this principle, an organization can only ask for the data they need to achieve the stated purpose. 

This rule makes it easier for companies to manage data and keep it up-to-date. It also minimizes the damage caused by a potential data breach.


A business must also take responsibility for updating the data and erasing incorrect information whenever they spot it. Individuals have the right to request the removal of irrelevant or incomplete information within 30 days.

For instance, when a user opts out of your marketing communications, the principle of data accuracy requires you to remove their email address from your marketing email list.

Storage limitation

The data collected should be stored only for a specified timeline. If you no longer need the data to achieve the goal you previously established, you must delete it from your database. 

You can also archive the data, but you need to indicate the retention period and detail reasons for doing so in your privacy policy.

Integrity and confidentiality

According to the official legal text of EU GDPR, this principle helps to ensure that the data is

“processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.” 

You must adopt proper measures to secure your audience data from deliberate attacks or accidental breaches. For email marketers, this means:

  • Choosing a reliable email marketing service provider that follows email authorization standards
  • Collecting necessary data only
  • Using email encryption (your email marketing platform should do this for you)
  • Allowing access to customer data only to employees who need it


The seventh principle requires you to collect all the necessary documentation that may prove that you meet compliance regulations. This documentation may include:

  • Proof that you have obtained user consent before collecting the data
  • Purpose of data processing
  • Explanation of how the data has been used
  • Data retention policy
  • Information on security measures implemented

Maintaining records of data processing activities allows you to demonstrate your compliance with GDPR, saving you a lot of trouble.

GDPR Fines: What Happens If You Don’t Comply

There’s one significant reason to stay GDPR compliant — large fines for non-compliance.

Under the GDPR, fines can reach €20 million or 4% of the company’s global turnover for the preceding financial year. The fines are flexible and depend on the severity of the infringement which is determined by the nature, gravity, and duration of the GDPR violation.

The biggest ever fine was registered in July 2021. Amazon was again found incompliant with general data processing principles and had to pay a penalty of €746 million. It’s followed by Meta (€405 million), WhatsApp Ireland (€225 million), and Google (€90 million).

GDPR fines

Source: GDPR Enforcement Tracker

But these statistics shouldn’t give you the impression that only corporate giants like Google and Facebook are subject to GDPR penalties. 

In 2022, over 350 healthcare organizations, restaurants, local service providers, educational centers, stores, and other small businesses were charged for non-compliance with the GDPR. Since 2018, over a thousand companies have been fined, and this number is growing. 

How to Send GDPR-Compliant Emails?

The more successful your company gets, the more serious the consequences of non-compliance become. 

Luckily, it’s incredibly easy to build a GDPR-friendly email marketing strategy when you know what to do. Here are eight steps to help create GDPR-compliant emails and stay safe from remediation costs and damaged reputation.

1. Use a reliable email service provider

A good email marketing service provider will do most of the work to help you stay compliant with the GDPR. 

Brevo is an email marketing platform that ensures your GDPR compliance by doing all the hard work for you. To protect you and your audience, Brevo):

  • Provides GDPR-compliant email subscription forms
  • Collects proof of consent
  • Offers a GDPR declaration so you don’t have to create a custom data privacy policy if you don’t want to
  • Supports double opt-in
  • Keeps your email list up-to-date 
  • Makes it easy to email only opt-in subscribers
  • Distinguishes between transactional and marketing emails
  • Has adopted the necessary data protection measures in case of a data breach
  • Keeps users’ archived data safe and secure throughout the retention period
  • Encrypts connections between servers and customer emails

With a secure GDPR-compliant tool in your tech stack, there are very few things you can do wrong. Below are seven more best practices that leave a GDPR inspector no chance to accuse you of policy violation.

2. Always get user consent to collect personal information

A GDPR-compliant subscription form should be the cornerstone of your lead generation strategy. Whenever you collect users’ personal information, your data collection form should include a mandatory GDPR checkbox.

Alongside the checkbox, you should provide some context as to why you collect the data and what users should expect next. If you’re going to use the data for different purposes, make it clear in the form and include several checkboxes. 

Tip: Mark it as a required field so your subscribers don’t forget to check it.

GDPR compliance opt-in - Brevo signup form example with checkbox

3. Write a privacy note

If your service provider doesn’t offer a GDPR declaration like Brevo does, you’ll need to write one yourself.

A GDPR declaration, or a privacy note, is a document that declares your organization’s commitment to the GDPR principles and covers:

  • Types of personal data you collect
  • Methods of processing information
  • Reasons behind collecting personal information
  • Measures taken to secure personal information
  • Automatic data collection methods and cookies
  • Circumstances under which you might share personal information with third parties
  • Your email retention policy
  • Data subject rights

Place a link to your privacy statement near the consent checkbox to allow people to read it if they wish.

Review your privacy and data retention policies at least once every two years to keep yourself away from legal trouble.

4. Stick to your promise

If people don’t consent to marketing emails, don’t try to squeeze newsletters in between account notifications. You can only send them transactional emails.

First of all, it’s against the law. But even worse, your subscribers will notice you’re breaking your promises and mark your messages as spam. None of these is good for a company that wants to achieve its email marketing goals.

5. Let users opt out

According to GDPR regulation, individuals have the right to request data updates, and the inquiry must be fulfilled within 30 business days. 

For email marketers, this means you should make it easy for contacts to unsubscribe from company emails or configure their subscriptions. 

It’s not only irritating but also unlawful when a user can’t access the “Unsubscribe” button within the email content. Make sure to include one in all your emails and don’t forget to actually unsubscribe people who have opted out from your brand communications.

For your protection, Brevo inserts an unsubscribe link automatically in all email templates. 

6. Audit and clean your mailing list regularly

The more data you keep, the more serious the risk is if there’s a data breach. Even if you aren’t worried about a data breach, there’s one more reason for you to keep your email list up-to-date  — the GDPR requires you to do so.

Ideally, your email marketing platform will take care of your mailing list and automatically disable contacts that have clicked the unsubscribe link. But that’s not enough. 

To maintain your sender reputation and keep your list picture-perfect, set up rules for disabling disengaged email addresses or segmenting contacts based on how they interact with your emails. 

By automating list cleaning, you’ll save a lot of time while creating more personalized campaigns and keeping your email marketing GDPR compliant.

Discover more about email list management here.

7. Use double opt-in

Double opt-in is a two-step registration process that requires users to confirm their subscription by verifying their email address. Brevo allows you to set up a double opt-in in a few simple steps.

Although double opt-in isn’t required by the GDPR, it does help you keep your mailing list clean and healthy. It’s also extra proof that your audience has given explicit consent to receive your emails.

8. Keep records of processing activities

To comply with the seventh GDPR principle  — accountability — you’ll need to keep records of your data processing activities. 

The records should include proof of consent, data processing methods, information on third parties involved, and any other data that might help you prove your GDPR compliance.

Be GDPR-Compliant with Brevo

Your email marketing strategy should start with GDPR compliance. To minimize financial and reputational damage, use a quality email marketing service provider that will handle all the technical aspects of GDPR-compliant email campaigns for you.

Future-proof your email strategy with Brevo

Free plan includes access to all core email features, 300 emails/day, 40+ email templates, GDPR-safe signup forms and automated subscriber management.

Open my free Brevo account now >>

Ready to grow with Brevo?

Get the tools you need to reach your customers and grow your business.

Sign up free