GDPR Email Marketing Compliance: A Practical Guide
Navigate GDPR email marketing requirements with confidence. Learn what's required, what's best practice, and how to protect both your organisation and your subscribers.
GDPR has fundamentally changed how organisations approach email marketing. Yet years after implementation, confusion remains about what's actually required versus what's overcautious interpretation. This guide cuts through the noise with practical, actionable guidance for compliant email marketing.
Disclaimer: This guide provides general information, not legal advice. GDPR interpretation can vary, and enforcement continues to evolve. For specific situations, consult a qualified legal professional.
Understanding the Legal Framework
Email marketing in the UK and EU involves two overlapping regulations:
GDPR (General Data Protection Regulation)
GDPR governs how you collect, process, store, and protect personal data—including email addresses. It requires:
- A lawful basis for processing personal data
- Transparency about how data is used
- Rights for individuals to access, correct, and delete their data
- Appropriate security measures
PECR (Privacy and Electronic Communications Regulations)
PECR specifically governs electronic marketing, including email, and is where the detailed rules about consent and opt-outs come from. PECR is the UK's implementation of the EU ePrivacy Directive; EU member states have their own national equivalents. PECR sits alongside GDPR; you must comply with both.
For churches and religious organisations, see our specific guide on GDPR for Churches in the UK.
Consent vs. Legitimate Interests
GDPR provides several "lawful bases" for processing personal data. For email marketing, two are relevant: consent and legitimate interests.
When You Need Consent
Under PECR, you generally need consent to send marketing emails to individual subscribers (B2C marketing). This is a strict requirement that GDPR's legitimate interests cannot override; the only exception is the soft opt-in described below.
You need opt-in consent when:
- Sending marketing emails to individuals (non-business addresses; PECR also treats sole traders and some partnerships as individuals, even at a work address)
- Sending emails to people who haven't previously engaged with you
- The recipient hasn't bought anything from you (no "soft opt-in" available)
When Legitimate Interests May Apply
Legitimate interests may be used for B2B marketing (emails to corporate business addresses, which PECR's consent rule does not cover, although recipients can still object and you must still offer an opt-out), existing customer communications, or non-marketing emails such as transactional messages.
You might use legitimate interests when:
- Emailing contacts at incorporated businesses at their work email addresses
- Sending service communications to existing customers
- Providing operational updates (not marketing) to members
The "Soft Opt-In" Exception
PECR allows a "soft opt-in" for existing customers if:
- You obtained their email during a sale or negotiation of a sale
- You're marketing similar products/services
- You gave them a clear opt-out opportunity at the time of collection
- You give an easy opt-out in every message
Churches and Nonprofits: The soft opt-in typically doesn't apply to you—it's designed for commercial relationships. For member communications, rely on consent or carefully documented legitimate interests for operational messages.
What Makes Valid Consent
Not all consent is equal. GDPR requires specific qualities for consent to be valid:
The Requirements
Freely Given
People must have genuine choice. Don't bundle marketing consent with service terms. Don't make services conditional on marketing consent.
Specific
Consent must be for a specific purpose. "Receive our newsletter" is specific. "Contact you about our activities" is not.
Informed
People must understand what they're consenting to. Clear, plain language. No hidden terms.
Unambiguous
Requires a clear affirmative action. Pre-ticked boxes don't count. Silence or inactivity doesn't count.
Valid Consent Checkbox Examples
Good Examples
- ☐ Yes, send me the weekly newsletter with church news and events
- ☐ I'd like to receive monthly updates about your work and campaigns
- ☐ Subscribe me to product announcements and offers (maximum 2 per month)
Bad Examples
- ☑ I agree to receive communications (pre-ticked—invalid)
- ☐ Uncheck this box if you DON'T want emails (opt-out, not opt-in)
- ☐ I agree to the terms and want to receive marketing (bundled consent)
- ☐ Keep me informed (too vague)
Opt-In Best Practices
Use Double Opt-In
Double opt-in (sending a confirmation email with a link the subscriber must click before anything else is sent) isn't required by GDPR, but it's highly recommended:
- Proves the mailbox owner actually subscribed
- Verifies the email address works
- Protects against malicious signups (someone entering an address they don't own, or bots submitting your form)
- Creates a clear consent record
Keep Consent Records
Article 7(1) of GDPR puts the burden on you to demonstrate that consent was given. For each subscriber, record:
- When they consented (timestamp)
- How they consented (which form, webpage)
- What they were told (version of the consent text)
- What they consented to (which communications)
Separate Consent Types
If you send different types of communications, offer separate consent options:
I would like to receive:
- ☐ Weekly newsletter
- ☐ Product announcements
- ☐ Event invitations
- ☐ Special offers and discounts
This creates a better experience—people get only what they want—and makes compliance cleaner.
Unsubscribe Requirements
Every marketing email must include an easy way to opt out. PECR and GDPR both require this.
What's Required
- Clear visibility: Don't hide the unsubscribe link
- Easy process: One click should be sufficient; don't require login
- Prompt action: PECR doesn't set a fixed deadline; the ICO expects opt-outs to be honoured as soon as possible, and GDPR's one-month window for acting on an objection is the outer limit (the "10 business days" figure often quoted comes from the US CAN-SPAM Act, not UK or EU law)
- No barriers: Don't ask people to explain why they're leaving
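The three mechanisms above (double opt-in, the consent record, and a one-click unsubscribe that needs no login) fit together in one small piece of code. The following is an added example, not Sendifai's code or anything from the original page: it assumes HMAC-signed link tokens with a server-side secret, a hypothetical 48-hour expiry for confirmation links (unsubscribe links deliberately never expire, since people click them from old emails), and an in-memory store standing in for the subscriber database. Binding the purpose into the token means a confirmation link cannot be replayed as an unsubscribe or the reverse, and a confirmation link issued before an unsubscribe cannot be used to undo it.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumptions for this example: key loaded from a secrets manager in production,
# confirmation links expire after 48 hours, unsubscribe links never expire.
SECRET_KEY = b"replace-with-32-random-bytes-from-a-secrets-manager"
CONFIRM_TTL = 48 * 3600

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(email: str, purpose: str, now: int, ttl: Optional[int]) -> str:
    """Signed link token. Binding the purpose stops a confirm link being replayed as an
    unsubscribe (or vice versa); the HMAC stops anyone minting a link for someone else."""
    payload = {"email": email.lower(), "purpose": purpose, "iat": int(now),
               "exp": None if ttl is None else int(now) + ttl}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"

def verify_token(token: str, purpose: str, now: int) -> Optional[dict]:
    """Return the payload only if signature, purpose and expiry all check out."""
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        payload = json.loads(_unb64(body))
    except ValueError:  # no separator, bad base64 or bad JSON
        return None
    if not isinstance(payload, dict) or payload.get("purpose") != purpose:
        return None
    if payload.get("exp") is not None and now > payload["exp"]:
        return None
    return payload

@dataclass
class ConsentRecord:
    email: str
    form_id: str              # how they consented: which form or page
    consent_text_sha256: str  # what they were told: hash of the exact wording shown
    purposes: List[str]       # what they consented to
    requested_at: int         # when the box was ticked
    confirmed_at: Optional[int] = None  # when the confirmation link was clicked

class ConsentStore:
    """In-memory stand-in for the subscriber database. Records are append-only so history
    survives re-subscription; suppression is separate so it outlives deletion of other data."""
    def __init__(self) -> None:
        self.records: Dict[str, List[ConsentRecord]] = {}
        self.suppressed: Dict[str, int] = {}  # email -> time of unsubscribe

    def signup(self, email: str, form_id: str, consent_text: str, purposes: List[str], now: int) -> str:
        """Store a pending opt-in; return the confirmation-email token. Nothing else is sent yet."""
        email = email.lower()
        digest = hashlib.sha256(consent_text.encode()).hexdigest()
        self.records.setdefault(email, []).append(
            ConsentRecord(email, form_id, digest, list(purposes), int(now)))
        return make_token(email, "confirm", now, CONFIRM_TTL)

    def confirm(self, token: str, now: int) -> bool:
        payload = verify_token(token, "confirm", now)
        if payload is None or not self.records.get(payload["email"]):
            return False
        rec = self.records[payload["email"]][-1]
        if rec.confirmed_at is None:
            rec.confirmed_at = int(now)
        # A new confirmed opt-in lifts an earlier unsubscribe; a link issued before it cannot.
        if payload["iat"] > self.suppressed.get(rec.email, -1):
            self.suppressed.pop(rec.email, None)
        return True

    def unsubscribe_token(self, email: str, now: int) -> str:
        """Token for the one-click link in every marketing email: no login, no expiry."""
        return make_token(email, "unsubscribe", now, None)

    def unsubscribe(self, token: str, now: int) -> bool:
        payload = verify_token(token, "unsubscribe", now)
        if payload is None:
            return False
        self.suppressed[payload["email"]] = int(now)
        return True

    def can_send(self, email: str, purpose: str) -> bool:
        """Gate every marketing send: not suppressed, confirmed, consented for this purpose."""
        email = email.lower()
        if email in self.suppressed:
            return False
        recs = self.records.get(email)
        return bool(recs) and recs[-1].confirmed_at is not None and purpose in recs[-1].purposes
```

Two design points worth carrying into a real implementation: every send path should call something like `can_send` rather than trusting the list it was handed, and because unsubscribe links never expire, rotating `SECRET_KEY` must keep the old key available for verification (or links in already-delivered emails stop working, which is exactly the "ignoring unsubscribes" failure).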
Best Practice: Preference Centre
Instead of just "unsubscribe from everything," offer a preference centre where people can:
- Choose which types of emails to receive
- Adjust email frequency
- Completely unsubscribe if they prefer
This reduces full unsubscribes while respecting user preferences.
Pro Tip: When someone unsubscribes, send a single confirmation email (not marketing) confirming they've been removed. This closes the loop and builds trust, even when the relationship is ending.
Data Retention
GDPR's storage limitation principle means you shouldn't keep personal data longer than necessary for the purpose you collected it for.
Establishing Retention Periods
For email marketing, consider these guidelines:
- Active subscribers: Keep as long as they're engaging. If someone hasn't engaged for 2 years, they're probably no longer interested. Bear in mind that open tracking is unreliable (many mail clients block tracking pixels or pre-fetch images), so treat clicks and replies as the engagement signal rather than opens alone.
- Unsubscribed contacts: Keep their suppression record (email address and date of opt-out) so you never re-email them, but delete the rest of their data after a reasonable period.
- Consent records: Keep for as long as you might need to demonstrate compliance—typically 6 years after last contact (UK limitation period).
Re-Permission Campaigns
If you're uncertain about the validity of old consent, run a re-permission campaign:
- Email your list explaining you're updating preferences
- Ask people to actively confirm they want to continue receiving emails
- Remove non-responders after reasonable time
This is painful—you'll lose subscribers—but it creates a clean, engaged, compliant list.
Privacy Policy Requirements
Your privacy policy must be accessible from any place you collect email addresses. See our privacy policy for an example.
What to Include
- Who you are: Organisation name and contact details
- What data you collect: Email address, name, etc.
- Why you collect it: To send newsletters, marketing, etc.
- Legal basis: Consent, legitimate interests, etc.
- How long you keep it: Your retention periods
- Who you share it with: Email platform, analytics, etc.
- Individual rights: How to access, correct, delete data
- How to complain: Your complaints process and ICO details
Clear Language
GDPR requires transparency, which means clear, plain language. Avoid legalese. Your privacy policy should be understandable to the average person.
Security Requirements
GDPR requires "appropriate technical and organisational measures" to protect data.
Technical Measures
- Encryption: Use HTTPS for sign-up forms and the platform's web interface, and TLS for mail transmission
- Access control: Limit who can access your email platform, and give each person only the permissions their role needs
- Strong authentication: Require long, unique passwords (length matters more than complexity rules) and enable 2FA on every platform account
- Regular updates: Keep software patched and current
Organisational Measures
- Staff training: Ensure team members understand GDPR
- Access policies: Clear rules about who can access what
- Incident response: Plan for how to handle data breaches
- Vendor management: Ensure your email platform is GDPR-compliant
Choosing Compliant Platforms
When using email marketing platforms, ensure they:
- Offer a Data Processing Agreement (DPA)
- Store data in the UK/EU, or transfer it only under an adequacy decision or a recognised transfer mechanism (such as Standard Contractual Clauses or the UK International Data Transfer Agreement)
- Hold recognised security certifications or audit reports (for example ISO 27001 or SOC 2)
- Support your compliance obligations (consent tracking, easy unsubscribe, etc.)
Sendifai's email marketing platform includes built-in GDPR compliance features including consent tracking, preference centres, and data export capabilities.
Common Compliance Mistakes
Mistake 1: Assuming Old Lists Are Fine
Lists collected before GDPR may not have valid consent. If you can't demonstrate how and when someone opted in, you may need to re-permission.
Mistake 2: Buying Email Lists
Purchased lists almost never have valid consent for you to email them. The consent was for a different organisation. Don't buy lists.
Mistake 3: Ignoring Unsubscribes
Continuing to email people who've unsubscribed is a clear violation. Process unsubscribes promptly and maintain suppression lists.
Mistake 4: No Consent Records
If you can't prove consent was given, you effectively don't have it. Keep timestamped records of every opt-in.
Mistake 5: Bundled Consent
"By signing up you agree to our terms and receiving marketing emails" bundles different consents. Keep marketing consent separate.
Compliance Checklist
Collection
- ☐ Consent is opt-in (not pre-ticked)
- ☐ Consent text is clear and specific
- ☐ Privacy policy link is visible
- ☐ Marketing consent is separate from service terms
Records
- ☐ Consent timestamps are recorded
- ☐ Consent method is recorded
- ☐ Consent text version is recorded
- ☐ Records are securely stored
Sending
- ☐ Every email has an unsubscribe link
- ☐ Unsubscribe process is simple
- ☐ Sender identity is clear
- ☐ Physical address is included (where required)
Management
- ☐ Unsubscribes are processed promptly
- ☐ Data is retained only as long as necessary
- ☐ Access to data is restricted
- ☐ Platform vendor has DPA in place
GDPR-Compliant Email Marketing
Sendifai's email marketing platform includes built-in compliance features: consent tracking, double opt-in, preference centres, automatic suppression lists, and data export for subject access requests.