receives compensation from some of the companies listed on this page. Advertising Disclosure

GDPR: Email Marketing in the Age of Digital Privacy

Adam Uzialko
Adam Uzialko

Email marketing is becoming more complicated in the age of digital privacy laws like GDPR and CCPA. Here's what you can and can't do in your email marketing campaigns.

Welcome to the age of data privacy, where governments around the world are adopting legislation that limits how companies can collect and use the data generated by individuals. These laws have sweeping effects on virtually every aspect of how businesses engage potential customers in the digital world, including when it comes to practices like email marketing.

If you’re thinking about launching an email marketing campaign, it is imperative you are aware of data privacy laws that apply to your business; failure to do so could result in significant financial penalties and damage to your brand reputation.

What is a data privacy law?

Data privacy laws are legislation appearing around the world geared toward protecting individual users’ rights to a certain standard of data privacy and security. They typically include rules about how companies can collect and use individuals’ data, as well as how companies must inform users about that collection and use. Data privacy laws are often vast and expansive, governing virtually every aspect of how a business engages with consumers digitally – that includes email marketing.

Two of the most publicized data privacy laws are the European Union’s General Data Protection Regulation (GDPR), which set the tone worldwide for a move toward stringent data privacy laws, and the California Consumer Privacy Act (CCPA), which was the first piece of data privacy legislation passed in the U.S.

Understanding these laws as both a compliance imperative for your business today, as well as a bellwether for data privacy trends nationwide, is essential for any business engaged in digital marketing or data collection of any kind.

Editor’s note: Looking for the right email marketing service for your business? Fill out the below questionnaire to have our vendor partners contact you about your needs.

What is GDPR?

The GDPR is the European Union’s overarching legislation on data privacy, which unified the baseline requirements among the 27 member nations. The GDPR applies to businesses collecting and using data on any EU-based user, regardless of where that business is headquartered or operating. That means American businesses collecting data on European users are also subject to the requirements of the law. When it comes to email marketing, the GDPR requires that businesses obtain the consent of anyone prior to contacting them via email. This is known as the “opt-in” provision. Before you contact anyone via email, be sure you have their explicit consent.

Additionally, the GDPR requires that companies demonstrate how consent was obtained and whether any consenting users have since opted out or unsubscribed from newsletters (or other email marketing communications). Also, companies must be willing to delete the personal data of a user upon request.

The cost of GDPR violations

GDPR violations carry steep penalties. Under the law, a company that violates the data privacy requirements could be subject to fines of up to 20 million euros (roughly $23.5 million), or 4% of the company’s annual revenue, whichever is greater. For many small businesses, fines of this magnitude could be fatal; however, it’s worth noting that in many cases of GDPR violations uncovered thus far, the EU data protection authorities have declined to impose the maximum penalties permitted under the law.

Still, the threat of massive fines and lawsuits should be enough to give any company gathering user data pause. While some types of data collection and usage intuitively apply to the GDPR, so, too, do seemingly innocuous activities like email marketing. [Want to learn more about GDPR? Read our guide on how the GDPR has been implemented here.]

What is CCPA?

The CCPA is the State of California’s data privacy law, modeled largely after the GDPR, but with some key differences in language. For email marketing purposes, however, the rules of the law are generally the same.  

Like the GDPR, a user’s email address is considered personal information (or personal data) under the CCPA. That means users must consent to the communication, as well as be able to opt-out at any time. Additionally, data regarding the open rate and click-through rate of each individual user is considered personal information; if a user requests their data be removed, you must not only delete their email address from your list but also any data gleaned from their engagement with your email marketing campaign as well.

The good news for email marketers is that compliance with the CCPA is pretty much the same as the GDPR when it comes to email marketing. Other elements of the law are different, though, so if you’re engaged in other data-collection activities for your business, review both laws with legal counsel to determine whether you are in full compliance with both, because both laws might apply to your business at the same time.

The cost of CCPA violations

Civil penalties for violations of the CCPA can range from $2,500 per unintentional violation to $7,500 per intentional violation. Businesses generally have 30 days to reverse any violations and solve the problem to avoid liability.

While these fines are not nominally as steep as the maximum penalties permitted under the GDPR, it is best to avoid them, as they stack per violation; that means if you repeatedly violate the consent requirement for thousands of email addresses in your email marketing campaign, you could be on the hook for a significant sum.

What is email marketing?

Email marketing is a cost-effective way to stay engaged with an audience that has expressed interest in your product or service by signing up for a newsletter or some other type of communication. Email marketers often use creative ways to drive email sign-ups, such as offering contest entries or a discount code. Once email addresses have been obtained, email marketing campaigns can keep your brand and its value proposition prominently displayed in a user’s inbox.

However, while email marketing might not seem particularly as intrusive as tracking user activity on the web with cookies, for example, data privacy laws still apply to this digital marketing tactic. Running a compliant email marketing campaign isn’t particularly difficult, but it requires that businesses avoid making some crucial mistakes.

Frequently asked questions about email marketing and data privacy

If you have the following questions about email marketing and how it relates to data privacy, you aren’t alone. Here are some of the frequently asked questions entrepreneurs have about their email marketing campaigns and how they can avoid unintentionally violating data privacy laws like GDPR and CCPA.

What does email have to do with data privacy?

While sending an email to someone might not seem like a violation of data privacy, it could be if it is not done properly. It’s important to understand the rules surrounding the collection of user contact information and when you are legally able to send communications to those email addresses. Additionally, users must have a clear way to unsubscribe from your email marketing list.

“Email has everything to do with data privacy and is most often where businesses run afoul of digital privacy laws,” said Harry Maugans, CEO of Privacy Bee.

To protect yourself from unnecessary data privacy violations, you should present users with an easy way to opt out or unsubscribe from your emails and newsletters.

“Opt-outs should be easy and marked clearly, and in no instances should businesses add people to email lists without permission,” Maugans said.

While there are some important guidelines to keep in mind regarding email marketing and data privacy, email is a relatively easy channel to keep in compliance, said Jeff Kupietzky, CEO of PowerInbox.

“Email is a safe alternative to cookies and other forms of tracking where the user hasn’t given permission for the site/marketer to collect their data,” Kupietzky said. “Email is fully opt in. By signing up, subscribers have inherently given you their permission to market to them and use their data to create a more personalized experience.”

Will I run into data privacy laws if I buy email lists?

Data privacy laws generally stipulate that users must knowingly consent to be contacted via email before a company can legally do so. That means buying email lists likely violates the consent requirements of the GDPR and CCPA. Therefore, relying on purchased email lists as a cornerstone of your email marketing campaign is a risky move likely to land your business in hot water. Instead, gather email addresses directly, ideally through a subscription form on your website.

“The best way to ensure GDPR compliance when sending emails is by having an explicit opt-in checkbox on all subscription forms,” said Melissa Sargeant, CMO of email marketing company Litmus. “Through this, a company has the exact time, date, country, and source through which someone opted in, which is important data to have – especially … if they are located in a GDPR country, which would require an alternate strategy.”

Additionally, purchasing an email list of cold leads makes it more likely that key metrics of your email marketing campaign, such as open rate and click-through rate, perform poorly. Since purchased email lists are those of people who have not necessarily expressed interest in your products or services, they are unlikely to perform as well as gathering fewer email contacts organically. Furthermore, many email addresses on a purchased list could be inactive or outdated; you could be risking a data privacy violation just to contact an inbox that will never be used.

What do I need to do to make sure my email marketing campaigns don’t violate data privacy laws?

In many cases, requirements in data privacy laws can be convoluted. However, when it comes to email marketing, the rules tend to be fairly straightforward. Still, abiding by these guidelines is critical to avoiding the penalties for violation laid out in the legislation.

“You can run a compliant email campaign without much trouble, as long as you fundamentally don’t aggressively target individuals who have not expressed direct interest,” said Alexander M. Kehoe, co-founder and operations director of Caveni Digital Solutions. “In many cases, targeting interested individuals is better for your conversions regardless.” 

Here’s how you can avoid running afoul of consumer data privacy laws:

  1. Collect user contact information properly. If you are collecting user’s email addresses, clearly note that when they supply that information they are consenting to being contacted by you via email. Consider including a check box with language like “I consent to receive electronic communications from the company” during email sign up. “Be upfront about how you’ll use that personal identifier and how it will enhance their user experience,” Kupietzky said.

  2. Only collect information you intend to use. Data privacy laws generally permit companies to collect data only when they have received consent from the user and have a clear business-related use case for the data. Collecting data you don’t actually need to use could be considered a violation. “Avoid collecting information that isn’t directly helpful to your marketing efforts,” Kehoe said. “We’ve seen a number of companies get into trouble for collecting information that they never really needed to use.”

  3. Be transparent about data collection. Your company needs to be transparent about the data you’re collecting and why. Make this information easily accessible in plain language to anyone who might want to review it. “Be transparent about the information you collect and make it easily accessible to individuals signed up for your email campaigns or newsletters,” Kehoe said.

  4. Don’t share or sell user data. Sharing user data with another company without explicit user content and a clear business purpose for doing so is likely to constitute a data privacy violation. Never share or sell data to another company without carefully guaranteeing you are in full compliance with the requirements of applicable data privacy laws.

  5. Mind third-party service providers. Under the GDPR, businesses are required to ensure any third-party service providers handling user data also adhere to the legal requirements laid out under the law. Failure to do so could leave the company on the hook for the violations, not just the third-party service provider. “Work only with platforms that are compliant to GDPR/CCPA standards and that value data privacy, integrity and honesty,” Kupietzky said.

Overall, email marketing is one of the simpler processes for complying with the sometimes complex and wide-ranging data privacy legislation emerging around the world. However, it is important to do your due diligence to avoid unnecessary fines and damage to your brand. After all, even once the fine is paid, your customers might remember if you handled their personal data poorly in the past; the true cost of data privacy violations is often far higher than just the fines incurred.

Image Credit: Rawf8 / Getty Images
Adam Uzialko
Adam Uzialko
Staff Writer
Adam Uzialko is a writer and editor at and Business News Daily. He has 7 years of professional experience with a focus on small businesses and startups. He has covered topics including digital marketing, SEO, business communications, and public policy. He has also written about emerging technologies and their intersection with business, including artificial intelligence, the Internet of Things, and blockchain.