GDPR logo on a computer screen with a security padlock

GDPR Compliance in 2021: What Email Marketers Need to Know Now

If you work in the email marketing industry you probably won’t need any introduction to GDPR. For a number of months leading up to its implementation, a little more than three years ago now, it’s all any of us spoke about.  However, a lot has happened since GDPR compliance first became a concern. So, it’s worth re-visiting the regulations, seeing what’s changed, and reminding ourselves why it is so important that we all remain GDPR compliant.

The General Data Protection Regulation (GDPR) shook up everyone’s email inbox back in 2018 when the European Union (EU) implemented it as part of wide-reaching reforms governing how organizations collect, manage, and secure the personal data of EU citizens.

What types of data require GDPR compliance?

While the scope of GDPR is extensive, “data” can refer to anything used to identify an individual, such as a name, address, bank details, health records, or a photo. For email marketers, the main focus of GDPR is based on the permission they have to contact people using their email addresses.

GDPR compliance shouldn't have caused any reputable email marketers any problems. Permission marketing is, after all, a pillar of email’s success and already governed by existing anti-spam legislation around the world, such as the US CAN-SPAM act of 2003 and the Canadian CASL, which went into effect in 2014.

Despite this, many email marketers played fast and loose with the perception of consent. If an individual had surrendered their email address when making a purchase or simply requesting information from an organization, they were considered to have opted in.

And let’s not forget about the practice of buying or otherwise somehow acquiring data. For many years, parts of the email marketing industry resembled the wild west of the marketing world.

Initial challenges with GDPR compliance

GDPR changed the rules by demanding list owners demonstrate that full permission had been given and any email addresses hadn’t simply been acquired. While these rules only covered email addresses belonging to citizens in the European Union, this highlighted another problem — many list owners didn’t have a clue where their subscribers lived.

The fact is, if you did any business with a citizen of an EU state (whether you knew it or not), you had to comply with GDPR. This more than freaked out a lot of companies, and some actually started blocking visitors from EU countries their websites.

And so it was with a degree of irony, in the months leading up to the implementation of the regulation designed in part to reduce the number of unsolicited emails people received, millions of emails were sent asking "subscribers" to confirm their consent.

Recent GDPR violations and fines

Marketers had every reason to be afraid of non-compliance with GDPR. The EU threatened to hit organizations that didn't comply with huge fines. These fines could be as much as €20 million, or up to 4% of an organization’s global turnover of the preceding fiscal year, depending on which is higher.

Even before the implementation of GDPR, the EU had form for going after large organizations that didn’t conform to its rules. Intel and Microsoft had previously felt the wrath of the EU for abusing their market dominance and received respective fines of €1.06 billion and €1.46 billion.

Just to prove the EU wasn’t making idle threats with the promise of hefty fines for breaching GDPR, they’ve already knocked on the doors of several large organizations.

While many of the more considerable fines related to data breaches (British Airways - €22 million, Marriott – €20 million), several companies have had more than a slap on the wrist for their dodgy marketing activities.

An Italian telecom company was fined €17 million for spamming people without their consent and providing incorrect contact details so that consumers were unable to unsubscribe from its lists. Similarly, a German health insurance company was fined €1.24 million for using its customer’s personal information, including health insurance details, for marketing activities without their consent. In some cases, to make matters worse, they had attempted to acquire permission from their customers and proceeded anyway when it wasn't given.

How GDPR impacted email marketing

GDPR was just the latest unwarranted anxiety in a long line of so-called “email killers” that ended up dramatically improving the channel. The fear of fines made email marketers more honest, and they brushed up their best practices.

While GDPR compliance couldn’t eradicate email spam completely (career criminals don’t really care about the threat of fines), the various email clients were already doing a reasonably good job identifying the worst culprits and blocking them. This meant that it suddenly became more manageable for the consumer to find the space to breathe in the email inbox. 

Inboxes suddenly became easier to navigate as irrelevant and unwanted commercial emails disappeared overnight. This meant that marketers didn't have to compete in such a crowded environment. Consumers could be confident that the emails they were receiving would be relevant, engaging, and timely enough for them to care.

GDPR and Brexit: What was the impact?

There's a long and a short answer to this question. The short answer is not a lot. The long answer recommends you should seek professional legal advice (which this article almost certainly doesn't offer) if there is anything you are still unsure about relating to GDPR.

Of course, a lot has happened in the European Union since the implementation of GDPR. This is particularly true in the English-speaking corner of the continent with the UK’s “Brexit” from the European Union.

Brexit doesn't mean that email marketers operating or targeting consumers in the UK can suddenly relax when it comes to GDPR.

While the EU’s version of GDPR is no longer applicable for the UK, the UK government has created its own version of the regulation, imaginatively titled UK GDPR. If you want to get into the full detail of the UK GDPR, you can check out this helpful guide produced by the UK Information Commissioner’s Office (ICO).

However, for the purpose of email marketing, the rules of UK GDPR are pretty much the same as they are in the EU, and, you’ve been warned, the potential fines are just as hefty.

It's also worth remembering if you are targeting EU citizens, the old rules still apply.

GDPR compliance: A refresher for email marketers

Consent is at the heart of both the EU and UK versions of the GDPR. The following bullet points should keep you on track.

Positive Opt-in

Consent in email marketing requires a positive opt-in from the consumer. It’s not OK to use a pre-ticked box or add contact details to your list just because they have purchased something. It's also important to remember; consent should not be assumed as a precondition for offering a service.

Statement of consent

Explicit consent requires a clear and specific notice of consent explaining precisely what you will do with a consumer's data and what they can expect to receive in return for their permission. Your consent statement should also include the details of any third parties you share data with.

Terms and Conditions

Consent requests should be kept separate from other terms and conditions.


Consent is not transferable to another product or service you offer. There is no such thing as blanket consent.

Document Everything

Evidence of consent must be kept showing who, when, how, and what you told people.

Withdraw Consent

It should be easy for consumers to withdraw consent, and you'll need to tell them how.

Again the ICO in the UK offers a useful checklist to help you comply.

Delivering the best email experience

GDPR compliance forced many email marketers to take a long hard look at their activities and conform to the industry best practices that they’d probably been giving lip service to for years.

While GDPR might have been daunting at the time of implementation, it made us all better email marketers by focusing on what should be the industry's core mantra: Sending the right message, the right person at the right time.

Nothing beats email marketing when it is done correctly, and that's why it is always worth taking your time to ensure every campaign you send hits its mark.

Email on Acid’s pre-deployment service, which checks your campaigns for issues relating to inbox display, email accessibility, image validation, links, and spelling, is just the first step any email marketing professional should take to ensure the quality of their output.

Now that your GDPR compliant email lists are perhaps much more targeted (smaller) than they used to be, email deliverability is also a major consideration. If a significant number of your emails are incorrectly routed to spam folders, your campaigns will never truly be optimized.

With most ESPs, you won’t know about spam issues until after you’ve hit the send button. However, with the deliverability features Email on Acid’s automated deliverability checklist, any pre-send deliverability issues will be identified before sending, meaning more of your emails will arrive as intended. Did GDPR compliance make you a better email marketer? Let us know in the comments section below.

Improve Deliverability to Hit More Inboxes!

Nothing ruins a polished email’s ROI potential like a trip to the spam folder. Run a Spam Test right within your Campaign Precheck workflow so you can land in more inboxes and increase email ROI. With Sinch Email on Acid, you can check your email against 23 of the most popular spam filters and your domain against the most popular blocklists before you hit “send”. Sign up for a free trial and try it out today.

Start a Free Trial