How Does GDPR Affect My Email Marketing Campaigns?

The Ever-Changing World of Data Privacy

Fellow small business United States companies,
Unless you do business with customers in the European Union, you are safe from the General Data Protection Regulation (GDPR)… for now. However, if you collect data in any form (names, email addresses, purchase information, etc.) from customers in the EU, you need to be in compliance with GDPR ASAP. Learn more here:

For the rest of us, with data collection policies strengthening overseas and Facebook privacy debates in the news at home, we can foresee privacy laws tightening here too. One place where these policies are extremely relevant, but often overlooked, is in email marketing.

Email addresses are private information, and storing them in email marketing software like MailChimp or Constant Contact, means you are processing personal data. While less strict, the United States does have a policy – CAN-SPAM – that applies to email marketing. So with all the talk of data security and privacy, now is a great time make sure you’re taking appropriate actions to be in compliance.

So what’s the difference between CAN-SPAM and GDPR? We’re glad you asked.

Email Marketing Regulations:

This list is certainly not all-inclusive, but hopefully it will give you a better idea of some of the major similarities and differences between the U.S. and Europe’s data security policies.

1. Opt-in

CAN-SPAM: Emails can be sent to anyone, without permission, until the recipient explicitly opts-out.

GDPR: You need to have “clear, unambiguous affirmative consent” before collecting name and email address.

In simplest terms, users need to opt-in to receive emails. Both of the following examples comply with GDPR because they clearly state the results of entering your information and require the user to explicitly click something allowing the opt-in.

Note: Having the box above pre-checked would NOT comply with GDPR because they aren’t taking any action to give consent – they’d have to take action NOT to give consent, which is not the same thing. Similarly, if it is required to have that box checked in order to download the e-book, it doesn’t comply with GDPR because there is no affirmative consent – they are forced to comply.

In addition, all opt-in information must be separate from all other terms and conditions, and it’s required to keep a record of who opted-in to receive your emails – when they did, how they did, and what they were told. Therefore, under GDPR, if you don’t currently have a record of how your email list opted-in, you’ll need to run a re-permission campaign to make sure you have proper record of opt-ins. We’ll get into that later.

2. Opt-out

CAN-SPAM: You must provide a clear way to opt-out from future emails that is “easy for an ordinary person to recognize, read, and understand.” You can have subscribers opt-out in two ways: one, have them reply to an email, or two, have them visit a single web page. You cannot:

  • Charge a fee
  • Require the subscriber to give any personal information other than email address
  • Make subscribers take any additional steps, including logging in or clicking through multiple web pages

It also specifies that you must honor their opt-out request within 10 business days.

GDPR: Again, you must give subscribers a clear way to opt-out of emails. The good news is that if you are in compliance with CAN-SPAM, you likely are already in compliance with GDPR.

3. Narrow Data Focus

CAN-SPAM: This doesn’t specify what data you can collect.

GDPR: You are required to justify the data you collect, should you be asked. This means the days of asking for additional data “in case you need it” are over. You should only be collecting the essentials and avoid any unnecessary questions.

What is a Re-Permission Campaign?

Though you may not be familiar with the terminology, I’m sure you have a pretty good idea of what a re-permission campaign is. It’s that flood of emails in your inbox with subject lines like: “We miss you,” “Stay connected,” “Keep in touch,” or “Updating our privacy policy.” The content in the email will highlight some of the benefits of re-subscribing… exclusive offers, first to know, savings, etc.

It’s important to note that a full-blown re-permission campaign isn’t necessary to comply with CAN-SPAM. But while it may not happen next month or even next year, it doesn’t hurt to use GDPR as a reminder to start using email marketing best practices so you are prepared if policies do get stricter in the U.S. too. Plus, the lessons to be learned from re-permission campaigns are applicable to cleaning out your lists, regardless of the opt-in regulations in your country. Use something similar to a re-permission email as a chance to remind your subscribers of the benefits they get from being part to your email list. Ask them to re-opt-in. Understand that you’ll never get 100% of your list to re-opt-in, but you’ll at least start building a record of opt-in data should the regulations get stricter in the U.S.

As a small business with a limited budget and already limited email marketing lists, you are probably thinking, “So what? I comply with CAN-SPAM, and that’s good enough for me.” That’s true. But there are benefits outside of data protection that can come from engaging with your subscribers through a re-permission campaign. For one, you will find your best, most engaged customers. These are people who want (and expect) to hear from you often. They are advocates for your brand and are waiting for the perfect opportunity to purchase one of your products. In addition, fewer contacts in your email marketing platform will save you money when you’re using a pay-per-email model.

And, just because you send a re-permission email (or maybe we should call it a re-introduction-to-your-company email in this case), doesn’t mean you have to remove the email addresses of people who don’t respond if you are only obligated to comply with CAN-SPAM. A lack of open or response may indicate that you should email them less frequently (unless they unsubscribe… then do not email them at all!).

Our Recommendations

Use the rest of this year to educate yourself – reading blogs like this and others to fully understand data collection policies and the regulations your company must comply with. Then, determine your company’s philosophy on collecting email addresses and start implementing it into your overall email marketing strategy.

Are you going to adhere to Europe’s stricter opt-in policy? Or are you simply going to work on removing people who aren’t your best customers? Whatever your situation may be, the world of email marketing and data privacy isn’t going to slow down anytime soon. If you are looking for a partner to create an email marketing strategy or implement one you already have, contact us and let’s work through it together!



We are Ampersand and & means so much more. Get what you need to know to Fuel & Simplify Business Growth.