
GDPR and email marketing: consent, deliverability, and the fine print

GDPR is not an email law — it is a data-protection law that happens to govern almost everything email marketers do. Eight years in, the rules are clearer, the enforcement bolder, and the deliverability impact direct.

Most non-EU senders still treat GDPR as a checkbox at signup. The regulators have moved past that view, and the mailbox providers increasingly mirror the regulators' signals. A list built without a clean lawful basis under Article 6 will degrade in inbox rate long before any DPA writes a letter, because the same recipients who didn't actually consent are the ones most likely to mark you as spam.

TL;DR

Email marketing under GDPR needs a documented lawful basis. For B2C that almost always means specific consent; for B2B you can sometimes rely on legitimate interest. The ePrivacy Directive (PECR in the UK) adds an extra consent layer for unsolicited marketing email. Soft opt-in works for existing customers in most member states, but Germany and a few others tighten it.

When GDPR applies to your sending

GDPR applies if you are established in the EU or EEA (Art. 3(1)), or if you offer goods or services to people in the EU/EEA or monitor their behaviour there (Art. 3(2)). A US company with no EU office that knowingly sells to EU customers is in scope. The UK has retained a near-identical regime as the UK GDPR since Brexit, so UK recipients bring the same obligations under a separate regulator (the ICO). The extraterritorial reach was tested and confirmed in multiple early enforcement decisions.

Personal data, in GDPR terms, includes any information relating to an identified or identifiable person. An email address that contains a name (j.smith@company.com) is unambiguously personal data. A role-based address (info@company.com) is more debatable but most regulators treat it as personal data when it can be linked to a specific person at the company.

The six lawful bases and which ones fit email

Article 6 lists six lawful bases for processing personal data. For marketing email, only two are realistically usable:

  • Consent (Art. 6(1)(a)). The recipient has freely given specific, informed and unambiguous consent. This is the default for B2C marketing.
  • Legitimate interest (Art. 6(1)(f)). Processing is necessary for legitimate interests pursued by the controller, balanced against the rights of the data subject. Recital 47 expressly names direct marketing as a possible legitimate interest, which is why this basis is used for B2B marketing in most member states; it must be documented through a balancing test.

Contract, legal obligation, vital interests and public task all exist but rarely apply to marketing. Don't cite them creatively — DPAs see straight through it.

Valid consent under GDPR has four elements: freely given, specific, informed, unambiguous. Practically that means:

  1. An unticked checkbox the user actively selects.
  2. Plain-language description of what they're consenting to (newsletter, product news, partner offers — listed separately if separately processed).
  3. Identification of the controller and any third-party recipients.
  4. Withdrawal that is as easy as giving the consent was (Art. 7(3)), and is honoured promptly.

Pre-ticked boxes are invalid (Planet49, CJEU case C-673/17, 2019). "By signing up you also agree to our newsletter" bundled consent is invalid. Consent demanded as a condition of access to a service that does not need the processing is presumed not to be freely given (Art. 7(4)).

Records must be kept: who consented, when, how, and exactly what they saw (the form version and wording, not just a boolean). Art. 7(1) puts the burden of proving consent on the controller, so when a complaint reaches a DPA, an absent audit trail means you lose by default.

The ePrivacy layer most senders forget

GDPR is the data-protection law. The ePrivacy Directive (and PECR in the UK) is the law specifically about electronic marketing. Even when your processing has a lawful basis under GDPR, ePrivacy still requires consent for unsolicited commercial email to individuals.

The ePrivacy Directive includes a so-called soft opt-in: where you obtained the email address in the context of selling a product or service to that person, you may market similar products and services to them without fresh consent, provided you offered an opt-out at collection and on every message. National implementations vary; in Germany the rule is interpreted strictly, in the Netherlands more liberally.

B2B email and legitimate interest

For business contacts in their professional capacity, most EU regulators accept legitimate interest as a basis for limited cold outreach, conditional on a documented balancing test. The balancing test weighs your legitimate interest (selling) against the recipient's reasonable expectations and rights.

A defensible B2B legitimate-interest case looks like:

  • The recipient is targeted in a clearly professional capacity (job title relevant to your offer).
  • The volume and frequency are restrained.
  • The first message identifies the source and offers a one-click opt-out.
  • Suppression on opt-out is immediate.
  • You have written a balancing-test memo and can produce it on request.

Germany is the major exception. The German interpretation of UWG (the Act Against Unfair Competition) effectively requires opt-in for B2B email too. France's CNIL takes a middle position, accepting legitimate interest only for narrowly-targeted B2B contact in a relevant capacity.

Country-by-country reality

GDPR is a regulation and applies uniformly; ePrivacy is a directive, transposed into national law, and Art. 13(5) leaves each member state to decide how marketing to legal persons (B2B) is protected, opt-in or opt-out. The same B2B email may therefore be lawful in Spain, marginal in France and unlawful in Germany. Country-of-recipient (not country-of-sender) governs.

When you need a DPIA

A Data Protection Impact Assessment is required for processing likely to result in high risk to data subjects. Pure newsletter sending rarely triggers it. Behavioural profiling, large-scale scoring of contacts based on opens/clicks, cross-platform tracking, and intent-data enrichment can. If you're building lookalike audiences from email engagement and matching them across platforms, do the DPIA.

Data subject rights you must honour

  • Right of access: on request, provide a copy of the personal data you hold and the purposes.
  • Right to rectification: correct inaccurate data.
  • Right to erasure ("right to be forgotten"): delete the data on request, with limited exceptions.
  • Right to object: for marketing, an absolute right — you must stop processing for marketing on request, no balancing test.
  • Right to data portability: provide the data in a structured, commonly used format.

Response time: one month, extendable by two more in complex cases. A suppression on the right-to-object must be effectively immediate; this dovetails with the unsubscribe rules under ePrivacy.

How GDPR posture affects deliverability

Mailbox providers don't check your privacy policy. They do observe what compliance with privacy law inevitably produces: opt-in lists complain less, engaged consent generates replies and opens, and clean suppression keeps spamtrap rates low. Senders who cut compliance corners usually cut hygiene corners too, and the reputation systems quickly catch up.

The strongest correlation we see in inbox-rate data is between a clean double-opt-in process and Gmail Postmaster Tools showing "High" domain reputation. Soft-opt-in lists tend to land in Promotions; lists that were never genuinely consented to tend to land in Spam.

Enforcement that actually happened

The Italian Garante has been the most active DPA on email marketing, with multi-million-euro fines against companies sending commercial email without valid consent. The French CNIL has repeatedly fined ad-tech businesses over consent failures that included email use. The German DPAs have issued smaller but frequent penalties for B2B opt-in violations.

Maximum fine under GDPR: the higher of EUR 20 million or 4% of global annual turnover. Email-only cases rarely hit the cap, but a consent failure that touches large lists has produced eight-figure penalties.

Frequently asked questions

Is double opt-in legally required by GDPR?

Not by GDPR itself. In Germany it is effectively mandatory: courts place the burden of proving consent on the sender and in practice accept only a documented double-opt-in confirmation as that proof. Everywhere else it is best practice because it produces exactly the evidence Art. 7(1) asks for. In other member states, single opt-in with reliable proof (timestamp, form version, IP, wording shown) can satisfy the law.

Can I rely on a lead magnet (whitepaper download) as consent for marketing?

Only if the consent at download is specific to marketing and not bundled with the file delivery itself. The specificity requirement of Art. 7(4), applied to bundled consent in Planet49, and subsequent DPA guidance treat "register to download" as consent for the download, not for ongoing marketing. A separate, unticked marketing checkbox next to the download form is the usual fix.

Do GDPR rules apply to internal email or company addresses like info@?

GDPR applies whenever the address can be linked to an individual. info@ addresses are a grey area — most DPAs treat them as in scope when the recipient company is small and the address is read by an identifiable person.

What if someone unsubscribes — can I keep them on a suppression list?

Yes, and you should. Keeping a hashed or otherwise minimal record on a suppression list to prevent re-mailing is itself processing, with a lawful basis of legal obligation or legitimate interest (honouring the objection). Inform recipients of this in your privacy notice. One caveat: a hash of an email address is pseudonymous, not anonymous, because the address space is small enough to brute-force, so the suppression list is still personal data and should be keyed (HMAC with a secret) and access-restricted rather than treated as harmless.
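The consent audit trail described under "Records must be kept" and the hashed suppression list above are the two pieces of plumbing a sender actually has to build. The following is an added example written for this article, not code from the page or from any ESP: it fingerprints the exact consent wording shown (so the record proves what they saw), stores one purpose per record, keeps the suppression list as HMAC-SHA256 tags under a secret key, and gates every send so an objection overrides any consent on file. The signup form, its wording, the addresses, the IP and the key are all constructed for the demonstration.

```python
"""Consent-evidence ledger and keyed suppression list.

Added illustration for this article; not code from the page or any vendor.
Assumed: one purpose per record, a secret key held by the sending system,
and a constructed signup form whose wording is fingerprinted below.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample: the exact wording shown beside the checkbox on a
# hypothetical signup form, version 3. Keep the text itself versioned
# elsewhere; the ledger stores only its fingerprint.
CONSENT_TEXT_V3 = (
    "Yes, email me the weekly product newsletter from Example Ltd. "
    "You can unsubscribe at any time using the link in every message."
)


def normalize(email: str) -> str:
    """Trim and lowercase so ' J.Smith@Example.com' and 'j.smith@example.com'
    hit the same ledger and suppression entries. Provider-specific folding
    (Gmail dots, plus-tags) is deliberately out of scope here."""
    return email.strip().lower()


def text_fingerprint(text: str) -> str:
    """SHA-256 of the consent wording: proves *what they saw* without
    copying the text into every record."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class ConsentRecord:
    email: str                 # normalized
    purpose: str               # one purpose per record; never bundle
    consent_text_sha256: str   # fingerprint of the wording shown
    mechanism: str             # e.g. "unticked checkbox, /signup form v3"
    given_at_utc: str          # ISO 8601
    source_ip: str             # constructed; keep only if you can justify it
    confirmed_at_utc: Optional[str] = None  # double-opt-in confirmation


def record_consent(email: str, purpose: str, consent_text: str, mechanism: str,
                   source_ip: str, when: datetime) -> ConsentRecord:
    """The who / when / how / what-they-saw record Art. 7(1) expects you to produce."""
    return ConsentRecord(
        email=normalize(email),
        purpose=purpose,
        consent_text_sha256=text_fingerprint(consent_text),
        mechanism=mechanism,
        given_at_utc=when.astimezone(timezone.utc).isoformat(),
        source_ip=source_ip,
    )


class SuppressionList:
    """Unsubscribes and Art. 21 objections, stored as HMAC-SHA256 tags.

    A plain hash of an address is pseudonymous, not anonymous, so a secret
    key is mixed in: a leaked table cannot be turned back into a mailing
    list, yet lookups still work for anyone holding the key."""

    def __init__(self, key: bytes):
        self._key = key
        self._entries: Dict[str, str] = {}  # tag -> reason

    def _tag(self, email: str) -> str:
        return hmac.new(self._key, normalize(email).encode("utf-8"),
                        hashlib.sha256).hexdigest()

    def add(self, email: str, reason: str) -> None:
        self._entries[self._tag(email)] = reason

    def is_suppressed(self, email: str) -> bool:
        return self._tag(email) in self._entries


def may_send(email: str, purpose: str, ledger: List[ConsentRecord],
             suppression: SuppressionList) -> Tuple[bool, str]:
    """Gate every marketing send: suppression wins over any consent record,
    and consent counts only for the purpose it was given for."""
    if suppression.is_suppressed(email):
        return False, "suppressed"
    addr = normalize(email)
    if any(r.email == addr and r.purpose == purpose for r in ledger):
        return True, "consent on file"
    return False, "no consent for this purpose"


def evidence_for(email: str, ledger: List[ConsentRecord]) -> str:
    """JSON export of one subject's records: serves an Art. 15 access request
    and a DPA asking you to prove consent."""
    addr = normalize(email)
    return json.dumps([asdict(r) for r in ledger if r.email == addr], indent=2)


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed walk-through: consent, a send, an objection, a second send."""
    ledger = [record_consent(" J.Smith@Example.com ", "newsletter", CONSENT_TEXT_V3,
                             "unticked checkbox, /signup form v3", "203.0.113.7",
                             datetime(2024, 5, 1, 9, 30, tzinfo=timezone.utc))]
    suppression = SuppressionList(key=b"constructed-demo-key-rotate-in-production")
    results = {
        "newsletter_before_objection": may_send("j.smith@example.com", "newsletter", ledger, suppression),
        "partner_offers": may_send("j.smith@example.com", "partner_offers", ledger, suppression),
    }
    suppression.add("J.Smith@example.com", "Art. 21 objection via unsubscribe link")
    results["newsletter_after_objection"] = may_send("j.smith@example.com", "newsletter", ledger, suppression)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Two design points worth noting. Normalization happens before both the ledger write and the HMAC, otherwise a recipient who unsubscribes as `J.Smith@...` keeps receiving mail sent to `j.smith@...`, which is precisely the complaint pattern that feeds spam-folder placement. And `may_send` checks suppression first and consent second: the right to object is absolute for marketing, so no consent record, however well documented, may outrank an objection.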