What The Impacts Of GDPR On Email Consent & Permission Really Are


  • Your business must now compliant with GDPR, which imposes fines of up to 4% of your annual global revenue if your business fails to meet certain GDPR obligations
  • Even if your business isn’t in the EU, the GDPR likely applies to your business if you process the personal data of EU data subjects
  • For consent to serve as the lawful basis for processing personal data for electronic marketing purposes, such consent must be GDPR-compliant, i.e., be freely given, specific, informed, unambiguous, obtained from the data subject prior to beginning processing, and distinguishable from other matters.
  • In addition to consent, under limited circumstances, a company’s legitimate interests may also serve as the lawful basis for processing personal data for electronic marketing purposes  

Introduction and Overview

Marketers have long tried to balance the quality vs. quantity issue for their databases. As email software and technology has evolved and allowed for better targeting, marketers have had to continuously defend their decisions to leave chunks of email addresses off their lists.

A new development relevant to such decisions is a new law that updates the regulations concerning EU customer privacy and imposes obligations affecting how marketers are able to build and manage their databases.

The new data protection regulation in the EU, the General Data Protection Regulation (GDPR), brings new focus to the protection of personal data in the age of technology. This new law replaces the 1995 EU Data Protection Directive and must be read together with the current EU ePrivacy Directive in determining whether a business has a lawful basis (consent or other lawful basis, such as legitimate interests) for processing personal data for electronic marketing purposes.

The GDPR regulates how companies process the personal data they have, including how they collect it, store it, use it, protect it, transfer it, and dispose of it. The law  applies not only to companies located in the EU, but also to companies that are not located in the EU but that process the personal data of EU data subjects in connection with offering goods or services or monitoring the behavior of EU data subjects. The GDPR has a broad definition of ‘personal data,’ that includes any information relating to an identified or identifiable natural person (e.g., an email address or online identifier). The new regulations also imposes obligations that cover the handling of EU personal  data security and personal data breach notifications.

Consent and Legitimate Interests as Lawful Bases for Processing of Personal Data for Electronic Marketing Purposes, and the GDPR’s Impact on Email Permission

There is an exception to the ePrivacy Directive’s consent requirement for electronic marketing communications if an opt-out opportunity was provided at the time the EU customer’s contact details were collected and in future messages.  If instead of obtaining consent, a company has provided an opt-out opportunity that was compliant with the ePrivacy Directive, the company may be able to rely on legitimate interests as its lawful basis for such processing under the GDPR.  The lawful basis of legitimate interests may apply if the processing is necessary for the legitimate interests of the data controller or a third party unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject[s].

Data Subject Rights and Related Obligations

The GDPR also provides for a number of data subject rights that would be applicable in the context of data subjects to whom a company sends direct marketing communications.  For example, a data subject has a right to erasure of his/her personal data under the circumstances set forth in the GDPR, including where the personal data is no longer necessary to the purposes for which it was collected or otherwise processed, or where consent is the only lawful basis for processing and the data subject has withdrawn such consent.

The GDPR also allows data subjects to obtain a copy of the personal data that has been collected about them.

Under the GDPR, companies will generally not be able to charge customers for obtaining this data (there are exceptions that can be made if the requests from a data subject are repetitive, manifestly unfounded, or excessive). Other data subject rights set forth in the GDPR include the right to rectification, the right to restriction of processing, the right to data portability, and the right to object to processing. The GDPR Businesses will be requires data subject requests to be responded to within one month of receipt of the request, subject to a limited exception that allows such period to be extended by two further months where necessary, taking into account the complexity and number of the requests.


Companies to which the GDPR applies that do not comply with the new regulations may be fined up to 4% of their annual global revenue. While this new law might seem intimidating, compliance with its obligations can actually help businesses improve their marketing efforts and increase both ROI and sales. Fear not, you will survive the new obligations imposed by the GDPR.

Check out part 2 of our GDPR series, “Stop Panicking: Why GDPR is Actually a Good Move.”

DISCLAIMER: You should seek independent legal advice concerning your company’s status and obligations under the GDPR and ePrivacy Directive because only an attorney can provide legal advice that is specifically tailored to a particular company’s situation.   Our comments on this blog post are not intended to provide companies with legal advice, and they should not be used as a substitute for legal advice.