What is GDPR?

By Mailneo Team

The General Data Protection Regulation (GDPR) is a European Union law that gives individuals control over their personal data. For email marketers, it means getting explicit consent before sending, providing easy opt-outs, and being transparent about how you use subscriber data.

Why It Matters

GDPR doesn't just apply to companies based in the EU. It applies to any business, wherever it is located, that processes the personal data of people in the EU (and the wider EEA). If someone in Berlin signs up for your newsletter and you're in Chicago, GDPR applies to you. The upper tier of fines reaches 20 million euros or 4% of annual global turnover, whichever is higher. Meta was fined 1.2 billion euros in 2023. Even small companies have received five- and six-figure penalties.

Key Requirements for Email Marketers

Lawful Basis for Processing

You need a lawful basis to email someone. For marketing email that is consent in practice: GDPR also recognises legitimate interests as a basis, but the EU's ePrivacy rules generally require opt-in consent for electronic marketing to individuals, with a narrow exception for existing customers who were offered an opt-out when their details were collected during a sale. The consent must be freely given, specific, informed, and unambiguous. Pre-ticked checkboxes don't count. Burying consent in terms of service doesn't count. The subscriber needs to take a clear, affirmative action, like ticking a checkbox that says "Yes, send me marketing emails," and withdrawing that consent must be as easy as giving it.

Right to Access and Deletion

Any subscriber can ask to see all the data you hold about them, and they can ask you to delete it. You must respond without undue delay and within one month of the request; for complex or numerous requests that can be extended by up to two further months, but you have to tell the person why within the first month. The data includes email addresses, names, engagement data (opens and clicks), purchase history, and any other personal data tied to their identity. Deletion is not unconditional: you may keep what a legal obligation requires you to retain, and you should keep a minimal suppression record (a keyed hash of the address rather than the address itself) so a deleted contact is not re-imported and mailed again. If you can't locate and export someone's data on request, that's a compliance gap.

Data Minimization

Only collect the data you actually need. If all you need is an email address, don't also require a phone number, birthday, and mailing address. Every additional field you collect increases your compliance burden and your risk if there's a data breach.

Common Mistakes

  • Using a single opt-in checkbox that covers both marketing emails and third-party data sharing — each purpose requires separate consent
  • Assuming existing subscribers are covered because they signed up before GDPR — if you didn't get GDPR-compliant consent, you need to re-permission your list
  • Treating unsubscribes as GDPR deletion requests — unsubscribing stops emails, but GDPR deletion means removing all personal data from your systems
  • Not having a documented process for data subject access requests: you must respond within one month, and scrambling wastes time

How to Stay Compliant

Use double opt-in for your sign-up forms. It creates a clear, timestamped record of consent that holds up under scrutiny. Store consent records showing what the subscriber agreed to, when, and how. Add a privacy policy link to every sign-up form and email footer. Designate a data protection point person (or DPO if required) who handles access and deletion requests.

Quick Tips

  • Keep a consent audit log for every subscriber — record the timestamp, source, and exact language they consented to
  • Make your unsubscribe process one-click; don't force people to log in or confirm via email to opt out
  • Review your data processors (ESPs, CRMs, analytics tools) and have a data processing agreement in place with each; you're responsible for how they handle your subscribers' data too
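The mechanics described above (double opt-in producing a timestamped consent record, separate consent per purpose, unsubscribe as distinct from erasure, and an exportable record for access requests) as an added Python example. This is illustration code written for this page, not Mailneo's product or any ESP's API; the secret key, form name and checkbox wording are placeholders, and an in-memory dictionary stands in for the database. The confirmation link carries an HMAC-signed token so that only someone who received the email can confirm, and erasure leaves behind only a keyed hash on a suppression list.

```python
"""Double opt-in with an HMAC-signed confirmation token, a per-purpose consent ledger,
and the access, unsubscribe and erasure operations described on this page (added example)."""
import base64
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, field
from typing import Optional

SECRET_KEY = b"replace-with-a-secret-from-your-vault"  # assumption: per-deployment secret
TOKEN_TTL = 24 * 3600  # confirmation links stop working after 24 hours
# Assumption: the exact checkbox wording, versioned so the ledger shows what the
# subscriber actually saw. One entry per purpose; never one box for two purposes.
CONSENT_TEXT = {
    ("newsletter", "v2"): "Yes, send me the weekly newsletter by email.",
    ("partner_offers", "v1"): "Yes, share my email address with selected partners.",
}

@dataclass
class ConsentRecord:
    purpose: str
    text_version: str
    consent_text: str
    source: str                           # form or page where the box was ticked
    requested_at: float                   # unix time of the form submission
    confirmed_at: Optional[float] = None  # set when the double opt-in link is clicked
    withdrawn_at: Optional[float] = None  # set on unsubscribe; the data stays

@dataclass
class Subscriber:
    email: str
    consents: list = field(default_factory=list)

subscribers: dict[str, Subscriber] = {}
# Keyed hashes of erased addresses so an erased contact is not re-imported; no readable address.
suppressed: set[str] = set()

def _norm(email: str) -> str:
    return email.strip().lower()

def email_key(email: str) -> str:
    return hmac.new(SECRET_KEY, _norm(email).encode(), hashlib.sha256).hexdigest()

def signup(email: str, source: str, versions: dict[str, str], now: float) -> str:
    """Log pending consent per purpose; return the token for the confirmation link."""
    email = _norm(email)
    sub = subscribers.setdefault(email, Subscriber(email=email))
    for purpose, version in versions.items():
        sub.consents.append(ConsentRecord(purpose, version,
                                          CONSENT_TEXT[(purpose, version)], source, now))
    payload = json.dumps({"e": email, "p": sorted(versions), "exp": now + TOKEN_TTL},
                         sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()

def confirm(token: str, now: float) -> bool:
    """Check signature (constant time) and expiry, then stamp the pending consents."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body)
        expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig)):
            return False
        claims = json.loads(payload)
    except (ValueError, TypeError):
        return False
    if now > claims["exp"] or claims["e"] not in subscribers:
        return False
    for rec in subscribers[claims["e"]].consents:
        if rec.purpose in claims["p"] and rec.confirmed_at is None:
            rec.confirmed_at = now
    suppressed.discard(email_key(claims["e"]))  # a fresh affirmative act lifts old suppression
    return True

def can_send(email: str, purpose: str) -> bool:
    """True only with a confirmed, un-withdrawn consent for exactly this purpose."""
    sub = subscribers.get(_norm(email))
    if sub is None or email_key(email) in suppressed:
        return False
    return any(r.purpose == purpose and r.confirmed_at is not None and r.withdrawn_at is None
               for r in sub.consents)

def unsubscribe(email: str, purpose: str, now: float) -> None:
    """Withdraw consent for one purpose: stops mail, keeps the record and its history."""
    sub = subscribers.get(_norm(email))
    for rec in (sub.consents if sub else []):
        if rec.purpose == purpose and rec.withdrawn_at is None:
            rec.withdrawn_at = now

def export_data(email: str) -> Optional[dict]:
    """Access request: everything held about the address as plain dicts, or None."""
    sub = subscribers.get(_norm(email))
    return asdict(sub) if sub else None

def erase(email: str) -> bool:
    """Erasure request: drop the record; keep only the keyed hash on the suppression list."""
    suppressed.add(email_key(email))
    return subscribers.pop(_norm(email), None) is not None
```

Note the split the page insists on: unsubscribe only sets withdrawn_at, so the consent history survives and can be produced for an access request, while erase removes the record entirely and keeps just the hash so a later list import can still refuse the address. A real deployment would persist the ledger, log who handled each request and when, and rotate SECRET_KEY from a secret store rather than a constant.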
