No results were found...


What’s happened to email marketing since GDPR kicked in

Marta Poliakova Marta Poliakova
· 13 min read · Email marketing · Sep 10, 2021

They say time flies when you’re having fun. Well, email marketing GDPR wasn't exactly fun, but these last few years did fly by quickly. So what has happened?

GDPR was one of the most discussed topics of 2018. That May, it was searched for more times than Beyoncé and Kim Kardashian, so it must have been important (and it still is)!

While GDPR attracted a lot of criticism from larger companies with concerns that it would destroy the digital ecosystem, the real worry was how it would affect everyday small businesses who simply wanted to send emails to their customers.

For many, these four letters may have appeared in a nightmare or two.

Several years have passed and it turns out that GDPR did not have the catastrophic effects that people thought it would. In many ways, GDPR helped email marketing more than it hurt it.

Here’s a quick recap of what happened and what it means for your email marketing.

GDPR was publicly announced two years before its implementation, yet most people ignored it until a few weeks/days before the deadline. Considering the huge scope and complexity of GDPR, this mass procrastination caused a frenzy and state of confusion for businesses, lawyers, and even data protection experts. 

“Procrastinate now, don't put it off.”
- Ellen DeGeneres

The 2018 GDPR Compliance Report revealed that only 40 percent of organizations were GDPR compliant by the May 2018 deadline.

GDPR cartoon by

Despite the confusion and criticism, GDPR at its core is a good thing for everyone. Technology has transformed our lives for the better, and a driver behind the power of the information age is your personal data.

It’s been over 25 years since lawmakers drafted new data protection legislation. A lot has changed since 1995.

Today, your data is a valuable asset that you willingly trade for products and services. It needs to be protected accordingly. You probably wouldn’t give your car keys to a stranger without a proper agreement. It’s the same with your data. 

GDPR ensures that everyone, as an owner of their unique data, has appropriate rights that others must respect. Luckily for email marketers, when you respect people’s personal data, your results will flourish.

For some reason, everyone thought that GDPR would kill email marketing by depleting their email list and making it nearly impossible to find new subscribers. Did you feel that way? 

Email and GDPR logo

Let’s be honest, your email list probably did get shorter after you implemented the GDPR opt-in process. But a shorter list doesn’t mean your list suffered. The people that remained are your loyal audience. They are the ones who will open your emails and click through to your content.

GDPR forced people to clean up their email lists, which resulted in better email performance.

Everyone must build their list the right way by obtaining explicit consent. Now that there is a standard to follow (and GDPR fines to avoid!), the number of email abusers will continue to decrease. As email marketing GDPR practices improve across the board, the sweet converting power will increase as well.

Not without its headaches

While your email effectiveness is sure to increase, GDPR is not without its challenges. One area of change that causes the biggest trouble is in collecting and storing subscriber consent.

Email marketing GDPR raised the bar with specific requirements for the collection of consent, including:

  • Consent must be “freely given, specific, informed and unambiguous”;

  • Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language”;

  • Data subjects can withdraw their consent whenever they want, and you have to honor their decision;

  • You must keep documentary evidence of consent.

Another source of confusion revolves around adhering to the various data rights such as portability, access, right to be forgotten, etc. To help you solve these requirements, MailerLite developed several GDPR tools to manage your subscribers’ data.

Email marketing is one of the top sources of GDPR complaints. To help you avoid complaints and a GDPR non-compliance penalty, here are the keys to managing a compliant email marketing operation.

1. Checkboxes and explicit consent

Remember, checkboxes are not a requirement if you need consent for one purpose. You also don’t need to add a checkbox for a free giveaway. Just make sure you explicitly explain that the lead magnet is offered in exchange for joining the email list. Checkboxes are necessary when you need consent for two or more separate things, such as a newsletter and advertising. If you want more information, here’s a whole article dedicated to GDPR opt-in forms.

2. Privacy policy link

Don’t forget to add a link to your Privacy Policy in the opt-in form. Subscribers have the right to access the information explaining how you process personal data.

3. Subscriber requests

Never ignore your subscribers' requests. Respect their rights, which includes having a process to address and respond to their inquiries.

4. Transparency always wins

Keep in mind that you must clearly state which third-party providers you use for email marketing as well as any other business processes.

Note: If you haven’t included a prepared statement about your use of MailerLite in your Privacy Policy, then you can copy and paste this pre-written text below.

We use MailerLite to manage our email marketing subscriber list and send emails to our subscribers. MailerLite is a third-party provider, which may collect and process your data using industry-standard technologies to help us monitor and improve our newsletter. MailerLite’s Privacy Policy is available at You can unsubscribe from our newsletter by clicking on the unsubscribe link provided at the end of each newsletter.

European data protection agencies have issued impressive penalties for GDPR breaches since regulations began to be enforced in May 2018.


Google was hardest hit with a record 50 million EUR, which shook the whole data protection community. France’s data protection regulator (CNIL) found that Google violated the GDPR in two ways: by excessively disseminating essential information and by describing its data processing activities in a manner that was “too generic and vague”.

Google GDPR fine

They were in breach of the GDPR requirement for transparency. They also failed to obtain a valid legal basis for processing personal data for ad personalization, which violates the GDPR requirements for specific and unambiguous consent for all forms of personal data processing.

This is not the first GDPR fine, but it’s by far the most significant. 


In October 2020 the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) issued a fine of 35,258,707.95 EUR against clothing retailer H&M Hennes & Mauritz Online Shop.

GDPR violations involved the monitoring of employees, using their personal data to make decisions about people’s employment, and sharing sensitive personal information between the managers.

Make sure you follow the data minimization principle. Do not process people’s personal information unless you have a legitimate basis and a specific purpose for it. Also, pay attention to the access controls on the data, which should be implemented as well.


The same year, Italian telecommunications operator TIM was hit with a €27.8 million GDPR penalty from the Italian Data Protection Authority (Garante), for an overly aggressive marketing strategy. Millions of subjects were approached without consent, and they received promotional calls and unsolicited communications.

British Airways

In October 2020, the UK Information Commissioner's Office (ICO) hit British Airways with a $26 million fine, because they had not implemented sufficient security measures. As a result, their system was compromised by hackers, who managed to get passengers’ personal information, including names, addresses, payment information, and log-in details.

...And more!

There have been other, smaller cases across various industries. In 2018, a Portuguese hospital was fined 400,000 EUR after its staff used bogus accounts to access patient records. And a German social network operator “” was fined 20,000 EUR for storing social media passwords in plain text. The list goes on...

GDPR set an example for non-EU countries to strengthen their own data protection regulations. This meant that privacy laws became more relevant after the GDPR. In a digital world, it is becoming more important to ensure that personal data is protected, processed and used for the correct purpose.


The California Consumer Privacy Act (CCPA) went into effect on January 1st, 2020 and was created to give CA residents—individuals who reside in California, even if they are temporarily outside of the state—more control over the personal information that businesses collect about them.

CCPA is similar to GDPR, except that it only applies to businesses that collect the personal information of California residents.  If you’d like to know more about the CCPA, you can find the whole article about it here.


South Africa’s Protection of Personal Information Act (POPIA Act) is the latest major data privacy law in the world to be modeled closely after the EU’s GDPR (and the ePrivacy Directive). It empowers its citizens with enforceable rights over their personal information, establishing 8 minimum requirements for data processing (e.g. introducing consent as a required legal basis), creating a broad definition of personal information for comprehensive end-user protection.

  • POPIA took effect on July 1, 2020.

  • POPIA enforcement began on July 1, 2021.

  • POPIA applies to any company or organization processing personal information in South Africa, who is domiciled in the country, or not domiciled but making use of automated or non-automated means of processing in the country.

The Act applies to any person or organization who keeps any type of records relating to the personal information of anyone, unless those records are subject to other legislation which protects such information more stringently.

The organization does not need to comply if it is domiciled and processes data outside of South Africa. In this respect, POPIA is not like the GDPR and Kenyan Data Protection Act, which requires you to comply if your organization processes the personal information of data subjects in the territory. POPIA focuses on the location of processing rather than the location of the data subject. 

Kenya DPA 

Kenya Data Protection Act came into force on 25th November 2019 and is now the primary statute on data protection in Kenya. According to the DPA, the data controller and processor are required to ensure that all personal data is processed lawfully, fairly and in a transparent manner. 

The Act covers the processing of personal data of data subjects located in Kenya and applies to data controllers and processors established or resident in or outside Kenya. The DPA is largely modeled on the GDPR.

Wait, why are we thanking GDPR? As it turned out, GDPR didn't kill email marketing. We believe that it helped many of you create more effective email campaigns. It also influenced other countries to strengthen their own laws—such as the CCPA and POPIA—which is great news for data protection everywhere! 

By respecting your subscribers and providing value with every email you send, email marketing GDPR delivers that extra layer of awareness to help you remember that your subscribers are not just a number—they are people with rights.

People own their data. When you agree to treat them and their data like you would want others to treat you and yours, good things happen.

As always, MailerLite is here for you to help answer questions and navigate GDPR for email marketing.

If you missed our other GDPR-related articles and videos, here they are:

Marta Poliakova
Marta Poliakova
Hi, my name is Marta, legal counsel at MailerLite. As a legal professional, it’s my job to ensure we’re always following the rules, especially regarding GDPR compliance. To blow off steam, I enjoy kickboxing. I call my punching bag “Mr. GDPR,” and boy do I get a good workout.