What is GDPR?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
If you send marketing email to anyone in the EU, GDPR applies to you. It doesn't matter where your company is based.
GDPR (General Data Protection Regulation) is EU law, in force since May 2018, governing how organizations collect, use, store, and share personal data of EU residents. For email marketers, the core requirement is consent: you need an affirmative opt-in before sending marketing email. Pre-checked boxes don't count. Purchased lists don't count. Consent from a previous transaction doesn't automatically carry over to marketing.
GDPR also gives individuals rights over their data: the right to see what you hold, request corrections, ask for deletion (the "right to be forgotten"), and export their data in usable format. You need to be able to honor these requests when they come in.
The penalties are real. Fines can reach €20 million or 4% of global annual revenue, whichever is higher. Regulators have fined organizations of many sizes, though enforcement tends to focus on systematic non-compliance rather than good-faith mistakes.
For email specifically, GDPR shapes your consent collection, your recordkeeping practices, and how you handle unsubscribes. If you're not sure whether your current setup meets the requirements, we're happy to take a look. SOS call is free.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.