Suppose: you organise a competition or you publish a “white paper” on your website, to collect as many email addresses as possible. You want to use these email addresses to enrich your database and send marketing emails or newsletters. Is this allowed, and do you run the risk of fines under the new European privacy and data protection legislation (“GDPR”)? What does the new GDPR mean for your email marketing campaigns?


GDPR: Clear permission needed for email marketing

The answer is clear: To send such commercial emails and newsletters, you need a specific permission (“opt-in”). A pre-ticked ‘check box’ is not sufficient consent. A “pop-up” that does not clearly describe what the e-mail address will be used for is also not sufficient consent.


GDPR: What about existing e-mail addresses?

Suppose you have an existing e-mail list, but you cannot prove who has given permission via an “opt-in”? In principle, you must then ask those contacts for a new permission or consent. Without permission you can’t send these people emails anymore.


Under the new GDPR privacy and data protection rules, everything stands or falls with the evidence that you can present: If you cannot prove that you have obtained permission, then you do not have permission. If you cannot prove that you have adequate procedures for privacy and security compliance, you have a problem – and you run the risk of fines. Until today, some business owners have not been collecting evidence of consent via opt-ins. From May 2018, this will clearly have to be done (although I expect this will eventually be standardised via IT solutions).


Smaller ‘mailing lists’, smaller ‘bounce rates’?

So, it comes down to the fact that creating a ‘mailing list’ and sending out email marketing campaigns will become more difficult, and that those lists will become smaller. Moreover, companies will have to adapt their processes. This will undoubtedly take time (and frustration).


The upside is that GDPR compliant mailing lists will undoubtedly be more valuable lists, as they will only contain contacts who are really interested in your emails. Your “bounce rate” will thus likely decrease.


If you do not comply with the GDPR rules, you risk a high fine. Most likely, the Privacy Commission will focus on blatant cases. It is best not to fall into that category. In any case, sending emails without proof of consent and without proper unsubscription is risky business!



Do not hesitate to contact us with any questions on privacy or data protection.


Author: Bart Van Besien