Email Marketing in Europe: How to Comply With the Law
Everybody hates spam, but a good email marketing campaign can greatly benefit your company and your customers. European email marketing laws are complicated, but they boil down to some fundamental rules.
This guide explains the two main EU laws that impact email marketing, how to get consent for email marketing, and whether you can legally send marketing emails without consent.
We’ll also address some email marketing FAQs involving buying email lists, business-to-business email marketing rules, and using tracking pixels.
Which EU Laws Apply to Email Marketing?
There are two main EU laws that impact email marketing:
- The Privacy and Electronic Communications Directive 2002 (ePrivacy Directive).
- The General Data Protection Regulation (GDPR).
This guide covers all countries where the GDPR and the ePrivacy Directive apply. This includes EU member states, plus the European Economic Area (EEA), and the UK. Collectively, we’ll refer to these countries as “Europe”.
Let’s briefly look at what these two laws cover.
What Is the ePrivacy Directive?
The ePrivacy Directive passed in 2002 and covers privacy in all types of electronic communication, including email, SMS, and cookies.
As a directive, the law does not directly apply in European countries. Instead, each European country has passed national law giving the ePrivacy Directive effect. For example:
- The UK’s Privacy and Electronic Communications Regulations (PECR).
- Germany’s Telecommunications Telemedia Data Protection Act (TTDSG).
- The Netherlands’ Telecommunications Act (Telecommunicatiewet).
There are important differences between some national ePrivacy Directive implementing laws. However, they all conform to the ePrivacy Directive’s general rules and principles.
The ePrivacy Directive has important implications for email marketing, including around:
- Consent.
- Tracking pixels and similar technologies.
- Unsubscribe links.
We’ll look at these ePrivacy Directive considerations in context below.
What Is the GDPR?
The GDPR applies to the processing of personal data, which can include email addresses.
The GDPR applies when providing or offering services to people in Europe. The GDPR interacts with the ePrivacy Directive in some important ways.
The GDPR has many implications for email marketing, including:
- The definition of “consent” (the ePrivacy Directive states when consent is required, the GDPR defines consent).
- Collecting email addresses, either directly from individuals or via third parties.
- Using, storing, or sharing email addresses.
We’ll look at these GDPR considerations in context below.
Do I Need Consent to Send Marketing Emails?
In Europe, email marketing generally requires consent. There is an exception, known as the “soft opt-in”. Some European countries also exempt certain business-to-business marketing emails.
Here’s a closer look at consent and the “soft opt-in”.
Getting Consent for Marketing Emails
As mentioned, you must normally obtain a person’s consent before sending them a marketing email.
Under the GDPR, “consent” must be:
- Freely given
- Specific
- Informed
- Unambiguous
- Given via a clear affirmative action
- Easy to withdraw
This is a strong consent standard, implying the following rules:
- Don’t trick people into giving consent.
- Don’t make access to a product or service conditional on consent.
- Don’t use “pre-ticked boxes” or similar methods to obtain consent.
- Don’t “bundle” email marketing consent requests with consent requests for other purposes.
- Give people clear information about how you’ll use their personal data.
- Provide an easy way for people to withdraw their consent.
But remember that consent is not always necessary for email marketing. Let’s look at the exception.
Using the “Soft Opt-In”
Rather than getting consent, you can use the “soft opt-in” in certain circumstances. Under the “soft opt-in”, email marketing does not require consent if:
- The person has provided their email address “in the context of a sale”, and
- The email marketing messages will relate to your company’s “similar products or services”, and
- The person has the opportunity to refuse email marketing, both:
  - At the time of providing their email address, and
  - Each time they receive a marketing email.
Some European countries interpret “the context of a sale” differently. For example, it can include negotiations or enquiries that might lead to a sale.
Email Marketing Signup Examples
Here are some examples of how email marketing consent operates across three different contexts: via a standalone signup form, during account creation, and during a purchase.
Standalone Email Marketing Signup (Consent)
Here’s a simple example of how you might meet the GDPR’s consent requirements when collecting email addresses:
Note that the signup form provides some basic information about the company’s purpose for collecting an email address, and invites the person to visit the company’s full privacy notice for more information.
In the above example, there is no need to add a separate tickbox for the person to indicate their consent. Providing an email address for an informed and specific purpose is a “clear affirmative action”.
Email Marketing Signup During Account Creation (Consent)
You might ask people to sign up to email marketing when they create an account. Here’s how a consent request might look during an account creation process:
Note that in this case, a separate consent request is required. This is because email marketing is not the primary purpose for which you are collecting the person’s email address. The email marketing consent box should be unticked by default.
Email Marketing Signup During Checkout (Soft Opt-In)
Finally, here’s how an email marketing signup form might look during the checkout process:
Note that in this example, the signup form comes “in the context of a sale”. Therefore, you don’t need consent—the “soft opt-in” applies. In this context, you can “pre-tick” the box—as long as the user can untick it.
Do I Need Consent for B2B Marketing Emails?
The ePrivacy Directive covers how to send marketing emails to “subscribers”. In some European countries, the rules do not apply to corporate communications. However, there is significant variation between countries.
The rules on business-to-business marketing emails can get complicated. We won’t cover all the varying rules across Europe. As an example, here’s how it works in the UK:
- PECR (the UK’s ePrivacy law) distinguishes “corporate subscribers” and “individual subscribers”.
- “Corporate subscribers” include legal entities, such as companies.
- “Individual subscribers” include consumers, and also sole traders and some types of partnerships.
- PECR’s email and SMS marketing rules don’t apply when emailing corporate subscribers (e.g. info@apple.com).
- However, an employee’s email address can constitute personal data even when it belongs to a corporate subscriber (e.g. stevejobs@apple.com). In this case, the GDPR would apply to the use of that email address.
So in the UK, as long as the email address belongs to a “corporate subscriber” and is not personal data (some email addresses might be personal data even if they do not include a person’s name), neither the ePrivacy Directive nor the GDPR applies.
As noted, though, the rules vary between European countries—proceed with caution.
Are Email Addresses Personal Data Under the GDPR?
Email addresses are personal data if they relate to an identifiable individual. If so, you must comply with the GDPR when collecting, using, storing, sharing, or otherwise processing those email addresses.
We won’t cover all of the GDPR’s requirements in this article. But here are some key considerations for using email addresses under the GDPR:
- Legal basis: Processing personal data under the GDPR requires a “legal basis”. For email marketing, the two most relevant legal bases are “consent” and “legitimate interests” (when the “soft opt-in” applies). Identify and document the appropriate legal basis for your email marketing campaign.
- Right to object: Individuals have the absolute right to object to the use of their personal data for direct marketing. In other words, if a person requests that you stop emailing them (whether via your unsubscribe link or any other method), you must do so.
- Right to erasure: People can request that you erase personal data you hold about them. However, if a person has objected to your marketing emails, you may need to retain their email on a “do not contact” list.
- Security: You must implement “technical and organisational measures” to keep email addresses secure. For example, this might mean encrypting or pseudonymising your email list or restricting internal access to your email list.
- Storage limitation: You must not keep email addresses for longer than you need them for a specific purpose. Figure out a “retention schedule” for email addresses to determine how long you need to keep them.
- Purpose limitation: If you’ve collected email addresses for marketing purposes, you should only use them for this purpose. Likewise, if you’ve collected email addresses for other purposes, you should generally not use them for marketing.
These are just some of the GDPR considerations when conducting an email marketing campaign. We’ll look at some others in more detail below.
Do I Need to Include an ‘Unsubscribe’ Link?
Every marketing email you send must provide a way for people to unsubscribe - whether that’s an “unsubscribe” link or a reply address.
Under the GDPR, consent must be “as easy to withdraw as to give”, so you must make it very easy for people to unsubscribe: one or two clicks at most.
You must also ensure your identity is clear in all marketing emails. Include your company’s name and contact information.
Can I Buy Email Lists Under the GDPR?
Do the GDPR or ePrivacy Directive prevent you from buying lists of email addresses from third parties, such as “data brokers”? In practice, most likely “yes”.
Buying email lists is not specifically prohibited under the ePrivacy Directive or the GDPR. However, you need a legal basis for doing so, and it’s unlikely that you’ll be able to use “bought-in” email addresses for direct marketing purposes.
Unless each person on the list has consented to receive marketing emails from your company, you cannot send them marketing emails. The “soft opt-in” is unlikely to apply, as you don’t have a direct relationship with people on the list.
There are other reasons that purchasing email lists might not be a good idea:
- You may be liable for any data breaches or legal violations that occur in respect of the list.
- People on the list might not expect to receive marketing emails from your company, and might complain to a data protection authority (DPA).
- Many third-party email services, such as MailChimp and Substack, prohibit the use of third-party email lists.
In summary, purchasing lists of email addresses can be illegal and, in any case, might be a waste of money.
Can I Guess a Person’s Email Address Under the GDPR?
To reach a specific individual within a company, some sales and marketing teams attempt to guess or infer their email address.
For example, if you know that Apple email addresses use the format [firstname].[lastname]@apple.com, you might try emailing steve.jobs@apple.com.
If you have guessed a person’s email address, all the rules above still apply. You cannot send that person marketing emails unless you have their consent or the “soft opt-in” applies.
Can I Use Tracking Pixels?
Some marketing emails contain “pixels” or other trackers that indicate whether the recipient has opened the email or clicked links within it.
The ePrivacy Directive covers pixels, cookies, and any other technology that is:
- Placed on a user’s device, or
- Accesses information on a user’s device.
With some limited exceptions, you need consent to use these technologies.
This means that you can only embed pixels and other technologies in your marketing emails if people have specifically consented to this.
To get consent for the use of tracking pixels, you could add an additional tickbox to your email marketing signup form.
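As an added illustration (not part of the original guide), here is a small Python consent ledger that applies the GDPR considerations listed above (legal basis, right to object, right to erasure, pseudonymisation of the list) together with the separate, unbundled tracking-pixel consent from this section. All names, the keyed-hash secret and the addresses are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed example key: in production, load it from a secrets store and rotate it.
SUPPRESSION_KEY = b"example-key-not-for-production"

def _norm(email: str) -> str:
    return email.strip().lower()

def suppression_token(email: str) -> str:
    """Keyed hash of the normalised address. Lets the list honour an objection
    after the plaintext address has been erased (pseudonymisation)."""
    return hmac.new(SUPPRESSION_KEY, _norm(email).encode(), hashlib.sha256).hexdigest()

@dataclass
class ConsentRecord:
    email: str
    basis: str                      # "consent" or "soft_opt_in"
    tracking_consent: bool = False  # unbundled consent for tracking pixels

@dataclass
class MarketingList:
    records: dict = field(default_factory=dict)   # normalised email -> ConsentRecord
    suppressed: set = field(default_factory=set)  # tokens of people who objected

    def subscribe(self, email, basis, tracking_consent=False):
        if basis not in ("consent", "soft_opt_in"):
            raise ValueError("unknown legal basis for email marketing")
        token = suppression_token(email)
        # A new sale does not override an earlier objection; fresh explicit consent does.
        if token in self.suppressed and basis != "consent":
            return
        self.suppressed.discard(token)
        self.records[_norm(email)] = ConsentRecord(_norm(email), basis, tracking_consent)

    def record_objection(self, email):
        """Right to object / unsubscribe: stop sending and remember the objection."""
        self.suppressed.add(suppression_token(email))
        self.records.pop(_norm(email), None)

    def erase(self, email):
        """Right to erasure: drop the plaintext address; any suppression token stays."""
        self.records.pop(_norm(email), None)

    def may_send(self, email):
        return suppression_token(email) not in self.suppressed and _norm(email) in self.records

    def may_track(self, email):
        rec = self.records.get(_norm(email))
        return self.may_send(email) and rec is not None and rec.tracking_consent
```

Because the suppression list holds only keyed hashes, an erased person's address is gone from storage while their objection is still enforced on later sends.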