Do I need to re-consent my entire EU list?

Only if you cannot prove existing consent meets GDPR standards. If you have documented consent obtained through clear opt-in, it likely remains valid. Unclear or missing consent records require re-consent.

Can I use legitimate interest instead of consent?

Possibly for existing customers, but it is riskier than consent. You must document a legitimate interest assessment and offer easy opt-out. Most marketers find explicit consent simpler and safer.

How do I identify EU subscribers?

Common approaches: ask during signup, use IP geolocation (imperfect), or apply GDPR standards to your entire list globally. The latter is often simplest.

What are the actual penalties?

Up to €20 million or 4% of global annual revenue, whichever is higher. Enforcement varies, but major brands have received significant fines. Smaller businesses may face smaller penalties but still regulatory action.

How Does GDPR Affect Email Marketing?

Key GDPR Requirements for Email

Consent Before Sending

The biggest difference from CAN-SPAM:

Must obtain consent BEFORE sending marketing email
Consent must be freely given, specific, informed, and unambiguous
Pre-checked boxes do not constitute valid consent
Silence or inactivity is not consent

Clear Consent Request

When collecting email addresses:

Explain who you are
State what you will send and how often
Separate marketing consent from other consents
Do not bundle with terms of service acceptance

Easy Withdrawal

Unsubscribe must be as easy as subscribing
One-click unsubscribe recommended
Cannot require login to unsubscribe
Process immediately, not "within 10 days"

Stricter Than CAN-SPAM

GDPR is significantly stricter than US CAN-SPAM. If you email EU residents, GDPR requirements override CAN-SPAM minimums. Opt-in is mandatory, not optional.

Lawful Basis for Processing

GDPR requires a legal basis for processing personal data (email addresses):

Consent

Most common basis for marketing email
Must be documented and provable
Can be withdrawn at any time

Legitimate Interest

May apply to existing customers
Requires documented assessment
Must balance your interest against recipient rights
Riskier than explicit consent

Contract Performance

Applies to transactional emails related to a purchase
Does not cover marketing content
Order confirmations yes, upsells no

Record Keeping Requirements

You must prove consent exists:

When: Date and time of consent
How: Method used (form, checkbox, etc.)
What: Exactly what they consented to
Who: Identity of the person consenting

Maintain these records for as long as you email the person plus regulatory retention periods.

Data Subject Rights

Right of Access

People can request all data you hold about them. Be prepared to provide:

Email address and associated data
Consent records
Email engagement history
Segmentation data

Right to Erasure

"Right to be forgotten" - upon request you must:

Delete their personal data from your systems
Remove from all email lists
Confirm deletion in writing
Some exceptions for legal obligations

Right to Object

People can object to direct marketing processing. You must stop immediately upon objection.

Who Must Comply

GDPR applies if:

You are established in the EU
You offer goods/services to EU residents
You monitor behavior of EU residents

Location of your business does not matter. Targeting EU residents triggers GDPR.

Practical Compliance Steps

Audit your list: Can you prove consent for each EU subscriber?
Fix signup forms: Clear, separate, unchecked consent boxes
Document everything: Log consent with timestamp and source
Update privacy policy: Explain email processing clearly
Improve unsubscribe: One-click, immediate processing
Prepare for requests: Process to handle access/deletion requests