
What Does GDPR Mean for Email Marketing in the UK?

GDPR, the General Data Protection Regulation, has applied in the UK since 25 May 2018 and, since Brexit, continues as the UK GDPR alongside the Data Protection Act 2018. For businesses that use email marketing it sets out clear requirements around consent, transparency and data management, and it works together with the Privacy and Electronic Communications Regulations (PECR), which contain the specific rules on marketing email. Failing to comply can result in fines, but more practically it undermines the trust your email list is built on.

The good news is that GDPR-compliant email marketing and effective email marketing are largely the same thing. The regulation essentially codifies best practice: ask permission before you email people, tell them what they are signing up for, give them an easy way to leave, and do not hold their data longer than necessary. Businesses that follow these principles generally outperform those that buy lists and blast unsolicited messages.

Consent and Lawful Basis

For marketing emails to individuals, the lawful basis you will almost always rely on is consent, and PECR separately requires consent (or the soft opt-in described in the FAQs below) before you send marketing email to an individual subscriber. Consent under GDPR must be freely given, specific, informed and unambiguous, and given by a clear affirmative action. A pre-ticked box does not count, nor does burying marketing consent in terms and conditions. The subscriber must tick the box themselves, and the wording must make clear what they are consenting to and who will be contacting them.

There is a separate basis called "legitimate interests" that some businesses rely on for B2B marketing, particularly for follow-up emails after a meeting or event. This works because PECR's consent requirement covers only individual subscribers (which in the UK includes sole traders and unincorporated partnerships), so for corporate email addresses legitimate interests under UK GDPR can apply. It is more nuanced and carries conditions: you must document a balancing test, the marketing must be genuinely relevant to the recipient's professional role, they must have a reasonable expectation of receiving it, and you must stop as soon as they object. When in doubt, consent is the safer and cleaner approach.

What You Must Include in Every Marketing Email

Every marketing email you send must contain a clear and easy way to unsubscribe. This is a legal requirement under both GDPR (the right to object to direct marketing) and PECR. The unsubscribe link must work, and the unsubscribe must be processed promptly: within a few days at most, and immediately if you are using an automated platform that handles it in real time. Including a machine-readable List-Unsubscribe header alongside the visible link is good practice and is increasingly required by the large mailbox providers.

Your emails must also clearly identify who is sending them; PECR prohibits disguising or concealing the sender's identity. You may send from a no-reply mailbox, but the email must then give a valid address, postal or email, at which opt-out requests can be received, and a route back to a real person or organisation. Your business address should appear in the email footer; for a limited company, UK company law also requires the company name, registered number, place of registration and registered office address on business emails. These requirements protect recipients and give them the information they need to make an informed choice about whether to continue receiving your emails.

Data Storage and Record Keeping

Under GDPR you must be able to demonstrate that you have consent for everyone on your marketing list. This means keeping records of who consented, when and how each subscriber signed up, what they were told at the time (the exact wording of the form or checkbox), and what they consented to. Most email marketing platforms log this automatically; check that yours does, that the records cannot be silently edited, and that they are stored securely.

You should not hold subscriber data indefinitely. If a contact has not engaged with your emails in a long period, consider running a re-engagement campaign and removing those who do not respond. Data minimisation — holding only the data you need for as long as you need it — is a GDPR principle that also makes practical sense: a leaner, more engaged list performs better than a bloated one full of people who have lost interest.
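The record keeping and data minimisation points above, shown as working code. This is an added example and not code from the original guide or any particular email platform: it keeps an append-only, hash-chained log of consent, unsubscribe and engagement events so the records are tamper-evident, derives from it the addresses you can actually demonstrate consent for, and flags consented contacts with no engagement inside a retention window as candidates for a re-engagement campaign and then deletion. The class and function names, the 730-day window and every sample event are assumptions constructed for illustration.

```python
"""Consent ledger for an email marketing list (added example, not code from
the original guide). Append-only, hash-chained log of consent, unsubscribe
and engagement events; the mailable list is derived from it, and a retention
check flags contacts who have gone quiet. All names and sample events are
constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first event in the chain


@dataclass(frozen=True)
class Event:
    kind: str        # "consent" | "unsubscribe" | "engagement"
    email: str
    at: datetime
    details: dict    # for consent: source, wording_version, basis, ip
    prev_hash: str

    def digest(self) -> str:
        # Covers every field including prev_hash, so altering, reordering or
        # deleting an earlier event invalidates every later one.
        payload = json.dumps({"kind": self.kind, "email": self.email,
                              "at": self.at.isoformat(), "details": self.details,
                              "prev": self.prev_hash}, sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()


class ConsentLedger:
    def __init__(self) -> None:
        self.events: list[Event] = []

    def _append(self, kind: str, email: str, at: datetime, details: dict) -> Event:
        prev = self.events[-1].digest() if self.events else GENESIS
        ev = Event(kind, email.lower(), at, details, prev)
        self.events.append(ev)
        return ev

    def record_consent(self, email, at, source, wording_version, basis="consent", ip=None):
        # The affirmative act: where the form was, the exact wording version the
        # subscriber saw, and the basis (GDPR consent or PECR soft opt-in).
        return self._append("consent", email, at, {"source": source, "wording_version":
                            wording_version, "basis": basis, "ip": ip})

    def record_unsubscribe(self, email, at, channel="unsubscribe-link"):
        return self._append("unsubscribe", email, at, {"channel": channel})

    def record_engagement(self, email, at, action="click"):
        return self._append("engagement", email, at, {"action": action})

    def verify(self) -> bool:
        """Recompute the chain; False if any event was altered, reordered or removed."""
        prev = GENESIS
        for ev in self.events:
            if ev.prev_hash != prev:
                return False
            prev = ev.digest()
        return True

    def consent_for(self, email: str) -> Event | None:
        """Latest consent event for this address not cancelled by a later unsubscribe."""
        current = None
        for ev in self.events:
            if ev.email == email.lower():
                if ev.kind == "consent":
                    current = ev
                elif ev.kind == "unsubscribe":
                    current = None
        return current

    def mailable(self, addresses) -> list[str]:
        return [a for a in addresses if self.consent_for(a) is not None]

    def undocumented(self, addresses) -> list[str]:
        # No valid consent record (bought lists end up here): never mail these.
        return [a for a in addresses if self.consent_for(a) is None]

    def stale(self, addresses, now: datetime, retention_days: int = 730) -> list[str]:
        """Consented contacts with no consent or engagement inside the window."""
        cutoff = now - timedelta(days=retention_days)
        out = []
        for a in addresses:
            if self.consent_for(a) is None:
                continue
            last = max(ev.at for ev in self.events
                       if ev.email == a.lower() and ev.kind in ("consent", "engagement"))
            if last < cutoff:
                out.append(a)
        return out


def build_sample():
    """Constructed sample: four addresses on a list with differing histories."""
    utc = timezone.utc
    led = ConsentLedger()
    led.record_consent("bob@example.com", datetime(2021, 6, 1, tzinfo=utc),
                       "website-footer-form", "v2", ip="198.51.100.7")
    led.record_consent("alice@example.com", datetime(2022, 1, 10, tzinfo=utc),
                       "website-footer-form", "v3", ip="203.0.113.5")
    led.record_consent("dave@example.com", datetime(2023, 2, 1, tzinfo=utc),
                       "checkout", "v3", basis="soft-opt-in")
    led.record_unsubscribe("dave@example.com", datetime(2023, 5, 1, tzinfo=utc))
    led.record_engagement("alice@example.com", datetime(2024, 3, 1, tzinfo=utc))
    # carol was imported from a bought list: there is no consent event for her.
    addresses = ["alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"]
    return led, addresses, datetime(2024, 6, 1, tzinfo=utc)


def demo() -> dict:
    led, addresses, now = build_sample()
    return {"chain_ok": led.verify(), "mailable": led.mailable(addresses),
            "undocumented": led.undocumented(addresses), "stale": led.stale(addresses, now)}
```

Running `demo()` on the constructed sample reports the chain intact, alice and bob as mailable, carol (no record) and dave (unsubscribed) as addresses that must not be mailed, and bob as the stale contact to re-engage or delete. Rewriting any event in place makes `verify()` return False, which is the property an auditor wants from consent records: you can show not just that a record exists but that it has not been edited after the fact.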

FAQs

Common questions.

Can I email people who have bought from me without asking for consent?

For follow-up emails directly related to the purchase, such as order confirmations and delivery updates, yes, you do not need separate consent. For marketing emails promoting other products or services, the position is more complex. The soft opt-in rules under PECR allow you to market your own similar products and services to existing customers if you collected their details in the course of a sale (or negotiations for a sale), gave them a clear opportunity to opt out at that point, and they did not. You must still provide an opt-out in every one of those emails and stop marketing to customers who object.

What happens if I get a GDPR complaint about my email marketing?

If someone complains that you are emailing them without their consent, stop immediately and investigate. Check your records for when and how they were added to your list. If you cannot demonstrate a valid lawful basis for holding their data, delete it and inform them you have done so. The Information Commissioner's Office (ICO) handles GDPR and PECR complaints in the UK and can impose fines, though most complaints are resolved without formal enforcement action if businesses respond promptly and in good faith.

Does GDPR apply if I am sending emails to people in other countries?

UK GDPR applies when you process the personal data of people in the UK. If you target people in EU countries, you must also comply with EU GDPR and with each member state's own rules on marketing email, which implement the EU ePrivacy Directive. Other countries have their own data protection laws. If your list is international, you should familiarise yourself with the requirements applicable to each jurisdiction, or take a conservative approach and apply UK GDPR standards consistently across all your contacts.