Email marketing is where GDPR gets real for most marketing teams — and where well-meaning campaigns most often cross a line. The complication is that two regimes apply at once, and the rules differ for consumers and businesses, so practical GDPR compliance here means understanding both.
This guide explains how GDPR and the ePrivacy rules combine, the consent and legitimate-interests options, the soft opt-in, the B2B position, and how to run compliant outreach.
Two sets of rules apply
Email marketing under GDPR is governed by two overlapping regimes: GDPR itself, which requires a lawful basis and transparency for the personal data you use, and the separate ePrivacy rules (in the UK, PECR), which specifically govern electronic marketing. You have to satisfy both.
This is why email marketing trips people up — it is not enough to think about GDPR alone; the ePrivacy layer adds its own consent and opt-out requirements on top.
Your lawful basis options
For the GDPR side, the realistic bases for marketing are consent or legitimate interests. Consent is the cleanest for consumer marketing; legitimate interests can work, especially for B2B, but only after a balancing assessment that respects people’s expectations.
Whichever you choose, you must document it — and remember the ePrivacy rules may still require consent regardless of your GDPR basis.
The consumer (B2C) position
For marketing to individual consumers, the default under the ePrivacy rules is that you need consent — genuine, opt-in, unbundled consent — before sending marketing emails. Pre-ticked boxes and assumed consent do not count.
So a B2C email programme should be built on a clean, consented list, with clear records of who agreed and when.
The “soft opt-in”
There is an important exception: the soft opt-in. If you obtained someone’s details in the course of a sale (or negotiations for one), you may market similar products or services to them, provided you gave them a clear chance to opt out at the point of collection and in every message.
The soft opt-in is a practical route for existing customers, but it is narrow — it doesn’t cover prospects you never sold to.
The B2B position
For business-to-business email, the rules are often more permissive: in many countries, marketing to corporate subscribers (a company or partnership) does not require prior consent, so legitimate interests can support relevant outreach to a named business contact.
But the data is still personal data under GDPR, the rules vary by country, and the recipient’s right to object remains absolute — so B2B is freer, not lawless.
Named contacts are personal data
A key reminder: a named business email like jane.smith@company.com is personal data, even in a B2B context. Generic addresses like info@ are not. So even “permissive” B2B marketing must respect transparency, lawful basis and objection rights for named individuals.
Treating named business contacts as fair game with no GDPR obligations is a common and risky mistake.
Transparency and identification
Every marketing message must make clear who is sending it and provide a valid way to contact you. People should be able to see, at a glance, who you are — disguising the sender or using misleading subject lines breaches the rules.
Your privacy notice should also explain your marketing, and where you obtained contact details from a third party, you must tell people.
Easy unsubscribe is mandatory
Every marketing email must include a simple, free way to unsubscribe, and you must act on opt-outs promptly and absolutely. The right to object to direct marketing is unconditional under GDPR — once someone opts out, you must stop.
Maintain a suppression list so opted-out contacts are never emailed again, even if they reappear in a new import.
Handled well, this is one more building block of practical GDPR compliance.
Purchased and scraped lists
Buying email lists or scraping addresses is where marketers most often fall foul of the rules. You inherit data with no consent, no transparency to the individuals, and questionable accuracy — a recipe for complaints and enforcement.
If you use third-party data at all, do due diligence on its source and consent status, tell people you hold their details, and honour objections. Many organisations conclude the risk outweighs the reward.
Keep records of consent
Where you rely on consent, you must be able to demonstrate it: who consented, when, what they were told, and to what. Your email platform should capture this. Without records, you cannot prove your basis if challenged.
Good record-keeping also helps you prune stale or doubtful consents before they become a liability.
Watch the cross-border differences
The ePrivacy rules are implemented nationally, so the exact position — especially on B2B — varies by country. A campaign that is fine in one member state may need consent in another. If you market across the EU, check the local rules or align to the strictest standard.
Aligning to opt-in by default is the safest way to stay compliant everywhere at once.
Practical compliant outreach
For compliant B2B outreach: target relevant named contacts, rely on a documented legitimate-interests assessment, identify yourself clearly, keep volumes and relevance sensible, include an easy opt-out, and suppress objectors immediately. For B2C, build on consented lists or the soft opt-in.
Done this way, marketing is both lawful and more effective, because it reaches people who are genuinely relevant and receptive.
How ISpectra helps
Email marketing sits at the tricky intersection of GDPR and ePrivacy, and getting it right is a practical part of GDPR compliance for any marketing team. ISpectra Technologies helps organisations choose the right basis for B2C and B2B outreach, set up consent and suppression properly, navigate cross-border differences, and document everything — so campaigns run without legal risk.
If you are unsure whether your email programme is compliant, a short review will tell you what to fix.
In one paragraph
Email marketing must satisfy both GDPR (a lawful basis and transparency for the personal data) and the separate ePrivacy rules (consent and opt-out for electronic marketing). Consumer marketing generally needs opt-in consent, with a narrow soft opt-in for similar products sold to existing customers; B2B to corporate subscribers is often more permissive under legitimate interests, but named business contacts are still personal data. Always identify the sender, provide an easy unsubscribe and honour objections absolutely, keep consent records, avoid bought or scraped lists, and check the country-specific rules. Build on consent by default and your marketing stays lawful across the EU.
Quality over quantity wins under GDPR
There is a happy coincidence at the heart of GDPR-compliant email marketing: the practices the law pushes you toward are also the ones that perform better. A consented, well-targeted list of people who actually want to hear from you delivers higher open rates, better engagement and fewer spam complaints than a vast bought list blasted indiscriminately. Deliverability itself rewards good behaviour — mailbox providers increasingly penalise senders with high complaint and bounce rates, which is exactly what scraped and unconsented lists produce.
So rather than seeing GDPR as a constraint on reach, the smartest marketers treat it as a discipline that improves results. They invest in earning consent through genuinely useful content, segment carefully so messages are relevant, make unsubscribing easy (which paradoxically keeps lists healthier), and measure engagement rather than raw volume. The outcome is a smaller but far more valuable audience, lower legal risk, and a sender reputation that keeps your emails landing in inboxes rather than spam folders. In email marketing, compliance and effectiveness pull in the same direction more often than not — a point worth remembering whenever GDPR feels like it is getting in the way.