New EU Email Marketing and Data Regulations (GDPR)

Since it was signed into law in 2003, email marketers in the United States have had to adhere to the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM).

It regulates several aspects of email marketing: it doesn’t allow deceptive subject lines, requires the sender to be accurately identified as a person or business, and forces marketers to include a “clear and conspicuous” opt-out.

Fines for violating the act can be hefty. According to the FTC “each separate email in violation of the CAN-SPAM Act is subject to penalties of up to $41,484.00.” Canada has a similar law, the Canadian Anti-Spam Legislation (CASL).

Across the pond the EU passed the General Data Protection Regulation (GDPR), one of the world’s strictest data privacy laws that went into effect on May 25. And North American marketers targeting EU citizens – whether they’re in the EU or not – have to adhere to the GDPR.


Protecting EU Citizens

The EU Parliament approved the GDPR two years ago. According to “The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world.” The GDPR is global in its scope and regulates the personal data companies collect, store and use regardless of where EU citizens are physically located.

HubSpot’s excellent GDPR guide notes “The GDPR applies not only to EU-based businesses, but also to any business that controls or processes data of EU citizens.” This milestone legislation replaces the EU’s outdated 1995 Data Protection Directive and applies to email marketers, social media and other forms of digital marketing.

How the GDPR Affects North American Marketers

If you target EU citizens, you must comply with the GDPR. And its rules are strict. You have to document the personal data you store, where it came from and who you share it with.

Claritysquare’s chief data officer, Justhy Deva Prasad told Target Marketing: “Know and treat data sensitively while considering data portability and erasure. Under the GDPR, organizations must provide EU residents with the ability to access, correct and erase their data, as well as allow them to move it to another service provider if they so choose.”

With email marketing, when you get a person’s consent to use their email address you must clearly explain every way you might use that email address. So, if you tell them you’re only using it for a free coupon campaign, that’s the only way you can use it. You can’t use it for other campaigns, nor can you add it to a mailing list.

LinkedIn’s Marketing Solutions and the General Data Protection Regulation page shows you how the networking site has prepared for the GDPR. Their FAQs note that marketers using LinkedIn’s Matched Audiences “are also responsible for (1) the content of their ads, including GDPR compliance for any personal data contained in the ad, and (2) any personal data that they may gather in response to their ads, including a recipient providing contact information.”

Apple is taking the GDPR seriously

At Apple’s June 2018 developers’ conference the tech giant previewed its latest iOS 12 operating system (for iPhones and iPads). DMN News reported that the new OS prevents “share buttons and comment widgets on web pages from tracking you without your permission.”

Apple’s Safari web browser “will also prevent advertisers from collecting unique device characteristics, so they can’t identify your device or retarget ads across the web,” DMN News noted.

Asking for Consent – “Terms and Conditions” won’t cut it

Dropping cookies without getting a user’s permission is not allowed under the GDPR. Nor can the explanation of how cookies are used be buried in a vague “by agreeing to our terms and conditions” notice.

“What you need to do is make sure you are providing a comprehensive cookie notice,” Guillaume Marcerou, Global Privacy Director at digital ad agency Criteo, told DMN News.

Adhere to the Rules – Or Pay

Fines are steep if you violate the GDPR: up to 20 million euros ($24,541,000 US) or 4% of a company’s gross annual worldwide income, whichever is higher.

Personal Data According to the GDPR

The GDPR considers personal data to be “any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”

Article 12 lists the rights Data Subjects have under the GDPR. Some of these include:

  • The right, shown at reasonable intervals, to know what personal data has been gathered and how this data has been processed
  • The right to restrict processing when the data is incorrect


Find a Maven

DMN News points out that you will have to hire a Data Protection Officer (DPO) to make sure GDPR rules are being followed if your company is involved in “regular and systematic monitoring of data subjects on a large scale”.

So, if you’re processing a lot of non-anonymized data (information about European data subjects) you’ll need a DPO. Direct Marketing News also notes that the DPO can be a contractor but “must possess the requisite specialist knowledge.”
Take 5 Media Group, since its founding in 2003, has been CAN-SPAM compliant. We use double opt-in (confirmed) email addresses, a proprietary validation process to remove questionable domains and a variety of other quality control checks.

Take 5 will also adhere to the GDPR when we target consumers who are EU citizens. With our reputation at stake and our clients’ ROI on the line we know it’s all about the data – the right data used the right way.

To find out more about Take 5’s email campaign services, audience-building capabilities and digital marketing products call Take 5 Media Group, Boca Raton, Florida, 561-819-5555, New York at 917-201-7451, or visit our website at