Email lists, newsletters and the GDPR

Please note this information is now out of date - please refer to the ICO for up-to-date GDPR information. 

Customer email lists, newsletters and refreshing consent

Many small businesses contact their customers frequently via an email newsletter, typically offering news, information, new products or discount codes.

This remains legal under the GDPR if you have your customers' consent to do so. The things to remember are:

    • Your customers' consent to marketing must have been given by opting in (a pre-ticked box or silence does not count)
    • Consent can be withdrawn at any time, and your customer can also exercise their Right to Object
    • If you use a third-party provider for this service, such as MailChimp, you must say so in your Privacy Policy and link to that provider's Privacy Policy
    • If a customer withdraws consent you must pass that on to the third-party provider, or delete their information from the provider's systems yourself

It is good practice to always provide an unsubscribe link within all of your marketing messages.

Existing mailing lists

The GDPR may require small businesses to "refresh the consent" of the customers on their mailing lists if it isn't demonstrable that these customers provided consent previously.

If you are unsure that you could provide auditable proof that the customers on your mailing list have previously provided consent, as defined by the GDPR (i.e. clear, unambiguous, unbundled and opt-in), then it would be sensible to refresh this consent just to cover yourself.

This means you need to email everyone on your mailing list and ask them to opt in to remaining on your existing list. If a customer doesn't reply (or click the confirmation link, as appropriate) you must treat them as opted out. Your mail provider should be able to help you with this requirement - although, at the time of writing, support has been variable.
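As an added example (not code from the original post), the sketch below shows what "auditable proof of consent" and a "refresh consent" pass look like when written down as a small consent ledger: each subscriber carries a record of when, where and with what wording they opted in, the refresh pass picks out everyone whose record would not stand up as proof, and anyone who has not confirmed by the deadline is treated as opted out. The `notify_provider` hook is a hypothetical stand-in for whatever API your mailing provider actually exposes, and the three subscribers are constructed sample data.

```python
# Added example, not the original post's code. A minimal consent ledger for an
# email newsletter: record the evidence you would need to show an auditor, run a
# consent-refresh pass over anyone whose consent is not demonstrable, and treat
# non-responders as opted out. `notify_provider` is a hypothetical hook standing
# in for the third-party mailing provider's API.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional


@dataclass
class ConsentRecord:
    email: str
    opted_in: bool
    source: str                    # where consent was captured, e.g. "signup_form_v2"
    timestamp: Optional[datetime]  # when it was captured (None for legacy imports)
    wording: str                   # the exact text the subscriber agreed to
    affirmative: bool              # positive action by the subscriber, not a pre-ticked box
    unbundled: bool                # asked separately from T&Cs or a purchase


def is_demonstrable(rec: ConsentRecord) -> bool:
    """Would this record stand up as auditable proof of opt-in consent?"""
    return (rec.opted_in and rec.affirmative and rec.unbundled
            and rec.timestamp is not None and bool(rec.wording.strip()))


class MailingList:
    def __init__(self, notify_provider: Callable[[str, str], None]) -> None:
        self.records: Dict[str, ConsentRecord] = {}
        self.refresh_deadline: Dict[str, datetime] = {}
        self.notify_provider = notify_provider  # hypothetical provider hook

    def record(self, rec: ConsentRecord) -> None:
        self.records[rec.email] = rec

    def withdraw(self, email: str, now: datetime, reason: str) -> None:
        """Unsubscribe / Right to Object: opt out locally and tell the provider."""
        self.records[email] = ConsentRecord(email, False, reason, now, "", False, False)
        self.refresh_deadline.pop(email, None)
        self.notify_provider(email, reason)

    def start_refresh(self, now: datetime, days: int = 30) -> List[str]:
        """Return the subscribers who must be emailed and asked to opt in again."""
        to_ask = [e for e, r in self.records.items()
                  if r.opted_in and not is_demonstrable(r)]
        for email in to_ask:
            self.refresh_deadline[email] = now + timedelta(days=days)
        return sorted(to_ask)

    def confirm(self, email: str, now: datetime, wording: str) -> bool:
        """Subscriber clicked the opt-in link in the refresh email before the deadline."""
        deadline = self.refresh_deadline.get(email)
        if deadline is None or now > deadline:
            return False
        self.records[email] = ConsentRecord(email, True, "consent_refresh", now,
                                            wording, True, True)
        del self.refresh_deadline[email]
        return True

    def close_refresh(self, now: datetime) -> List[str]:
        """After the deadline, silence means opt-out."""
        expired = [e for e, d in self.refresh_deadline.items() if now > d]
        for email in expired:
            self.withdraw(email, now, "refresh_no_response")
        return sorted(expired)

    def active(self) -> List[str]:
        """Only subscribers with demonstrable consent may be mailed."""
        return sorted(e for e, r in self.records.items() if is_demonstrable(r))


def run_demo():
    """Walk three constructed subscribers through a refresh pass."""
    notified: List[tuple] = []
    ml = MailingList(lambda email, reason: notified.append((email, reason)))
    t0 = datetime(2018, 4, 1, tzinfo=timezone.utc)
    # Constructed sample data: one clean opt-in, one pre-ticked box, one legacy import.
    ml.record(ConsentRecord("alice@example.com", True, "signup_form_v2", t0,
                            "Yes, email me the monthly newsletter", True, True))
    ml.record(ConsentRecord("bob@example.com", True, "checkout_prechecked", t0,
                            "Keep me updated", False, False))
    ml.record(ConsentRecord("carol@example.com", True, "legacy_csv_import", None,
                            "", False, False))
    asked = ml.start_refresh(t0)
    ml.confirm("bob@example.com", t0 + timedelta(days=3),
               "Yes, keep sending me the newsletter")
    dropped = ml.close_refresh(t0 + timedelta(days=31))
    return asked, dropped, ml.active(), notified


if __name__ == "__main__":
    print(run_demo())
```

Only Bob and Carol are asked to re-confirm; Alice's record already has a timestamp, the wording she saw and an affirmative, unbundled opt-in. Bob clicks within the window and gets a fresh record; Carol never replies, so at the deadline she is opted out and the provider is told, which is the point of the fourth bullet above.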


Here is how the Guardian newspaper approached its existing mailing list when refreshing the consent of its readership:

Mailchimp, the largest provider of these kinds of services to the small business sector, has published a guide to its GDPR features and changes here.

Note: this approach applies to any form of list-based marketing, including postal and SMS.


Have concerns?

An alternative, more lenient route I have taken with one or two clients who have always respected their customers' choice (i.e. have never opted customers into marketing by default) is to send their subscribers an email that both tells them about the new Privacy Policy and explains that, since they chose to receive email from the company, this is an opportunity to unsubscribe if they wish.

I feel this is within the spirit of the law, if not the letter of the law, and for some small mailing lists seems less likely to decimate its readership, whilst still being respectful of choice and consent.

Suggested wording could be:

Hi, valued customer of ABC Widgets Ltd,

Things are changing a bit in the online world. From 25 May 2018 the new EU General Data Protection Regulation (GDPR) comes into effect across all member states (which still includes us right now). Basically, it creates a single set of rules to modernise data privacy laws across Europe.

To prepare for this change I have updated the Privacy Policy on my website, and that Policy is now active. It lays out how I treat your information and who I share it with when you use my website. You can read the policy here:

You are receiving this email because you chose to sign up for my newsletter in the past. If you disagree with my new Policy or no longer wish to receive my newsletters, please use the link at the bottom of this email to unsubscribe from future newsletters and correspondence - in that case, you won't hear from me again!

If you choose to stay subscribed, you can still unsubscribe at any future point by clicking the same link in any of my emails.

I hope you choose to remain subscribed, as this is a very personal site. I feel it's important to keep you updated with any {reasons to stay updated}.

Business owner name.