Why GDPR Compliance Transforms Email Marketing from Risk to Competitive Advantage

GDPR compliance is essential for any organization marketing to EU residents, but it is far more than a regulatory burden—it is a strategic framework that produces measurably better email marketing outcomes. Organizations that embrace GDPR’s consent-first model build email lists composed entirely of recipients who have actively chosen to hear from them, resulting in higher open rates, stronger click-through engagement, and lower spam complaint rates than lists built under opt-out models. The regulation’s emphasis on transparency and data subject rights creates the kind of trust that sustains long-term customer relationships and differentiates brands in competitive markets.

The consequences of non-compliance are severe and have been enforced aggressively since GDPR took effect in May 2018. Supervisory authorities across EU member states have issued billions of euros in cumulative fines, with penalties reaching up to €20 million or 4% of global annual revenue, whichever is higher. These penalties apply to any organization processing EU residents’ data, regardless of where the organization is headquartered—a U.S. company emailing European contacts faces the same obligations and potential penalties as a Berlin-based enterprise. Beyond regulatory fines, GDPR violations damage sender reputation with ISPs, erode customer trust, and can trigger formal complaints to data protection authorities that result in investigation and public enforcement action.

Key GDPR Principles That Govern Email Marketing

According to the GDPR-info.eu email marketing guide, email marketing must adhere to six foundational principles that shape every aspect of how organizations collect, store, and use personal data for commercial communications:

Lawfulness, Fairness, and Transparency: Every email marketing operation must have a valid legal basis—either explicit consent or, in limited B2B contexts, legitimate interest. Organizations must communicate clearly and honestly about how they will use personal data, what types of emails recipients will receive, and how frequently they will receive them. Burying marketing consent in lengthy terms of service or using pre-checked opt-in boxes violates this principle.

Purpose Limitation: Email addresses collected for one specific purpose cannot be repurposed for unrelated marketing without obtaining separate consent. An address collected for order processing does not automatically authorize newsletter sends, and an address provided for a webinar registration does not grant permission for ongoing product promotion unless the consent form explicitly states this purpose.

Data Minimization: Collect only the data necessary for your stated email marketing purpose. Requiring recipients to provide their phone number, company size, job title, and mailing address to subscribe to a newsletter violates data minimization if the newsletter only needs an email address. Every additional field must be justified by a specific, documented processing need.

Accuracy: Keep personal data accurate and up to date. Use email verification to identify invalid addresses, process bounce notifications promptly, and provide recipients with easy mechanisms to update their information. Inaccurate data wastes resources and may result in emails reaching unintended recipients.

Storage Limitation: Do not retain personal data longer than necessary for your stated purpose. Implement data retention policies that define specific timeframes for how long subscriber data is kept after the last engagement, and automate the suppression or anonymization of records that exceed these retention periods. Holding email addresses indefinitely without active engagement violates this principle.

Integrity and Confidentiality: Protect personal data with appropriate technical and organizational security measures. This includes encrypting subscriber databases, restricting access to email marketing systems, securing API connections between your CRM and sending platforms, and implementing access controls that limit who can export or modify subscriber data.

Consent Requirements: The Foundation of GDPR Email Marketing

GDPR requires explicit, informed consent before sending marketing emails. According to the UK Information Commissioner’s Office (ICO) guide to electronic mail marketing, valid consent must meet five specific criteria that together ensure the recipient has made a genuine, informed choice:

  • Freely Given: Consent must not be tied to other terms, services, or conditions. Pre-checked boxes do not constitute valid consent, nor does bundling marketing consent with a service agreement where the recipient has no realistic choice but to accept. The recipient must be able to decline marketing without losing access to the product or service they are requesting.
  • Specific: The recipient must understand exactly what they are consenting to—which organization will send emails, what types of content they will receive, and through which channels. A generic “I agree to receive communications” checkbox is insufficient; consent must specify email marketing as a distinct purpose separate from other processing activities.
  • Informed: The consent request must explain who will send the emails, what content the recipient can expect, and approximately how often they will receive messages. This information must be available at the point of collection—not buried in a separate privacy policy page that the recipient must navigate to independently.
  • Unambiguous: Consent requires a clear affirmative action—checking an unchecked box, clicking a subscribe button, or typing an email address into a subscription form. Silence, pre-checked boxes, or inactivity do not constitute valid consent. The action must be deliberate and unmistakable in its meaning.
  • Documented: Organizations must be able to demonstrate when and how consent was obtained for every recipient on their marketing list. This means recording the date and time of consent, the specific form or mechanism used, the version of the privacy policy in effect, and the exact language presented to the recipient at the point of collection.

GDPR vs. CAN-SPAM: Understanding the Fundamental Differences

GDPR and CAN-SPAM represent fundamentally different regulatory philosophies toward commercial email, and organizations that send to both U.S. and EU audiences must understand these differences to avoid compliance gaps:

CAN-SPAM (United States): An opt-out model—organizations can send commercial emails to any recipient who has not previously unsubscribed. No prior consent is required before the first send. The law focuses on how emails are sent (accurate headers, physical address, functional unsubscribe) rather than whether permission was obtained before sending. Penalties are assessed per non-compliant email (up to $53,088 each).

GDPR (European Union): An opt-in model—explicit consent must be obtained before sending any marketing email. The recipient must take a clear affirmative action to agree, and that consent must be documented, specific, and as easy to withdraw as it was to give. Penalties reach up to 4% of global annual revenue or €20 million, whichever is greater—making GDPR the most consequential email compliance regulation for organizations operating internationally.

If your organization emails both U.S. and EU audiences, GDPR’s stricter opt-in requirements should set your baseline standard for your entire email program. Applying GDPR-level consent practices universally eliminates the risk of accidentally sending to EU contacts without proper consent and produces higher-quality engagement metrics from all audiences—since every recipient on your list has actively chosen to receive your messages.

Implementing GDPR Compliance in Salesforce

Salesforce provides several native tools that support GDPR compliance when properly configured. According to Salesforce’s data protection and privacy documentation, the platform includes purpose-built features for managing consent, processing data subject requests, and enforcing email suppression based on consent status:

Individual Object: Salesforce’s Individual object stores data privacy preferences, consent records, communication preferences, and data processing history for each person. This object links to Contact and Lead records, providing a centralized view of each individual’s consent status, the date consent was obtained, and the specific permissions they have granted—creating the documented consent trail that GDPR requires.

Consent Management: Track consent status, the date it was obtained, the mechanism used to collect it, and the specific permissions granted. Use custom fields on Contact and Lead records to store consent date, consent source, and the privacy policy version in effect when consent was given. This documentation is essential for demonstrating compliance during regulatory audits or data subject inquiries.

Email Opt Out Field: The standard Email Opt Out field (HasOptedOutOfEmail) on Contact and Lead records blocks mass email sends to opted-out recipients. This field serves as the enforcement mechanism for consent withdrawal—when a recipient withdraws consent or objects to marketing, checking this field ensures that all native email sends are suppressed automatically at the platform level.

Data Export: Export individual data to fulfill data subject access requests (DSARs). GDPR grants individuals the right to receive copies of all personal data held about them, and Salesforce’s data export tools allow organizations to compile and deliver this information within the required 30-day response window.

Data Deletion: Delete or anonymize records to fulfill erasure (“right to be forgotten”) requests. When a data subject requests deletion, organizations must remove or anonymize their personal data from Salesforce while potentially retaining anonymized business data for reporting purposes. Document your deletion process and train staff to handle these requests promptly and consistently.

Data Subject Rights That Directly Affect Email Marketing

GDPR grants individuals specific rights over their personal data that directly impact how organizations manage email marketing lists, process unsubscribe requests, and handle personal information. Under GDPR Article 21 (Right to Object), data subjects have an absolute right to object to direct marketing processing at any time, and organizations must stop immediately, with no exceptions or balancing test required:

Right to Access: Individuals can request copies of all personal data you hold about them, including email addresses, engagement history, segmentation data, and consent records. Organizations must respond within 30 days with a complete, intelligible copy of the requested data. For email marketing, this means being able to extract and deliver all subscriber-related data from Salesforce, including campaign membership, email activity logs, and preference center selections.

Right to Rectification: Individuals can request corrections to inaccurate personal data. In email marketing, this commonly involves updating email addresses, correcting name spellings, or modifying preference center selections. Organizations should provide self-service mechanisms where recipients can update their own information directly, reducing the administrative burden of processing individual correction requests.

Right to Erasure: Individuals can request deletion of their personal data (the “right to be forgotten”). For email marketing, this means removing the subscriber’s record entirely or anonymizing all personal fields while retaining anonymized engagement data for aggregate reporting. The request must be fulfilled within 30 days, and the deletion must extend to all systems where the data is stored—including backup systems, analytics platforms, and third-party integrations.

Right to Restrict Processing: Individuals can limit how you use their data while a dispute or request is being resolved. In practice, this may mean continuing to store their data but suspending all marketing sends until the restriction is lifted—requiring workflows that can suppress specific contacts from active campaigns without deleting their records.

Right to Object: Individuals can object to direct marketing at any time, and organizations must stop processing immediately—there is no balancing test or business justification that overrides this right. This is the broadest and most absolute of the marketing-related rights, requiring that all email marketing to that individual cease the moment an objection is received.

Right to Withdraw Consent: Withdrawal of consent must be as easy as giving consent was. If a recipient subscribed with one click, they must be able to unsubscribe with one click. Process unsubscribe requests immediately—do not require login credentials, multiple confirmation steps, or surveys before processing the withdrawal. Any delay or friction in consent withdrawal is a direct GDPR violation.

Implementing GDPR-Compliant Email Marketing Step by Step

Building a GDPR-compliant email marketing program requires intentional design at every stage of the subscriber lifecycle—from initial collection through ongoing communication to eventual unsubscribe or data deletion:

Double Opt-In: Send a confirmation email after signup that requires the recipient to click a verification link before being added to your marketing list. Double opt-in creates documented, verifiable proof of consent that is nearly impossible to dispute—the confirmation click, timestamped and logged, demonstrates that the owner of the email address actively confirmed their subscription. While GDPR does not strictly require double opt-in, it is the industry best practice and the strongest form of consent documentation available.

Clear Signup Forms: Use a separate, unchecked consent checkbox specifically for marketing—never bundle marketing consent with terms of service acceptance or account creation. The checkbox label must clearly explain what the recipient is consenting to: who will send emails, what type of content they can expect, and approximately how often. Include a link to your privacy policy directly adjacent to the consent mechanism.

Consent Records: Store a complete audit trail for every consent event: the date and time of consent, the URL or form where consent was collected, the exact wording of the consent request, and the version of the privacy policy in effect at that moment. This documentation must be retrievable on demand—regulators may request proof of consent for any individual on your marketing list at any time.

Privacy Notice: Provide a clear, accessible privacy notice at the point of data collection that explains how personal data will be used, how long it will be retained, what rights the data subject has, and how to exercise those rights. The notice must be available before consent is given—not as a post-collection disclosure.

Easy Unsubscribe: Include a clear, functional unsubscribe link in all email templates. Process withdrawal immediately upon click—do not require login, multiple confirmation steps, or completion of surveys before honoring the request. GDPR requires that consent withdrawal be as easy as consent was to give, meaning that if subscription required one click, unsubscription must also require no more than one click.

GDPR Compliance Across Email Campaign Types

Different email campaign types require specific approaches to GDPR compliance, and understanding these distinctions prevents both over-restriction of compliant communications and under-protection of data subject rights:

Mass Email Campaigns: For mass email campaigns, verify consent status before including any contact in the send list. Use list filters and automation rules to include only contacts with documented, current consent—excluding records where consent has expired, been withdrawn, or was never properly obtained. Every send must check consent status at the time of execution, not rely on the status recorded when the campaign was originally planned.

Drip and Nurture Campaigns: For multi-step email automation sequences, ensure that the original consent explicitly covers automated email series—not just a single message. Build automation workflows that check consent status before each step in the sequence and immediately exit contacts whose consent has been withdrawn. A contact who withdraws consent after the second email in a five-email drip must not receive emails three through five.

Sales Prospecting Sequences: Outbound B2B prospecting sequences may use “legitimate interest” as a legal basis instead of explicit consent in some cases. However, you must document a legitimate interest assessment demonstrating a genuine business reason, that email is necessary (not just convenient) to achieve it, and that the processing does not override the individual’s rights. Even under legitimate interest, recipients can object at any time, and you must stop immediately.

Triggered Automated Emails: Marketing-triggered automated emails require consent just as batch campaigns do. Transactional emails sent for contract performance (order confirmations, shipping notifications, account updates) may not require separate marketing consent, but they must not contain promotional content. Including a promotional upsell in an otherwise transactional email transforms it into a marketing message that requires consent.
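The send-time consent check described for mass campaigns, drip sequences and triggered emails above, combined with the consent audit trail from the step-by-step section, as an added example in Python (not MassMailer’s or Salesforce’s code). Contact data, the form URL and the consent wording are constructed; HasOptedOutOfEmail is the standard Salesforce field named earlier, and the two-year retention window is an assumed policy value.

```python
# Added example (not MassMailer or Salesforce code): replay a consent audit trail
# and gate each send at execution time. Sample data and all names except the
# Salesforce field HasOptedOutOfEmail are constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

MARKETING, TRANSACTIONAL = "marketing", "transactional"
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current time"

@dataclass
class ConsentEvent:
    kind: str                 # granted | confirmed | withdrawn | objected
    at: datetime
    source: str = ""          # URL or form where the event was captured
    wording: str = ""         # exact consent text shown to the recipient
    policy_version: str = ""  # privacy policy version in effect at the time

@dataclass
class Contact:
    email: str
    has_opted_out_of_email: bool = False  # Salesforce HasOptedOutOfEmail
    events: List[ConsentEvent] = field(default_factory=list)
    last_engagement: Optional[datetime] = None

def consent_state(c: Contact) -> str:
    """Replay in time order; the latest event wins. 'granted' alone is an
    unconfirmed double opt-in; withdrawal or Article 21 objection ends consent."""
    state = "none"
    for e in sorted(c.events, key=lambda e: e.at):
        if e.kind == "granted":
            state = "unconfirmed"
        elif e.kind == "confirmed" and state == "unconfirmed":
            state = "active"  # verification click completes double opt-in
        elif e.kind in ("withdrawn", "objected"):
            state = "none"
    return state

def may_send(c: Contact, msg_type: str, now: datetime, promotional: bool = False,
             retention: timedelta = timedelta(days=730)) -> Tuple[bool, str]:
    """Check consent when the send executes, not when the campaign was planned."""
    if msg_type == TRANSACTIONAL and not promotional:  # an upsell makes it marketing
        return True, "contract performance: no marketing consent needed"
    if c.has_opted_out_of_email:
        return False, "HasOptedOutOfEmail set: suppressed at platform level"
    state = consent_state(c)
    if state != "active":
        return False, f"no confirmed consent (state={state})"
    last = c.last_engagement or max(e.at for e in c.events)
    if now - last > retention:  # storage limitation: suppress, then anonymise
        return False, "retention window exceeded"
    return True, "documented, current consent"

def build_send_list(contacts: List[Contact], msg_type: str, now: datetime, **kw) -> List[str]:
    return [c.email for c in contacts if may_send(c, msg_type, now, **kw)[0]]

def trail(days_ago: int, confirmed: bool = True, version: str = "pp-2024-03") -> List[ConsentEvent]:
    """Constructed signup trail; the form URL and wording are placeholders."""
    form, text = "https://example.com/newsletter", "Yes, email me the monthly newsletter"
    granted = ConsentEvent("granted", NOW - timedelta(days=days_ago), form, text, version)
    confirm = ConsentEvent("confirmed", granted.at + timedelta(minutes=5), form, text, version)
    return [granted, confirm] if confirmed else [granted]  # double opt-in click 5 min later

def sample_contacts() -> List[Contact]:
    return [
        Contact("confirmed@example.com", events=trail(40), last_engagement=NOW - timedelta(days=3)),
        Contact("unconfirmed@example.com", events=trail(2, confirmed=False)),
        Contact("withdrawn@example.com", events=trail(30)  # exited a drip mid-sequence
                + [ConsentEvent("withdrawn", NOW - timedelta(days=10), "unsubscribe-link")]),
        Contact("flagged@example.com", has_opted_out_of_email=True, events=trail(30)),
        Contact("stale@example.com", events=trail(1100, version="pp-2021-01")),
    ]
```

Running `build_send_list(sample_contacts(), MARKETING, NOW)` yields only the confirmed, recently engaged contact, while the same list with `TRANSACTIONAL` admits everyone unless `promotional=True` is passed.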

Legitimate Interest as a Legal Basis for B2B Email Marketing

B2B email marketing may rely on “legitimate interest” instead of explicit consent in certain circumstances, but this alternative legal basis carries its own documentation and compliance requirements that many organizations underestimate. To use legitimate interest, you must conduct and document a legitimate interest assessment (LIA) that demonstrates three elements: there is a genuine, identified business purpose for the processing; email marketing is necessary to achieve that purpose (not merely convenient); and the processing does not override the individual’s privacy rights and interests. The assessment must be conducted before sending and documented in writing. Even with a valid legitimate interest basis, recipients retain the absolute right to object to direct marketing at any time under GDPR Article 21—and when they object, you must cease processing immediately with no exceptions. Many organizations find that obtaining explicit consent is simpler to manage operationally than maintaining legitimate interest documentation, conducting assessments for each marketing initiative, and defending those assessments during regulatory inquiries.

How GDPR Compliance Directly Improves Email Deliverability

GDPR compliance actually produces measurably better email deliverability outcomes because consent-based lists are composed entirely of recipients who actively chose to receive your messages. This self-selection produces higher open rates, stronger click-through engagement, and dramatically lower spam complaint rates compared to lists built under opt-out models—all of which are positive signals that ISPs use to evaluate sender reputation and determine inbox placement. Track email metrics, including open rates, to measure engaged audience health, and use email analytics to monitor performance trends that indicate whether your consent practices are producing the expected engagement improvements. Organizations that transition from opt-out to opt-in models typically see initial list size reductions of 30–60% but experience engagement rate increases that more than compensate, generating equal or greater revenue from a smaller, more engaged audience.

GDPR Compliance Checklist for Email Marketing

Before launching any email marketing campaign targeting EU residents, verify every element against this compliance checklist. GDPR compliance requires attention at every stage of the subscriber lifecycle—from collection through communication to eventual deletion:

  • Consent obtained with clear, affirmative action (unchecked checkbox, active subscription)
  • Consent records documented with date, time, mechanism, and privacy policy version
  • Privacy notice provided at the point of data collection, before consent is given
  • Unsubscribe mechanism is easy, functional, and completes in one click
  • Process established to handle data subject requests (access, rectification, erasure) within 30 days
  • Data retention policy defined, documented, and enforced through automation
  • Consent status verified before each marketing send—not just at list creation time
  • Third-party data processors have appropriate data processing agreements in place

AppExchange Solutions for GDPR-Compliant Email Marketing

Native Salesforce provides foundational GDPR tools, but the 5,000 daily email limit and basic consent tracking may not meet all compliance needs for organizations with complex marketing programs. AppExchange solutions like MassMailer provide enhanced consent management with automated compliance checks that verify consent status before every send, preference center options that give recipients granular control over their email experience, automated unsubscribe handling that processes consent withdrawal in real time, and comprehensive email integration with Salesforce data that ensures consent enforcement flows automatically into every campaign. Use campaign management to track compliance metrics across all active programs and identify campaigns where consent coverage may be incomplete.

Key Takeaways

  • GDPR requires explicit opt-in consent before sending marketing emails to EU residents—no exceptions for existing customer relationships without proper consent
  • Penalties can reach €20 million or 4% of global revenue—compliance is mandatory for any organization processing EU residents’ data
  • Document consent comprehensively with records of when, where, how, and under which privacy policy version it was obtained
  • Respect data subject rights, including access, erasure, objection to marketing, and consent withdrawal—process all requests within 30 days

Ready for GDPR-compliant email marketing? MassMailer delivers consent management, easy unsubscribe handling, and email template tools with compliance elements built in. Send confidently 100% native to Salesforce with best-in-class capabilities.
