GDPR Marks The End Of The Wild West of Email Marketing In The EU

Consent… without it, many ‘growth hackers’ have invited themselves into the inboxes of unsuspecting prospects as a route to market or in a bid to build pipeline. As a business professional, particularly one who has a profile on this social network, you’ve probably been a recipient of one or more of these campaigns. As of the 25th of May, 2018, a huge wave of change coming as it pertains to consent, data protection and regulation with the introduction of the European Union’s new privacy law the General Data Protection Regulation. Litmus’ Bettina Specht explains, in this post, that GDPR aims to bring order to a patchwork of privacy rules across the EU. As GDPR is a regulation, not a directive, it has binding legal force and will be immediately enforceable as law in all EU member states. Greater consistency across European countries should be great news for all email marketers, but GDPR also comes with quite a few changes that impact the email industry.

It would be hypocritical of me to pontificate as someone who has never engaged ‘growth hacking’ tactics such as list building, list buying and the presumptive opt-in of prospects into various marketing programs. Early on in my career, it was standard practise. Those database building activities are considered BAU and even celebrated as a viable strategy in many early stage businesses. Some argue, as I have in the past, that for early stage, poorly funded organisations, it is a necessity for survival in highly competitive and crowded markets.

Before we delve into what the GDPR is going to mean for digital marketing going forward, it’s important to address what ‘consent-less’ digital (particularly email) marketing has given rise to.

3 Deadly Sins of Consent-Less Email Marketing


There has been a long standing debate in email marketing circles about the distinction between ‘cold emails’ and SPAM. A cold emails, so argues Justin Mcgill, is an email sent to a potential customer that has had no prior relationship with you.You can think of it like a cold call, but much less obtrusive. SPAM, in contrast, is defined by Comm100 as any email that meets the following criteria;

  • Anonymity: The address and identity of the sender are concealed
  • Mass Mailing: The email is sent to large groups of people
  • Unsolicited: The email is not requested by the recipients

Spamhaus contest that the word “Spam” as applied to Email means “Unsolicited Bulk Email”. Unsolicited means that the Recipient has not granted verifiable permission for the message to be sent. Bulk means that the message is sent as part of a larger collection of messages, all having substantively identical content.

Therefore, in their view, the message is Spam only if it is both Unsolicited and Bulk.

  • Unsolicited Email is normal email
  • (examples: first contact enquiries, job enquiries, sales enquiries)
  • Bulk Email is normal email
  • (examples: subscriber newsletters, customer communications, discussion lists)

The grey area between a cold email and spam only needs to be stated to be obvious especially in light of the fact that where the line falls has typically been decided on a company-by-company basis. In my opinion, it is an absolute necessity for marketers and salespeople to be able to reach out to potential customers, however because of the grey areas around consent, this has been subject to abuse. Some companies have even been sanctioned by their ESPs for their non-compliant email email practises.

Lazy Messaging

Due to the ability to draft anything and send it to ‘potential customers’, any collection of words and images, whether coherent or not, has been labelled as ‘content’ and subsequently delivered to prospects who, on average, have very specific problems they are trying to solve, for which they also have allocated budget. On more than one occasion, I have come across posts on my linkedin timeline where a peer in my network has shared how they were the subject of an unsolicited and irrelevant email or inmail.

The deliverability of messages, as long as you have the correct email address or budget, has led to a reduction in the quality of messages that are being crafted because it is simply a volume game. Most vendors employing the ‘email blast’ tactic have never done proper ideal customer profiling or spent time coming up with a unique point of view.

Poor Differentiation

The lack of differentiation is strongly linked to the commoditization of messaging. I cannot even begin to count the number of presentations I have sat through that begin with the statistic that ‘prospects are often 60% of their way through their purchasing decision before they ever speak to sales’, firstly that’s not true, but that’s another post altogether. The real challenge is that if everyone is saying the same thing and no one is coming up with a distinct point of view, that ‘fact’ simply becomes white noise. It does nothing to loosen the status quo, create urgency or uniqueness and certainly does not differentiate any vendor’s solution.

Commoditised messaging is spammy by nature and as it doesn’t add any value to the prospect, it often has the opposite intended effect of eliciting annoyance and at times outrage. Lack of a distinct point of view often leads to vendors having to compete purely on price, leaving consumers with very little in the way of choice.

My view is that GDPR will force the art and science of email marketing to mature. Brands will have to work much harder to define game-changing messaging, value propositions and go-to-market strategies. In the GDPR world, I do believe that content will regain its rightful place on the throne as King and customers will, once again, become the focal point of all marketing and sales departments.

The General Data Protection Regulation Email Cheat Sheet


GDPR touches several aspects of email marketing, especially how marketers seek, collect, and record consent. Here’s what every email marketer needs to know:


With GDPR in place, marketers will only be allowed to send email to people who’ve opted-in to receive messages. While this has already been the case in most European countries under the EU Privacy Directive, GDPR further specifies the nature of consent that’s required for commercial communication. Starting in May 2018, brands have to collect affirmative consent that is “freely given, specific, informed and unambiguous” to be compliant with GDPR.


The GDPR not only sets the rules for how to collect consent, but also requires companies to keep record of these consents.


Going forward, email marketers will have to change how they collect and store subscribers’ consent. But that’s only half of the story. GDPR also applies to all existing data. If your database includes subscribers whose permissions haven’t been collected according to the GDPR’s standards, or if you can’t provide sufficient proof of consent for some of your contacts, you might not be allowed to send email to those subscribers anymore.


GDPR not only comes with stricter regulations around consent and the use of personal data, but also with higher-than-ever penalties for businesses that don’t play by the rules. Non-compliance with GDPR can lead to fines of up to €20 Million or 4% of a brand’s total global annual turnover (whichever is higher). While it’s uncertain what amount authorities may fine those who break the laws, what is certain is that authorities won’t have the bandwidth to go after every brand that’s not fully compliant with GDPR. They will rely heavily on consumers to report breaches, and will likely focus their efforts on the most serious violations. That’s what happened in the wake of CASL. Enforcement efforts targeted egregious cases such as Compu-Finder, the Canadian training company that was slapped with a fine of CAD $1.1 million in 2015. According to authorities, Compu-Finder had sent emails without consent, as well as messages in which the unsubscribe mechanism did not function properly. Complaints about Compu-Finder accounted for 26% of all CASL complaints submitted against its industry sector.

What do you think?