Compliance GDPR

How can marketers stay compliant with the GDPR?

Feb 12, 2025 | Time to read 10 min read
How can marketers stay compliant with the GDPR?
By purchasing through the links on this page, you are giving us the opportunity to earn a commission. Your support is greatly appreciated!

User data collection is essential to help marketers understand how they can improve their marketing strategies and the user experience. However, if your business operates in the European Union (EU), you must ensure that data is handled responsibly and in compliance with the General Data Protection Regulation (GDPR).

Companies that fail to comply can face severe fines or penalties, ranking from thousands to millions of euros or even a ban on processing. For example, Amazon received a €746 million fine for failing to obtain user consent for targeted advertising. To avoid financially damaging costs, it’s important to learn all about the necessary compliance measures.

In this article, we’ll explain how the GDPR impacts marketing organizations. We’ll also cover what companies can do to ensure compliance with the GDPR for different marketing strategies.

Ensure GDPR compliance in marketing on Shopify
CheckmarkFree plan available
CheckmarkCustomizable cookie banner
Try TinyCookie

The importance of GDPR in marketing

The GDPR is an obligatory regulation to comply with if your organization processes the data of European Union (EU) citizens for marketing purposes. It ensures that EU users are more aware of and have more control over how their data is used by companies.

Here are the main reasons why GDPR compliance is important for companies that focus on marketing:

  • Boosts transparency. Companies can increase transparency for their customer base when they comply with the GDPR. According to the GDPR Recital 58, transparency refers to concise and easy to understand or access information. This is especially important because, according to research by Privacy Engine, 48.1% of people are concerned about their online data privacy and around 35% are somewhat concerned.
  • Increases user privacy. Since the GDPR Article 32 requires securing the collected user information, companies must apply the necessary measures, such as encryption and an incident management strategy.
  • Builds customer trust. By following GDPR requirements and being transparent, companies can ensure their customers trust them more. In fact, as Statista found, 39% of people believe that providing clear information about data handling practices would help build trust.

How does GDPR affect marketing?

GDPR requirements for marketers can be confusing. However, we prepared a list of everything you need to know about how GDPR affects marketers:

1. Data permission for collection and processing

Sending marketing emails to just any user without their explicit permission isn’t compliant with the GDPR. Under Article 7, companies must obtain freely given and informed consent from users before handling their data.

This means you shouldn’t just hand over pre-ticked consent boxes during signup or otherwise assume consent. Instead, the user must tick the box themselves without coercion. Here’s an example of how the Candle World offers a subscription option to their newsletter:

Newsletter subscription form example

The only exception is the refer-a-friend program. In this case, when a user enters their friend’s email address, the company can contact them but only for a one-time notification about the offer.

If you use the email address for further promotional emails or data collection without the friend’s consent, it’s considered a violation of the GDPR.

2. Data withdrawal options

Under the GDPR Article 17, the data subject has a right to object and a right to erasure (or a right to be forgotten). While the right to object data collection is typically non-negotiable, the right to erasure can be requested in the following cases:

  • It’s no longer necessary for the original collection or processing purpose.
  • The lawful basis for processing was the user’s consent and the user withdraws their consent.
  • The organization collects data due to legitimate interest but the user objects to it, and the organization fails to prove that its interests outweigh the user’s privacy.
  • The organization processes personal data for direct marketing purposes but the user objects to it.
  • Unlawful personal data processing.
  • Personal data erasure complies with a legal ruling.
  • The organization collected a minor’s personal information to provide them with their services.

In cases where the user wants to object to data collection, you must provide an “unsubscribe” link under each marketing email you send to the user. Here’s an example of how it looks like under Netflix emails:

Email unsubscription link example

You don’t have to provide a button that instantly unsubscribes to all emails. You can open the customer profile and allow users to manage the emails they want to receive themselves. Let’s take a look at how Netflix does it below.

Email preference management example

Users cannot opt out of account updates because they’re sent in order to fulfill a contract or provide a service. However, they can choose whether they want to receive membership offers or other emails.

3. Legal processing basis

Processing personal data must have a defined legal basis under the GDPR Article 6. To put it simply, legal basis refers to the justification for an organization’s data processing practices. It can include:

  • Explicit consent – the user (data subject) provides explicit consent for data processing.
  • Contractual obligation – specific data processing is essential to fulfill a contract when the user is one of the parties, like an email address.
  • Legal obligation compliance – data processing is required to comply with legal requirements.
  • Vital interests of the user – data processing is essential in emergency situations, for example, to protect the physical safety of the user.
  • Task in the public interest – processing is required to carry out a task in the public interest, like a local government using data for public health research.
  • Legitimate interests – when a company or third party requires processing for their legitimate interest that outweighs the user’s privacy and rights.

In marketing, the most common legal basis is explicit consent. Under such a legal basis, marketers need to get informed and freely given approval for sending newsletters, marketing emails, or delivering targeted ads.

4. Data subject rights

Marketing companies that process personal user data must ensure they follow the rights of data subjects outlined in the GDPR Chapter 3. They include:

  • Right to know. You must inform users in clear and simple language about the data collection and processing practices of your organization that affect them.
  • Right to access. Data subjects have the right to request access to or a copy of the data that your organization has collected.
  • Right to rectification. Users can request to rectify their data if it’s inaccurate or incomplete.
  • Right to erasure (right to be forgotten). Marketers must erase user data upon request in cases of unlawful handling, legal obligation, data processing of a minor, and due to consent withdrawal.
  • Right to object. Data subjects have the right to object data processing for direct marketing purposes.

If you want to ensure users don’t immediately object to data processing, it’s important to be completely transparent with your practices. This includes informing users of what data is collected, why it’s collected, and under what legal basis. Marketers should also focus on limiting data collection to only what’s necessary.

5. Contextual advertising

Heavy reliance on user data, including personalized ads and user profiling, is becoming a challenge due to GDPR restrictions. That’s why marketers are starting to get into contextual advertising.

Contextual advertising is used to display ads for users based on the website’s content rather than the collected personal data about the user. This advertising method eliminates the need to obtain user consent because user data isn’t collected.

It doesn’t mean that collecting user data for marketing purposes will be prohibited under the GDPR. However, it’s highly likely that it’s going to be much harder for marketers to obtain user consent.

6. Email marketing

Email marketing is an essential part of many businesses. According to research by Forbes, around 81% of companies use email for their marketing strategy. Yet, with the growing importance of GDPR compliance, there are some steps that need to be taken.

For starters, marketers have to gain explicit consent to send users marketing emails. Some companies do this with a double opt-in method. This includes sending the user an email asking to confirm the subscription. Here’s an example below.

Double opt-in email example

If the user doesn’t click the button, the company doesn’t include the email in the subscription list.

Further on, each marketing email should come with an “unsubscribe” link. That’s because, under the GDPR Article 21, users have the right to object data processing at any time.

7. Cost of non-compliance

Some organizations overlook GDPR compliance until Data Protection Authorities (DPAs) enforce it. If the company hasn’t had compliance issues before and didn’t harm users in any way, it may get a warning first. But GDPR fines and penalties also include:

  • Administrative fines for less serious violations, like not adhering to the lawful basis for processing or not having a Data Protection Officer (DPO). The fine can be up to €10 million, or 2% of the firm’s global annual revenue from the previous financial year (whichever is higher).
  • Administrative fines for serious violations, like user rights violations or data breaches. The fine can be up to €20 million, or 4% of the firm’s global annual revenue from the previous financial year (whichever is higher).
  • Ban on personal data processing when an organization adopts unlawful data handling practices.

There are many companies that have already faced large fines for non-compliance. For example, according to Reuters, LinkedIn was fined €310 million euro for processing data for advertising purposes without explicit consent. You can find more examples in our Biggest GDPR fines post.

7 practical steps to comply with GDPR for marketing

GDPR compliance for marketers is almost no different from general requirements. Here are the main steps you need to follow to guarantee compliance with the GDPR:

  • Audit user consent. Since the GDPR Article 7 requires obtaining freely given consent, make sure you go through your mailing list and can account for every opt-in. If you can’t, it’s best to remove those users from your mailing list to avoid violating the GDPR and getting fines.
  • Document how you collect data. Monitor where you’re getting the user consent from, such as newsletter subscriptions or third-party integrations. Make sure you list all personal data that is collected and know how it’s used and where it’s stored.
  • Determine a legal basis for processing. Make sure you state the legal basis for processing in your privacy policy. Marketers often use the user's consent or legitimate interest as a lawful basis.
  • Create opt-in and opt-out methods for emails. Even if users have opted in to receive marketing emails, they have the right to withdraw consent whenever they want. So, make sure you create proper opt-in and opt-out methods in place, such as a double opt-in process and an “unsubscribe” link.
  • Update your privacy policy. Review your privacy policy and ensure it includes transparent information about how the user’s data is used for marketing or advertising purposes. Disclose any information about third-party access to data and how users can withdraw consent.
  • Create a clear data management system. Users can request to exercise their rights at any time, so ensure you create a secure data management system.
  • Get consent for advertising cookies. If your organization uses non-essential cookies on its website, you must gain explicit user consent before processing their data. This is usually achieved with a cookie banner.
Adopt a cookie banner on Shopify in one click
CheckmarkFree plan available
CheckmarkOne-click setup
Try TinyCookie
× Enlarged Image

Frequently asked questions

Under the GDPR, organizations must inform users about data collection and processing practices in an easy-to-understand and transparent manner. They must also obtain explicit consent specifically for marketing purposes.

Yes, the GDPR Register states that direct marketing requires obtaining user consent. However, there are some exceptions. For example, the ePrivacy Directive allows sending marketing emails (on an opt-out basis) if the user’s email address was obtained during a product/service sale.

In the marketing cloud, GDPR requires businesses to acquire freely given consent from users in order to use their personal data for marketing purposes. In terms of marketing cloud platforms, organizations must ensure that they collect and process data in compliance with the GDPR.

About the author
Kristina Jaruseviciute
Kristina Jaruseviciute
Kristina is a Senior Writer at TinyCookie, where she specializes in providing educational content for readers interested in web cookies and compliance. She covers an extensive scope of subjects, from cookie types, definitions, and tutorials to compliance tips for website owners.