Email Marketing and the GDPR

The General Data Protection Regulation (GDPR) is a new European privacy law that became enforceable on May 25, 2018. The GDPR is intended to harmonize data protection laws throughout the European Union by applying a single data protection law that is binding throughout each member state.

Does the GDPR Apply to You?

The GDPR applies to all organizations established in the EU and to organizations that process the personal data of EU data subjects in connection with either the offering of goods or services to data subjects in the EU or the monitoring of behavior that takes place within the EU. Personal data is any information relating to an identified or identifiable natural person, including their email address. You should consult with legal counsel regarding the full scope of your compliance obligations.

Making Your Sign-Up Forms GDPR Compliant

Critical Impact puts the power in your hands when it comes to your email marketing efforts and has made tools available in our system for your convenience. However, we don’t control your data, so there are and will be actions you need to take on your side to ensure your own GDPR compliance. For example, when you provide a form for people to subscribe to your emails, there are some key requirements you must meet, such as:

  • Clearly describe how you are going to use the data that subscribers provide.
  • Your form must have an active opt-in checkbox that is unchecked by default.
  • Let subscribers know how they can opt out at any time.
  • Include links to the terms of service and privacy policies.

Sending Emails Under the GDPR

Make sure you have permission and the proper proof of opt-in before sending to subscribers in the EU. Any email automation also needs to use EU subscriber data in a compliant manner.

Make Sure Your Data is Processed Safely

It’s important that your email marketing platform can process data securely. Critical Impact is certified under the EU-US Privacy Shield. This allows Critical Impact to transfer personal data among the European Union countries, Switzerland and the United States, while still meeting data protection obligations under the GDPR. Critical Impact’s certification can be found on the EU-US Privacy Shield website: https://www.privacyshield.gov/list.

Please note that this material is provided for your general information and is not intended to provide legal advice.
