GDPR and How Compliance Can Improve Your Email Marketing

March 13, 2018

There’s been a lot of buzz around the General Data Protection Regulation (GDPR), the new EU regulation that governs how individuals and companies may collect, use, store, and delete the personal data of people in the European Union (EU).

If you have subscribers in the EU, you are responsible for following these rules even if you operate outside the EU. Now let’s face it, nobody likes change, and new laws tend to limit what you can do. But the reality is that the GDPR is good for email marketing, and it will actually help improve your campaigns.

At its core, GDPR is about giving people more control over their personal data and how others are allowed to use their data. For email marketing, that means providing more transparency and clearer consent agreements when signing up new subscribers.

Even before GDPR, MailerLite always required its users to be transparent with subscriber opt-in. So the good news is that your email practices shouldn’t change much since our current terms and anti-spam policies are already quite strong. That said, there are a few new features that we will implement to ensure that you have all the right tools to comply to GDPR.

In this blog post, we want to help you better understand how GDPR specifically affects your email marketing.

If you handle customer data beyond email marketing or use other third-party tools that collect data, you should definitely check out the full set of regulations and talk to legal experts to ensure you understand the full extent of compliance.

Why You Need to Care About GDPR

Every time you collect an email address, a name, a home address or a phone number, you are obtaining someone’s personal data. If any of those people are in the European Union, you must adhere to the new rules. But don’t stress! We’ll explain the basics and provide some tips to help you transition.

The GDPR was developed to modernize the current EU data protection laws with a stronger focus on an individual’s rights and privacy. While some of the legislation is stricter and the penalties for non-compliance are tougher, the ultimate goal is to improve trust in the digital ecosystem.

4 Fundamental GDPR Rights

To that end, people in the EU have several rights that help them take more control of their own data, and you have matching obligations. Here are the ones that matter most for email marketing:

  1. Right to erasure (the “right to be forgotten”) gives someone the power to ask you to delete the personal data you hold about them. Handling it takes more than an unsubscribe button: you must remove the person’s data from your databases and from any other system or third-party tool you have shared it with, and keep a record that you did so.
  2. Right of access lets subscribers ask exactly what data you hold about them, how you are using it and for what purposes. If a request is made, you must provide a copy of their personal data at no cost to them, normally within one month.
  3. Breach notification is mandatory under the GDPR. This is an obligation on you rather than a right: you must report a personal data breach to your supervisory authority within 72 hours of becoming aware of it, and tell the affected individuals without undue delay when the breach is likely to put them at high risk.
  4. Right of portability lets people request a copy of their data in a “structured, commonly used and machine-readable format”, so you need to be able to produce such a file for any subscriber.

MailerLite already lets you download a subscriber’s data to answer an access or portability request. As shown in the screenshot below, you can export subscriber data to PDF (Print) or to a JSON file (a common machine-readable format for transferring data).

Export subscriber data GDPR

Now that each individual has the power to request or delete their data, you need to think about what data you really need and what data you can live without. The more data you collect, the more you have to document, secure and be able to find quickly when a request arrives.

If you prefer to collect a lot of customer data for your marketing initiatives, it’s important to note that the GDPR definition of personal data is far-reaching and includes things like behavioral data, IP addresses, biometric and financial data, to name a few. Basically, anything that can be linked to an identifiable individual is personal data.

Consent is More Important Than Ever

Marketing to people who have given their consent is a best practice that we believe is one of the foundations of successful email marketing. If you’ve been building your list by getting user consent first, then GDPR will not change your lives much.

On the other hand, if you have old lists or market to people who have not given proper consent, it’s time to change your practices. Although you might not grow as fast as you want, the long-term results will be much better, not to mention you will also be complying with the GDPR.

Consent is a big deal under the GDPR. It must be freely given, specific, informed and unambiguous, and given by a clear affirmative action. For email marketers that boils down to two things: consent must be active and explicit.

  • Active consent means your subscribers must initiate the consent. Pre-ticked checkboxes that the user has to untick no longer count; the user must tick the checkbox (or take an equivalent deliberate step) themselves.
  • Explicit consent means that you clearly communicate exactly what the user is agreeing to, what data you are collecting and what you will use it for.

Beyond being as transparent as possible in your consent forms, you must keep a record of every subscriber’s consent. The burden of proof is on you to show that the individual consented to your terms, so the record should capture who consented, when, from where (for example the IP address) and the exact wording of the form they saw. One way to strengthen that record is double opt-in, where the subscriber confirms by clicking a link in an email: it adds a second time-stamped action to the trail.
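The record keeping described above, as an added example that is not part of the original post and not MailerLite’s product code: a minimal consent ledger in Python that refuses a sign-up with no affirmative action, fingerprints the exact form wording, issues an HMAC-signed single-use double opt-in token, and produces the machine-readable export and the erasure that the rights listed earlier require. The secret key, the email addresses, the IP addresses and the form text are constructed placeholders.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, Optional

# Constructed placeholder: in production load this from a secrets store.
SECRET_KEY = b"replace-with-a-real-secret"


@dataclass
class ConsentRecord:
    """Everything needed later to show who consented to what, when and how."""
    email: str
    purpose: str            # what the subscriber agreed to receive
    form_version: str       # SHA-256 of the exact wording shown on the form
    signup_ip: str
    signup_at: str
    confirmed_ip: Optional[str] = None   # filled in by the double opt-in click
    confirmed_at: Optional[str] = None


def form_fingerprint(form_text: str) -> str:
    """Hash the consent wording so each record points at the text actually shown."""
    return hashlib.sha256(form_text.encode("utf-8")).hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


class ConsentLedger:
    def __init__(self, secret: bytes = SECRET_KEY) -> None:
        self._secret = secret
        self._records: Dict[str, ConsentRecord] = {}
        self._pending: Dict[str, str] = {}  # email -> nonce awaiting confirmation

    def _sign(self, nonce: str, email: str) -> str:
        msg = f"{nonce}:{email}".encode("utf-8")
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def signup(self, email: str, purpose: str, form_text: str,
               ip: str, checkbox_ticked: bool) -> str:
        """Record a sign-up and return the confirmation token to email out.

        A pre-ticked box, or a form submitted without ticking, is not an
        affirmative action, so no record is created at all.
        """
        if not checkbox_ticked:
            raise ValueError("no affirmative action; consent not recorded")
        email = email.strip().lower()
        self._records[email] = ConsentRecord(
            email=email, purpose=purpose,
            form_version=form_fingerprint(form_text),
            signup_ip=ip, signup_at=_now())
        nonce = secrets.token_urlsafe(16)
        self._pending[email] = nonce
        return f"{nonce}.{self._sign(nonce, email)}"

    def confirm(self, email: str, token: str, ip: str) -> bool:
        """Double opt-in: verify the signed, single-use token from the email link."""
        email = email.strip().lower()
        nonce, _, sig = token.partition(".")
        expected = self._pending.get(email)
        if expected is None or nonce != expected:
            return False                      # unknown, already used, or wrong nonce
        if not hmac.compare_digest(sig, self._sign(nonce, email)):
            return False                      # signature does not match: forged link
        del self._pending[email]              # token is single use
        rec = self._records[email]
        rec.confirmed_ip, rec.confirmed_at = ip, _now()
        return True

    def may_send(self, email: str) -> bool:
        """Only confirmed subscribers get mail; an unconfirmed sign-up is not consent."""
        rec = self._records.get(email.strip().lower())
        return rec is not None and rec.confirmed_at is not None

    def export(self, email: str) -> Optional[dict]:
        """Access / portability: the full record as plain data, or None if unknown."""
        rec = self._records.get(email.strip().lower())
        return asdict(rec) if rec else None

    def export_json(self, email: str) -> Optional[str]:
        """The same record as a structured, machine-readable JSON document."""
        data = self.export(email)
        return json.dumps(data, indent=2) if data is not None else None

    def erase(self, email: str) -> bool:
        """Right to erasure: drop the record and any pending confirmation token."""
        email = email.strip().lower()
        self._pending.pop(email, None)
        return self._records.pop(email, None) is not None
```

The design choice worth noting is that the ledger stores a hash of the form text rather than a form ID: if the wording of your sign-up form changes, old records still prove exactly what those subscribers agreed to. Keeping `may_send` tied to the confirmation timestamp also means an address that was imported or submitted but never confirmed is never mailed.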

Revalidate All Your Subscribers

If you are not sure that the people on your current lists gave consent or you don’t have a record of it, the onus is on you to revalidate all of your EU subscribers now.

MailerLite makes it easy for you to revalidate with a new GDPR template. You can simply go to Create New Campaign > Template Gallery > GDPR Template to find the pre-built template. We created the template with specific text to help you explain GDPR with a focus on revalidating your subscribers.

Here is a look at the GDPR template from MailerLite:

MailerLite GDPR Email Template

When your recipients click the “Stay On List” button, they are automatically moved to a new GDPR subscriber group within your MailerLite account. The “Unsubscribe” button will unsubscribe the person from your list.

The text throughout the template, including the button text, can be edited to fit your specific needs.

Log in to access the GDPR template.

What MailerLite is Doing to Help You With GDPR

At MailerLite, we have been following the GDPR developments since the regulation was adopted in 2016. One advantage of being based in the EU is that we are able to stay ahead of new European developments, and we are not required to self-certify under the EU-US Privacy Shield as US-based providers are.

As we mentioned earlier, our current policies are not changing much because we have always believed in more transparency when obtaining subscribers. That said, there are a few features and changes that we are working on to help you deal with some of the new rules:

  1. We are reviewing all of our consent forms and making improvements to make it easier for our customers to be more explicit and to facilitate active opt-in.
  2. We are making sure that all of our current features are optimized to help our customers adhere to GDPR.
  3. We are considering new features that will help customers comply such as other data portability functionality and detailed data reporting.

When you are transparent and respect every individual subscriber like they are part of your family, your email marketing will succeed. That is what we have always believed, and in the long run, the GDPR will help more organizations build trust and improve the digital marketplace for everyone.

If you have specific questions about how GDPR affects your email marketing or have suggestions on how we can improve MailerLite for GDPR compliance, we want to hear from you!

*The GDPR applies, and will be enforced, from May 25, 2018.

*This blog post is for informational purposes and is not legal advice.


  • Michal Holaň

    you said “Beyond being as transparent as possible with your consent forms, you must keep a record of every subscriber’s consent.”

So what is your solution for recording this activity? How will you give us proof that our subscribers agreed to GDPR rules in our form?

For example, MailChimp has a solution here:

    MailChimp will also keep a record of what each version of your form says, so you’ll always know exactly which fields were present on a form when it was submitted by a subscriber, and you can prove consent if the need arises.

    more here:

    I would like to use mailerlite but I need to be sure that everything will work and I will have proof about that.

    Thanks for reply :)

    • Ignas Rubezius

      Hey Michal,

      Thanks for your question!

      MailerLite also has records for each sign up, including timestamps, IP address and more. We are working on some additional features that will help you prove consent if the need arises.

      Today we just released the first set of features/tools to help you prepare for the GDPR. More stuff is coming soon.

  • Matt

    What if the customer calls you and gives you his/her email and says they would like to receive newsletter? Not all calls are recorded in our organization. How can you prove that?

    I however feel that this is just all too hyped up. If you have a good email list without spam complaints and open rates of 40% and above nothing will change…

    • SD Cobley

If you get consent verbally and record your calls you must be able to find that call to prove consent. If you don’t record your calls and you get consent you should ask the customer to back this up. For example you could have an enquiry form on your website that gives them an explicit choice which, once they have completed it, sends an email to you. Or you could just email them and say, hey, you said it is OK for us to send you an email newsletter, but could you just agree to this in writing please. Don’t forget there’s a reg called PECT which will also be changed this year to ePrivacy law... again both require consent (that has to be proved).

  • FWA

    First of all, thanks MailerLite for being proactive here.

Our mailing list began over 17 years ago and has transitioned from one company to another and now resides with MailerLite.

    So, most of those original sign-up proofs will be lost.

    Thus, we will need to re-validate subscribers.

    Is there a way we can just target EU members of our mailing list?

We’re naturally worried we will lose a big percentage of subscribers, and what will be frustrating is to lose subscribers who are not even in the EU.

    Thanks in advance for any support here!

    • Matt

      I believe you need a proof of sign up from May 25th on. If the subscriber was on the list prior to that date the old system is still valid and the subscriber can just unsubscribe. They can however still request you send them all the data you hold on them even prior that date.

      It’s true that some info about GDPR is confusing and I think MailerLite is just rather playing it safe than sorry.

      • FWA

        Thanks for that. Fingers crossed we don’t need to re-validate.

        • Matt

          We definitely won’t. Also the majority of people don’t know about GDPR and won’t even bother. It’s just another cookie hype of 2013 and in reality nothing changed just the banners are mandatory…

          • rick_harris

            I’m afraid ignorance is not going to stand up in court! As with any other law!

          • Matt

            @rick_harris:disqus Oh please. The GDPR was made for serious offender not for the lists with 40% + open rates and 0.00% spam complaints. Speaking about ignorance just have a look at your disqus profile…

          • rick_harris

            Apologies, Matt – perhaps I did not explain my comment sufficiently. The point I was trying to make is that if an email recipient is not aware of the law change (i.e. ignorant of it, not meant in an insulting way) but a company mails them anyway, that would still be illegal regardless of their lack of awareness. Trust this clarifies, and again no offence intended.

      • rick_harris

        sorry, Matt, but that is simply not the case I’m afraid. See my earlier comment for why previous sign up is not enough to comply with GDPR.

    • Ignas Rubezius

      You should check how many subscribers without proof you have and target only those with the re-validation. You could send the re-validation a few times before May 25th.

      If you have data with customer countries, you could target only EU. However, if you would rely on the IP data we have in MailerLite, it wouldn’t be 100% correct.

      But don’t worry, I’m sure that you can find the proof for most of your subscribers. Contact us if you need help with that. Every case is different and requires attention. You can also contact lawyers for legal advice.

      • FWA

        Hi Ignas!

        Thanks for your reply.

        We have found the database dump from Thindata whom we used for our previous subscribers, who were all double opt-in. This was received just before we transitioned to MailerLite.

        Could we possibly email you with a screenshot of a section of the file to see if you feel we have enough evidence of validation already?


  • Piotr Żakowski


Short question. I collect only e-mail addresses (no name, no home address, no phone number). Is it obtaining someone’s personal data? Do I have to be GDPR compliant in such a case, or can I leave everything as it was so far? Thank you in advance for your reply.


    • rick_harris

      yes – personal data includes email address – it is identifiable, that is the criteria. You will need to be GDPR compliant.

    • Taste Tripper

      It only counts if their email includes identifying information. If, for example, their email is and that’s all you have then you don’t need to worry. But if it’s then it is identifiable. Probably better to be safe than sorry.

      • Piotr Żakowski

        Thanks for your reply.

    • Ignas Rubezius

      If you “collect e-mail addresses” as you say – it’s already OK. The problem would be if you would be buying lists without permission.

      So the only thing you have to do now is to make sure that your subscribe forms clearly state how you will use those emails and what you’re going to send.

  • Kendra

    Thank you for this information. I had a question about explicit consent and where it says that newsletters and promotions cannot be on one form. Specifically, a common practice is to use a freebie opt-in to collect email subscribers – will this be disallowed under the new rules since the subscriber would be receiving the opt-in AND being added to an email marketing list at the same time?

    • Ignas Rubezius

      Great question!

      I think, it’s important to let the users know how and where their data will be used. It means that it should clearly be stated that they will get the freebie and also other newsletters from the company.

      • EllenF

        I had the same question about explicit consent. I already put a notice beneath the opt-in form saying they’ll also get a free subscription to my newsletter, but that is 2 actions at the same time.

  • Does this mean I should send the template before or after May 25? And starting May 25th will I have to worry about new subscribers? Or do I need to send this out every quarter

    • Ignas Rubezius

      You should send the re-validation email ONLY if you don’t have any proof that your subscribers gave you permission to send them emails.

      The best proof is the double opt-in. However, it’s not required by the GDPR. It should be enough to have the date and IP. However, no one is sure how providing evidence will work, because GDPR doesn’t give any clear format.

  • Matthew Graham

    Great to read a practical and hands-on summary. Many thanks for such a well-written article.

  • Tracie Podger

    The fact someone has signed up is not enough evidence of consent? Do we get a ‘copy’ of that initial signup as evidence? Does this mean everyone on our list prior to May needs to be revalidated? I have more questions than answers now ha ha

    • rick_harris

      yes – it absolutely does, assuming you wish to comply with the law – see my comment above

    • Ignas Rubezius

      The fact that someone signed up is an evidence. You should back it up by the date and IP. Moreover, it’s even better if it was double opt-in.

      GDPR doesn’t give a clear format how the evidence has to be provided.

      • Tracie Podger

        I can’t tell you how many people I’ve had in the past who will swear on a life or the bible they didn’t sign up! I don’t do list builders, all my signups are organic so the only way they got there was by opting in, twice! So, someone signing up isn’t enough evidence. How do I back it up by the date and IP? Is that information stored somewhere on Mailerlite?

        • Ignas Rubezius

          We already show the date and it’s also included in the export file. We will add the IP soon.

  • Cloudtexo

    Great article. Mailerlite rocks and seems they have the best platform for marketeers and solving GDPR headaches!

  • kpitonak

Cool-cool-cool post. Thank you for the short summary/explanation. Thank you for the app. Keep rockin’!

  • rick_harris

    Sorry to disappoint a number of people earlier in this thread, but to be clear, having subscribers signed up before May 25th does NOT give you carte blanche to carry on mailing them. This is because GDPR extends the rights and protections EU citizens will have after this date, that they did not before.
    Unless you can be certain that the T&Cs that they signed up to in the past are compliant with GDPR in the future (which is very unlikely, hence the reason why new laws are being brought in), you will indeed need to reconfirm all subscribers via opt-in.
    Reading comments below like “the majority of people don’t know about GDPR and won’t even bother” is simply not going to stand up to legal scrutiny

    • Ignas Rubezius

      That’s right, it will affect not only new subscribers after May 25th but also all your current subscribers.

      If you didn’t buy lists and the subscribers opted-in using webforms, you don’t need to worry. For example if you used MailerLite webforms, so you have all the data when they subscribed. If the form was on other system, most probably you can still get the data.

      You should re-validate your subscribers ONLY if you don’t have data when and how they subscribed.

      GDPR didn’t set any format how you should provide the data. It just says that you should be able to prove that users subscribed by themselves.

Hi there, thanks for all the information provided here, really useful. I have one question though. I went through the post and comment thread, but maybe I missed it.

        We collect emails in various ways. Some we imported from Mailchimp when we transitioned here. Most we got from various subscribe forms, prize games, coupons, and some via our web store when people make the purchase (checkbox option). All emails were obtained legally.

We regularly merge obtained emails (various lists) into our “main” list. Now... when I export the .csv (regarding the proof), I only get the Subscribed date, and most of the dates are the same, for example the same date for a couple of thousand emails in a row.


        Is there a way to filter out emails where the subscribe data is not clear? Yes we can check subscriber individually one by one, it shows all the data, but can´t do this for all 40K+ emails.

        Is there a way to filter out any unclear emails, so we send the compliance only to those? Do you have a solution that we can use, how to filter them out?


  • Tuulia Järvinen

    Is it possible to make a workflow to GDPR-list so when people click “Stay On list” they’ll automatically receive an email with specific content? I guess there’s no such a group before sending the revalidation, at least not on my account.
    So, how can I do this?

    Many thanks,

    • Ignas Rubezius

      The group will be automatically created by MailerLite as soon as you send the email and someone clicks.

      • Tuulia Järvinen

Okay, thanks! Meaning, I could create the group myself first by clicking it myself, then create a workflow for it and only then send it to the real list? Did I get it right?

        • Ignas Rubezius

          You can just use the template and send to your list. The group will be automatically created if you use the GDPR template. That is a special template and it has a feature to create a group based on click.

  • Aivar

    OK. I’ll send the revalidation email out, but over half of the recipients don’t even bother to choose their side, what then? What, if the majority only reads the sent emails and don’t react? Do I have to erase those who do not respond at all?

    • I’m afraid you will need to erase those who didn’t open. You need the consent for every usage of personal data. After the 25th of May you can’t send anything to those people who haven’t given the consent.

      • rick_harris

        exactly correct, Igor

        • Does that include people that you KNOW for certain are not EU citizens, or is it for everyone on your list?

  • Perry Wilson

    Thanks for this. What happens to the subscribers who don’t open the email? Or do open it but don’t click on one of the buttons. We all have these subs. I see this as an opportunity to clean my list, but that will only work if people unsubscribe/subscribe. If they ignore the email, will the fact that it was sent be enough to meet the requirements? Also, is there a way to target the emails to subscribers in Europe only if all I collect is the email address?

    • Ignas Rubezius

      You can send re-validation email a few times before May 25th just to make sure that more people will open it.

      Send the re-validation ONLY to subscribers where you don’t have any proof of their consent. Don’t send if they subscribed through a webform on your website.

      Yes, it’s a great opportunity to clean your list.

      There is no 100% correct way to target only EU if you collect only emails.

      • How do you send it ONLY to people whose consent you don’t have proof of? How do you figure out which subscribers those are and what targeting can you use to determine that information and then choose them as the recipients?

        • Ignas Rubezius

          How do you collect your subscribers?

          • All subscribers since I joined Mailerlite were acquired via Mailerlite forms. But I moved my list here from Mailchimp a year ago and not all information transferred into this account (I still have the original csv files with all the exported information). And I still transfer over some Mailchimp subscribers because Mailchimp integrates with Instafreebie, so I still have those accounts connected.

          • Ignas Rubezius

            If you have subscribe dates of each subscriber and you know that they came through Instafreebie that should be enough. No need to do the re-validation.

Keep in mind that I’m not a lawyer. But I have read a lot about GDPR.

            The thing is that it’s not 100% clear how it will work. I hope that more information will come from EU with detailed examples and real cases soon after May 25th. Moreover, I believe that there won’t be any fast penalties and etc. Most probably the EU will start just with some warnings and give time to fix things.

            The goal of GDPR is to stop spam. So, if you’re sure that you’re sending with user permission – you will be OK. You will find the needed proof or will fix things in your sign up process if needed.

          • rick_harris

            The goal of GDPR is much wider than just stopping spam, Ignas, albeit I appreciate from Mailer Lite’s perspective, that is your main concern.
            But the goal is data privacy and security – how organisations acquire, hold and manage people’s personal information – it’s way more than email.

  • Thank you for the post and the tools that can help us in this matter!

    My first question is this: if I have a form with double opt-in enabled and a user subscribes today, is it enough, is it the consent or I still need to reconfirm this user because there was no active consent (no checkbox)?

    And the second question: in the Subscriber profile I can see the source but there is no information was it single or double opt-in. Does it mean I need to revalidate all my subscribers?

  • Peťka

    Hello, a few questions:
    – will you make possibility of more confirmation checkboxes? To mark: newsletter / promo/ agreement with terms and conditions
    – if you will have more confirmation checkboxes, is it possible to categorize who marked just terms and conditions and who marked also newsletter?
    – situation now: if I have a form (landing page) with confirmation checkbox: where can I found the information that the contact (person) came via landing page with confirmation checkbox?
    – where can I find that the contact did double opt-in?
– now when I make a landing page with a confirmation checkbox, it is necessary to mark it. But I think it is not correct for GDPR – I think there must be a possibility to finish without marking the checkbox. Will you do something with it?
    Thank you for answers.

  • Barbara Rath

    Thanks for the information!

  • Laszlo

    Great summary of what to do to align with the GDPR and great tool you offer to make sure you do align with!

I was missing only one bit of information: the GDPR refers to EU citizens rather than those actively living in the EU. For example, if Ignas, the founder of MailerLite, decides to move to Argentina and subscribes to Argentinian newsletters, those newsletters have to comply with the GDPR as well. As there is no way of knowing who is an EU citizen, my advice would be to ask everybody on your list to restate that they want to be subscribed to your list.

  • Laura

    Thanks for the heads-up. When you say ‘you can’t include multiple items such as newsletters and promotions in one form’, where do you draw the line? Say you send your subscribers some kind of tips once a week. That’s a newsletter. I suppose linking to your own posts from a newsletter is not considered promotion.

    But is using affiliate links considered promotion? And is sending text emails about product launches (like your own ebooks) or occasional discounts considered promotion?

  • Laura

    Does the reconfirmation email need to mention the GDPR law at all? The GDPR template seems so formal and I’d rather change it to something way more casual like ‘hey, you haven’t opened my emails in a while, do you still want to receive my emails?’ (that’s one case) and then add the yes or no buttons…

    • Ignas Rubezius

      The reconfirmation emails don’t need to include anything about the GDPR. You just need to have some proof that the user subscribed to your newsletters. No one really knows what will be considered as proof. I think that having a signup date and IP address should work. If you send re-validation campaign you will get the date of clicking YES and also the IP address.

      Moreover, if you do the re-validation campaign you minimize the risk of someone complaining to authorities about your emails. And even if someone complains, you will be able to prove that he or she clicked YES.

      • Laura

        Thanks, Ignas! Where exactly is the IP address? Because I cannot see it in the ‘Subscriber profile’. Or is this something you keep secret and only provide in case it’s needed?

        • Ignas Rubezius

          We plan to make it visible in a few weeks.

  • Andrej Makarovic

    Hi, thank you for being proactive, this GDPR is really pain in the ass if I am quite honest and nobody still knows how it will work, BUT, I want to take an advantage of it and I hope it will help clean our databases and make them more ordered. So here is a question: If I have a customer who doesn’t have an e-mail and phone number, how can I put her into your database (Name, Lastname)? The second question is: if our customer gives us his data (with written approval), will I be able to import him into a mailerlite database and use his e-mail or I will have to revalidate him again? I am asking this because there could be a mass of doubled or tripled actions on each customer and I want to prevent this (so the customer wouldn’t have to sign a paper, and then again confirm over e-mail … several websites … )
    I was also considering to use your system to check all our customers, is there any option so you could approve a customer if he signs with electronic signature, is there a possibility to keep this signature somewhere?
    This project could expand your offer of services, so it would be great if you also consider to check all customers and not only those with e-mail.

    Thank you!

  • Jason Baldry

    As others have said it is this bit that concerns me most.. “Beyond being as transparent as possible with your consent forms, you must keep a record of every subscriber’s consent.”

    We gather subscribers via a form on a squarespace website that links to a google sheet and then through zapier we populate the list. How do we have proof other than their name and email appearing on a google sheet? I really don’t like double opt-in. I want them to sign up and then get a nice email welcoming them.

    • Jason Baldry

      also. how do ever move to another mailing list service in the future. How does that proof carry over when you have to export to csv and import?

I tried sending out the email template and the links do not work. Was I supposed to connect them in a special way? It ends up being a 404 error when clicked.

  • Maher Ben Chagra

    Thanks for the heads up. Could you please add a french GDPR template ?

  • Stephanie Fiteni

Is it possible to add the checkbox required by GDPR in MailerLite? I can’t seem to find the feature. Will it be added?

    • Ignas Rubezius

      Checkboxes are not required by GDPR if it’s a sign up for your newsletter. You need a checkbox in other forms like registration to your service or a contact form. Those forms are not directly for newsletter, but if you also want to use the data for marketing, then you add a checkbox and ask permission.

  • jacques

When we started to work with MailerLite we uploaded about 16K email addresses from our customers and people who had signed up to our newsletters. Therefore they were all opt-ins. Over the last 2 years about 7K have unsubscribed or bounced. We now find ourselves with a list of about 11K that we must confirm and validate (we will use your template to do so). In this process I am sure that we will lose a fairly large number of subscribers. Not necessarily based on the merit, or lack of it, of our newsletters or customer relationship, but just by the process itself. From now to the 25th of May people will receive numerous confirmation forms from a large variety of sources. It will be so easy for people to just answer « No » or « Unsubscribe » and not be bothered by the whole process.

Therefore I think it would be fair and balanced if MailerLite would consent to our using the email addresses of the people who had unsubscribed in our previous campaigns. This should be allowed only for the validation email. Since this is a process of validation we want all the people with whom we had contact to express their choice clearly. So instead of sending the confirmation message to 11K email addresses and losing a percentage of those, we could send the confirmation message to 17K email addresses; we will lose people for sure, but we might also recuperate some of the people who had unsubscribed before for whatever motivation. Could such an approach be considered by MailerLite?