GDPR Email Compliance

There are already plenty of good articles covering the collection/usage of email addresses under GDPR. Instead, this one focuses on how to make sure the actual email you send to these addresses is compliant; a surprising harbourer of additional liability.

DISCLAIMER: This article does not constitute legal advice, only my personal interpretation of how the GDPR will impact commercial email sending from a content perspective. Please feel free to comment if you have your own suggestions or disagree with my interpretations. This is as much about opening a dialogue than anything else.

At time of writing, there is still very little in the way of officially-sanctioned guidance specific to GDPR and email. Nevertheless, when it comes to compliance (and potential fines of up to 4% of annual revenue), many would agree that it's better to err on the side of caution when it comes to the interpretation of its wider statutes.

The full 88 pages of the GDPR text (final revision April 27th, 2016) may be fascinating bed-time reading, but I'm going to attempt to save you the dubious pleasure by highlighting here the fundamental issues and key clauses that I believe are likely to affect the content of email, and how you might stay on the right side of them.

So, let’s start with the fundamentals..

Some GDPR Basics

What is the GDPR for?

Fundamentally, it’s a European Union regulation for governing the processing (collection/storage/transfer) of personal data by companies.

It’s to replace Directive 95/46/EC from 1995 which provided guidance on how EU-member countries should deal with processing personal data. But because this was only a directive, each country could choose to ignore it and set their own rules (which they mostly did), leading to a hotchpotch of different rules across the EU i.e. a mess.

The GDPR is a Regulation, not a Directive, so it has to be adhered to by everyone. The intention is to bring the EU together and make the handling of personal data more transparent for everyone.

Who does it apply to?

1. EU-based companies processing the personal data of any natural person “regardless of whether the processing takes place in the Union or not.” (Article 3, Clause 1)


If you are a company based in the EU that sends email to anyone, the GDPR provisions apply.

2. Companies based outside the EU processing the personal data of EU “data-subjects” (i.e. persons) from the EU for “the offering of goods & services” or “the monitoring of their behaviour” (Article 3, Clause 2)


If you are a company outside the EU that sends commercial email to persons within the EU, the GDPR provisions will almost certainly apply.

What constitutes the "processing of personal data"?

The GDPR has a long list of definitions (and recitals) to try and lockdown its interpretation. The first two definitions deal with this:

"‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;" (Article 4, Clause 1)


"an online identifier" is the key term here. This could mean a simple email address but it could also mean any kind of unique personal identifier e.g. a cookie or other tracking code. In fact, Recital 30 elaborates on this and cites "cookie identifiers" specifically.

"‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;" (Article 4, Clause 2)


This pretty much covers all bases. If you have access to (store) or use any of the personal data in almost any way, it's counted as "processing".

So how to make sure your email is compliant?

Obviously a huge part of commercial email is the collection, management and storage of the contacts (email addresses) themselves. As mentioned before, there are many articles with this as the subject, and this article would be epic if I also picked out everything in the GDPR that could be related in some way to this; the 'processing' of email addresses is treated in the same way as any personal data, which is a wider field than what is being investigated here.

Here we're focussing on the actual emails themselves and what should and shouldn't be present within them, not who they should and shouldn't be sent to.

Content Items Under Scrutiny

The key content items in commercial email that are likely to trigger the GDPR are as follows:

  1. Subscription/Unsubscribe Policies
  2. Campaign Tracking Mechanisms (e.g. Pixels/Web-bugs)
  3. Cookies

Just mapping out all the GDPR's Recitals ('scene-setting' components) that have relevance for each, we can quickly see which has the potential for most damage (hint: it's cookies..):

Subscription/Unsubscribe Policies Campaign Tracking Mechanisms Cookies
Recitals 32, 39, 47*, 58, 59, 60, 61, 63, 64, 70 24, 26, 30, 39, 32, 42, 47*, 58, 60, 61, 63, 65, 69, 70 24, 26, 30, 32, 39, 42, 47*, 58, 59, 60, 61, 63, 65, 69, 70, 101, 108, 110

*Recital 47 contains an interesting absolution along the lines of what a person can reasonably expect their data to be used for: "The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest." This does seem to indicate only direct though, not passed to third-parties as per a great deal of cookie/tracking activity.

Nevertheless, we'll take a look at each and explore how GDPR-breaches might be prevented.

1. Subscription/Unsubscribe Policies

The well-known CAN-SPAM Act in the US essentially requires two things from an unsubscribe policy: 1) the way to unsubscribe is clear, and 2) unsubscribe requests must be honoured promptly (within 10 business days). It does not require an explanation of why the recipient is receiving the email in the first place (subscription policy).

Now although the GDPR hasn't been created for the handling of email specifically (nor does it mention it explicitly), its basic tenets suggest a far more in-depth approach to the unsubscribe policy is required.

Pre-described - The first thing to note is that the subscription policy and unsubscribe procedure should already have been described to the user "at the time when personal data are obtained" (Article 13, Clauses 1-2).

'Update Preferences' - Another key suggestion is that a simple one-click unsubscribe is not going to be enough. There are several Articles (15 thru 21) that lay down the rights of the subscriber. Without going into exact details, these include the right to details on how their data is being processed, the right to rectification (for them to correct their data), right to be forgotten (delete their data), and all should be available to them securely at any time. It seems a comprehensive 'Update Preferences' should replace the basic unsubscribe. It's worth noting that the security of such a section is also important to prevent personal data breaches (HTTPS at least).

Subscription Notice - It may be prudent to include some reminder notice as to how the recipient consented to the processing of his/her data in order to receive the email, perhaps in the vicinity of the Update Preferences link. The key clause (1) of Article 7 says that "Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data." Although it's not explicitly clear who this should be demonstrated to..

2. Campaign Tracking Mechanisms

In order for the standard email campaign metrics to be possible, certain tracking mechanisms have to be included in the email.

Historically, this has taken the form of an invisible 1x1 pixel image that relays information back to the provider that an email has been opened (providing the open-rate), along with any links first re-directed to the ESP for tracking, before going on to their final destination. Nowadays, most commercial emails contain some kind of visible image which they can attach tracking to, replacing the need for a hidden pixel.

Either way, all of this tracking is done without the knowledge (and probably consent) of the recipient; a big problem when it comes to the GDPR.

Most modern email clients do not load images in HTML emails by default, asking you if you want to proceed. What neither the clients, nor the emails themselves say is that loading these images subjects you to tracking and, ultimately, profiling - since the information is tied to your email address.

So how to address these concerns?

Pre-described - Again, to comply with the requirements of Chapter 3, Article 13, it would be safest (and most practical) to include information on how tracking and profiling will be applied to emails received by the subscriber, at the initial point of subscription.

Tracking Opt-out - There is provision in the GDPR to allow the user to selectively opt-out of personal data-processing for specific purposes that are not necessary for "the provision of a service" (Article 7, Clause 4) and "without detriment" (Recital 42). This could theoretically force providers to give the option of sending some emails with all tracking removed, at the request of the subscriber.

Tracking Notice - A clear notice could be added informing the recipient that loading the images and clicking any links will invoke personally-identifiable tracking and potential profiling. This could take the form of a link (un-tracked!) at the top of the email for "Tracking Information", linking to a page that lists everything that will happen.


Automated decision-making based on profiling has some of its own clauses that may require specific, separate consent if a recipient is going to receive different treatment (i.e. content) based on behavioral tracking/profiling.

3. Cookies

Already a focus for existing regulations when concerning websites (in the UK for example), yet cookie-setting via email is currently a very shady area. The GDPR is likely to thrust it into the light..

In our company's analysis of emails, we've noticed an incredible amount of privacy and data-collection concerns by way of hidden cookie-setting through links, images and more nefarious techniques.

What's happening?

Since the advent of HTML in email, email clients go through similar processes to those of the browser and will share local cookie storage with the web browser. Cookies can therefore be sent in an email transaction and then be accessed in a matching browser.

For our purposes here, there are two overarching cookie categories: Session and Non-session (aka Persistent).

Session cookies exist only in the temporary memory of a browser, lasting only as long as necessary for the duration of a website visit. They are unlikely to be personally identifying, and for all intent and purposes, fall outside GDPR's scope.

Persistent cookies are stored by the client/browser for longer periods and can be personally-identifying. These, and their dodgier 'pseudo-cookie' alternatives, are the ones we're looking for.

Potentially Problematic Cookie Types In Email

Cookies in links - A cookie is set when a user clicks on a link in the email. This is fairly standard practice but the user needs to be made aware that a cookie is being set by a notice on the link's resultant landing-page.

Cookies in images - A cookie is set when a remote image is retrieved (i.e. when the email is opened, or 'view images' is enabled in the client). With this method of cookie-setting, the user may have no way of knowing a cookie has been set at all.

ETAGs - ETAG headers form part of a standard HTTP Get request, and technically have nothing to do with cookies, but can be used for tracking purposes whilst conveniently skirting around any restrictive user cookie-policies (a 'pseudo-cookie'). A unique identifier inserted as an ETAG will be cached during the HTTP transaction and returned with any subsequent requests for the same resource. The tracking server then simply notes the information and refreshes it giving the effect of a cookie. In layman's terms, this means it can be used to bypass specific cookie legislation and still be used for tracking. This goes against pretty much all of the core principles of the GDPR.

Cookieless - The most nefarious group of 'pseudo-cookie', involves the 'cookie' being passed in even more subtle ways which are usually not detected or deleted in the same way as cookie history can be deleted in a browser. They are known generically as cookieless as they do not use the normal HTTP cookie mechanism and the use of any of these methods would be considered as unethical (and illegal under most legislations). Includes such things as Evercookies, HTML5 local-storage 'cookies', Flash 'cookies', 301 redirection Javascript 'cookies' and others. This is deliberately hiding tracking/profiling practices; there would be no way to explain the presence of these in your emails in any legitimate way.


Setting 3rd-party cookies using any of these methods will almost certainly compound any violations by invoking additional data-transfer (and potentially cross-border) clauses too.

So what to do?

Firstly, be fully aware of what you are sending. Many ESPs will use cookies to aide in their tracking and provision of metrics. Affiliate-networks, often the worst offenders in terms of privacy violations, have been known to use the shadiest techniques out there for hidden tracking and profiling.

Once you've found out what's going into your emails, you can then take the steps towards compliance (and get rid of what you can't live with..):

Legitimate Cookies Only - This kind of goes without saying, but using any of the 'pseudo-cookie' categories is a bad idea..

Reasonable Cookie Duration - We have analysed emails that set persistent cookies lasting decades. This is clearly in violation of several provisions revolving around not keeping the information for any longer than is necessary to serve the agreed purpose, including Article 5 (clause 1e), Article 17 (clause 1a) and Recital 65.

Pre-described - Once again, pre-emption is a good place to start. This means including information on the cookies that will be set by emails received by the subscriber, at the initial point of subscription. It would have to include additonal information on all 3rd-parties involved.

Cookie Opt-out - As with other types of tracking, there should be the option to selectively opt-out of personal data-processing for specific purposes that are not necessary for "the provision of a service" (Article 7, Clause 4) and "without detriment" (Recital 42). In cookie terms, this would mean the ability to opt-out of anything that is not essential for the session (i.e. session-cookies).

Cookie Notice - Again as with other types of tracking, a clear notice could be added to the top of an email informing the recipient that loading the images and clicking any links will set certain cookies. This could take the form of a link at the top of the email for "Cookie Information", linking to a page that lists everything that will be set.

Key Takeaways

There are three words that come to the fore when studying the GDPR:

Transparency - Consent - Protection

On the basis of this, you may have noticed a pattern emerging when considering how to resolve the email content components that deal with personal data under these tenets.

With that in mind, here are my key takeaways to mull over for your email compliance programs:

  • Disclose everything at point of subscription.
  • Reminder notices wherever possible.
  • Provide opt-out for all non-essential tracking/profiling.
  • Provide secure access to all opt-in preferences at all times.
  • HTTPS for everything.
  • And finally.. know exactly what you are sending!

Many organisations may not even realise what is being included with the emails they send, but as with all things GDPR - ignorance is not a defense.

I’ll close with the advisory words of Recital 74:

“the controller [the company handling the data] should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures.”

With that said..

Cookies & Tracking Compliance Testing

Email Cookies & Tracking Compliance Testing

Built Into All SendForensics Solutions