6 Myths about the GDPR and Email Marketing Debunked

Update 5/16/18: We now have Data Processing and Security Terms available.

The General Data Protection Regulation (GDPR) goes into effect on May 25, 2018.

Thousands of sources have published their “expert” advice about the law and how it applies to email marketing over the past several months.

But here’s the thing: Much of their advice is wrong or misleading — and it’s causing a lot of misunderstanding, confusion and fear among small businesses and entrepreneurs around the globe.

So, we decided to set the record straight.

We’ve already covered the steps you can take to help prepare for the GDPR. (Great news! If you’re an AWeber customer, you’re probably already doing a lot of those things.)

In this post, however, we’ll dispel some of the most common myths about the GDPR and email marketing. Use this information so you can confidently move forward.

Disclaimer: This blog post is for informational purposes only, and you should not consider it legal advice. We recommend that you seek legal and other professional counsel to determine exactly how the GDPR might apply to you.

Myth #1: “I need to send a re-engagement email to all of my existing subscribers to reconfirm consent.”

One myth we see everywhere is the idea that you must have all of your subscribers reconfirm their consent in order to be compliant with the GDPR.

This is false. Sort of.

Here’s the deal: It all depends on whether you can prove consent from your subscribers, or have another lawful basis for processing their data under the GDPR.


If you are relying on consent to determine lawfulness, ask yourself these three questions:

  1. Did my subscribers opt in to my list, and can I prove it?
  2. On my sign up form, did I clearly explain how I’d use subscribers’ data and what content I’d send them? Can I prove it?
  3. Can my subscribers unsubscribe from my list as easily as they subscribed?

To prove you received consent, you should keep the following three data points:

  1. The date and time the subscriber opted in
  2. The source of the opt-in (e.g., www.mywebsite.com, “Added via API”)
  3. A screenshot of the data collection mechanism (i.e., your signup form or landing page)

You can find the opt-in date, time, and signup source in the subscriber details within your AWeber account.

To prove you clearly explained how you’d be using data and what content you’d send to subscribers, save a copy or screenshot of the signup form you used to collect their personal data.

Now, let’s say you imported your list from another email service provider (ESP). In this case, your AWeber subscriber details won’t show the original opt-in source. You may be confident that your list subscribed in a compliant way through your old ESP, but confidence isn’t proof: export and keep the opt-in date, time, and source from that provider while you still have access to it. If that information isn’t available from your previous ESP, you probably can’t prove consent and should consider sending a re-engagement email.

Finally, let’s quickly touch on the third question: “Can my subscribers unsubscribe from my list as easily as they subscribed?”

The short answer: If you’re using AWeber, your subscribers already have the ability to unsubscribe on their own using the “Unsubscribe” link in the footer of all your emails. You can also make the unsubscribe option more obvious by adding it within the text of your email messages.

Here’s an example from Ann Handley’s bi-weekly newsletter, which I also shared in my previous post:

“I can prove consent. Hooray!” 👍

If you answered “yes” to all three questions above, thumbs up: you’re able to prove consent and can continue to engage your subscribers.

“I can’t prove consent. Bummer.” 👎

If you answered “no” to any of the three questions, and you can’t prove consent otherwise, then you should probably send a re-engagement email or delete those subscribers from your email list.

Here’s a sample re-engagement email you can send your subscribers. You can use AWeber’s Click Automations to tag subscribers who click the link to confirm their consent.

Subject: Still interested in receiving emails from me?

Hi there!

I hope you’ve been enjoying the content I have sent you, like {Insert all of the types of content you send (e.g., newsletters, sales, product info, etc.)}.

If you’d like to continue receiving emails from me, click the link below:

{Keep me on the list – LINK}

If you confirm your subscription, we’ll continue sending you:

  • {Insert a list of all of the things you plan to send to subscribers on this list}

Not interested anymore? That’s alright. If you don’t click the link above, we’ll take you off our list and stop emailing you. You can also unsubscribe here. (Note: Hyperlink the word “here” to the personalization token {!remove_web} in your email message.)

Thanks, and have a great day!

{Your Name}

In addition to confirming consent, you can also use your re-engagement email to create better segments of your subscribers, using AWeber’s Click Automations feature.

For example, let’s say you send a newsletter as well as product information to your subscribers. You can add multiple links within your re-engagement email to allow them to opt in to receive different types of content. When subscribers click any of the links, you can tag them appropriately and send them more targeted emails.

Here’s a sample re-engagement email that has multiple options:

Subject: Still interested in receiving emails from me?

Hi there!

I hope you’ve been enjoying the content I’ve been sending you, like {Insert all of the types of content you send (e.g., newsletters, sales, product info, etc.)}.

If you’d like to continue receiving emails from me, click one of the links below:

  • Keep sending me the newsletter {tag with gdpr-newsletter}
  • Keep sending me product information {tag with gdpr-productinfo}
  • Keep sending me both {tag with gdpr-newsletter and gdpr-productinfo}

Not interested anymore? That’s alright. If you don’t click any of the links above, we’ll take you off our list and stop emailing you. You can also unsubscribe here. (Note: Hyperlink the word “here” to the personalization token {!remove_web} in your email message.)

Thanks, and have a great day!

{Your Name}

As a general best practice, wait about seven days after sending a re-engagement email before deleting any subscribers who do not click the link(s) to reconfirm their consent.

Myth #2: “I need to add GDPR checkboxes to all of my signup forms.”

Another rumor floating around is that you need to add checkboxes to your signup forms in order to be GDPR compliant. Some are even calling these “GDPR-friendly signup forms.”

This is false. The GDPR does not require checkboxes; they are one optional way to capture consent.

Nowhere in the GDPR does it state that you need to add checkboxes to your signup forms.

What it does say, however, is that you need to clearly communicate how you will be processing subscribers’ personal data, whether with a descriptive sentence or two or, if you choose, with a checkbox.

One reason to go the sentence-route? Unnecessarily adding multiple checkboxes to your forms may introduce the possibility of click fatigue and lower opt-in rates.

Here’s an example of a signup form that is GDPR compliant and does not include checkboxes:

So, when is it appropriate to use checkboxes? The GDPR requires that consent be freely given by subscribers and not bundled with unrelated actions. With that in mind, here are two examples where a separate, unbundled consent is required and a checkbox is the practical way to capture it:

Example #1

Let’s say you’re a retailer and you want to send marketing emails to your customers after they make a purchase, as well as share their data with other companies within your retail group. Under the GDPR, you cannot bundle their purchase with consent to send marketing emails.

Instead, a separate consent should be captured at the point of purchase that is specific to the purpose of sending marketing emails or sharing their data with partner companies. You might decide to use a separate checkbox to capture this secondary consent.

Example #2

Let’s say you’re a financial institution and you want to allow third parties to use customers’ payment details for marketing purposes. Under the GDPR, this type of processing activity (i.e., sharing payment information for marketing purposes) is not necessary for the performance of the contract or agreement with the customer. Consent must be freely given, so if a customer refuses consent, the institution cannot deny services or increase fees in response. That would be a violation of the GDPR.

If you would like to share subscribers’ data with other parties, you should use a checkbox to allow them to give their consent freely. And keep in mind that these checkboxes cannot be pre-checked.

Myth #3: “I need to use double opt-in to be compliant with the GDPR.”

Double opt-in (a.k.a. confirmed opt-in) is when your subscribers sign up for something — like a newsletter — and are then asked to confirm their subscription, usually by clicking a link in a confirmation email.

Some “experts” are stating that the GDPR requires double opt-in to prove consent.

This is incorrect.

As I mentioned in myth #1, the GDPR simply requires that you can prove consent was validly obtained. The act of entering personal information into a signup form and clicking “submit” can be considered an affirmative action, as long as the subscriber was clearly and directly informed of what they were accepting.

However, double opt-in is not necessarily a bad thing. There are lots of great reasons to use it, including better subscriber engagement and deliverability. You just don’t need to use it to be compliant with the GDPR.
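One practical reason it helps with complaints and deliverability, raised in the comments below as well: a single opt-in form gives you no evidence that the person who submitted the address actually controls it, so anyone can sign up someone else. As an added example that is not AWeber’s code, here is a minimal confirmed opt-in flow in Python. The confirmation link carries an HMAC-signed token bound to the address, the signup source, and a hash of the exact notice shown on the form, so the link cannot be altered to confirm another address or reused after the seven-day window mentioned under Myth #1; a successful click yields a consent record holding the three pieces of evidence that myth lists. The secret key, the URLs, the notice text and the function names are illustrative assumptions.

```python
"""Confirmed (double) opt-in with an HMAC-signed confirmation token.

Added example, not AWeber's code. Every name, URL and secret below is an
illustrative assumption.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

# Assumption: in real use this is loaded from a secret store, never hard-coded.
SERVER_SECRET = b"replace-with-a-random-32-byte-key"
TOKEN_TTL_SECONDS = 7 * 24 * 3600   # mirrors the post's seven-day re-confirmation window

# Assumed consent text shown on the signup form (what the subscriber agreed to).
SIGNUP_NOTICE = ("I will send you a weekly newsletter and occasional product "
                 "updates. Unsubscribe at any time via the link in every email.")


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def notice_fingerprint(notice: str) -> str:
    """SHA-256 of the exact notice shown; stored so that later edits to the
    form cannot be confused with what this particular subscriber saw."""
    return hashlib.sha256(notice.encode()).hexdigest()


def make_confirmation_token(email: str, source: str, issued_at: int,
                            notice: str = SIGNUP_NOTICE) -> str:
    """Build the opaque token placed in the confirmation link."""
    payload = json.dumps(
        {"email": email.lower(), "src": source, "iat": issued_at,
         "notice": notice_fingerprint(notice)},
        separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_confirmation_token(token: str, now: int) -> Optional[dict]:
    """Return the signed claims, or None if the token is malformed, forged
    (signature mismatch, checked in constant time) or outside its lifetime."""
    try:
        p, s = token.split(".", 1)
        payload, sig = _unb64(p), _unb64(s)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)          # signature verified: this is our own JSON
    iat = claims["iat"]
    if now < iat or now - iat > TOKEN_TTL_SECONDS:
        return None
    return claims


@dataclass(frozen=True)
class ConsentRecord:
    email: str
    opted_in_at: int        # evidence 1: when the subscriber clicked confirm
    source: str             # evidence 2: where the address was collected
    notice_sha256: str      # evidence 3: fingerprint of the form text they saw
    confirmation_method: str


def record_confirmed_consent(token: str, now: int) -> Optional[ConsentRecord]:
    """Called by the /confirm endpoint (assumed) when the link is clicked."""
    claims = verify_confirmation_token(token, now)
    if claims is None:
        return None
    return ConsentRecord(email=claims["email"], opted_in_at=now, source=claims["src"],
                         notice_sha256=claims["notice"], confirmation_method="double-opt-in")


if __name__ == "__main__":
    now = int(time.time())
    token = make_confirmation_token("reader@example.com",
                                    "https://www.mywebsite.com/signup", now)
    print("confirmation link: https://www.mywebsite.com/confirm?t=" + token)
    print(record_confirmed_consent(token, now + 30))
```

The token carries no secret and no database lookup is needed to validate it; what stops abuse is that only the server can produce a valid signature, and the signed address is the one the mail was delivered to. Keep the resulting ConsentRecord (or the equivalent fields your ESP exposes) for as long as you mail that subscriber.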

Myth #4: “Subscribers’ personal data that’s already in our database isn’t subject to the GDPR.”

This one is closely related to myth #1.

The GDPR applies to all personal data — even data that was collected prior to May 25, 2018.

If you cannot prove consent for all of your existing subscribers, you should send a re-engagement email to obtain that consent.

Myth #5: “My data is stored with my service provider, so it’s their responsibility to remain compliant with the GDPR, not mine.”

We touched on the relationship between data processors (e.g., AWeber) and data controllers (i.e., you, the one sending the emails) in our previous GDPR blog post. But let’s dive deeper to dispel this myth.

Data processors and data controllers share responsibility for complying with the GDPR requirements. As an AWeber customer, you are still considered the data controller. You maintain control over how you use that data. AWeber is simply processing the data at your request.

So, it’s not an option to pass responsibility to a service provider who is processing data on your behalf. We recommend that you seek legal and other professional counsel to determine your exact role and relationship to the data being processed.

Myth #6: “If I’m not compliant by May 25, I’ll get hit with huge fines.”

Anyone reading the GDPR fine print is likely nervous when they see the hefty fines associated with not being GDPR compliant. (Enough to make your palms sweat!)

However, regulators have indicated that fines are likely to be a last resort. Elizabeth Denham, the UK Information Commissioner, put it this way in a 2017 ICO blog post:

“It’s scaremongering to suggest that we’ll be making early examples of organizations for minor infringements or that maximum fines will become the norm,” she said. “The ICO’s commitment to guiding, advising, and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.”

“While fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective,” she continued. “The GDPR gives us a suite of sanctions to help organisations comply – warnings, reprimands, corrective orders. While these will not hit organisations in the pocket – their reputations will suffer a significant blow.”

If you’re taking the necessary steps to understand and follow the GDPR regulations and engage in good email marketing best practices, you are on the right path to protecting yourself.

Keep calm and email on

On the surface, the GDPR may appear scary and ominous, but it’s actually pretty straightforward. And it’s a good thing for email marketers, too.

It really comes down to doing the right thing with the personal data you collect. Only send emails and information to people who’ve given you permission to do so for the purpose you told them.

To learn more about the GDPR, visit www.eugdpr.org.

Have questions? Comment below, or contact our team, and we’ll do our best to answer them.



  1. Nameer

    4/30/2018 9:39 am

    Hi Brandon, I was late to asking this question in the previous GDPR post, so thought I’d ask again here.

    In an effort to facilitate a subscriber’s ability to request their data or have their data deleted pursuant to the GDPR, is there any chance AWeber will add a “Delete My Data” and “Request My Data” link/button to what has been the traditional “Unsubscribe,” and “Change Subscriber Options” line at the bottom of each e-mail message?

    The reason I raise this question is because it would be great to remove all human effort associated with what is ultimately an inefficient and highly unproductive clerical task.

    Do you see what I mean? If a subscriber wants to see their data, they click a button. Want to delete their data? Click a button. In other words, “please refrain from even contacting me” about this, just do it yourself, no need for me to login to my AWeber account and manually fish around for this information, etc.

    Any chance this is something AWeber engineers have the technical ability to integrate into the service?

  2. Brandon Olson

    4/30/2018 12:02 pm

    Hi Nameer!

    Thanks for your question and suggestion. There are no current plans to add those options to the footer of email messages. However, I’ll pass this along to our product team to evaluate. Also, just an FYI, the “Change Subscriber Options” link will allow your subscribers to access their data.

    If you have any other questions, please let me know.


  3. Brandon Olson

    4/30/2018 12:03 pm

    Hi Tristan,

    I’m glad you found the article helpful! Let me know if you have any other questions.


  4. Dawn Petherick

    4/30/2018 1:15 pm

    Many thanks for this article 🙂
    Can you provide further information on how to create the links that we can add to the re-consent emails? I’m not sure how to do this.
    Best wishes, Dawn

  5. Brandon Olson

    4/30/2018 1:31 pm

    Hi Dawn,

    Absolutely! First, you’ll need a web page to link to. You can link to your home page or, even better, a simple ‘thank you’ page that thanks your subscribers for reconfirming their subscription. (Here’s a help article that demonstrates how to add links to your email messages.)

    Once you have a link (or links) inserted into your email, you’ll add tags to those links during the sending/scheduling process. These are known as automations. Here’s a help article that demonstrates how to add “link clicked” tags to your messages.

    I hope this helps. If you have any other questions or need some help setting this up, please let us know!


  6. Dawn Petherick

    4/30/2018 1:24 pm

    Please ignore last comment – I can now see how to do this using click automation – many thanks!
    However, I am concerned about the opt-in box for new subscribers. All advice from UK lawyers is that we need to provide a link to the Privacy Policy at the point of signing up. Are there plans to allow us to add a link into the “I respect your privacy” sentence? If so, and if there is scope to make the first sentence longer in order to describe what they are signing up for, then I think this would meet the requirements. Many thanks, Dawn

  7. Brandon Olson

    4/30/2018 2:01 pm

    Hi Dawn,

    You can absolutely add text to your signup form within AWeber. I put together a quick 3-min demo of how to do this. Please let me know if you have any questions or need any help doing this.



  8. David Rose

    5/1/2018 8:15 am

    Nameer’s suggestions are a great idea.

    > Also, just an FYI, the “Change Subscriber Options” link will allow your subscribers to access their data.

    Not sure this helps. GDPR means that they have a right to see ALL the data we hold about them, which from an AWeber POV might be every link they clicked on within an email etc. (if tracking is turned on). I don’t think they can see that level of detail, can they?

  9. Brandon Olson

    5/1/2018 1:17 pm

    Thanks for your input, David.

    You are correct that subscribers won’t be able to access their click and open activity on their own. However, you (the data controller) have access to a subscriber’s click and open activity within the Subscriber Management area of your AWeber account, and can provide that to your subscriber upon request.

    I hope this helps clarify.


  10. Jeff

    5/1/2018 11:19 pm

    What if we’re using double opt-in, and instead of adding check boxes to our forms or adding extra sentences of text on the form that explains how the subscriber’s data will be used, we simply include all of that info in the confirmation email itself?

    The user would still end up getting the necessary GDPR info they need before they actually subscribe, and our forms don’t need to be changed. Win-win?


  11. Brandon Olson

    5/8/2018 2:35 pm

    Hi Jeff,

    That’s a great question, and one that I haven’t heard before. Here’s our take: even when using double opt-in, you’re technically still processing data in order to send the confirmation email, so it would probably be best to clearly communicate on the signup form how you will be using their data.

    I hope that answers your question.


  12. Collins Agbonghama

    5/4/2018 10:35 am

    Great post Brandon on GDPR. Thanks for sharing.

  13. Amanda Cronin

    5/4/2018 10:53 am

    Hi Brandon,

    Can you talk a bit about GDPR compliance for B2B e-mail marketing? A lot of the information I’m finding is conflicting. My company is split between NY and London, so I want to make sure that we’re covered!

    Thanks in advance,

  14. Brandon Olson

    5/8/2018 2:44 pm

    Hi Amanda,

    Absolutely! As far as we know, the GDPR doesn’t distinguish between personal data for B2C and B2B marketing. So you’d need to be compliant either way.


  15. Brandon Olson

    5/8/2018 2:39 pm

    Hi Rudolf,

    You make a good point, though that scenario is probably not a common one. Regardless, as the controller, you’re still able to prove consent, meaning you would technically be compliant with that piece of the GDPR. You would, however, need to also provide your subscribers a means to unsubscribe or delete their personal data.


  16. LeeAnn

    5/10/2018 1:34 pm

    LOVE the AWeber posts on GDPR – very helpful and just techy enough. And I love the calm tone. Thanks and great job!!

  17. Kristina Podnar

    5/13/2018 10:27 am

    Several thoughts came to my mind right away, including:

    1. If you are using checkboxes, ensure the boxes are not pre-checked, but rather that a user actively checks them before submitting the form.
    2. I agree with you that you don’t need a checkbox if the call to action on the submit is as simple as your example suggests (name, email, “subscribe me to your newsletter”). One note though – you need to explain more than just “I respect your privacy and take it very seriously. No spam.” Users must be told how their information will be used (including storage) and which 3rd parties (processors) will have access to it.
    3. You don’t need double opt-in under GDPR, but Member State mandates prevail in such situations. Therefore, for Germany, you would still need to have double opt-in for select markets (might as well do it for all then, as it is hard to tell which prospect/customer/user is coming from which market).
    4. Agree completely with you that most organizations will not be audited on May 25 nor fined on May 26. However, organizations that have a data breach or have complaints against them will rise to the top of the queue in terms of audit. My take is that you need a policy and you need a roadmap (but you indeed don’t need to panic!). It is and will be a journey for most organizations.


  18. Jeoff

    5/15/2018 8:59 am

    Thank you for this very helpful article.

    Regarding consent and re-engagement…
    Can we consider “active” contacts who have been clicking on at least two links in our e-mails recently as giving explicit consent?
    Or do we need to re-engage them also?

    Thank you for your help !

  19. Brandon Olson

    5/16/2018 11:47 pm

    Hi Jeoff,

    Thanks for the question. The GDPR requires that you can prove consent at the point of signup. Unfortunately, I don’t believe you can use subscriber engagement to do so. If you’re unable to prove consent at the point of signup, I’m afraid you should probably consider a re-engagement email to re-confirm consent.


  20. Adithya Shetty

    5/16/2018 9:59 am

    Hi Brandon,

    Very informative post. I added Checkboxes to my forms to be on a safe side.

    I’ve a different question; Is it necessary to display cookie notice as per GDPR even though I’m not from EU?

    Thanks in advance!

  21. Alan

    5/17/2018 1:47 pm

    Myth 3 – As far as I’m concerned, double opt-in is the only real way to ensure you actually get a genuine sign-up. Some troll or prankster can easily insert someone else’s email into a single opt-in form. The owner of the email then gets your mailshots and complains about spam – not good for your website or reputation, especially with regimes such as CAN-SPAM and GDPR in force.

  22. Christina Hills

    5/17/2018 2:10 pm

    This is fantastic! I have linked to this from my own blog post about the topic.

    So glad I am with Aweber as my email marketing company. You guys rock!

  23. Lois

    5/17/2018 7:09 pm

    I heard that one of the GDPR requirements is organizations must have a local representative in the EU who is able to be contacted for end-user queries (not necessarily part of the organization but working on behalf of them). Is this the case and if so, do you have any recommendations as to who we could use (or do you have a branch there that is going to perform this role)?

  24. Brandon Olson

    5/18/2018 1:18 pm

    Hi Lois,

    Thanks for your question. The only time you would need to have a representative in the EU is if you meet at least one of the following scenarios:

    • If you perform “large scale” processing, which is not defined in the GDPR.
    • If you’re a public authority.
    • If you process sensitive data, as defined by the GDPR (e.g., genetic data).

    I hope this helps. Let us know if you have any other questions.


  25. Heidi Richards Mooney

    5/18/2018 4:57 pm

    One of the best articles on GDPR rules and regs. Thank you Brandon for doing the research to share with us so we can be or become compliant in a timely and straightforward manner. I found this to be so easy to implement that my team and I will be working over the weekend to get ready! Since I use aweber for my optin forms, I am glad to know that on your end things will be working as they should. I just need to go in and check my optin forms to add the necessary verbiage for all the freebies we offer. I also plan to share this article with our members and my social media following.

    Thank you again,

    Heidi Richards Mooney, Founder – Women in Ecommerce
    A long time, happy AWeber customer