The new GDPR and email lists: what you need to know and do


Everyone is freaking out about GDPR. I've written about it before (click the links in that post to check that you're prepared), but there's so much confusion around email lists, which is causing a lot of stress for us, especially as it's how many of us keep people updated with our business.

So, I spoke to the Information Commissioner's Office to clarify what the actual rules are around email lists and GDPR.

Do I need to ask everyone to resubscribe?

This was a nightmare to get a straight answer from the ICO on, I can tell ya! I don't think the person I spoke to understood the concept of email lists for bloggers, content upgrades, etc.

This was what they said:

"If this is marketing you may possibly be able to rely on the 'soft opt-in' if you can do this then you will not have to ask everyone to re-subscribe."

A 'soft opt-in' is when someone has purchased something from you and has not unsubscribed from marketing. This means you can probably assume that they are happy to receive emails from you (more on that here).

Now, this is fine for people in that situation - but what about those of us who have email lists that people opt in to on our websites without buying something, for example in exchange for a freebie, or simply by signing up for our newsletter? There's also a lot of talk about tick boxes, which most of us don't use, so that seems irrelevant.

From what I understand, if you can prove that your subscribers "positively opted in" to you storing their information and are aware of what you'll be doing with it, you should be okay. I think that someone freely entering their details into your popup/email form and pressing a button counts as this, as long as it's clear that they will be receiving emails from you.

Here's the GDPR definition of consent:

“any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

Here's some more information about consent. In terms of records of how and when you received consent, your email service provider should provide this information (I use MailChimp and they tell me when and how subscribers joined my list, and I assume most providers do).

Most will also include the option to unsubscribe at the bottom of every email you send and will unsubscribe anyone who chooses to do so for you, so you don't have to do it manually. However, you'll also need to remove the information of anyone who has unsubscribed from your records.

My concern is around specifying why we want the data and what we'll do with it - I think it's quite obvious when you subscribe to a mailing list that you're going to receive emails, and I do have double opt-ins and a very clear privacy policy, but I'm worried that this may not be enough.

If you don't use double opt-in, you most likely will need to reconfirm that people want to continue receiving your emails. This will inevitably lead to a drop in subscribers, but you'll have a more engaged list, which is a good thing! If you also pay for the number of subscribers you have, whittling down your email list might mean you can pay less.

Apparently, the way to do this is to create a new list and ask your current subscribers to sign up. Make sure that the sign-up page meets the consent guidelines above. When people sign up for the new list, remove them from the other list. If people haven't chosen to resubscribe after a few reminders, remove their information.

What you can do going forward

It's good practice to enable double opt-ins when people sign up for your email list - this means that when they sign up, they'll get an email asking them to press a button to confirm that they want to subscribe to your list.

That way, anyone who signs up will be in no doubt that they will be receiving emails from you.

It's also a good idea to specify underneath your opt-in forms what you will be using the person's information for.


You should also have a privacy policy available to confirm how you use people's data.

It should be easy for people to unsubscribe from your email list. As I said before, most email service providers will automatically add this to the bottom of each email you send, so make sure you don't remove it!

This is my understanding of how the new GDPR will affect those of us with email lists based on speaking to the ICO, reading the GDPR legislation and various websites for information.

If you have any other helpful information or think I've got anything wrong, please do let me know and I'll update this post. If you're unsure whether you need to make any changes, please contact the ICO.
