Cold Email marketing and List Building under the GDPR !


New Member
On May 25.2018 takes effect the GDPR - General Data Protection Regulation (Regulation (EU) 2016/679)
European new regulation which is changing the way the business collect, share or destroy personal data from European residents.

If you plan on doing cold email under the GDPR, you want to know exactly what’s going to change after May 25.

So how email marketing and cold email are going to change after the GDPR goes into action?

Before we dive deep into cold emailing and its relationship with the GDPR, let’s fully understand what consent means under the new regulation.

The GDPR describes consent as:

Freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

The main changes regarding consent, compared to the old regulation, are in bold. Let’s explore them in detail.

#1 – No Room for Doubt
When processing personal data from an EU resident, you have to be positive that the way consent is collected leaves no room for doubt about the subject’s intentions in providing their agreement to their personal data being processed.

In practice, this means that the EU resident you are storing data from should be fully aware of the purposes behind you collecting their data. Is it to offer them your services? To discuss potential partnerships? To explore potential employment opportunities? Whatever the reasons may be, you have to state them.

#2 – Express Agreement
There should be a positive indication by the EU resident to share their personal data with you. This indication cannot be based on silence, pre-ticked boxes or inaction on behalf of the data subject.

These marketing techniques used to remove friction and increase data collection won’t be allowed after May 25.

The data subject should expressly agree (e.g., by actively ticking a box) to have their data processed for specific purposes.

#3 – Informed Consent
Lastly, consent should be informed. The data subject should have clear information before they give their consent about who you are, how to withdraw their consent and other information that will ensure fair processing.

To see a full list of all the information you need to provide to subjects, read Article 14 of the GDPR.

What’s Going to Happen with Cold Email under the GDPR?

If you are a lead generator or marketer who’s sending tens or hundreds of emails a day to leads and potential customers through cold email campaigns, this is where you want to pay extra attention.

Do you have to stop doing cold email under the GDPR? Absolutely NOT.

Will you have to consider some changes? Yes, read on for a detailed list of changes you need to address.

Changes You Need to Do to Keep Sending Cold Email under the GDPR
The new regulation affects cold emailing. Under the GDPR it will not be allowed to contact an EU resident to advertise your services/product without their express consent.

The GDPR only changes the game for EU residents —people residing in the Union, regardless of where their company’s based at.

Here’s a list of the current member countries of the EU.

You can still contact the rest of the world following current regulations. Keep your lists targeted and make sure to apply certain tactics for people inside the EU.

Prospects’ emails will have to be collected and used for a specific purpose. Consent must be given for each purpose and not bundled together. This means you will have to ask the same person for explicit consent for each different campaign or product you are contacting them for.

How will this look in practice?

The data subject consent has to be obtained prior to sending them marketing material and the consent has to be active. A box that the lead has to tick is or a reply to a clear question on your first email is sufficient consent given that you clearly indicated the purpose behind emailing them.

All Emails are Considered Personal Identifiable Information
Be aware that it doesn’t matter if it is a personal or work email. In principle, if an email contains certain information about a person (name, surname, initials) is already enough for the email to be considered data protected by the GDPR.

Non-personal emails should* be outside of the GDPR’s reach. Emails like info-domain com or hello-domain com are not associated with any identifiable information, so cold emailing without a consent to these accounts should* be fair game.

* This issue is still not clear yet. Remains to be confirmed after the law goes into effect and new cases appear.

Here’s a summary of the common steps you need to take to be on the safe side when doing cold email under the GDPR, or sending unsolicited emails to potential future customers.

Obtain Consent Pursuant to the GDPR Through a Consent Form or a Reply
The safest option you have to continue using emails for lead generation is to create a “Consent Form”. Send this to the potential customer before you send any commercial or marketing material. This Consent form should contain at least the following information:
    • Your company’s identity
    • The purposes for which the data will be used at your company
    • Any further information that is necessary to enable the lead to understand the data processing to which they are being asked to consent (e.g., third parties with whom the data may be shared)
    • The existence of the right of access to, and the right to rectify, personal data
    • The existence of the right to object to processing and the right to be forgotten
    • The existence of the right to withdraw consent
Do not store lead’s email addresses in a CRM or similar software before obtaining express consent from them.