A Practical Guide to Direct Marketing Under GDPR
TL;DR — Quick Answer
Direct marketing under GDPR requires either legitimate interests or consent, with the ePrivacy Directive adding extra requirements for electronic communications such as email and SMS.
In practice, direct marketing under GDPR is allowed, but it is not a free pass to message anyone whose email address you can find. Marketing teams need two layers of analysis: the GDPR lawful basis for processing personal data and the separate ePrivacy or national electronic marketing rules that decide whether you need prior consent for the message itself.
That distinction is where many mistakes happen. A company may have a legitimate interest in marketing, but still need consent to send email, SMS, push notifications, or use tracking cookies for advertising.
GDPR Lawful Basis For Marketing
The GDPR requires a lawful basis for processing personal data. For direct marketing, the two most common candidates are consent and legitimate interests.
Consent must be freely given, specific, informed, and unambiguous. The EDPB explains that people need a genuine free choice, enough information, granularity, and a clear affirmative action without pre-ticked boxes (EDPB consent explainer).
Legitimate interests can apply to some marketing, but only after a proper balancing test. You need to identify the interest, show the processing is necessary, and determine that the person's rights and expectations do not override it. Recital 47 of the GDPR says direct marketing may be a legitimate interest, but "may" does not mean "always."
ePrivacy Narrows The Options
For electronic marketing, GDPR is only part of the picture. The ePrivacy Directive, implemented through national laws, often requires prior consent for unsolicited electronic communications. In the UK, the ICO explains the same practical relationship under PECR (the Privacy and Electronic Communications Regulations): consent and legitimate interests are the likely GDPR lawful bases, but PECR can require consent for the channel; if PECR requires consent, legitimate interests cannot be used to bypass that requirement (ICO direct marketing guidance).
EU member states implement ePrivacy differently, so details vary. The operational rule is simple: check channel-specific marketing rules before relying on legitimate interests.
The Soft Opt-In
Many European regimes include a version of the "soft opt-in" for existing customers. The details vary, but the pattern is usually that you obtained the contact details directly during a sale or negotiation, you market only your own similar products or services, you gave a clear chance to opt out when the details were collected, you include an easy opt-out in every message, and you honor previous opt-outs.
The soft opt-in is not the same as buying a list. It does not usually apply to cold outreach using third-party data. It also does not justify adding tracking pixels or profiling without a separate assessment.
B2B Marketing Is Not Automatically Exempt
B2B marketing can be more flexible in some jurisdictions, especially for corporate email addresses, but it is still regulated. A person's work email address is still personal data if it identifies them. You still need transparency, a lawful basis, suppression lists, and an easy objection mechanism.
Cold B2B outreach should be targeted and proportionate. "Every founder in Europe" is not a careful audience. "Security leaders at companies using a deprecated standard, contacted about a relevant migration guide" is easier to defend.
Profiling And Segmentation
Marketing segmentation is processing personal data. Basic segmentation, such as customers vs prospects or plan tier, may be low risk. Behavioral profiling, lead scoring, cross-site tracking, and sensitive inferences are much higher risk.
Under GDPR, individuals have an absolute right to object to processing for direct marketing, including related profiling. Once they object, you must stop processing their data for that purpose. Keep suppression lists so you do not accidentally re-add people later.
If your marketing stack uses cookies, advertising pixels, or data enrichment, evaluate each piece separately. A newsletter platform, CRM, ad retargeting pixel, website analytics tool, and enrichment vendor may each introduce different legal bases, notices, contracts, and transfer issues.
Practical Compliance Checklist
Before sending a campaign, confirm that the source of the contact data is documented, the lawful basis is recorded, channel-specific consent or soft opt-in rules are satisfied, the privacy notice explains marketing and profiling clearly, unsubscribe works quickly, suppression lists are honored across tools, tracking pixels and link tracking are disclosed and consented where required, retention rules remove inactive contacts, and processors are covered by contracts.
For analytics connected to marketing, avoid sending personal data into analytics events. Do not put email addresses in URLs, UTM parameters, event labels, or custom dimensions. If you need campaign attribution, use campaign IDs and first-party conversion events rather than personal identifiers.
Examples
A compliant newsletter signup says clearly that the user will receive product updates, links to a privacy notice, and includes unsubscribe in the email. A risky webinar follow-up sends sponsor marketing to attendees from a third-party platform without verifying what attendees were told. A risky analytics setup adds email addresses to UTM parameters so sales can identify visitors in Google Analytics. A better setup stores lead identity in the CRM and sends analytics only campaign and event metadata.
The Privacy-First Marketing Principle
Direct marketing works best when it is expected, relevant, and easy to refuse. Privacy-first analytics supports that approach by measuring campaign outcomes without building hidden profiles. You can still know which campaigns drive signups, demo requests, downloads, and upgrades. You just do not need to turn every recipient into a surveillance target.
Marketing is not unlawful by default. Sloppy marketing is the problem: unclear consent, hidden tracking, bought lists, overbroad profiling, and broken opt-outs. Fix those, and you can grow without treating privacy as an obstacle.
Keep Evidence
Keep records of consent text, collection source, timestamp, privacy notice version, opt-out status, and campaign suppression logic. If you rely on legitimate interests, keep the legitimate interests assessment. If you rely on soft opt-in, document how the contact was collected and where the opt-out was offered. Compliance is much easier when evidence exists before a complaint arrives.
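The objection and suppression point from "Profiling And Segmentation" and the evidence list above are easier to get right when both live in one append-only record. The following is an added example, not Flowsery's code and not taken from any regulator's guidance; the field names, channel names and sample contacts are constructed for illustration. It shows a ledger that stores consent, soft opt-in and objection entries with the evidence a complaint would ask for, and a send-list builder that ignores whatever permission an imported list claims and decides only from the ledger, so a re-imported "Alice@Example.com " cannot resurrect someone who objected.

```javascript
// Added example: an append-only consent and suppression ledger for direct
// marketing. Field names, channel names and the sample contacts are
// constructed for illustration; this is not Flowsery's code.

// Case and whitespace differences must not turn a suppressed person into a
// "new" contact on the next import.
function normalizeContact(email) {
  return String(email).trim().toLowerCase();
}

class MarketingLedger {
  constructor() {
    // normalized email -> chronological list of evidence entries
    this.entries = new Map();
  }

  // Every entry keeps the facts a complaint would ask for: what was shown,
  // where the contact came from, when, and which notice version applied.
  _append(email, entry) {
    const key = normalizeContact(email);
    if (!this.entries.has(key)) this.entries.set(key, []);
    this.entries.get(key).push({ ...entry, email: key, at: new Date(entry.at).toISOString() });
  }

  recordConsent({ email, channel, consentText, source, noticeVersion, at }) {
    this._append(email, { type: "consent", channel, consentText, source, noticeVersion, at });
  }

  // Soft opt-in: details collected during a sale, own similar products only,
  // opt-out offered at collection. Recorded as an email-only permission here.
  recordSoftOptIn({ email, source, optOutOfferedAt, at }) {
    this._append(email, { type: "soft-opt-in", channel: "email", source, optOutOfferedAt, at });
  }

  // An objection to direct marketing is absolute: it ends every channel.
  recordObjection({ email, source, at }) {
    this._append(email, { type: "objection", channel: "*", source, at });
  }

  evidence(email) {
    return [...(this.entries.get(normalizeContact(email)) || [])];
  }

  // Walk the history in order; the latest permission for the channel wins
  // unless an objection came after it.
  status(email, channel) {
    let result = { permitted: false, basis: null, reason: "no recorded permission" };
    const history = this.evidence(email).sort((a, b) => a.at.localeCompare(b.at));
    for (const e of history) {
      if (e.type === "objection") {
        result = { permitted: false, basis: null, reason: `objected on ${e.at}` };
      } else if (e.channel === channel) {
        result = { permitted: true, basis: e.type, reason: `${e.type} via ${e.source} on ${e.at}` };
      }
    }
    return result;
  }

  // The import list's own claims about permission are ignored; only the
  // ledger decides. Duplicates after normalization are handled once.
  buildSendList(importedContacts, channel) {
    const send = [];
    const suppressed = [];
    const seen = new Set();
    for (const raw of importedContacts) {
      const key = normalizeContact(raw);
      if (seen.has(key)) continue;
      seen.add(key);
      const s = this.status(key, channel);
      if (s.permitted) send.push({ email: key, basis: s.basis });
      else suppressed.push({ email: key, reason: s.reason });
    }
    return { send, suppressed };
  }
}

// Constructed sample history: Alice consented, then objected; Bob came through
// checkout (soft opt-in); Dave consented at a webinar; Carol was never recorded.
function sampleLedger() {
  const ledger = new MarketingLedger();
  ledger.recordConsent({ email: "alice@example.com", channel: "email",
    consentText: "Send me product updates by email", source: "newsletter-form",
    noticeVersion: "privacy-notice-v3", at: "2024-03-01T10:00:00Z" });
  ledger.recordObjection({ email: "Alice@Example.com", source: "unsubscribe-link",
    at: "2024-05-10T08:30:00Z" });
  ledger.recordSoftOptIn({ email: "bob@example.com", source: "checkout",
    optOutOfferedAt: "checkout-form", at: "2024-04-02T12:00:00Z" });
  ledger.recordConsent({ email: "dave@example.com", channel: "email",
    consentText: "Send me the migration guide and related updates", source: "webinar-registration",
    noticeVersion: "privacy-notice-v3", at: "2024-06-01T09:00:00Z" });
  return ledger;
}

// Constructed import from a third-party platform, with the usual messiness.
const IMPORTED_LIST = [" Alice@Example.com ", "bob@example.com", "carol@example.com",
  "dave@example.com", "BOB@example.com"];

console.log(JSON.stringify(sampleLedger().buildSendList(IMPORTED_LIST, "email"), null, 2));
```

Running it sends to Bob (soft opt-in) and Dave (consent) only; Alice is suppressed because her objection is the latest entry, Carol because nothing in the ledger permits her, and the duplicate Bob entry collapses after normalization. Asking the same ledger for the "sms" channel sends to nobody, because no entry permits SMS.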
Campaign Release Checklist
Before a campaign launches, confirm the contact source, channel permission, lawful basis, unsubscribe path, suppression-list handling, retention, and processor contracts. If the campaign uses tracking pixels, link tracking, enrichment, retargeting, or CRM sync, review those separately from the email send.
For attribution, use campaign IDs and first-party conversion events rather than personal data in URLs or analytics events. Keep identity in the CRM and send website analytics only the minimized metadata needed to understand channel performance.
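The analytics paragraph in "Practical Compliance Checklist" and the attribution paragraph above make the same point: identity stays in the CRM, and analytics gets only campaign metadata. The following is an added example, not Flowsery's code and not any analytics vendor's API; the allowlist, the blocked field names and the sample URL and event are constructed for illustration. It enforces the rule at the last point before data leaves the site: query parameters are reduced to an allowlist of attribution keys, and every surviving parameter and event field is checked for values that look like an email address or phone number.

```javascript
// Added example: keep personal identifiers out of analytics URLs and events.
// Parameter names, the allowlist and the sample data are constructed for
// illustration; this is not Flowsery's code or any analytics vendor's API.

const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i;
// A digit, at least seven digits or separators, then a digit (nine or more
// characters, optional leading "+") is treated as a probable phone number.
// Long numeric campaign IDs will also be flagged; that is the conservative choice.
const PHONE_RE = /\+?\d[\d\s().-]{7,}\d/;

// Query parameters that may reach analytics: campaign attribution only.
const ALLOWED_PARAMS = new Set(["cid", "campaign", "ref"]);
const ALLOWED_PREFIX = "utm_";

// Event fields that carry identity by design and belong in the CRM, never in
// an analytics payload, whatever their value.
const BLOCKED_FIELDS = new Set([
  "email", "user_email", "phone", "full_name", "first_name", "last_name",
  "user_id", "uid", "lead_id",
]);

function containsPersonalData(value) {
  if (typeof value !== "string") return false;
  let decoded = value;
  try { decoded = decodeURIComponent(value); } catch (_) { /* keep raw value */ }
  return EMAIL_RE.test(decoded) || PHONE_RE.test(decoded);
}

// Returns the URL with only allowed, identifier-free parameters, plus what was
// removed so the problem can be traced back to the campaign that built the link.
function sanitizeAnalyticsUrl(rawUrl) {
  const url = new URL(rawUrl);
  const dropped = [];
  const redacted = [];
  for (const [key, value] of [...url.searchParams.entries()]) {
    const k = key.toLowerCase();
    const allowed = ALLOWED_PARAMS.has(k) || k.startsWith(ALLOWED_PREFIX);
    if (!allowed) {
      url.searchParams.delete(key);
      dropped.push(key);
    } else if (containsPersonalData(value)) {
      url.searchParams.delete(key);
      redacted.push(key);
    }
  }
  return { url: url.toString(), dropped, redacted };
}

// Returns the event with identifier fields and identifier-looking values
// removed, and a list of problems for the campaign owner to fix at source.
function sanitizeEvent(event) {
  const clean = {};
  const problems = [];
  for (const [field, value] of Object.entries(event)) {
    const f = field.toLowerCase();
    if (f === "page_url") {
      const r = sanitizeAnalyticsUrl(value);
      clean[field] = r.url;
      for (const k of r.dropped) problems.push(`page_url: dropped parameter "${k}"`);
      for (const k of r.redacted) problems.push(`page_url: redacted parameter "${k}"`);
    } else if (BLOCKED_FIELDS.has(f)) {
      problems.push(`${field}: identifier field removed`);
    } else if (containsPersonalData(value)) {
      problems.push(`${field}: value looks like personal data, removed`);
    } else {
      clean[field] = value;
    }
  }
  return { event: clean, problems };
}

// Constructed sample: a campaign link someone built so sales could recognise
// the visitor, and the event a naive integration would send with it.
const SAMPLE_URL = "https://www.example.com/pricing" +
  "?utm_source=newsletter&utm_campaign=q3-migration" +
  "&utm_content=alice@example.com&email=alice%40example.com&cid=nl-2024-07";

const SAMPLE_EVENT = {
  event: "demo_request",
  campaign_id: "nl-2024-07",
  label: "Contact: alice@example.com",
  user_email: "alice@example.com",
  page_url: SAMPLE_URL,
};

console.log(JSON.stringify(sanitizeEvent(SAMPLE_EVENT), null, 2));
```

On the sample, the URL keeps utm_source, utm_campaign and cid, drops the non-allowlisted email parameter and redacts utm_content because its value is an email address; the event keeps the event name, campaign_id and the cleaned page_url, and reports four problems. Treat the problems list as a build-time check on campaign links rather than only a runtime filter: the link that embeds an address should never ship.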
Flowsery
Revenue-first analytics for your website