What Is GDPR

The General Data Protection Regulation (GDPR) is the European Union’s comprehensive data protection law that took effect on May 25, 2018. It governs how organizations collect, store, process, and share personal data of individuals located in the EU and European Economic Area (EEA).
GDPR applies to any organization that processes personal data of people located in the EU/EEA, regardless of where the organization itself is located. If you send email to recipients in the EU/EEA, GDPR applies to you.

How GDPR Applies to Email

Under GDPR, an email address is personal data. Sending an email to someone constitutes processing their personal data. This means every email you send through Lettr to an EU/EEA recipient falls within the scope of GDPR. Specifically, the following activities are all considered data processing:
  • Collecting email addresses
  • Storing recipient lists
  • Sending emails (marketing, transactional, or otherwise)
  • Tracking opens, clicks, and other engagement events
  • Retaining delivery logs and email history
You must have a lawful basis for each of these processing activities.

Lawful Bases for Email

GDPR defines six lawful bases for processing personal data. Three are most relevant to email sending:
Lawful Basis | When It Applies | Examples
Consent | Explicit opt-in for marketing email. Must be freely given, specific, informed, and unambiguous. | Newsletters, promotional campaigns, product announcements
Legitimate Interest | Some transactional or relationship emails where you can demonstrate a legitimate business reason. Must pass a balancing test against the individual's rights. | Account security alerts, product updates for active customers
Contractual Necessity | Emails required to fulfill a contract the recipient has entered into with you. | Order confirmations, shipping notifications, invoice delivery
Consent is the safest and most common lawful basis for marketing email. If in doubt, obtain explicit consent. Note also that the ePrivacy Directive, as implemented in each member state's national law, generally requires prior consent for electronic direct marketing regardless of which GDPR basis you could otherwise rely on, so legitimate interest rarely covers marketing email in practice.
GDPR sets a high bar for what constitutes valid consent. All of the following must be met:

Must Be Affirmative Action

The recipient must take a clear, positive action to opt in. Pre-checked boxes, silence, or inactivity do not count as consent.

Must Be Specific

Consent must be obtained separately for different processing purposes. A single checkbox covering marketing emails, third-party data sharing, and analytics is not valid. Each purpose needs its own consent mechanism.

Must Be Informed

At the point of collection, the recipient must clearly understand what they are consenting to — who will send the emails, what kind of content, and how often.

Must Be Revocable

Recipients must be able to withdraw consent at any time, and it must be as easy to withdraw as it was to give. An unsubscribe link in every email is the minimum requirement.

Must Be Documented

You must keep records of when and how consent was obtained. This includes timestamps, the version of the form used, and what information was presented at the time.
Store consent records with a timestamp, the source (e.g., signup form URL), the IP address, and the exact text the recipient agreed to. This evidence is critical if you ever need to demonstrate compliance.

Data Subject Rights Relevant to Email

GDPR grants individuals a set of rights over their personal data. The following are most relevant to email operations:
Right | What It Means | Your Obligation
Right to Access | Individuals can request a copy of all personal data you hold about them. | Provide email addresses, sending history, engagement data, and any metadata you have stored.
Right to Erasure | Also known as the "right to be forgotten." Individuals can request deletion of their data. | Delete their data from your lists, CRM, and any other systems. Ensure they are added to a suppression list so you do not re-add them.
Right to Object | Individuals can object to processing for direct marketing at any time, with no exceptions. | Stop all marketing emails immediately upon request.
Right to Data Portability | Individuals can request their data in a structured, machine-readable format. | Provide their data in a common format such as CSV or JSON.
The right to object to direct marketing is absolute under GDPR. There is no balancing test — you must stop immediately when someone objects.

Practical Implementation

Double Opt-In for EU Recipients

Double opt-in (confirmation email after signup) is the strongest evidence of consent. The recipient provides their email, receives a confirmation message, and clicks a link to verify. This creates a clear audit trail.

Clear Privacy Notice at Point of Collection

Every signup form must include or link to a privacy notice that explains how you will use the email address, who the data controller is, and how the recipient can exercise their rights.

Easy Unsubscribe Mechanism

Include a visible unsubscribe link in every marketing email. Process unsubscribe requests promptly. Lettr supports list-unsubscribe headers which enable one-click unsubscribe in supported email clients.
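The consent record described under "Must Be Documented", the double opt-in confirmation link, and the unsubscribe link all depend on the same thing: a link that identifies the recipient but cannot be guessed or altered to act on someone else's address. The following is an added example, not Lettr's own code or API. It assumes a hypothetical server-side SECRET, a hypothetical BASE_URL for your confirmation and unsubscribe endpoints, and an in-memory dictionary standing in for the consent table; the RFC 2369 List-Unsubscribe and RFC 8058 List-Unsubscribe-Post headers it sets are standard headers, but how Lettr itself emits them is not shown on this page.

```python
# Added example, not Lettr's code. Signed, purpose-bound tokens for double
# opt-in confirmation and unsubscribe links, the consent record the page
# asks for, and one-click unsubscribe headers.
# Assumptions (hypothetical): SECRET is loaded from your KMS/env, BASE_URL is
# your HTTPS domain, CONSENT_DB stands in for a real table.
import base64
import hashlib
import hmac
import json
import time
from email.message import EmailMessage
from typing import Optional

SECRET = b"replace-with-a-random-32-byte-secret"  # assumption: from KMS/env
BASE_URL = "https://mail.example.com"             # assumption
CONFIRM_TTL = 48 * 3600                           # confirmation links expire
UNSUB_TTL = 3 * 365 * 24 * 3600                   # unsubscribe links must keep working
CONSENT_DB: dict = {}                             # constructed stand-in for your consent table


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(purpose: str, email: str, ttl: int, now: Optional[int] = None) -> str:
    """HMAC-SHA256 token bound to a purpose, a normalized address and an expiry.
    Binding the purpose stops a confirm link being replayed as an unsubscribe."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"p": purpose, "e": email.strip().lower(), "x": now + ttl},
                         separators=(",", ":")).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(token: str, purpose: str, now: Optional[int] = None) -> Optional[str]:
    """Return the address the token was issued for, or None if the signature,
    purpose or expiry fails. The address in the URL is never trusted directly."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".", 1)
        payload = _unb64(body)
        expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        data = json.loads(payload)
    except (ValueError, TypeError):
        return None
    if data.get("p") != purpose or data.get("x", 0) < now:
        return None
    return data.get("e")


def start_signup(email: str, source_url: str, ip: str, form_version: str,
                 consent_text: str, now: Optional[int] = None) -> str:
    """Double opt-in step 1: store a pending record holding the evidence the page
    lists (timestamp, source, IP, form version, exact text) and return the link
    to put in the confirmation email."""
    now = int(time.time()) if now is None else now
    email = email.strip().lower()
    CONSENT_DB[email] = {
        "email": email,
        "status": "pending",
        "requested_at": now,
        "source": source_url,
        "signup_ip": ip,
        "form_version": form_version,
        "consent_text": consent_text,
        # hash lets you show later that the stored text is the text that was shown
        "consent_text_sha256": hashlib.sha256(consent_text.encode()).hexdigest(),
    }
    return f"{BASE_URL}/confirm/{make_token('confirm', email, CONFIRM_TTL, now)}"


def confirm_signup(link: str, click_ip: str, now: Optional[int] = None) -> Optional[dict]:
    """Double opt-in step 2: the recipient clicked. Only the token decides which
    address is confirmed; an expired or tampered link confirms nothing."""
    now = int(time.time()) if now is None else now
    email = verify_token(link.rsplit("/", 1)[-1], "confirm", now)
    record = CONSENT_DB.get(email) if email else None
    if record is None:
        return None
    if record["status"] == "pending":
        record.update(status="confirmed", confirmed_at=now, confirm_ip=click_ip)
    return record


def build_marketing_message(to_email: str, subject: str, now: Optional[int] = None) -> EmailMessage:
    """RFC 2369 List-Unsubscribe plus RFC 8058 List-Unsubscribe-Post. The signed
    token means the URL cannot be guessed or edited to unsubscribe someone else."""
    msg = EmailMessage()
    msg["To"] = to_email
    msg["Subject"] = subject
    url = f"{BASE_URL}/unsubscribe/{make_token('unsubscribe', to_email, UNSUB_TTL, now)}"
    msg["List-Unsubscribe"] = f"<{url}>"
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    return msg


def handle_unsubscribe_post(token: str, now: Optional[int] = None) -> Optional[str]:
    """Endpoint behind the one-click POST: verify, then record the withdrawal."""
    now = int(time.time()) if now is None else now
    email = verify_token(token, "unsubscribe", now)
    if email is None:
        return None
    record = CONSENT_DB.get(email)
    if record is not None:
        record.update(status="withdrawn", withdrawn_at=now)
    return email
```

The confirmation token expires after two days, but the unsubscribe token is deliberately long-lived: a recipient must be able to withdraw consent from any email they still have, so an expired unsubscribe link is itself a compliance problem. Withdrawal is recorded on the same consent record, which gives you the "when and how" evidence for the withdrawal as well as for the original consent.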

Data Retention Policy

Do not keep email data indefinitely. Define how long you retain recipient data, delivery logs, and engagement events, and delete data that is no longer needed.

Honor Erasure Requests

When a recipient requests erasure:
  1. Remove them from all mailing lists
  2. Delete their personal data from your systems
  3. Add them to a suppression list to prevent future sends
  4. Confirm the deletion to the requester
Suppression lists are permitted under GDPR even after an erasure request. You need to retain the minimum data necessary (the email address) to ensure you do not contact the person again.
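The four erasure steps above and the suppression check that makes step 3 effective, as an added example that is not Lettr's own code. It goes one step beyond the text: the suppression list stores a keyed hash of the normalized address rather than the address itself, so after erasure even that list no longer holds the clear-text address, while a later re-import of the same address is still blocked. It assumes a hypothetical SUPPRESSION_KEY kept apart from the mailing data, and the LISTS, CRM and EVENTS dictionaries are constructed stand-ins for real stores.

```python
# Added example, not Lettr's code. Erasure steps 1-4 and the pre-send gate
# backed by a suppression list of keyed hashes.
# Assumptions (hypothetical): SUPPRESSION_KEY is a secret held separately from
# the mailing data; LISTS, CRM, EVENTS are constructed sample stores.
import hashlib
import hmac

SUPPRESSION_KEY = b"replace-with-a-separate-random-secret"  # assumption

# Constructed sample data
LISTS = {
    "newsletter": {"ann@example.com", "bob@example.com"},
    "promos": {"bob@example.com"},
}
CRM = {"bob@example.com": {"customer_id": "usr_48291", "name": "Bob Example"}}
EVENTS = [
    {"email": "bob@example.com", "event": "open"},
    {"email": "ann@example.com", "event": "click"},
]
SUPPRESSED: set = set()


def normalize(email: str) -> str:
    """Trim and case-fold so 'Bob@Example.com ' matches 'bob@example.com'.
    Caveat: alias variants (plus-addressing, provider-specific dot rules) are
    not collapsed; treat those as separate addresses or extend this function."""
    return email.strip().lower()


def suppression_key(email: str) -> str:
    """Keyed hash of the address: recognisable for matching, not reversible
    without the key, so the suppression list is not a clear-text address list."""
    return hmac.new(SUPPRESSION_KEY, normalize(email).encode(), hashlib.sha256).hexdigest()


def erase(email: str) -> dict:
    """Run the four erasure steps and return what to confirm to the requester."""
    e = normalize(email)
    # 1. remove from all mailing lists
    removed_from = sorted(name for name, members in LISTS.items() if e in members)
    for name in removed_from:
        LISTS[name].discard(e)
    # 2. delete personal data from other systems (CRM record, engagement events)
    crm_deleted = CRM.pop(e, None) is not None
    before = len(EVENTS)
    EVENTS[:] = [ev for ev in EVENTS if normalize(ev["email"]) != e]
    # 3. suppress future sends; this hash is the only trace that remains
    SUPPRESSED.add(suppression_key(e))
    # 4. confirmation for the requester; the deleted data itself is not echoed back
    return {
        "lists_removed": removed_from,
        "crm_record_deleted": crm_deleted,
        "events_deleted": before - len(EVENTS),
        "suppressed": True,
    }


def is_suppressed(email: str) -> bool:
    return suppression_key(email) in SUPPRESSED


def may_send(email: str, list_name: str) -> bool:
    """Pre-send gate: suppression wins over list membership, so an address that
    came back through a later import is still blocked."""
    e = normalize(email)
    return not is_suppressed(e) and e in LISTS.get(list_name, set())


def import_addresses(list_name: str, addresses) -> list:
    """Imports (partner CSV, CRM sync) must honour the suppression list; this is
    why step 3 keeps the hash after everything else has been deleted."""
    added = []
    for address in addresses:
        e = normalize(address)
        if is_suppressed(e):
            continue
        LISTS.setdefault(list_name, set()).add(e)
        added.append(e)
    return added
```

Keep the erasure request ticket itself (date received, date completed) as your record of handling the request, separate from the data you deleted. The confirmation returned by erase() is designed so that you can tell the requester what was done without sending them back the data you have just removed.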

Data Processing with Lettr

When you send email through Lettr, Lettr acts as a data processor on your behalf. You remain the data controller and are responsible for ensuring lawful processing. Lettr processes the following personal data for you:
  • Recipient email addresses
  • Email content (which may contain personal data)
  • Delivery and engagement events (opens, clicks, bounces)
  • Any custom data you pass via the metadata parameter
Do not store sensitive personal data in substitution_data or metadata fields. Avoid including information such as health data, financial account numbers, government IDs, or other special category data. Use opaque identifiers (such as internal user IDs) in metadata instead of directly including PII.
Instead of passing "customer_name": "John Smith" in metadata, use "customer_id": "usr_48291" and resolve the name in your own systems. This minimizes the personal data flowing through your email infrastructure.

GDPR vs CAN-SPAM Key Differences

Aspect | GDPR (EU) | CAN-SPAM (US)
Consent Model | Opt-in required before sending marketing email | Opt-out: you can send until someone unsubscribes
Geographic Scope | Applies to any organization processing personal data of people in the EU/EEA | Applies to commercial email sent to US recipients
Penalties | Up to €20 million or 4% of global annual turnover, whichever is higher | Up to $51,744 per individual email violation
Transactional Email | Requires a lawful basis (usually contractual necessity) | Largely exempt from CAN-SPAM requirements
Enforcement | National Data Protection Authorities in each EU member state | Federal Trade Commission (FTC)

Common Mistakes

GDPR applies based on where the recipient is located, not where your organization is based. A US company sending email to people in the EU/EEA must comply with GDPR.
Failing to respond to a data erasure request within the required timeframe is a GDPR violation. The deadline is one month from receipt, extendable by up to two further months for complex or numerous requests, but only if you tell the requester about the extension within the first month. Establish a clear internal process for handling these requests promptly.
If you use any third-party service to send email (including Lettr), GDPR requires a Data Processing Agreement (DPA) between you (the controller) and the service (the processor). Ensure this is in place before processing EU/EEA recipient data.