GDPR: mailing lists – the myths


GDPR and existing mailing lists have become a regularly raised concern of late.

There have been lots of questions about re-consent and what you need to do.

Remember that although this article talks about mailing list consent, any processing that you are doing based on consent will require that the consent is refreshed to meet the GDPR guidelines.

  • Do you have to delete your existing mailing lists and start from scratch? – NO
  • Do you need to contact everyone on the lists before 25th May and get their consent to be contacted? – NO, not everyone. See below for my suggested approach.
  • If I contact them and they don’t respond do I need to delete them from my mailing list? YES – GDPR requires you to have their clear consent to use their data. It’s not acceptable to have “if we don’t hear from you we’ll continue to send our monthly newsletter” etc – the individual has to make a clear unambiguous affirmative action or statement.
  • After 25th May, do I really have to go back on a regular basis and ask the individual again if they are happy for me to continue processing their information? – YES
  • Do I really have to give them the option of withdrawing consent at any time? – YES
  • Can I continue to write to businesses, as they don’t have to have given me consent to email them? – YES, you can write to B2B customers, limited companies and limited liability partnerships (although this may change with the new ePrivacy regulations), provided you give them the opportunity to opt out of contact every time you send them an email. Sole traders and members of unincorporated partnerships are considered individuals, and therefore you need to have consent before you send them anything.

Having addressed the myths, let’s look at your options to make “getting it right” quicker and easier.

The key is to break your mailing list up and deal with each element separately.


You need to be able to identify when someone signed up to your mailing list, so try not to amalgamate lists and lose that initial touch point information.

You’ll also need to be able to prove what the person signing up was told at the time about how you would use their information, so keep a copy of the privacy notice you provided at the time.

Ian Cooley GDPR, Data Protection and Privacy Specialist at GDPR Advisors UK.
