Google “email marketing best practices” and you’ll get millions of results.

Unsurprisingly, too: the internet is chock full of marketers wanting to tell you how to write can’t-say-no subject lines and make-money-while-you-sleep drip campaigns.

But what about the basic email best practices? You know: how to send emails that are legal and ethical.


I’m not a lawyer and none of the information in this article should be interpreted as legal advice. Please do your own due diligence to determine if or how much of this information is relevant to your circumstances, and whether you should seek professional legal advice.

Basic principles of good email consent

These basic principles of sending emails under the GDPR also apply to plenty of other privacy laws, and are just general good practice.

Be clear and transparent

Your subscribers have to be able to make an informed decision as regular people – not lawyers – which means you can’t rely only on a long, complicated privacy policy. You also MUST provide clear information up front about what you’re sending, where you’re storing their data and how you’re going to use it. Opt-in checkboxes and confirmation emails alone aren’t enough.

Make sure your privacy policy has a “summary” version in plain language and put an obvious link to it from your sign up form. 

Even better, summarize the key points and include them right there on your form!


Subscribe to receive my weekly shop updates and you’ll receive a free shipping code as a thank you!

I also send monthly styling tips so your new [product] will look its most beautiful in your home. (You can opt out of these in your subscription preferences. )

[your form fields would go here]

Your details are transferred to and processed on Aweber’s US servers under the EU-U.S. Privacy Shield. I don’t use your subscription details for anything else, such as advertising. You can unsubscribe at any time. Read my full privacy policy.

[subscribe button] <-- Put the button under all the text to make the text less "ignorable".

TIP: Check your email marketing platform’s GDPR guide for any suggested text, whether they’re certified for the Privacy Shield and links to their terms etc.

Mailchimp already lets you turn on GDPR fields and “legalese” with a single setting, if you’re using their built-in forms. Many third party forms also provide GDPR options, so Google your tools to see what they offer.

^^ Remember, if the tool processes your contact data on its own servers, put it in your tool audit spreadsheet!

Ask first

In almost every case, marketing requires consent.

Don’t use emails you got for some other reason (like a sale) without getting specific consent for email marketing, too. You can’t send an unsolicited email asking for consent!

If you need to ask for marketing consent and don’t have control over your checkout (like on Etsy), bundle your request into existing transaction emails or pages that you do control, like the thank you message.

Absolute best practice is to get specific consent for each different thing you want to use their data for. So if you want to send them emails and create Facebook custom audiences, then you should let them opt in to both, individually!

Don’t require marketing consent for a paid product or service

The GDPR guidelines make it very clear that if you make marketing consent a condition of purchase (no matter how transparent and up front you are), that consent cannot be “freely given” without detriment to the potential customer: they can’t buy your product!

Instead, offer a separate checkbox to opt in to your marketing. Make sure it’s not pre-ticked and that you include a link to your privacy policy and some clear information about what you’re going to send.

Offer granular control

Let your subscribers choose what types of emails they want to get, as much as is practical to you.

Ideally, they should get this choice when they first sign up, especially if you want to send emails about very different products or to very different audiences. But if all the email topics are related, you could get away with offering it later.

For example, if you send shop updates (new products, sales etc.) and tips on how to use that same product: you probably don’t need to have a separate tick box for each when they subscribe.

Sell abstract prints and blog about painting with kids? Get separate consent up front.

How to manage granular control

  1. Create custom fields in your email marketing system. You could have a single “Topics” field with a checkbox for each topic. Or a separate “yes/no” dropdown for each option.
    The field should be editable by the contact when they’re updating their profile.
  2. Decide if your existing subscribers should be set to “yes” or “no” for each topic.
  3. Decide if you’re going to include these fields on some or all of your sign up forms. Add them in, if so. (If you’re using your built-in form builder, this will be easy!)
  4. Create a contact Segment in your list for each topic. Include contacts who have the topic ticked or set as “yes”.
  5. When sending emails on that topic, always use that same Segment.

If you’re also getting granular consent to use emails for other things, like Facebook custom audiences, store that in a custom field, too.

Let people unsubscribe

This has been an obvious one for many years, so if you don’t already have a one-click unsubscribe link on every email – get to it! Unsubscribing should be as easy as it was to subscribe (ideally, even easier).

However, this principle also means that unsubscribing from marketing emails should NOT also stop your subscriber from receiving other information or services, especially ones they’ve paid for!

What does this mean? Things you can’t do:

The easiest way to clarify what all this stuff really means for you is to list some common practices that are not ok under the GDPR:

  • Pre-ticked “opt in” boxes.
  • Automatically adding buyers to your newsletter without telling them.
  • Making newsletter subscription a condition of purchase (e.g. clearly advising a buyer that they’ll be added to your list when they buy, but there’s nothing they can do about it).
  • Unsubscribing a contact from a service they’ve paid for (e.g. a paid masterclass) when they unsubscribe from your general emails.
  • An unsubscribe process that makes you log in first.

Do I need to use double opt-in?

Everywhere you look, people are saying “you need double opt-in for GDPR!”

But do you?

Neither the GDPR nor the UK’s ICO says anything about “double opt-in” in their consent guidelines. Nor do they say you should verify a person’s identity before the consent is valid, which is what a double opt-in helps to do.

Likewise, countries like Canada, Germany and Australia have very specific consent requirements but still don’t mention double opt-in in the legislation itself.

It ultimately comes down to interpretation of the law and whether the consent you can prove is enough.

Key points

  • Double opt-in can help you provide evidence of consent and that the person who subscribed was actually the owner of the email address.
  • Double opt-in does not cancel out your other obligations around telling people exactly what you’re going to send them and offering control over what they get.
  • You still should not automatically add customers to a marketing list when they buy something, just because you have a double opt-in set up.
  • A double opt-in can reduce your list growth by 20-30%.
  • However, a double opted-in list is more engaged, active and ultimately – profitable per contact.

Bottom line:

Seriously consider a double opt-in process. But it’s not the be-all-and-end-all of consent and it’s not 100% mandatory.

You’ll need to work hard to perfect the messaging and optimize your opt-in rate, but your consent will be the “gold standard” as long as you’re also telling people the right things before they subscribe.

A great way to handle this is to offer a discount code as the sign up bonus, which many shops already do. Your double opt-in request email can then remind them: “Confirm to get your 15% off!”
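To make the granular-control steps and the double opt-in discussion concrete, here is an added example (not code from this article or from any email marketing platform): a minimal in-memory consent store that records per-topic consent, issues a signed, time-limited confirmation token for the double opt-in email, keeps a consent log as evidence, builds a per-topic segment of confirmed contacts only, and handles a one-click unsubscribe without logging in. The `SECRET_KEY`, the 48-hour expiry and the two topic names from the form text above are assumptions for illustration.

```python
"""Added example: double opt-in tokens plus per-topic consent records.
Assumptions: in-memory store instead of a real email platform, a
hypothetical SECRET_KEY, and a 48-hour confirmation window."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

SECRET_KEY = b"hypothetical-secret-load-from-config"   # assumption, not a real key
TOKEN_TTL_SECONDS = 48 * 3600                          # assumed expiry for confirmation links
TOPICS = ("shop_updates", "styling_tips")              # topics taken from the form example


@dataclass
class Contact:
    email: str
    topics: dict = field(default_factory=dict)         # topic -> True/False ("yes"/"no" fields)
    confirmed_at: Optional[float] = None               # set only after the double opt-in click
    consent_log: list = field(default_factory=list)    # evidence: what was agreed to, when, where


CONTACTS: dict = {}   # email -> Contact (stands in for the platform's contact list)


def _sign(data: bytes) -> str:
    """HMAC over the token payload so a link can't be forged or edited."""
    return hmac.new(SECRET_KEY, data, hashlib.sha256).hexdigest()


def _log(contact: Contact, event: str, now: float, **extra) -> None:
    contact.consent_log.append({"event": event, "at": now, **extra})


def subscribe(email: str, chosen_topics, source: str, now: Optional[float] = None) -> str:
    """Record an unconfirmed sign-up and return the token for the confirmation email."""
    now = time.time() if now is None else now
    unknown = set(chosen_topics) - set(TOPICS)
    if unknown:
        raise ValueError(f"unknown topics: {sorted(unknown)}")
    contact = CONTACTS.setdefault(email, Contact(email))
    contact.topics = {t: t in chosen_topics for t in TOPICS}   # not pre-ticked: only what they chose
    contact.confirmed_at = None                                 # a new sign-up must be re-confirmed
    _log(contact, "signup", now, topics=sorted(chosen_topics), source=source)
    payload = json.dumps({"email": email, "exp": now + TOKEN_TTL_SECONDS,
                          "nonce": secrets.token_hex(8)}, sort_keys=True).encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{body}.{_sign(payload)}"


def confirm(token: str, now: Optional[float] = None) -> bool:
    """Validate a clicked confirmation link; only a valid, unexpired token confirms consent."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except ValueError:          # malformed token (binascii.Error is a ValueError)
        return False
    if not hmac.compare_digest(_sign(payload), sig):
        return False
    data = json.loads(payload)
    if now > data["exp"]:
        return False
    contact = CONTACTS.get(data["email"])
    if contact is None:
        return False
    contact.confirmed_at = now
    _log(contact, "confirmed", now)
    return True


def segment(topic: str) -> list:
    """Step 4 of the granular-control procedure: confirmed contacts with this topic set to yes."""
    return sorted(c.email for c in CONTACTS.values()
                  if c.confirmed_at is not None and c.topics.get(topic))


def unsubscribe(email: str, topic: Optional[str] = None, now: Optional[float] = None) -> bool:
    """One-click unsubscribe from one topic or all marketing; no login required.
    The contact record is kept, so paid services tied to the address are untouched."""
    now = time.time() if now is None else now
    contact = CONTACTS.get(email)
    if contact is None:
        return False
    for t in contact.topics:
        if topic is None or t == topic:
            contact.topics[t] = False
    _log(contact, "unsubscribe", now, topic=topic or "all")
    return True
```

The consent log is what you would hand over if asked to prove consent: it records the source form, the topics ticked, and the confirmation click, each with a timestamp. Contacts never appear in a topic segment until both conditions hold, which is the behaviour the "always use that same Segment" step relies on.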

SERIES: Data Privacy for Makers

These days, the internet is constantly abuzz with talk about data privacy. From Facebook scandals, to updated Privacy Policies, to new laws: it’s everywhere! So it’s perfect timing to get to know your obligations as a business owner, for the data you collect and store for your customers, contacts and website visitors.
