Custodia-Admin

Originally published at app.custodia-privacy.com

GDPR for Marketing Consultants: Client Lists, Campaign Data, and Email Compliance


If you are a freelance marketing consultant or run a small marketing agency, GDPR creates obligations that are significantly more complex than those facing most small businesses. You are not just collecting your own customers' data — you are routinely handling data belonging to your clients' customers, building and managing third-party email lists, running advertising campaigns using behavioural data, and deploying tracking pixels on websites you do not own. Every one of these activities carries GDPR risk, and the lines between your responsibility and your client's responsibility are rarely clear without a properly structured data processing agreement.

This guide walks through the key GDPR issues for marketing consultants: your controller versus processor status, email marketing rules under PECR, B2B cold outreach, suppression lists, advertising pixels, CRM data handling, and what happens when something goes wrong.


Are You a Data Controller or a Data Processor?

This is the most important question a marketing consultant must answer — and the answer changes depending on the activity.

You are a data controller when you determine the purposes and means of processing personal data yourself. If you build your own email newsletter, maintain your own prospect database for business development, or decide which data to collect when designing a marketing campaign strategy, you are acting as a controller for that data.

You are a data processor when you process personal data on behalf of a client, following their instructions. If a client gives you access to their Mailchimp account, their CRM, or their customer email list to run a campaign on their behalf, you are a processor. The client remains the controller.

In practice, most marketing consultants act as both, depending on the activity. You might be a controller for your own newsletter subscriber list and a processor for every client campaign you manage. The distinction matters because:

  • As a controller, you must have your own lawful basis for processing, maintain records of processing activities, and respond to data subject requests yourself.
  • As a processor, you must act only on documented client instructions, implement appropriate security, notify the client without undue delay of any data breach, and — critically — have a signed Data Processing Agreement (DPA) in place before touching client data.

If you are handling client email lists without a DPA, you are non-compliant under Article 28 GDPR. This is one of the most common gaps among freelance marketing consultants.


Building and Managing Email Marketing Lists

Email lists are the lifeblood of most marketing practices — and the most GDPR-sensitive asset you manage. Under PECR (Privacy and Electronic Communications Regulations), sending marketing emails to individuals requires prior consent: a clear, specific, and freely given opt-in.

Key rules for list management:

  • Consent must be granular. Consent to receive emails from a retailer is not consent to receive emails from the marketing agency they hire. If you are mailing on behalf of clients, the consent must name (or at least clearly describe) the sender.
  • Pre-ticked boxes do not count. Consent must be a positive act. Pre-checked opt-in boxes at checkout are not valid consent under PECR.
  • Consent records must be maintained. You (or your client) must be able to demonstrate when, how, and what the subscriber consented to. If you cannot prove consent, you cannot use it as your legal basis.
  • Purchased lists are almost always non-compliant. Unless the list provider can demonstrate valid consent was collected from each recipient specifically for the categories of marketing you intend to send, purchased email lists should not be used for direct marketing to consumers.

PECR Rules for Email and SMS Marketing

PECR governs electronic marketing to UK and EU-based individuals and operates alongside GDPR. The key rules:

  • Email and SMS to individuals (B2C): Requires prior opt-in consent except where the soft opt-in applies (see below).
  • The soft opt-in: You can email a customer about similar products or services without fresh consent if they purchased from you recently and were given a clear opportunity to opt out at the time of purchase — and on every subsequent email. This only applies to the business that made the original sale; it cannot be used by a marketing consultant emailing on behalf of a new client.
  • SMS marketing: Subject to the same rules as email. Consent should be specific to SMS as a channel — consent to email does not extend to text messages.
  • Suppression: Every marketing email must include an unsubscribe mechanism. Unsubscribe requests must be actioned promptly (within days, not weeks) and the email address must be added to a suppression list — not deleted, so it cannot be inadvertently re-subscribed.

Cold Email Prospecting: The B2B Rules

Cold email is common in marketing and business development, and many consultants assume it is legal for business contacts. The position is more nuanced.

Under PECR, the rules for corporate subscribers (companies registered as Ltd, PLC, LLP, etc.) are slightly more permissive than for individuals — you do not need prior consent to email a company email address for relevant marketing, but you must still provide an unsubscribe option and honour opt-outs.

However, sole traders and partnerships are treated as individuals under PECR. Emailing a sole-trader freelancer or a partnership firm's generic address without prior consent is subject to the same rules as consumer marketing.

Additionally, the email address itself must be relevant to your offer. Emailing marketing directors about marketing services may be defensible as legitimate interests under GDPR, but emailing generic info@ addresses with unsolicited pitches is harder to justify.

The ICO's guidance on direct marketing is clear: even where PECR permits B2B cold email, GDPR still applies to how you process those contact details. You need a lawful basis (typically legitimate interests), you must conduct and document a Legitimate Interests Assessment, and you must provide a privacy notice.


Managing Unsubscribes and Suppression Lists

Unsubscribe management is a compliance obligation, not just a deliverability best practice. Every time someone opts out of marketing:

  • The opt-out must be recorded immediately.
  • The email address must be added to a suppression list — a list of addresses that should never receive marketing, distinct from your active subscriber list.
  • The suppression list must be applied across all future campaigns, including campaigns run from different platforms or with different lists.
  • If you manage multiple campaigns for the same client, unsubscribes from one campaign must be honoured across all campaigns for that client.

When you use email service providers like Mailchimp, HubSpot, or ActiveCampaign, these platforms typically manage unsubscribes automatically within their system — but you are responsible for ensuring suppression lists are exported and applied when switching platforms, when importing legacy lists, or when running campaigns from multiple tools simultaneously.
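The suppression workflow above, as an added example that is not code from the original post: one suppression list per client, merged from any platform export and applied to every outgoing campaign list whichever tool it came from. The client identifier, platform names, addresses and timestamps are constructed sample data.

```javascript
// Added example (not the original post's code): one suppression list per
// client, merged from any platform export and applied to every campaign list.

// Normalise so "Jane.Doe@Example.COM " and "jane.doe@example.com" match;
// otherwise an opt-out can be re-imported under a variant spelling.
function normaliseEmail(address) {
  return String(address).trim().toLowerCase();
}

class SuppressionList {
  entries = new Map(); // normalised address -> { source, at }

  // Record an opt-out. Entries are only ever added, never removed, so the
  // address cannot be inadvertently re-subscribed later.
  suppress(address, source, at) {
    const key = normaliseEmail(address);
    if (!this.entries.has(key)) this.entries.set(key, { source, at });
    return key;
  }

  isSuppressed(address) {
    return this.entries.has(normaliseEmail(address));
  }

  // Merge a suppression export from another platform, e.g. before migrating.
  merge(rows) {
    for (const r of rows) this.suppress(r.email, r.source, r.at);
    return this.entries.size;
  }

  // Apply the list to a campaign list from any platform or legacy import.
  filter(recipients) {
    const kept = [], removed = [];
    for (const r of recipients) (this.isSuppressed(r.email) ? removed : kept).push(r);
    return { kept, removed };
  }
}

// Constructed scenario: an unsubscribe captured in one platform is honoured
// in a campaign sent from another platform for the same client.
function demo() {
  const list = new SuppressionList(); // one list per client (constructed data)
  list.merge([{ email: 'Jane.Doe@Example.com', source: 'mailchimp', at: '2024-03-01T09:00:00Z' }]);
  list.suppress('bob@example.org', 'hubspot-form', '2024-03-02T10:15:00Z');
  return list.filter([
    { email: 'jane.doe@example.com' }, { email: 'BOB@example.org ' }, { email: 'carol@example.net' },
  ]);
}

console.log(demo()); // kept: carol only; removed: jane and bob
```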


Using Mailchimp, HubSpot, and ActiveCampaign as Processors

When you use email marketing platforms on behalf of clients, those platforms are acting as sub-processors. As the data processor (you) instructing another processor (Mailchimp, HubSpot, ActiveCampaign), you are responsible for:

  • Ensuring your client has authorised the use of these sub-processors — this should be documented in your DPA.
  • Verifying that the platform's terms of service include an adequate Data Processing Agreement with appropriate security commitments.
  • Understanding where data is processed — particularly relevant for US-based platforms processing EU personal data. Post-Schrems II, you need to verify that adequate transfer mechanisms are in place (Standard Contractual Clauses, adequacy decisions, etc.).
  • Ensuring list data is not used by the platform for their own purposes (e.g., cross-client analytics or advertising) without the data subject's knowledge.

Custodia can help you audit the data flows involved in your marketing stack, identifying which platforms are processing personal data and whether appropriate agreements and consent mechanisms are in place.


Social Media Advertising Data and Pixel Compliance

Running paid social campaigns on behalf of clients — whether Meta Ads, LinkedIn, TikTok, or Google Ads — involves the use of tracking pixels placed on client websites. These pixels collect personal data (IP addresses, device identifiers, behavioural signals) and transmit it to advertising platforms.

Under GDPR and the ePrivacy Directive:

  • Tracking pixels require consent. A Facebook Pixel, LinkedIn Insight Tag, or Google Ads conversion tag cannot be loaded before a website visitor provides valid cookie consent. Loading these scripts by default — even in "basic" mode — is non-compliant.
  • As the consultant, if you are instructing a client to install a pixel, you have a responsibility to flag the consent requirements and ensure the pixel is integrated with a compliant Consent Management Platform (CMP). If you install the pixel yourself, you share responsibility for the compliance of its implementation.
  • Custom Audiences from client data: Uploading client email lists to Meta's Custom Audiences tool requires that the data subjects whose emails are being uploaded consented to their data being used for advertising targeting. General email newsletter consent does not extend to use for social ad targeting without explicit disclosure at the point of consent.
  • Conversion API (CAPI) implementations: Server-side tracking does not bypass GDPR. The same consent requirements apply; CAPI simply changes the technical method of data transmission, not the legal basis requirement.
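The deferral pattern the first bullet describes, as an added example that is not code from the original post or from any of the named advertising platforms: tags are registered on page load but only executed once the Consent Management Platform reports consent for their category. The CMP hook (`grant()`) and the tag names are assumptions.

```javascript
// Added example (not the original post's code): keep advertising tags dormant
// until the CMP signals consent for their category (CMP hook assumed: call grant()).
function createConsentGate() {
  const registered = new Map(); // tag name -> { category, load }
  const loaded = new Set();
  let granted = new Set();

  // Load every registered tag whose category has consent, exactly once.
  function flush() {
    for (const [name, tag] of registered) {
      if (granted.has(tag.category) && !loaded.has(name)) {
        tag.load();
        loaded.add(name);
      }
    }
  }

  return {
    // Register a tag without running it: nothing is fetched or fired here,
    // so there is no "basic mode" pixel hit before consent exists.
    register(name, category, load) { registered.set(name, { category, load }); flush(); },
    // Called by the CMP with the consented categories. Granting fewer
    // categories later cannot unload a script already on the page, which
    // is why tags are deferred rather than fired and later suppressed.
    grant(categories) { granted = new Set(categories); flush(); },
    loadedTags: () => [...loaded],
  };
}

// In a browser each tag's loader is a script injection like this one; the
// demo below substitutes counters so the example runs in Node without a DOM.
function injectScript(src) {
  const s = document.createElement('script');
  s.async = true; s.src = src;
  document.head.appendChild(s);
}

// Constructed scenario: tags are registered on page load, consent arrives later.
function demo() {
  const gate = createConsentGate();
  const calls = { pixel: 0, ads: 0 };
  gate.register('meta-pixel', 'marketing', () => { calls.pixel += 1; });
  gate.register('google-ads-tag', 'marketing', () => { calls.ads += 1; });
  const beforeConsent = gate.loadedTags().length; // 0: nothing loads by default
  gate.grant(['analytics']);                      // unrelated category: still 0
  const analyticsOnly = gate.loadedTags().length;
  gate.grant(['analytics', 'marketing']);         // both tags load now, once
  return { beforeConsent, analyticsOnly, calls };
}
console.log(demo()); // { beforeConsent: 0, analyticsOnly: 0, calls: { pixel: 1, ads: 1 } }
```

For a server-side (CAPI) implementation the same consent state has to travel with each event, since the server never sees the browser's consent decision on its own.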

Handling Client CRM Data on Their Behalf

Many marketing consultants are given direct access to client CRMs — HubSpot, Salesforce, Pipedrive, ActiveCampaign — to segment lists, manage contacts, or run automations. When you access a client's CRM:

  • You are acting as a data processor.
  • You must have a signed DPA in place before accessing the system.
  • Your access should be limited to what is strictly necessary for your role (data minimisation and access control).
  • You must not export or copy contact data to your own systems without the client's explicit authorisation.
  • If you discover personal data in the CRM that appears to have been collected without adequate legal basis — for example, contacts added without consent or documentation of a legitimate interest — you should flag this to the client rather than using it.

Marketing Automation and Behavioural Tracking

Marketing automation platforms track individual behaviour — email opens, link clicks, website page visits, content downloads, and form submissions — to build contact profiles and trigger automated workflows. This behavioural tracking constitutes processing of personal data, and in many cases constitutes profiling under GDPR Article 4(4).

Where profiling is used to influence marketing messages (personalisation, lead scoring, dynamic content), your clients must:

  • Disclose the use of profiling in their privacy notice.
  • Provide a basis for this processing — typically legitimate interests, with an LIA, or consent where the profiling is more intrusive.
  • Offer data subjects the right to object to profiling under Article 21.

As the consultant designing and building automation workflows, you share responsibility for ensuring these compliance requirements are met. Building sophisticated lead scoring or behavioural trigger campaigns without addressing the consent and notice framework is a compliance gap you are helping to create.


Data Minimisation in Campaign Analytics

Analytics data from campaigns — open rates, click-through rates, conversion tracking, A/B test results — can often be collected and used at an aggregated level that does not require processing individual personal data. Where possible, campaign reporting should use aggregated or pseudonymised data rather than individual-level tracking.

Practical steps:

  • Where campaign performance reports do not require individual-level attribution, use platform-level aggregate reports rather than exporting raw contact-level data.
  • Avoid creating large spreadsheets of individual contact engagement history unless there is a specific operational need.
  • Delete or anonymise campaign data that is no longer needed for its original purpose — do not retain engagement data indefinitely "for future reference."
  • When A/B testing email subject lines or content, the test results themselves (aggregate) are far less risky than the underlying individual-level data.

Data Breach Obligations When Client Email Lists Are Involved

If a breach occurs involving personal data you are processing on behalf of a client — for example, your laptop containing exported email lists is stolen, or your email marketing platform account is compromised — the obligations under GDPR Article 33 apply:

  • As the processor, you must notify your client (the controller) without undue delay, and in any case within 72 hours of becoming aware of the breach.
  • The controller (your client) then has the 72-hour obligation to notify their supervisory authority (e.g., the ICO in the UK) if the breach is likely to result in a risk to individuals' rights and freedoms.
  • Where the breach is likely to result in a high risk to individuals, the client must also notify affected data subjects directly.

This is why DPAs matter: the breach notification chain — processor to controller to regulator — only works if the legal relationship is properly documented. Without a DPA, there is ambiguity about who is responsible for notification, and both parties may be exposed.


Contracting With Clients as a Data Processor

Every marketing consultant who handles personal data on behalf of clients needs a solid DPA as part of their standard client contract. Under Article 28 GDPR, the DPA must specify:

  • The subject matter and duration of the processing
  • The nature and purpose of the processing
  • The type of personal data and categories of data subjects
  • Your obligations and rights as processor
  • A requirement to process only on documented instructions from the controller
  • Confidentiality obligations on all staff with access to the data
  • Implementation of appropriate technical and organisational security measures
  • Sub-processor authorisation (e.g., approval to use Mailchimp, HubSpot)
  • Assistance obligations (helping the client respond to data subject requests and regulatory enquiries)
  • Return or deletion of data at the end of the engagement

If you are using a standard client services agreement without a DPA addendum, you are non-compliant with Article 28. This is not a theoretical risk — it is a documented compliance failure that could be cited in any ICO investigation.


Practical Next Steps for Marketing Consultants

  • Conduct a data audit: map every source of personal data you access or process across your client engagements and your own business development activities.
  • Implement DPAs with all clients for whom you handle personal data.
  • Review your email marketing platform agreements and confirm sub-processor authorisation is in place.
  • Check that all campaign pixels and tracking tags are integrated with consent management tools on client websites.
  • Establish a suppression list protocol for all clients — and a process for exporting and applying suppression lists when changing platforms.
  • Document your Legitimate Interests Assessments for B2B cold outreach and any processing based on legitimate interests.
  • Create a data breach response plan covering your notification obligations as a processor.

Scan Your Website and Marketing Stack for Compliance Gaps

Understanding your GDPR obligations is the first step — but ensuring your clients' websites and your own marketing tools are actually compliant requires a thorough technical audit. Scan any website free at https://app.custodia-privacy.com/scan. Custodia will identify every tracker and third-party script collecting personal data, assess whether consent mechanisms are in place, and highlight the highest-priority compliance gaps — in 60 seconds, with no signup required.

For ongoing compliance, Custodia provides automated GDPR audit reports, consent management infrastructure, and AI-generated privacy policies and data processing agreements tailored to marketing consultants and agencies — helping you stay compliant as your client base and technology stack grow.
