GDPR Article 6: What You Need to Know

Lauren Joyner

by Lauren Joyner

If you do any kind of online marketing in the United States, chances are you comply with CAN-SPAM. Under CAN-SPAM, an email sender is not required to have opted-in (though we still highly encourage it for a variety of reasons). Instead, either affirmative consent is required or an easy to use unsubscribe mechanism must be provided. The European Union has a new privacy law that also addresses this issue. The new law is known as the General Data Protection Regulation and it will become effective on May 25, 2018.

Don’t brush this off if you’re not based in the EU. This will affect anyone targeting customers in the EU. For example, if you have an online store, maybe you’ve translated your website into a European language like French, to capture some market share in France. Thus, you’re likely regulated by the GDPR.There are many important provisions of the law to be aware of, but we’re going to focus on Article 6. The GDPR does not necessarily require an opt-in to send an email, rather it relies on the concept of the lawfulness of processing—Article 6—for guidance. For our American readers, GDPR is a comprehensive privacy law that encompasses the concepts found in the American CAN-SPAM law.

Article 6 of GDPR will affect your business in a big way. This article covers the concept of the lawfulness of processing. What does that mean? Processing the personal data of your customers/prospects (e.g., email address) is only lawful under certain circumstances that are laid out in Article 6, as follows:

a. The data subject has given consent to the processing of his or her personal data for one or more specific purposes;

b. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

c. Processing is necessary for compliance with a legal obligation to which the controller is subject;

d. Processing is necessary in order to protect the vital interests of the data subject or of another natural person;

e. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

f. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

What do I need to know?

There are three sub-sections of Article 6 that will be most relevant to Infusionsoft users: a, b, and f.

Sub-section (a)—processing on the basis of the consent of the individual—is very specific and inflexible. Did you get your prospects email because they signed up for your newsletter? If so, the data subject (prospect) has given consent to process data (email address) in order to receive your newsletter. But was the consent documented in a way that you can demonstrate to regulators that it meets all the requirements for consent that are laid out in Article 7? Was the consent “freely given, specific, informed and unambiguous” as is described in Article 4? There’s plenty of pitfalls here, and these requirements are somewhat subjective. Other aspects of Article 6 may provide more legal certainty with respect to the legal grounds for processing personal data.

Sub-section (b) will be very important for Infusionsoft users (more on that later). Did you get the email address because someone bought something from your site? If so, you, as the site owner, needs to process the email address and home address in order to complete the contract—i.e., delivering the product.

Sub-section (f)—processing on the basis of the pursuit of a legitimate interest—offers a more fluid set of possibilities, though it also requires further explanation. First, you have to understand the definition of legitimate interests. An EU court case defined it with a three-part test:

  • Identify the legitimate interest (this is broad): For example, your interest in selling your good or services (although this is a rather permissive interpretation of what a “legitimate interest” can represent)
  • The need to process personal data for the purpose of pursuing the legitimate interest: An email needs to be sent to announce a sale. We can’t pursue our legitimate interest without processing the personal data.
  • Privacy rights of the individual can’t outweigh the legitimate interest being pursued (this is critical): The individual’s right to privacy must not be outweighed by the legitimate interest pursued

Sub-section B

This where you, the Infusionsoft user, should focus your attention. If you are offering anything on your site, whether a physical product you mail to the buyer, a consultation, or a membership, you need to read on.

Making any kind of purchase from you constitutes a contract. That doesn’t mean you can send them anything you want, but you do have the ability to process their data as necessary in order to fulfill the promise you made to your customer in the “contract.” You’ll need to, of course, communicate with them and to deliver what they requested from you.

Learn more about GDPR and how it may affect you as an Infusionsoft user. All posts on GDPR are meant to be informational only and should not be used as legal advice.

Lauren Joyner

Lauren Joyner

Lauren is the managing editor of the Knowledge Center and Product Blog at Infusionsoft. A southern California native, she got her start as writing headlines for the Ventura County Star newspaper. After leaving California behind, she worked as a writer and editor for various magazines and online publications, including Denver's award-winning city magazine 5280. When not working, Lauren spends time with her family, hunts for her next podcast obsession, reads cooking magazines, and cheers on the LA Dodgers and Philadephia Eagles.


Subscribe to our weekly newsletter

Get the latest Infusionsoft how-tos, sales and marketing tips, and news updates delivered to your inbox.

Get to know Infusionsoft on your terms with three demo options

Discover how you can use Infusionsoft to automate repetitive tasks, nurture leads, scale customer relationships, and so much more. Choose the demo experience that works best for you.


Online Demo

Explore key features of the platform in a self-guided online experience.

live-demo-svg Created with Sketch.

Live Webinar Demo

Reserve your spot in this interactive, 30-minute product demo with expert Q&A.


1:1 Personalized Demo

Get a customized tour of our software from a small business expert.

Meet the #1 automation platform for small business

How does Infusionsoft help modern small business get better results? View a 2-minute introduction to learn how 120,000 professionals just like you get organized, grow sales, and save time.

Have questions? We're always here to help.

Phone Icon White phone icon to call Infusionsoft

Talk to a human

+1 866 800 0004
Chat icon Chat Icon to chat with Infusionsoft Sales

Start a live chat

Sales Chat

Start your demo

Register for a live webinar

Schedule your demo

Try Infusionsoft free for 14 days

Created with Sketch.
  • Capterra logo
  • G2 Crowd logo
  • Software Advice logo
  • trustradius logo
  • Free support
  • ·
  • No credit card required
  • ·
  • Cancel anytime

Oops, our bad

A minor error occurred