Published
2nd June 2026
Read time
9 min read

When we looked at GDPR from a B2B marketing perspective, one of the biggest takeaways was that GDPR did not stop brands from using data. It made the use of data more accountable.

For B2C marketers, that shift has arguably been even more visible.

Consumer marketing is often more direct, more personal and more emotionally driven. It reaches people through email, SMS, paid social, search, websites, apps, loyalty schemes, competitions, online forms and in-store data capture. It can follow people from discovery to purchase, then from purchase to repeat purchase, review, referral and retention.

That means B2C marketing has always depended on data.

But since GDPR came into force in May 2018, the way brands collect, use and protect that data has had to change.

Eight years on, the biggest impact has not been the end of personalisation, email marketing or digital targeting. It has been the rise of a more conscious customer relationship.

People expect brands to know enough to be relevant, but not so much that it feels intrusive. They expect joined-up experiences, but they also want control. They are happy to share data when the value is clear, but less forgiving when it feels hidden, confusing or unnecessary.

That tension is where modern B2C marketing now lives.

B2C marketing became more permission-led

The most immediate impact of GDPR was felt in email marketing.

Before 2018, some consumer brands were still too relaxed about how email lists were built, shared and used. GDPR and PECR forced a reset.

The ICO’s guidance makes it clear that organisations need specific consent to send marketing emails or texts to individuals, unless they can rely on the soft opt-in for existing customers.

That soft opt-in can apply when someone has bought or negotiated to buy a similar product or service and has been given a clear opportunity to opt out when their details are collected and in every message thereafter.

In practical terms, this changed the role of the email sign-up.

  • A vague “submit” button is not enough.

  • A pre-ticked box is not enough.

  • A hidden privacy notice is not enough.

People need to understand what they are signing up for and how they can stop receiving it.

For marketers, this has created a much healthier way to think about email.

The question is no longer simply, “How many people can we add to the database?” It is:

  1. Why would someone want to hear from us?

  2. What value are we offering in exchange for their data?

  3. Have we been clear about what they will receive?

  4. Are we making it easy for them to opt out?

  5. Are we sending content that still reflects what they expected?

That last question is rather important.

Consent should not be treated as a one-time event. If someone signed up for useful product advice and then receives daily discount messages for unrelated items, the brand may technically be communicating with the subscriber, but it still damages trust.

The best B2C email marketing now feels more like a service than a broadcast.

The value exchange had to become clearer

B2C brands often ask people for data at several points in the customer journey:

  • A newsletter sign-up.

  • A competition entry.

  • A checkout form.

  • A loyalty scheme.

  • A product recommendation quiz.

  • A downloadable guide.

  • A review request.

  • A birthday discount.

  • A back-in-stock alert.

Each one depends on a value exchange.

The customer is giving something away. The brand needs to make the reason clear.

This is where GDPR has encouraged better marketing thinking. It has forced brands to stop collecting data simply because they can and start collecting data because it improves the customer experience.

That might mean asking for fewer details at the first point of contact. It might mean building progressive data capture into the journey, where the brand learns more over time. It might mean giving people more choice over the types of content they receive.

For example, a pet brand could let subscribers choose whether they want content about dogs, cats or small animals.

A home brand could allow people to select inspiration by room type.

A hospitality brand could ask whether customers are more interested in family breaks, couples’ stays or event offers.

Personalisation now must earn its place

Consumers expect personalisation. They want relevant recommendations, timely reminders and useful content. But there is a fine line between helpful and uncomfortable.

A personalised product recommendation after a purchase can feel useful. An advert that follows someone around the internet for weeks can feel irritating. A birthday offer can feel thoughtful. A brand that relies too heavily on inferred information can feel intrusive.

Since GDPR, personalisation has had to mature.

Good B2C personalisation should be based on three things:

  • Relevance

  • Transparency

  • Control

Relevance means using data to improve the experience, not just to increase the frequency of selling.

Transparency means helping people understand how and why their data is being used.

Control means giving people meaningful choices about what they receive and how they are contacted.

This is particularly important for brands using customer segments, behaviour-based campaigns, abandoned basket emails, product recommendations, loyalty data or paid media audiences.

The point is not to avoid personalisation. The point is to make sure it is proportionate.

That is the practical test marketers should keep coming back to.

  • Would the customer understand this use of their data?

  • Would they expect it?

  • Would they feel it improves the experience?

If the answer is no, it is probably time to rethink the campaign.

Cookies changed the measurement conversation

For B2C marketers, cookie consent has changed how website performance is understood.

The ICO’s guidance says people must be told when cookies or similar technologies are used, what they do and why. Consent must be actively and clearly given, unless the cookies are essential to provide the online service requested by the user.

This has had a major impact on digital marketing.

B2C brands can no longer assume every website visitor can be tracked in full. Analytics data may be less complete. Retargeting audiences may be smaller. Attribution may be less precise. Consent banners may affect how many users are visible in reporting platforms.

For marketers who have grown up with dashboards, conversion paths and platform attribution, this has been uncomfortable.

But it has also been useful.

It has challenged the idea that everything valuable can be measured perfectly. It has made marketers look beyond last-click conversion and platform-reported results. It has encouraged better use of first-party data, stronger CRM reporting and more focus on commercial outcomes.

Cybersecurity now sits behind customer trust

GDPR is often discussed in relation to consent, privacy notices and cookies. But data security is just as important.

B2C brands hold information that customers expect them to protect. Email addresses, phone numbers, purchase histories, enquiry forms, loyalty accounts and payment-related data all carry risk.

The NCSC’s GDPR security outcomes focus on managing security risk, protecting personal data against cyber-attack, detecting security events and minimising impact.

For marketers, this does not mean becoming cybersecurity specialists. It does mean taking responsibility for the tools and data used in marketing activities.

That includes:

  1. Using multi-factor authentication on marketing platforms

  2. Reviewing who has access to CRM, email and social media accounts

  3. Removing old users from systems

  4. Checking how third-party tools handle data

  5. Avoiding unnecessary exports of customer lists

  6. Keeping suppression lists secure

  7. Working with IT teams before adding new platforms or tracking tools

This is especially important in B2C because the scale of data can be much larger. A small process mistake can affect thousands of customers. A compromised marketing account can quickly become a reputational issue. A poorly controlled spreadsheet can create unnecessary risk.

So, has GDPR made B2C marketing better?

In many ways, yes.

It has made lazy list building harder. It has made vague consent journeys less acceptable. It has made brands think more carefully about personalisation, cookies, CRM and customer trust.

But it has also made good B2C marketing more valuable.

The brands that have adapted well are not the ones that stopped using data. They are the ones who use it with more purpose.

They ask for the data they need. They explain the value clearly. They respect preferences. They build stronger first-party relationships. They measure what matters. They understand that trust is not separate from performance.

For consumers, GDPR has helped make data use more visible. For marketers, it has raised the standard.

Need support building more trusted customer journeys?

Data protection should not stop ambitious B2C marketing. It should help shape stronger customer journeys, clearer messaging and more meaningful relationships between brands and their audiences.

If you want to build marketing that is creative, commercially focused and considered from first interaction to long-term loyalty, get in touch with the Leopard Co team.