Email Marketing GDPR Compliance: The Complete Guide (2026)
GDPR has fundamentally changed how businesses can use email marketing. Here is a practical guide to running email campaigns that are fully compliant — from consent and opt-in forms to subscriber rights and privacy policy requirements.
Email marketing remains one of the most effective channels for businesses of all sizes. But since GDPR came into force, the rules governing how you collect email addresses, what you can send, and how you must handle subscriber data have become significantly stricter. Getting it wrong can result in fines of up to €20 million or 4% of global annual turnover, whichever is higher.
The good news: GDPR-compliant email marketing is entirely achievable. It does not mean you have to stop emailing people. It means you need to be transparent, respect subscriber choices, and handle data properly. This guide explains exactly how.
Does GDPR Apply to Your Email Marketing?
GDPR applies to your email marketing if any of the following are true:
- Your business is based in the EU or UK
- You send emails to people who are in the EU or UK, regardless of where your business is based
- You process personal data of people in the EU/UK (an email address is personal data under GDPR)
In practice, this means almost any business that sends marketing emails needs to think about GDPR. Even if you are a US-based business, sending marketing to subscribers in the EU (and tracking their opens and clicks) is the kind of offering of services and monitoring of behaviour that brings Article 3(2) into play for their data. Most businesses find it simplest to make their entire email marketing operation GDPR-compliant rather than trying to treat subscribers differently based on location.
The Consent Requirement: The Core of GDPR Email Marketing
The single most important GDPR requirement for email marketing is consent. Under GDPR, consent must be:
- Freely given: The person must have a genuine choice. You cannot make consent a condition of receiving a product or service unless email marketing is actually necessary for that service.
- Specific: Consent must be for a specific purpose. “We’d like to send you marketing emails about our products” is specific. “We may contact you” is not.
- Informed: The person must know exactly what they are consenting to. Tell them who you are, what type of emails you will send, and how often.
- Unambiguous: Consent requires a clear affirmative action. A pre-ticked checkbox does not count. Silence does not count. Inactivity does not count. The subscriber must actively opt in.
What Counts as Valid Consent
- An unticked checkbox that the user actively ticks, with clear text explaining what they are subscribing to
- A sign-up form where the user enters their email and clicks a “Subscribe” button, with clear text explaining what emails they will receive
- A double opt-in process where the user confirms their subscription via a confirmation email
What Does NOT Count as Valid Consent
- Pre-ticked checkboxes (the most common violation)
- Buried consent in lengthy terms and conditions that nobody reads
- Bundled consent (“By purchasing this product, you agree to receive our newsletter”)
- Assuming consent because someone gave you their business card at a conference
- Purchased or scraped email lists (this is a GDPR violation, full stop)
- Adding customers to your mailing list automatically after a purchase, without a separate opt-in
Legitimate Interest and the Soft Opt-In: The Alternative to Consent
GDPR offers another lawful basis, legitimate interests (Article 6(1)(f)), and the separate rules on electronic marketing add a related exception. Under the UK's Privacy and Electronic Communications Regulations (PECR), which sit alongside UK GDPR, the “soft opt-in” allows businesses to send marketing emails to existing customers without explicit consent, provided all of the following conditions are met (legitimate interests is then your GDPR basis for the processing, and you should document that assessment):
- You obtained the email address in the course of a sale or negotiation of a sale
- The emails are about your own similar products or services
- You gave the customer a clear opportunity to opt out when you first collected their email (and at every subsequent email)
- The customer did not opt out
This soft opt-in is useful for eCommerce businesses. If someone purchases a product from you and you gave them a clear chance to opt out of marketing at checkout (an unticked checkbox saying “I do not wish to receive marketing emails”, for example), you can send them emails about similar products.
However, the soft opt-in does not cover:
- People who have never purchased from you or engaged in a sales negotiation
- Emails about products or services that are not similar to what they originally purchased
- People who have opted out at any point
- Marketing to individual subscribers (personal addresses and, in the UK, sole traders and some partnerships) where none of the above applies. PECR's consent rule does not extend to corporate subscribers, so B2B emails to a company address can rely on legitimate interests, but every email still needs an opt-out, objections must be honoured, and the GDPR transparency and record-keeping duties still apply. EU member states implement the equivalent ePrivacy rule with local variations, so check the regulator in each market you sell into.
Building a GDPR-Compliant Email Sign-Up Process
Your sign-up process is the foundation of compliant email marketing. Here is how to build one that meets GDPR requirements:
1. Use Clear, Honest Language
Your sign-up form must clearly state what the subscriber will receive. Good examples:
- “Subscribe to our weekly newsletter for design tips and product updates.”
- “Get our monthly email with baking recipes and exclusive discount codes.”
Bad examples:
- “Sign up for updates.” (Too vague — what kind of updates?)
- “Join our community.” (Does not explain that emails will be sent)
2. Implement Double Opt-In
Double opt-in is not strictly required by GDPR, but it is strongly recommended by data protection authorities, effectively expected in some markets (Germany in particular), and considered best practice. The process:
- User enters their email in your sign-up form
- You send a confirmation email asking them to verify
- User clicks the confirmation link
- Only then are they added to your active mailing list
Double opt-in provides clear evidence of consent (useful if you are ever challenged), ensures the email address is valid and belongs to the person who signed up, and stops someone subscribing a third party's address without their knowledge.
3. Keep Records of Consent
GDPR requires you to be able to demonstrate that consent was given. For each subscriber, you should record:
- When they subscribed (date and time)
- How they subscribed (which form, which page)
- What they were told at the time of subscribing (the exact wording on the form)
- Whether they completed double opt-in
- Their IP address at the time of sign-up (optional but useful as evidence; it is personal data in its own right, so only keep it if your privacy policy says so)
Most email marketing platforms (Mailchimp, Klaviyo, ConvertKit, Brevo) record this information automatically when you use their sign-up forms with double opt-in enabled.
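If you run your own sign-up flow rather than a platform's hosted forms, steps 2 and 3 above (the double opt-in and the consent record), together with the suppression list that the list-cleaning section later recommends and the evidence you need for access and erasure requests, come down to a small amount of careful code. The following is an added illustration, not code from this page or from any email platform. Its assumptions: the store is an in-memory stand-in for a database, the two keys are generated on start-up instead of being loaded from a secrets manager, confirmation links expire after 48 hours, and the class and method names are hypothetical. The confirmation link carries an HMAC over exactly what the subscriber was asked to consent to, so nobody can forge a confirmation for an address they do not control, and the suppression list stores a keyed hash of the address rather than the address itself.

```python
"""Double opt-in confirmation links, a consent ledger and a suppression list.

Added illustration, not code from the page or from any email platform.
Assumptions: storage is an in-memory stand-in for a database, and the two
keys are generated on start-up rather than loaded from a secrets manager.
"""
import hashlib
import hmac
import json
import secrets
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode
from typing import Optional

TOKEN_TTL = 48 * 3600  # assumption: a confirmation link is valid for 48 hours


def b64url(raw: bytes) -> str:
    return urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return urlsafe_b64decode(text + "=" * (-len(text) % 4))


class ConsentStore:
    def __init__(self) -> None:
        self.token_key = secrets.token_bytes(32)  # signs confirmation links
        self.pepper = secrets.token_bytes(32)     # keys the suppression hashes
        self.ledger: list = []                    # append-only consent evidence
        self.suppressed: set = set()              # keyed hashes of opted-out addresses

    @staticmethod
    def normalise(email: str) -> str:
        return email.strip().lower()

    def _suppression_key(self, email: str) -> str:
        # A keyed hash instead of the raw address: a leaked suppression list is
        # not a leaked mailing list. It is still pseudonymised personal data.
        msg = self.normalise(email).encode()
        return hmac.new(self.pepper, msg, hashlib.sha256).hexdigest()

    def start_signup(self, email: str, form_id: str, wording: str,
                     source_ip: Optional[str] = None, now: Optional[float] = None) -> str:
        """Log the pending opt-in and mint the signed token for the confirmation email."""
        now = int(time.time() if now is None else now)
        email = self.normalise(email)
        wording_sha = hashlib.sha256(wording.encode()).hexdigest()
        self.ledger.append({"email": email, "form": form_id, "wording": wording,
                            "wording_sha256": wording_sha, "ip": source_ip,
                            "at": now, "status": "pending"})
        # The token records exactly what consent was asked for; the HMAC stops
        # anyone forging a confirmation for an address they do not control.
        claims = {"e": email, "f": form_id, "w": wording_sha, "t": now}
        payload = json.dumps(claims, separators=(",", ":")).encode()
        sig = hmac.new(self.token_key, payload, hashlib.sha256).digest()
        return f"{b64url(payload)}.{b64url(sig)}"

    def confirm(self, token: str, now: Optional[float] = None) -> Optional[dict]:
        """Verify a clicked link; return the confirmed record, or None if forged or expired."""
        now = int(time.time() if now is None else now)
        try:
            body, sig = token.split(".", 1)
            payload, given = unb64url(body), unb64url(sig)
        except (ValueError, TypeError):
            return None
        expected = hmac.new(self.token_key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(given, expected):  # constant-time comparison
            return None
        claims = json.loads(payload)  # only reached for authentic payloads
        if now - claims["t"] > TOKEN_TTL:
            return None
        record = {"email": claims["e"], "form": claims["f"], "wording_sha256": claims["w"],
                  "at": claims["t"], "confirmed_at": now, "status": "confirmed"}
        self.ledger.append(record)
        # A fresh, active opt-in outranks an earlier opt-out.
        self.suppressed.discard(self._suppression_key(claims["e"]))
        return record

    def unsubscribe(self, email: str, now: Optional[float] = None) -> None:
        """Withdrawal of consent: suppress immediately and keep the evidence of when."""
        now = int(time.time() if now is None else now)
        self.suppressed.add(self._suppression_key(email))
        self.ledger.append({"email": self.normalise(email), "at": now, "status": "withdrawn"})

    def can_import(self, email: str) -> bool:
        """Gate for bulk imports and CRM syncs: suppressed addresses never come back silently."""
        return self._suppression_key(email) not in self.suppressed

    def evidence(self, email: str) -> list:
        """Everything held about one address, for access and portability requests."""
        return [r for r in self.ledger if r["email"] == self.normalise(email)]

    def erase(self, email: str) -> int:
        """Right to erasure: drop the ledger rows. The keyed suppression hash stays,
        so the address is not accidentally re-added by a later import."""
        email = self.normalise(email)
        before = len(self.ledger)
        self.ledger = [r for r in self.ledger if r["email"] != email]
        return before - len(self.ledger)
```

Two design points are worth noting. The ledger stores the exact wording shown at sign-up as well as its hash, and the hash is bound into the signed token, so a confirmed record proves which form text the subscriber saw, which is the evidence a regulator asks for. And erasure deliberately leaves the suppression hash in place: a minimal "do not contact" record is the accepted way to honour an erasure request without later emailing the person again from a re-imported CRM export.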
4. Separate Consent from Other Actions
Do not bundle email marketing consent with other actions:
- On checkout forms, the marketing opt-in must be a separate, unticked checkbox — not bundled into “I agree to the terms and conditions”
- On lead magnet downloads (“Download our free guide”), consenting to receive the guide is separate from consenting to receive ongoing marketing emails
- On account registration forms, creating an account does not equal subscribing to marketing emails
Subscriber Rights Under GDPR
Every subscriber on your mailing list has specific rights under GDPR that you must honour:
Right to Unsubscribe (Withdraw Consent)
Every marketing email must include a clear, easy-to-use unsubscribe mechanism. Best practices:
- Place the unsubscribe link in a visible location (not hidden in tiny grey text)
- Unsubscribing should take no more than two clicks, with no login, no form and no “tell us why you are leaving” step
- Also set the List-Unsubscribe and List-Unsubscribe-Post headers (RFC 8058) so mail clients can offer one-click unsubscribe; Gmail and Yahoo require them from bulk senders, and your handler must treat that POST as a real withdrawal, not as a visit to a preferences page
- Process unsubscribe requests promptly. GDPR's one-month timescale for data subject requests is the absolute outer bound, withdrawing consent must be as easy as giving it, and every marketing email sent after the request is itself a breach, so “immediately” is the only safe target
- Never charge a fee to unsubscribe or make the process deliberately difficult
Right to Access
Subscribers can request to see all the data you hold about them. This includes their email address, sign-up date, consent records, email engagement data (opens, clicks), segmentation data, and any other personal data stored in your email platform. You must respond within one month (extendable by a further two months for complex or numerous requests, provided you tell the subscriber within the first month).
Right to Erasure (Right to Be Forgotten)
Subscribers can request that you delete all their data from your email marketing systems. This goes beyond simply unsubscribing — it means removing their data entirely from your platform, including historical engagement data. You must comply within one month unless you have a legal obligation to retain the data. The one thing you may keep is a minimal suppression record, so that a later import does not put them back on the list.
Right to Rectification
Subscribers can request corrections to inaccurate data. If someone asks you to update their email address, name, or any other information, you must do so promptly.
Right to Data Portability
Subscribers can request their data in a machine-readable format (such as CSV) so they can transfer it to another service.
Your Privacy Policy and Email Marketing
Your privacy policy must specifically address your email marketing practices. Here is what to include:
- What data you collect: Email address, name (if collected), IP address at sign-up, and any other information gathered through sign-up forms
- Why you collect it: To send marketing communications, newsletters, product updates, promotional offers
- Legal basis: Consent (for new subscribers) or legitimate interest / soft opt-in (for existing customers)
- Email service provider: Name the platform you use (Mailchimp, Klaviyo, ConvertKit, Brevo, etc.) and explain that subscriber data is shared with them for the purpose of sending emails
- Email tracking: Most email platforms track opens and clicks using tracking pixels and unique links. Your privacy policy must disclose this
- Data retention: How long you keep subscriber data after they unsubscribe (best practice: delete within 30 days of unsubscribing, unless you need to retain a suppression list to prevent re-subscribing them)
- International transfers: If your email platform is US-based (most are), disclose the international data transfer and the safeguards in place (for example the EU-US Data Privacy Framework and its UK Extension, or Standard Contractual Clauses)
- Subscriber rights: How to unsubscribe, request data access, request deletion, etc.
Email Tracking and GDPR
Most email marketing platforms embed invisible tracking pixels in emails to measure open rates, and use unique URLs to track link clicks. Under GDPR, this tracking constitutes processing of personal data because it is linked to an identifiable individual (the subscriber).
You should:
- Disclose email tracking in your privacy policy
- Consider mentioning tracking in your sign-up form (e.g., “We track email opens and clicks to improve our content”)
- Be aware that Apple’s Mail Privacy Protection (introduced in iOS 15) pre-loads tracking pixels, making open rate data unreliable for Apple Mail users — but this does not change your GDPR obligations
Some privacy-focused businesses choose to disable email tracking entirely. This is not required by GDPR, but it can be a trust signal for privacy-conscious audiences.
Platform-Specific GDPR Features
Major email marketing platforms have built-in GDPR compliance tools. Use them:
Mailchimp
- GDPR-friendly sign-up forms with separate marketing consent checkboxes
- Double opt-in enabled by default for EU audiences
- Consent tracking fields that record when and how consent was given
- Data export and deletion tools for handling subscriber requests
Klaviyo
- Consent-at-collection tracking
- Configurable double opt-in flows
- Suppression lists to prevent re-subscribing deleted contacts
- Built-in data subject request handling
ConvertKit (Kit)
- GDPR consent checkbox on sign-up forms
- Subscriber data export functionality
- Easy subscriber deletion from the dashboard
Brevo (formerly Sendinblue)
- GDPR compliance module with consent management
- Double opt-in configuration
- EU-based data hosting option
- Automated data subject request handling
Cleaning Your Existing Mailing List for GDPR
If you have an existing email list that was built before GDPR, or without proper consent, you need to clean it up:
- Identify subscribers without valid consent: Review how each subscriber was added. If you cannot demonstrate that GDPR-compliant consent was given, you likely need to re-consent them.
- Run a re-consent campaign: Send an email explaining that you want to continue emailing them and asking them to click a link to confirm their subscription. Anyone who does not confirm should be removed from your list.
- Maintain a suppression list: When someone unsubscribes, keep their email on a suppression list (not your marketing list) so you do not accidentally re-add them in the future.
- Remove purchased or scraped contacts: If you bought an email list or scraped emails from websites, those contacts must be removed immediately. Using purchased lists is one of the most clear-cut GDPR violations.
Common GDPR Email Marketing Mistakes
- Using pre-ticked checkboxes. The most common violation; GDPR Recital 32 and the CJEU's Planet49 judgment both rule it out as consent.
- No unsubscribe link. Every marketing email must have one. No exceptions.
- Buying email lists. You cannot buy consent. The people on a purchased list did not agree to hear from you.
- Ignoring unsubscribe requests. Continuing to email someone after they unsubscribe is a violation that regulators take seriously.
- Not disclosing email tracking. If your emails contain tracking pixels or tracked links, your privacy policy must say so.
- No privacy policy link in emails. Include a link to your privacy policy in every marketing email, typically in the footer alongside the unsubscribe link.
- Not recording consent. If a regulator asks you to prove a subscriber consented, you need records. “They signed up on our website” is not proof without timestamps, form wording, and opt-in records.
- Treating all subscribers the same. Different subscribers may have consented to different types of communication. Respect those boundaries.
GDPR Email Marketing Checklist
Use this checklist to ensure your email marketing is fully GDPR-compliant:
- All sign-up forms use clear, specific language about what subscribers will receive
- Consent is collected via an unticked checkbox or a clear subscribe action (not bundled with other consent)
- Double opt-in is enabled
- Consent records are stored (timestamp, source, wording shown)
- Every marketing email includes a visible, easy-to-use unsubscribe link
- Unsubscribe requests are processed immediately
- Your privacy policy discloses your email marketing practices, email service provider, and email tracking
- A link to your privacy policy is included in your email footer
- You have a process for handling data access and deletion requests
- Existing lists have been audited and re-consented if necessary
- You are not using purchased or scraped email lists
- International data transfers (to your email platform) are disclosed
Get Your Privacy Policy Right
A GDPR-compliant privacy policy is a non-negotiable part of lawful email marketing. It must accurately describe how you collect email addresses, what you send, which email platform processes the data, whether you track email engagement, and how subscribers can exercise their rights.
LegalForge generates a complete privacy policy that covers your email marketing practices in 60 seconds. Answer a short questionnaire about your business — including which email platform you use, what type of marketing you do, and which regions your subscribers are in — and AI creates a GDPR-compliant privacy policy tailored to your exact setup. You also get a Terms of Service and Cookie Policy for a one-time payment of £19.