Your privacy policy must disclose what subscriber data you collect, how you use it, who you share it with, how long you retain it, and what rights subscribers have. GDPR requires disclosure of lawful basis, data controller identity, and rights including access, deletion, and portability. CCPA requires disclosure of data categories, sale/sharing practices, and consumer rights. Every email signup form should link to your privacy policy.
Privacy Policy Requirements for Email Marketing
What Your Privacy Policy Must Cover
A privacy policy for email marketing isn't a generic legal template — it needs to specifically address how you handle subscriber data.
Required Elements by Regulation
GDPR (EU/EEA Subscribers)
Your privacy policy must include:
- Identity of the data controller — your business name and contact details
- Data Protection Officer contact (if you have one)
- What personal data you collect — email address, name, IP address, tracking data
- Lawful basis for processing — consent, legitimate interest, or contractual necessity
- Purpose of processing — "to send marketing emails about our products"
- Categories of recipients — ESPs, analytics tools, anyone you share data with
- Data retention period — how long you keep subscriber data
- Subscriber rights — access, rectification, erasure, portability, objection, restriction
- How to exercise rights — contact email or process
- Right to lodge a complaint with a supervisory authority
- Whether data is transferred outside the EEA and safeguards in place
- Automated decision-making — if you use algorithms to segment or target
CCPA (California Consumers)
Additional requirements:
- Categories of personal information collected in the past 12 months
- Sources of personal information
- Business purpose for collecting
- Categories of third parties you share data with
- Whether you sell personal information and categories sold
- Consumer rights — know, delete, opt-out of sale, non-discrimination
- How to submit requests — at least two methods
- "Do Not Sell My Personal Information" link (if applicable)
CAN-SPAM (United States)
CAN-SPAM doesn't specifically require a privacy policy, but it requires:
- Sender identification in every email
- Functional unsubscribe mechanism
- Physical address
A privacy policy link in your footer is best practice and expected by ESPs.
Practitioner note: Most privacy policies I review during email audits are either years out of date or copy-pasted templates that don't match what the business actually does. If your policy says "we don't share data with third parties" but you use Mailchimp, Google Analytics, and Facebook Custom Audiences — you're sharing data with third parties. Make it accurate.
Email-Specific Disclosures
Your privacy policy should specifically address:
Tracking and Analytics
Disclose that you track:
- Email opens (via tracking pixels)
- Link clicks (via tracking redirects)
- Device and location data from opens
- Engagement patterns used for segmentation
Third-Party Processors
List the categories of services that handle subscriber data:
- Email service provider (e.g., "email delivery platform")
- Analytics tools
- CRM systems
- Advertising platforms (if you use email lists for retargeting)
Data Retention
State how long you keep:
- Active subscriber data
- Unsubscribed email addresses (on suppression lists)
- Engagement history
- Consent records
Practitioner note: The retention question is where most email programs are weakest. They keep everything forever "just in case." GDPR requires a defined retention period with justification. Decide how long you need subscriber data, document it, and enforce it.
Where to Display Your Privacy Policy
- Email signup forms — link visible before submission
- Email footer — link in every email
- Website footer — accessible from every page
- Preference center — accessible when managing subscriptions
Signup Form Example
<form action="/subscribe" method="post">
<input type="email" name="email" required>
<label>
<input type="checkbox" name="consent" required>
I agree to receive marketing emails. See our
<a href="/privacy-policy">Privacy Policy</a>.
</label>
<button type="submit">Subscribe</button>
</form>
Versioning and Updates
Maintain a version history:
Privacy Policy v3.2 — Last updated April 1, 2026
Previous versions: v3.1 (January 2026), v3.0 (July 2025)
When you make material changes:
- Notify existing subscribers via email
- Update the effective date
- Archive previous versions
- Document what changed
Common Privacy Policy Mistakes
| Mistake | Why It Matters |
|---|---|
| Generic template without customization | Doesn't reflect your actual data practices |
| Missing ESP disclosure | You share data with your ESP — disclose it |
| No retention period stated | GDPR violation |
| Not updated after ESP migration | Old ESP listed, new one missing |
| No link in email footer | Missed opportunity, potentially non-compliant |
| Claims "we don't track" while using open/click tracking | Inaccurate disclosure |
If you need a privacy policy review as part of your email compliance audit, get in touch.
Sources
- European Commission: GDPR — Information to Be Provided (Articles 13-14)
- California Attorney General: CCPA Privacy Policy Requirements
- ICO: Privacy Notices Guidance
- FTC: Privacy Policy Best Practices
v1.0 · April 2026
Frequently Asked Questions
Do I need a privacy policy for email marketing?
Yes. GDPR requires it for EU/EEA subscribers. CCPA requires it for California consumers. Even without legal requirements, major ESPs require you to have a privacy policy. [Google Postmaster Tools](/monitoring-analytics/google-postmaster-tools-guide) guidelines reference sender transparency. Include a privacy policy link in your email footer.
What must a privacy policy cover for email marketing?
At minimum: what data you collect (email, name, behavior data), why you collect it, who you share it with, how long you keep it, what rights subscribers have, and how to exercise those rights. GDPR adds requirements for lawful basis and data controller identity.
How often should I update my email privacy policy?
Review annually at minimum. Update whenever you change ESPs, add new tracking tools, share data with new third parties, or change your data retention practices. Version and date every update.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.