Quick Answer

GDPR requires explicit consent before sending marketing email to EU residents. You must: 1) Get clear, affirmative opt-in (pre-checked boxes don't count), 2) Document when and how consent was given, 3) Allow easy withdrawal of consent, 4) Honor data subject access and deletion requests, 5) Have a lawful basis for processing email addresses. Unlike CAN-SPAM, GDPR is opt-in — you cannot email EU residents marketing content without prior consent. Penalties: up to 4% of global annual revenue or EUR 20 million.

GDPR and Email Marketing: Complete Compliance Guide

By Braedon · Mailflow Authority · Email Deliverability · Updated 2026-03-31

GDPR Email Requirements

1. Lawful Basis for Processing

You need a legal justification for processing someone's email address. For marketing: consent is the primary basis.

Consent requirements:

  • Must be freely given — can't be a condition of service
  • Must be specific — "marketing emails from [Company]" not "communications"
  • Must be informed — explain what they'll receive and how often
  • Must be unambiguous — affirmative action required (checkbox, click)
  • Must be documented — record when, where, and how consent was given

What's NOT valid consent:

  • Pre-checked checkboxes
  • "By creating an account, you agree to receive marketing"
  • Bundled consent (can't require marketing consent to complete a purchase)
  • Silence or inactivity

2. Right to Withdraw Consent

Recipients must be able to:

  • Withdraw consent as easily as they gave it (one-click unsubscribe)
  • Be informed of their right to withdraw before consenting
  • Have withdrawal processed promptly

3. Data Subject Rights

Under GDPR, email subscribers have the right to:

  • Access: Request a copy of all data you hold about them
  • Rectification: Correct inaccurate data
  • Erasure: Request deletion of their data ("right to be forgotten")
  • Restriction: Limit how you process their data
  • Portability: Receive their data in a portable format
  • Object: Object to processing based on legitimate interest

You must respond to these requests within 30 days.

4. Documentation

Maintain records of:

  • When consent was given (timestamp)
  • How consent was given (signup form, checkbox, verbal)
  • What was consented to (specific marketing types)
  • IP address and source of consent
  • Current consent status

Most ESPs (Klaviyo, Mailchimp, ActiveCampaign) log consent automatically. Verify your ESP stores this data.
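To make the consent record above concrete, here is an added Python example (not code from the article or from any ESP) of an append-only consent ledger: every event stores the timestamp, source, IP address, scope and action the list calls for, the current status is derived from the event history rather than stored as a single flag, and mail is permitted only on documented, unwithdrawn consent. The class and function names, the sample address and the IP addresses are constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

OPT_IN, CONFIRMED, WITHDRAWN = "opt_in", "confirmed", "withdrawn"

@dataclass(frozen=True)
class ConsentEvent:
    email: str
    action: str   # OPT_IN (form submitted), CONFIRMED (double opt-in link), WITHDRAWN
    scope: str    # what was consented to, e.g. "newsletter" (specific, not "communications")
    source: str   # "signup_form", "confirmation_link", "unsubscribe_link", ...
    ip: str
    at: datetime  # timezone-aware timestamp

class ConsentLedger:
    """Proof of consent is the event history, so events are only ever appended."""
    def __init__(self) -> None:
        self.events: list[ConsentEvent] = []

    def record(self, ev: ConsentEvent) -> None:
        self.events.append(ev)

    def history(self, email: str, scope: str) -> list[ConsentEvent]:
        hits = [e for e in self.events if e.email == email and e.scope == scope]
        return sorted(hits, key=lambda e: e.at)

    def status(self, email: str, scope: str) -> str:
        # Current status is simply the latest event for that address and scope.
        hist = self.history(email, scope)
        return hist[-1].action if hist else "none"

    def may_send(self, email: str, scope: str, double_opt_in: bool = True) -> bool:
        # Marketing goes out only on documented, unwithdrawn consent for that scope.
        s = self.status(email, scope)
        return s == CONFIRMED or (s == OPT_IN and not double_opt_in)

def run_sample() -> dict:
    """Constructed walk-through: signup, confirmation, then withdrawal via unsubscribe."""
    t0 = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc)
    who, scope, led = "subscriber@example.com", "newsletter", ConsentLedger()
    led.record(ConsentEvent(who, OPT_IN, scope, "signup_form", "203.0.113.5", t0))
    after_signup = led.may_send(who, scope)  # False: confirmation link not yet clicked
    led.record(ConsentEvent(who, CONFIRMED, scope, "confirmation_link", "203.0.113.5",
                            t0 + timedelta(minutes=4)))
    after_confirm = led.may_send(who, scope)  # True
    led.record(ConsentEvent(who, WITHDRAWN, scope, "unsubscribe_link", "198.51.100.7",
                            t0 + timedelta(days=12)))
    return {"after_signup": after_signup, "after_confirm": after_confirm,
            "after_withdraw": led.may_send(who, scope), "proof": len(led.history(who, scope))}
```

If your ESP is the system of record, check that its export contains the same fields per event; a single "subscribed" flag without history is not evidence if consent is challenged.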

5. Privacy Policy

Your privacy policy must clearly state:

  • What email data you collect
  • How you use it (marketing, transactional)
  • Who you share it with (ESPs, analytics tools)
  • How long you retain it
  • How to exercise data subject rights
  • Your data controller contact information

ESP Compliance Features

ESP             Consent Tracking         GDPR Forms             Data Export   Data Deletion
Klaviyo         Yes (consent timestamp)  GDPR-compliant forms   Yes (CSV)     Yes (profile deletion)
Mailchimp       Yes                      GDPR fields on forms   Yes           Yes
ActiveCampaign  Yes                      GDPR-compliant forms   Yes           Yes
Brevo           Yes                      GDPR consent toggle    Yes           Yes
MailerLite      Yes                      GDPR-compliant forms   Yes           Yes

All major ESPs support GDPR compliance. Configure:

  1. GDPR fields on signup forms
  2. Consent documentation logging
  3. Data export capability for access requests
  4. Profile deletion for erasure requests

GDPR for Cold Email

Cold email to EU recipients is problematic under GDPR:

  • B2C cold email: Almost certainly requires consent (which you don't have). Avoid.
  • B2B cold email: May be permissible under "legitimate interest" if the email is relevant to their professional role. Document your legitimate interest assessment. Include easy opt-out. This is a gray area — consult legal counsel for your specific situation.

Common GDPR Mistakes

  1. Pre-checked consent boxes. Invalid. Must be unchecked by default.
  2. Bundled consent. "I agree to the terms and receive marketing" is one checkbox. Must be separate.
  3. No consent records. If challenged, you must prove consent was given. Log everything.
  4. Ignoring access/deletion requests. You have 30 days. Missing the deadline is a violation.
  5. Assuming CAN-SPAM compliance = GDPR compliance. CAN-SPAM allows opt-out. GDPR requires opt-in. They're fundamentally different.

The Practical Approach

For businesses that send to both US and EU audiences:

  1. Use double opt-in for all subscribers (satisfies both GDPR and CAN-SPAM)
  2. Segment by geography if needed (different consent flows for EU vs US)
  3. Document everything — your ESP should log consent timestamps and sources
  4. Process DSARs (data subject access requests) within 30 days
  5. Include physical address + unsubscribe in every email (covers CAN-SPAM)
  6. Privacy policy that covers both regulations

Practitioner note: Most of my US-based clients who send internationally implement GDPR-level compliance for everyone — it's simpler than maintaining different compliance standards for different geographies. Double opt-in, documented consent, easy unsubscribe, prompt DSAR processing. The deliverability benefits of opt-in align with the legal requirements.

Practitioner note: If you're doing cold B2B email to EU prospects, consult a lawyer. "Legitimate interest" is a valid basis but requires documented assessment. Many companies assume legitimate interest covers any B2B email — it doesn't. The assessment must be specific, documented, and balanced against the recipient's rights.

If you need email compliance reviewed alongside deliverability infrastructure, schedule a consultation.

v1.0 · March 2026

Frequently Asked Questions

Does GDPR apply to me if I'm not in the EU?

Yes, if you send marketing email to people in the EU. GDPR applies based on the recipient's location, not the sender's. A US company emailing EU customers must comply with GDPR for those recipients.

What counts as valid consent under GDPR?

Consent must be: freely given (not bundled with other agreements), specific (for email marketing specifically), informed (clear what they're consenting to), and unambiguous (affirmative action like clicking a checkbox). Pre-checked boxes, inferred consent, and 'by using this site you agree' are NOT valid.

Do I need double opt-in for GDPR?

GDPR doesn't explicitly require double opt-in, but it's considered best practice (especially in Germany where it's effectively required). Double opt-in provides the strongest proof of consent. Most data protection authorities recommend it.

Can I use 'legitimate interest' instead of consent?

Legitimate interest can be a legal basis for B2B email in some cases (e.g., emailing a business contact about relevant services). But it requires a documented legitimate interest assessment and must balance against the individual's rights. For B2C marketing, consent is almost always required.

What are the penalties for GDPR email violations?

Up to 4% of global annual revenue or EUR 20 million, whichever is higher. In practice, most enforcement actions result in smaller fines, but regulators are increasingly active. Even small companies have been fined for email marketing without consent.
