Quick Answer

GDPR requires a lawful basis (usually consent or legitimate interest) to email people in the EU/EEA. For marketing email, you need affirmative opt-in consent: pre-checked boxes don't count. You must document when and how consent was obtained, honor unsubscribe requests promptly, allow data access and deletion requests, and have a data retention policy. Fines reach 4% of annual global turnover or 20 million euros, whichever is higher. The practical requirements: double opt-in, clear consent records, working unsubscribe, and documented data processing.

GDPR Email List Compliance: What You Actually Need to Do

By Braedon · Mailflow Authority · List Hygiene & Data

GDPR Basics for Email

The General Data Protection Regulation (GDPR) has been in effect since May 2018. For email marketers, it boils down to four requirements:

  1. Lawful basis — you need a legal reason to process someone's email address
  2. Transparency — subscribers must know what you'll do with their data
  3. Rights — subscribers can access, correct, delete, and port their data
  4. Accountability — you must document your compliance

If you're sending email to anyone in the EU or EEA, these rules apply to you regardless of where your business is located.

Lawful Basis for Email Marketing

GDPR provides six lawful bases for processing personal data. For email marketing, two are relevant:

Consent

The most common and safest basis for email marketing. GDPR consent requires:

  • Freely given — no bundling consent with other agreements ("sign up for our tool and agree to marketing emails" isn't free consent)
  • Specific — consent to marketing email is asked for on its own, separate from consent to other purposes (creating an account, processing an order, sharing data with partners)
  • Informed — the subscriber knows what they're consenting to
  • Unambiguous — an affirmative action (checking a box, clicking a button). Pre-checked boxes fail this requirement.

What this looks like in practice:

  • A clear checkbox (unchecked by default) that says "I agree to receive marketing emails from [Company]"
  • A signup form specifically for email subscriptions
  • Double opt-in confirmation (subscriber clicks a confirmation link)

Legitimate Interest

The "soft opt-in" exception. Strictly, the soft opt-in comes from the ePrivacy Directive (Article 13(2)); legitimate interest is the GDPR basis that sits underneath it (Recital 47 names direct marketing as a possible legitimate interest), and you need to satisfy both. If someone is an existing customer, you can email them about similar products/services without explicit consent, provided:

  • They gave you their email during a purchase or inquiry
  • You're marketing your own similar products/services (not third-party offers)
  • You provided an opt-out at the point of collection and in every subsequent email
  • You've conducted and documented a Legitimate Interest Assessment (LIA)

Practitioner note: Legitimate interest is the more flexible basis, but it's also the one that gets companies in trouble. "We believe our contacts are interested in our products" isn't a legitimate interest assessment. You need a documented balancing test that weighs your interest against the individual's privacy rights. When in doubt, use consent.

Consent Records

GDPR requires you to prove consent was given. For every subscriber, you should record:

  • When consent was given (timestamp)
  • How consent was given (which form, which page, what the form said)
  • What they consented to (marketing emails, specific topics, frequency)
  • Who gave consent (the email address and any associated identity)

Most ESPs handle this automatically:

ESP              Consent tracking
Mailchimp        GDPR fields, consent timestamp, form source
Klaviyo          Consent at profile level, double opt-in tracking
HubSpot          Consent tracking in contact properties, communication preferences
ActiveCampaign   GDPR consent checkbox, timestamp logging

If your ESP doesn't track consent natively, build the tracking yourself. A spreadsheet is better than nothing, but a proper audit trail is what you need.
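As an added example (not the article's code, and not how any of the ESPs above store consent), here is a minimal consent ledger in Python that records the four fields above and only moves a subscriber to "confirmed" on a double opt-in link the recipient can't forge: the confirmation token is an HMAC over the address, the form id and the issue time, verified in constant time and rejected after a 48-hour lifetime. The names (ConsentEvent, ConsentLedger, issue_confirmation_token, confirm), the 48-hour window and the sample signups are assumptions for illustration.

```python
# Added example (not the article's or any ESP's code). Names, the 48-hour
# link lifetime and the sample signups below are assumptions for illustration.
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field, asdict
from typing import Optional

TOKEN_TTL_SECONDS = 48 * 3600  # assumed: a confirmation link is valid for 48 hours

def _b64(data: bytes) -> str:  # URL-safe base64 without padding
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:  # inverse of _b64; raises ValueError on bad input
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_confirmation_token(secret: bytes, email: str, form_id: str, issued_at: int) -> str:
    """Bind the link to (email, form, time) with an HMAC so it can't be forged,
    re-pointed at another address, or used forever. Stateless until clicked."""
    payload = json.dumps({"e": email, "f": form_id, "t": issued_at}, separators=(",", ":")).encode()
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)

def verify_confirmation_token(secret: bytes, token: str, now: int) -> Optional[dict]:
    """Return the signed claims, or None if malformed, tampered with, or expired."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)
    if now - int(claims["t"]) > TOKEN_TTL_SECONDS:
        return None
    return claims

@dataclass(frozen=True)
class ConsentEvent:
    email: str
    event: str          # "requested" (form submitted), "confirmed" (link clicked), "withdrawn"
    at: int             # Unix time, UTC
    source: str         # form id or page URL where consent was collected
    consent_text: str   # the exact wording the subscriber saw
    purposes: tuple     # what they agreed to, e.g. ("marketing",)
    evidence: dict = field(default_factory=dict)  # e.g. {"ip": ..., "user_agent": ...}

class ConsentLedger:
    """Append-only event log; consent status is derived from history, never edited."""
    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []
    def record(self, event: ConsentEvent) -> None:
        self._events.append(event)
    def events_for(self, email: str) -> list[ConsentEvent]:
        return [e for e in self._events if e.email == email]
    def status(self, email: str) -> str:
        """'none', 'pending' (form submitted, link never clicked), 'confirmed' or 'withdrawn'."""
        state = "none"
        for e in self.events_for(email):
            if e.event == "requested" and state == "none":
                state = "pending"
            elif e.event in ("confirmed", "withdrawn"):
                state = e.event
        return state
    def proof_of_consent(self, email: str) -> Optional[dict]:
        """The record to produce on request: when, how, to what, and by whom."""
        confirmed = [e for e in self.events_for(email) if e.event == "confirmed"]
        return asdict(confirmed[-1]) if confirmed else None

def confirm(ledger: ConsentLedger, secret: bytes, token: str, now: int,
            evidence: Optional[dict] = None) -> bool:
    """Handle a confirmation-link click. Consent is recorded only if the token
    verifies and matches an earlier 'requested' event from the same form."""
    claims = verify_confirmation_token(secret, token, now)
    if claims is None:
        return False
    requests = [e for e in ledger.events_for(claims["e"])
                if e.event == "requested" and e.source == claims["f"]]
    if not requests:
        return False
    req = requests[-1]
    ledger.record(ConsentEvent(req.email, "confirmed", now, req.source,
                               req.consent_text, req.purposes, evidence or {}))
    return True

def build_demo_ledger(secret: bytes, t0: int = 1_772_000_000) -> ConsentLedger:
    """Constructed scenario: three signups on one form with three different outcomes."""
    text = "I agree to receive marketing emails from Example Co."
    ledger = ConsentLedger()
    for who in ("alice", "bob", "carol"):
        ledger.record(ConsentEvent(f"{who}@example.com", "requested", t0, "newsletter-v3",
                                   text, ("marketing",), {"ip": "192.0.2.10"}))
    # Alice clicks a valid link five minutes later -> confirmed.
    confirm(ledger, secret, issue_confirmation_token(secret, "alice@example.com", "newsletter-v3", t0), t0 + 300)
    # Mallory swaps the payload of her own valid token for Bob's address -> MAC fails, Bob stays pending.
    forged = (issue_confirmation_token(secret, "bob@example.com", "newsletter-v3", t0).split(".")[0] + "."
              + issue_confirmation_token(secret, "mallory@example.com", "newsletter-v3", t0).split(".")[1])
    confirm(ledger, secret, forged, t0 + 300)
    # Carol clicks three days later -> expired, stays pending.
    confirm(ledger, secret, issue_confirmation_token(secret, "carol@example.com", "newsletter-v3", t0), t0 + 3 * 86400)
    return ledger
```

An unsigned confirmation link (say, ?confirm=alice@example.com) lets anyone "confirm" any address, so the proof of consent it produces is worthless; binding the link to the address and form with a MAC is what turns the confirmed event into evidence. Keep the ledger append-only: a withdrawal is a new event, not a deleted row, so the record of what was agreed and when survives the unsubscribe.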

Subscriber Rights

GDPR grants data subjects specific rights you must honor:

Right to Access (Article 15)

Subscribers can request all data you hold about them. You must respond without undue delay and at the latest within one month (Article 12(3)); that can be extended by two further months for complex or numerous requests, provided you tell the requester within the first month. The response covers their email address, engagement history, consent records, any profile data, and what you use it for.

Right to Erasure (Article 17)

Subscribers can request deletion of their data. This means removing them from your list entirely, not just unsubscribing. Delete from your ESP, CRM, analytics, and any backups you can reasonably access. Where backups can't be purged on demand, document their retention schedule and re-apply the deletion after any restore so a deleted contact isn't silently resurrected.

Right to Rectification (Article 16)

Subscribers can request corrections to their data. If they ask you to update their email address, name, or preferences, do it.

Right to Data Portability (Article 20)

Subscribers can request the data they gave you, where you process it by automated means on the basis of consent or contract, in a machine-readable format (CSV, JSON). This is rarely invoked for email marketing but you must be able to comply.

Right to Object (Article 21)

Subscribers can object to processing based on legitimate interest. For most processing you may continue only if you can show compelling legitimate grounds that override their interests, but Article 21(3) removes that balancing test for direct marketing: an objection to marketing email means stop sending, period.

Practitioner note: In practice, most GDPR data requests I've seen from email marketing are unsubscribe requests and occasional deletion requests. Having a documented process — even if it's "delete from ESP, delete from CRM, confirm to requester within 7 days" — is sufficient for most businesses.

Data Retention

GDPR requires you to keep data only as long as necessary. For email marketing, this means:

  • Active subscribers: retain as long as they remain subscribed and engaged
  • Unsubscribed contacts: retain suppression record (email address only) to prevent re-adding. Delete all other data within 30 days.
  • Inactive subscribers: apply your sunset policy. Don't keep data for subscribers who haven't engaged in over a year.
  • Bounced addresses: retain for suppression. Delete associated data within 30 days.

Document your retention periods in a data retention policy. This doesn't need to be a legal document — a clear internal policy that your team follows is sufficient.
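The four retention rules above as a sweep you can run on a schedule, added here as an example rather than taken from the article or any ESP: it classifies each contact, keeps only a normalised hash of unsubscribed and bounced addresses as the suppression record, and refuses to re-import anything on that list. Contact, RetentionPolicy, plan_retention, suppression_key, is_blocked, the 30-day and 365-day windows and the sample contacts are assumptions for illustration.

```python
# Added example, not the article's code or any ESP's API. Names, the 30-day and
# 365-day windows and the sample contacts are illustrative assumptions.
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Contact:
    email: str
    status: str                          # "subscribed", "unsubscribed" or "bounced"
    status_changed_at: datetime          # when they signed up / unsubscribed / bounced
    last_engaged_at: Optional[datetime]  # last open or click; None if never
    profile: dict                        # name, preferences, engagement history, ...

@dataclass(frozen=True)
class RetentionPolicy:
    purge_after: timedelta = timedelta(days=30)    # unsubscribed/bounced: drop profile data after this
    sunset_after: timedelta = timedelta(days=365)  # subscribed but silent this long: sunset

def suppression_key(email: str) -> str:
    """Normalised SHA-256 of the address: enough to block re-import on exact match
    without keeping the profile. Still personal data under GDPR, but a leaked
    suppression list no longer reads as a plaintext mailing list."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()

def plan_retention(contacts: list, policy: RetentionPolicy, now: datetime):
    """Decide, per contact, what the sweep should do. Returns ({email: action},
    suppression_keys). Nothing is deleted here; the caller applies the actions to
    the ESP/CRM and persists the suppression set."""
    actions = {}
    suppression = set()
    for c in contacts:
        if c.status in ("unsubscribed", "bounced"):
            suppression.add(suppression_key(c.email))  # always kept, address only
            if now - c.status_changed_at >= policy.purge_after:
                actions[c.email] = "purge_profile"     # keep only the suppression key
            else:
                actions[c.email] = "await_purge"       # inside the 30-day window
        elif c.status == "subscribed":
            last = c.last_engaged_at or c.status_changed_at  # signup counts as engagement
            actions[c.email] = "sunset" if now - last >= policy.sunset_after else "retain"
        else:
            raise ValueError(f"unknown status {c.status!r} for {c.email}")
    return actions, suppression

def is_blocked(email: str, suppression: set) -> bool:
    """Import-time check: refuse to re-add an address on the suppression list."""
    return suppression_key(email) in suppression

def demo():
    """Constructed sample list evaluated at a fixed 'now'."""
    now = datetime(2026, 3, 1, tzinfo=timezone.utc)
    def days_ago(n: int) -> datetime:
        return now - timedelta(days=n)
    contacts = [
        Contact("active@example.com", "subscribed", days_ago(400), days_ago(10), {"name": "A"}),
        Contact("silent@example.com", "subscribed", days_ago(800), days_ago(400), {"name": "S"}),
        Contact("fresh@example.com", "subscribed", days_ago(5), None, {"name": "F"}),
        Contact("gone@example.com", "unsubscribed", days_ago(45), days_ago(60), {"name": "G"}),
        Contact("recent@example.com", "unsubscribed", days_ago(3), days_ago(20), {"name": "R"}),
        Contact("dead@example.com", "bounced", days_ago(31), None, {"name": "D"}),
    ]
    return plan_retention(contacts, RetentionPolicy(), now)
```

The sweep only plans; applying the actions against the ESP and CRM, and calling is_blocked on every import path (CSV upload, signup form, API), is the part that has to be wired into your own systems. Normalising before hashing matters: "Gone@Example.com " and "gone@example.com" must land on the same suppression key or the list will be bypassed by the first re-import with different casing.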

Practical Compliance Checklist

  • All signup forms have explicit, unchecked consent checkboxes
  • Double opt-in is enabled for new subscribers
  • Consent records include timestamp, source, and consent text
  • Every email has a working unsubscribe link
  • Unsubscribe requests are processed within 48 hours (Gmail requires 2 days)
  • You have a documented process for data access/deletion requests
  • Inactive subscribers are cleaned per your sunset policy
  • Your privacy policy describes email marketing data processing
  • You have a documented data retention policy
  • Third-party data processors (ESPs, CRMs) have Data Processing Agreements in place (Article 28)

What Gets You Fined

GDPR fines for email marketing violations have been issued for:

  • Sending marketing email without consent
  • Pre-checked consent boxes
  • No unsubscribe mechanism or slow unsubscribe processing
  • Purchasing email lists and sending to them without consent
  • Failing to respond to data access or deletion requests within one month
  • No records proving consent was obtained

Fines can reach 4% of annual global revenue or 20 million euros, whichever is higher. In practice, most email marketing fines have been in the 10,000-500,000 euro range.

The Bottom Line

GDPR compliance for email isn't complicated — it's just rigorous. Get explicit consent, document it, honor unsubscribes and deletion requests, clean your list regularly, and don't buy email lists. Most of this is good deliverability practice anyway.

If you're unsure whether your email practices are GDPR-compliant and need an audit of your consent flows and data handling, schedule a consultation. I'll review your setup and identify gaps before a regulator does.

v1.0 · March 2026

Frequently Asked Questions

Do I need GDPR compliance if I'm based in the US?

Yes, if any of your subscribers are in the EU/EEA. GDPR applies based on the location of the data subject, not your business location: Article 3(2) covers processing the data of people in the EU when you offer them goods or services or monitor their behaviour. If your email list includes anyone in the EU, GDPR applies to those contacts.

Is single opt-in GDPR compliant?

Technically yes — GDPR doesn't specifically require double opt-in. However, double opt-in provides stronger proof of consent, which is what you'll need if challenged. Most data protection authorities recommend double opt-in, and it's standard practice for GDPR compliance.

Can I use legitimate interest instead of consent for email marketing?

In limited cases. Legitimate interest can apply to existing customers for marketing related products/services (the 'soft opt-in'). For cold email or new subscriber marketing, consent is the safer and more commonly accepted basis. Legitimate interest requires a documented balancing test.

Want this handled for you?

Free 30-minute strategy call. Walk away with a plan either way.