GDPR Compliant Email Marketing: Complete Checklist for 2026

GDPR compliant email marketing is not a box you tick once and forget. It is an ongoing operational discipline that touches your signup forms, your email platform configuration, your contact data management, and your response procedures. The stakes are real: GDPR fines can reach €20 million or 4% of global annual revenue, and data protection authorities across the EU are actively enforcing — with marketing email violations among the most commonly cited categories.

This checklist covers every dimension of GDPR compliance for email marketers, organized by the stage of the email marketing lifecycle where each requirement applies. Whether you are auditing an existing program or building compliance into a new one, use this as your definitive reference for 2026.

Quick Answer: GDPR compliant email marketing requires: explicit opt-in consent with a clear description of what you will send, a record of that consent, a lawful basis for processing, easy unsubscribe in every email, honored data access and deletion requests within 30 days, and a documented data processing agreement with your email platform provider.

GDPR Basics for Email Marketers

GDPR (General Data Protection Regulation) applies to any organization that processes personal data of EU residents — regardless of where your organization is based. If a single subscriber in Germany is on your list, GDPR applies to how you handle their data.

The six lawful bases for processing

Every data processing activity must have a lawful basis. For marketing email, the two relevant bases are:

  • Consent: The contact has actively opted in to receive marketing from you. Required for all cold contacts and anyone who has not previously purchased from you.
  • Legitimate interest: You have a legitimate business interest in contacting existing customers about related products/services. Must be documented and weighed against the subscriber’s rights. Legitimate interest does not cover cold outreach to non-customers.

Consent is the cleanest basis for most email marketing. It is explicit, documented, and easy to audit.

What “valid consent” means under GDPR

Consent must be: freely given, specific (what they are consenting to), informed (what you will send, how often, who processes their data), unambiguous (a clear affirmative action — no pre-checked boxes), and withdrawable (easy to revoke at any time).

Signup Form Requirements

  • ☐ Opt-in checkbox is NOT pre-checked
  • ☐ Consent text clearly describes what emails the subscriber will receive
  • ☐ Consent text identifies the sender by name and/or brand
  • ☐ Link to your Privacy Policy is adjacent to the opt-in checkbox
  • ☐ Form does not bundle marketing consent with service/account terms
  • ☐ No “consent wall” — access to the service is not conditional on marketing consent
  • ☐ Double opt-in is configured to confirm the email address and consent

Consent Record Requirements

  • ☐ Timestamp recorded for every consent event
  • ☐ Source recorded (which form, which page, which campaign)
  • ☐ Exact consent language (copy of the checkbox text) recorded
  • ☐ IP address recorded at the time of consent
  • ☐ Consent records stored and accessible for audit purposes
  • ☐ Double opt-in confirmation timestamp recorded separately

Data Processing Records Checklist

Article 30 of GDPR requires organizations to maintain records of their data processing activities. For email marketing, this means:

Record of Processing Activities (RoPA)

  • ☐ Document the purpose of processing (email marketing)
  • ☐ List the categories of personal data processed (email, name, behavioral data)
  • ☐ Identify all data processors (email platform, analytics tools, CRM)
  • ☐ Document data retention periods for each data category
  • ☐ Document any international data transfers (e.g., US-based SaaS tools)
  • ☐ Keep the RoPA updated when any processing activity changes

Privacy policy requirements for email marketing

  • Explain what data you collect from email subscribers
  • Explain how and why you process it
  • Identify all third-party processors (your email platform, analytics, etc.)
  • State how long you retain subscriber data
  • Explain how subscribers can exercise their data rights
  • Identify the lawful basis for each processing activity
  • Provide contact details for your Data Protection Officer (if required)

Email Sending Compliance Checklist

Every Email Must Include

  • ☐ Clear identification of the sender (company name)
  • ☐ Physical mailing address (required by CAN-SPAM, best practice for GDPR)
  • ☐ Unsubscribe link that works with a single click
  • ☐ Non-deceptive subject line and from name
  • ☐ Link to your privacy policy (in the footer is standard)

Before Sending Any Campaign

  • ☐ Recipient list only contains contacts with valid, recorded consent
  • ☐ Suppression list (unsubscribes, hard bounces) is applied before send
  • ☐ Contacts who requested deletion have been removed from all lists
  • ☐ Campaign content matches the type of communications consented to
  • ☐ No purchased, rented, or scraped email addresses on the list

Tracking and profiling

Email tracking (open pixels, click tracking) involves processing personal data. Your privacy policy must disclose this. Some GDPR interpretations require consent specifically for behavioral tracking. In practice, most email platforms embed tracking by default — ensure your privacy policy covers behavioral data collected via email interactions.

Subscriber Data Rights Checklist

GDPR grants subscribers specific rights that you must be able to honor:

  • Right of access. What it means: the subscriber requests all data you hold on them. Your obligation: export and provide all stored data (contact record, consent log, email history). Timeline: 30 days.
  • Right to erasure. What it means: the subscriber requests deletion of all their data. Your obligation: delete from all systems, including CRM, backups, and email platform. Timeline: 30 days.
  • Right to rectification. What it means: the subscriber requests correction of inaccurate data. Your obligation: update their record across all systems. Timeline: 30 days.
  • Right to object. What it means: the subscriber objects to processing on the legitimate interest basis. Your obligation: stop processing unless you have compelling legitimate grounds. Timeline: immediately.
  • Right to withdraw consent. What it means: the subscriber withdraws marketing consent (unsubscribes). Your obligation: stop all marketing communications immediately and update the suppression list. Timeline: immediately.

Data Rights Operational Checklist

  • ☐ You have a process for receiving and logging data subject requests
  • ☐ You can export all data held on a specific contact within 30 days
  • ☐ You can delete a contact from all systems (platform, CRM, backups) within 30 days
  • ☐ Unsubscribes are processed immediately (not batched weekly)
  • ☐ Unsubscribed contacts cannot be re-added without fresh explicit consent
  • ☐ You maintain an active suppression list applied to all future sends

Third-Party and Platform Checklist

Data Processing Agreements

  • ☐ Signed Data Processing Agreement (DPA) in place with your email platform provider
  • ☐ DPAs in place with CRM, analytics, and any other tool that processes subscriber data
  • ☐ Verified that all processors are listed in your RoPA
  • ☐ For US-based tools (e.g., Mailchimp, HubSpot): confirmed their EU-US data transfer mechanism (Standard Contractual Clauses, BCR, or similar)

For guidance on technical implementation, see the Email Unsubscribe Management Best Practices guide and our Email Deliverability Monitoring guide.

Data Breach Response

GDPR requires notification of a data breach affecting personal data within 72 hours of discovery — to your supervisory authority if the breach poses a risk to individuals’ rights. If the risk is high, you must also notify affected individuals without undue delay.

Breach Response Checklist

  • ☐ You have identified your national data protection supervisory authority’s breach reporting portal
  • ☐ You have a breach response procedure documented
  • ☐ You have a contact designated to handle breach notifications
  • ☐ Your email platform provider’s incident notification obligations are documented in your DPA
  • ☐ You maintain an internal breach log even for low-risk incidents not requiring authority notification

Do It With CampaignOS

CampaignOS is built with GDPR compliance as a first-class feature, not an afterthought:

  • Consent logging: Every subscriber’s consent timestamp, source, and consent text are recorded and exportable — the audit trail is automatic
  • Double opt-in: Enable double opt-in per list with a single toggle — CampaignOS sends the confirmation email and records the confirmation timestamp
  • Unsubscribe processing: Unsubscribes are processed immediately and synced to the global suppression list — they cannot be re-added by import or API without triggering a consent warning
  • Data access and deletion: Export all data for a specific contact or delete them completely from the platform (contact record, activity history, consent log) via the Privacy center in the admin dashboard
  • DPA availability: CampaignOS provides a Data Processing Agreement available for download and signature within the platform settings
  • EU data hosting option: CampaignOS can be configured to process and store data exclusively in EU-based infrastructure

Ensure your email marketing is GDPR compliant from day one at app.campaignos.site.

Frequently Asked Questions

Does GDPR apply to my email list if I’m based outside the EU?

Yes. GDPR applies whenever you process personal data of EU residents, regardless of where your organization is located. If you have subscribers in France, Germany, or any other EU country, GDPR governs how you handle their data. This includes US, UK, Australian, and other non-EU businesses with any EU subscriber presence.

Is a pre-checked opt-in checkbox GDPR compliant?

No. GDPR explicitly requires an unambiguous affirmative act for consent — a pre-checked box does not meet this requirement because the subscriber has not actively opted in. The subscriber must manually check the box to signal consent. Pre-checked boxes, inferred consent, and silence do not constitute valid GDPR consent for marketing communications.

Can I email people who gave me their business card?

Not for marketing purposes without explicit consent, under GDPR. Exchanging business cards creates a mutual expectation of direct business communication — it does not constitute consent to receive marketing newsletters or campaigns. You can follow up on the specific conversation you had, but adding them to your email marketing list without their consent is non-compliant. Always ask explicitly: “Can I add you to our newsletter?” and document the response.

How long can I keep email subscriber data?

GDPR’s data minimization principle requires that personal data is not kept longer than necessary for the purpose for which it was collected. For email marketing, a common practice is to retain active subscriber data as long as the subscription is active, plus a defined period after the last engagement (often 12–24 months). After that, data should be deleted or anonymized unless a legal obligation requires retention. Define and document your retention periods in your Record of Processing Activities.

What is a Data Processing Agreement and do I need one with my email platform?

A Data Processing Agreement (DPA) is a contract between you (the data controller) and a service provider that processes personal data on your behalf (the data processor — your email platform). GDPR Article 28 requires a DPA with all data processors. Every email platform that sends email on your behalf processes personal data (subscriber emails, names, behavioral data) and therefore requires a DPA. Most major platforms provide a standard DPA — check under their legal or compliance documentation.

What are the actual GDPR fines for email marketing violations?

GDPR fines are tiered: lower-level violations (inadequate records, missing DPAs, non-compliant consent forms) carry fines up to €10 million or 2% of global annual turnover. More serious violations (processing without a lawful basis, violating data subject rights) can reach €20 million or 4% of global annual turnover — whichever is higher. In practice, supervisory authorities often issue warnings and corrective orders for first violations, but fines are real and growing: the total value of GDPR fines exceeded €4.2 billion by 2025.