GDPR Compliant Email Marketing: The Complete Checklist and Setup Guide for 2026


GDPR compliant email marketing is not optional — it is the law for any business that emails individuals in the European Union, regardless of where your company is based. The penalties for non-compliance are severe: up to €20 million or 4% of global annual revenue, whichever is higher. But beyond the legal risk, GDPR compliance is also good marketing practice. Subscribers who have genuinely opted in are more engaged, more likely to convert, and far less likely to mark your emails as spam.

If you are confused about exactly what GDPR requires — and many marketers are, because the regulation is written in legal language rather than marketing language — this guide breaks it down into concrete, actionable steps. We will cover what counts as valid consent, how to handle existing lists, what your emails must contain, how long you can retain data, and what to do when subscribers exercise their rights.

Quick Answer: GDPR compliant email marketing requires: explicit opt-in consent (no pre-checked boxes), a clear record of when and how each subscriber consented, a visible and functional unsubscribe mechanism in every email, a data retention policy, and a process for handling subject access requests and deletion requests. Consent must be freely given, specific, informed, and unambiguous.

Who GDPR Applies To

GDPR applies to any organisation established in the EU, and to any organisation outside the EU that offers goods or services to individuals in the EU or monitors their behaviour (Article 3). If you are a US-based SaaS company that sends marketing emails to subscribers in Germany, France, or Spain, you are offering services to people in the EU and GDPR applies to you.

Email addresses are classified as personal data under GDPR because they can be used to identify an individual. This means your email list is a database of personal data, and every email you send to EU subscribers is a processing activity that GDPR governs.

Even if most of your subscribers are outside the EU, it is simpler and safer to apply GDPR-standard practices to your entire list. The practices required for compliance are simply good email marketing hygiene — they will improve your results globally, not just protect you from EU regulatory risk.

What Counts as Valid Consent

GDPR (Article 4(11)) defines consent as freely given, specific, informed, and unambiguous. All four criteria must be met simultaneously. Let us look at what each means in practice:

Freely Given

Consent is not valid if it is bundled with a condition — for example, requiring someone to subscribe to your newsletter in order to download a free resource. The subscriber must have a genuine choice. You can still offer the resource and ask them to subscribe separately, but you cannot make the subscription a requirement for accessing the resource.

Specific

The subscriber must consent to a specific type of communication. “I agree to receive marketing emails about [Product] from [Company]” is specific. “I agree to your terms and conditions” (which include buried marketing consent language) is not. Each type of communication — promotional emails, newsletters, product updates — should ideally have its own consent checkbox.

Informed

The subscriber must understand what they are consenting to. Your consent language must clearly state who is sending the emails, what kind of content they will receive, how frequently, and how they can withdraw consent.

Unambiguous

Consent must be indicated by a clear affirmative action. Pre-checked boxes do not constitute valid consent. Inactivity (not unchecking a box) does not constitute consent. The subscriber must actively check a box or click a button specifically for email marketing consent.

Common mistake to avoid: Using a single consent checkbox for multiple purposes — for example, “I consent to the privacy policy and to receiving marketing emails.” These must be separate checkboxes with separate consent records. Bundled consent is invalid under GDPR.

GDPR-Compliant Signup Form Setup

Your signup forms are the primary point of consent collection. Getting them right is the foundation of a GDPR compliant email marketing programme.

Required Form Elements

  • Unchecked consent checkbox: With clear language describing what subscribers are signing up for. Example: “I’d like to receive weekly marketing tips and product updates from CampaignOS. I can unsubscribe at any time.”
  • Link to your privacy policy: The consent language should link to a full privacy policy that covers what data you collect, how you use it, how long you retain it, and how subscribers can access or delete their data.
  • No pre-ticked boxes: The checkbox must start unchecked. Users must actively select it.
  • Timestamp and source recording: Your system must automatically record the date and time of consent, the form or page where consent was given, and the exact consent language shown at that time.

Double Opt-In as a Best Practice

Double opt-in — sending a confirmation email that requires the subscriber to click a link to activate their subscription — is not strictly required by GDPR, but it is strongly recommended. It provides an unambiguous proof of consent (the subscriber actively confirmed their email address and their intent to subscribe) and produces a higher-quality list. For any business focused on GDPR compliance as a genuine priority rather than a box-checking exercise, double opt-in is the right approach.
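The two pieces above (a consent record that captures timestamp, source and the exact wording shown, and a double opt-in link that proves the address owner actually clicked) are the part of the form a developer has to build. The following is an added example, not CampaignOS code or code from the original page. Field names, SECRET_KEY, the 48-hour link lifetime and the in-memory handling are assumptions for illustration; a real deployment persists records in a database and loads the key from a secrets manager. The confirmation token is an HMAC over the expiry and the normalised address, so a link cannot be forged or reused for another address and nothing has to be stored server-side to validate it.

```python
"""Consent record plus signed double opt-in link (added example, not CampaignOS code).

Assumptions: field names, SECRET_KEY, the 48 h link lifetime and in-memory
records are illustrative only.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

SECRET_KEY = b"replace-with-32-random-bytes-from-a-secrets-manager"  # assumed
TOKEN_TTL_SECONDS = 48 * 3600  # assumed policy: confirmation links expire after 48 h

# The exact wording shown on the form (the example text from the list above).
CONSENT_TEXT = (
    "I'd like to receive weekly marketing tips and product updates from "
    "CampaignOS. I can unsubscribe at any time."
)


def normalise_email(email: str) -> str:
    return email.strip().lower()


@dataclass
class ConsentRecord:
    email: str
    consent_text: str
    consent_text_sha256: str  # proves which wording was shown even if the form copy changes later
    source: str               # form or page where consent was given
    consented_at: int         # Unix time, UTC
    ip: Optional[str]
    confirmed_at: Optional[int] = None  # set when the double opt-in link is clicked
    status: str = "pending"


def record_consent(email: str, checkbox_ticked: bool, source: str,
                   ip: Optional[str], now: Optional[int] = None) -> ConsentRecord:
    """Create a pending record. Refuses unless the box was actively ticked:
    the server must not trust a default or pre-ticked value."""
    if not checkbox_ticked:
        raise ValueError("no affirmative action: consent checkbox was not ticked")
    now = int(time.time()) if now is None else now
    return ConsentRecord(
        email=normalise_email(email),
        consent_text=CONSENT_TEXT,
        consent_text_sha256=hashlib.sha256(CONSENT_TEXT.encode()).hexdigest(),
        source=source,
        consented_at=now,
        ip=ip,
    )


def make_confirmation_token(record: ConsentRecord, now: Optional[int] = None) -> str:
    """Token = '<expiry>.<hmac>' over (expiry, email): bound to one address and one
    time window, unguessable without SECRET_KEY, nothing to store server-side."""
    now = int(time.time()) if now is None else now
    expires = now + TOKEN_TTL_SECONDS
    mac = hmac.new(SECRET_KEY, f"{expires}.{record.email}".encode(), hashlib.sha256).hexdigest()
    return f"{expires}.{mac}"


def confirmation_link(record: ConsentRecord, base_url: str, now: Optional[int] = None) -> str:
    """The URL that goes into the confirmation email."""
    query = urlencode({"email": record.email, "token": make_confirmation_token(record, now)})
    return f"{base_url}?{query}"


def verify_confirmation(email: str, token: str, now: Optional[int] = None) -> bool:
    """Check the clicked link: well-formed, unexpired, MAC matches (constant-time compare)."""
    now = int(time.time()) if now is None else now
    try:
        expires_s, mac = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False
    if now > expires:
        return False
    expected = hmac.new(SECRET_KEY, f"{expires}.{normalise_email(email)}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def confirm(record: ConsentRecord, email: str, token: str, now: Optional[int] = None) -> bool:
    """Activate the subscription on a valid click; a repeat click or a forged link does nothing."""
    now = int(time.time()) if now is None else now
    if record.status != "pending" or normalise_email(email) != record.email:
        return False
    if not verify_confirmation(email, token, now):
        return False
    record.confirmed_at = now
    record.status = "active"
    return True
```

Store the record at signup with status "pending" and only flip it to "active" in confirm(); the pair (consented_at, confirmed_at) is then the evidence trail you produce if a regulator or the subscriber asks when and how consent was given.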

How to Handle Your Existing Email List

If your list was built before GDPR came into force (May 2018) or without compliant consent records, you have a practical problem. You cannot continue emailing subscribers without a valid legal basis for doing so.

Audit Your List

The first step is an audit. For each segment of your list, determine:

  1. When was each subscriber added?
  2. What consent language was shown at the time?
  3. Do you have a record of that consent (timestamp, form version, IP address)?
  4. Has the subscriber engaged (opened or clicked) in the last 12 months?

Run a Re-Permission Campaign

For any subscribers where consent records are unclear or missing, run a re-permission campaign: send a single email that clearly explains what they signed up for and asks them to actively re-confirm their subscription by clicking a button. Those who do not click within 30 days should be removed from your active send list (not deleted; keep the record, just suppress future sends). Do not include anyone who has previously unsubscribed or opted out: a re-permission email to someone who has already said no is itself unsolicited marketing, and regulators have fined companies for exactly this. This is not pleasant, since you will likely lose a significant portion of an old list, but it is legally necessary and will improve your list quality dramatically.

What Every Marketing Email Must Include

Every marketing email you send to EU subscribers must contain:

  • Clear sender identification: Your company name must be visible in the email, in the body or footer, and the sender name must not disguise or conceal who is sending. The ePrivacy Directive (Article 13(4)) prohibits marketing email that hides the identity of the sender.
  • A visible unsubscribe link: It must be easy to find, not buried in 8pt grey text in the footer. The link should take the subscriber to an immediate unsubscribe confirmation or a simple preference centre. GDPR (Article 7(3)) requires withdrawing consent to be as easy as giving it, so honour the unsubscribe promptly, ideally immediately; the 10-business-day window often quoted comes from the US CAN-SPAM Act, not from GDPR.
  • No deceptive subject lines: The subject line must accurately represent the content of the email. Misleading subject lines designed to boost open rates run against GDPR's fairness and transparency principle (Article 5(1)(a)) and are an explicit violation of anti-spam laws such as CAN-SPAM.
  • A valid contact address: The ePrivacy Directive requires a valid address to which the recipient can send an opt-out request, and CAN-SPAM requires a physical postal address (or PO box) for US-based senders. Put your registered company address in the footer of every email.

Data Storage, Retention, and Deletion

GDPR’s data minimisation principle requires you to collect only the personal data you need and retain it only for as long as necessary. For email marketing, this means:

What to Store

You need: the subscriber's email address, the date and source of consent, the exact consent language shown (or a hash of it alongside a versioned copy), and engagement history, so you can justify retention and suppression decisions later. If you also capture the IP address at signup, remember it is personal data too and must be covered by your privacy policy. You should not store data you do not need, for example birthdate or phone number, if you never use those fields.

Retention Periods

GDPR does not specify exact retention periods, but the principle of storage limitation means you should define your own and document them. A reasonable framework:

  • Active subscribers: Retain for as long as they remain subscribed and engaged
  • Unsubscribed contacts: Retain for up to 3 years for proof of consent and to honour suppression (so you do not accidentally re-add them)
  • Non-responders (no engagement in 18+ months): Consider deletion or transfer to a suppression list

Handling Subscriber Rights Requests

GDPR grants EU subscribers several rights that you must fulfil without undue delay and in any event within one month of the request (Article 12(3)); the deadline can be extended by up to two further months for complex or numerous requests, provided you tell the subscriber within the first month:

  • Right of access: The subscriber can request all data you hold on them. Export their profile, consent record, and email history.
  • Right to erasure ("right to be forgotten"): Delete all their data. Delete from the active list; retain a suppression record (email + deletion date only).
  • Right to rectification: Correct inaccurate personal data. Update their record immediately upon request.
  • Right to portability: Receive their data in a portable format. Provide a CSV or JSON export of their data.
  • Right to object: Object to processing based on legitimate interest. Cease processing immediately and move them to the suppression list.

Build a simple process for handling these requests — even if it is just a dedicated email address (privacy@yourcompany.com) with a documented workflow. Assign a responsible team member. Log every request and the date it was fulfilled.
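The erasure and portability rows above, and the retention framework in the previous section, all act on the same subscriber store, so one worked example can show them together. This is an added example, not CampaignOS code or code from the original page. The in-memory dicts, field names, SUPPRESSION_KEY and the sample subscribers are constructed for illustration, and the 3-year and 18-month windows follow the framework given above rather than any figure in GDPR. It goes one step beyond the text in one respect: the suppression list stores a keyed hash (HMAC-SHA256) of the address instead of the plaintext email, which still lets every import check "is this address blocked?" but means the list of erased people is not itself a readable list of email addresses.

```python
"""Erasure, keyed-hash suppression list and retention sweep (added example, not CampaignOS code).

Assumptions: in-memory store, field names, SUPPRESSION_KEY and the sample data
are illustrative; the retention windows are the article's own framework.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional

SUPPRESSION_KEY = b"separate-key-for-suppression-hashes"  # assumed; keep distinct from other keys
DAY = 86400
UNSUBSCRIBED_RETENTION = 3 * 365 * DAY  # article's framework: unsubscribed contacts up to 3 years
INACTIVE_RETENTION = 18 * 30 * DAY      # article's framework: no engagement for 18+ months

SUBSCRIBERS: Dict[str, dict] = {}  # normalised email -> profile
SUPPRESSION: Dict[str, dict] = {}  # keyed hash of email -> {"reason", "at"}
REQUEST_LOG: List[dict] = []       # every rights request / sweep action, with fulfilment date


def normalise_email(email: str) -> str:
    return email.strip().lower()


def suppression_key(email: str) -> str:
    """HMAC-SHA256 of the normalised address. Unlike a bare SHA-256, it cannot be
    reversed from a dictionary of likely addresses without SUPPRESSION_KEY."""
    return hmac.new(SUPPRESSION_KEY, normalise_email(email).encode(), hashlib.sha256).hexdigest()


def is_suppressed(email: str) -> bool:
    return suppression_key(email) in SUPPRESSION


def add_subscriber(email: str, profile: dict) -> bool:
    """Every import and re-subscribe goes through here so suppressed addresses never come back."""
    key = normalise_email(email)
    if is_suppressed(key):
        return False
    SUBSCRIBERS[key] = profile
    return True


def export_subscriber(email: str) -> Optional[str]:
    """Right of access / portability: everything held on the subscriber, as JSON."""
    profile = SUBSCRIBERS.get(normalise_email(email))
    return None if profile is None else json.dumps(profile, indent=2, sort_keys=True)


def erase_subscriber(email: str, now: int, reason: str = "erasure_request") -> bool:
    """Right to erasure: drop the profile; keep only a keyed hash and the date,
    the minimum needed to honour the suppression."""
    key = normalise_email(email)
    if key not in SUBSCRIBERS:
        return False
    del SUBSCRIBERS[key]
    h = suppression_key(key)
    SUPPRESSION[h] = {"reason": reason, "at": now}
    REQUEST_LOG.append({"type": reason, "subject": h, "fulfilled_at": now})
    return True


def retention_sweep(now: int) -> Dict[str, List[str]]:
    """Enforce the documented retention periods; returns what was removed so the run can be logged."""
    removed: Dict[str, List[str]] = {"unsubscribed_expired": [], "inactive": []}
    for email, p in list(SUBSCRIBERS.items()):
        if p["status"] == "unsubscribed" and now - p["unsubscribed_at"] > UNSUBSCRIBED_RETENTION:
            erase_subscriber(email, now, "unsubscribed_expired")
            removed["unsubscribed_expired"].append(email)
        elif p["status"] == "active" and now - p["last_engaged_at"] > INACTIVE_RETENTION:
            erase_subscriber(email, now, "inactive")
            removed["inactive"].append(email)
    return removed


NOW = 1_800_000_000  # fixed clock so the sample run is reproducible


def seed_sample_store() -> None:
    """Constructed sample data, not real subscribers."""
    SUBSCRIBERS.clear(); SUPPRESSION.clear(); REQUEST_LOG.clear()
    add_subscriber("alice@example.com", {"email": "alice@example.com", "status": "active",
                   "consent_source": "blog-footer", "consented_at": NOW - 400 * DAY,
                   "last_engaged_at": NOW - 10 * DAY})
    add_subscriber("bob@example.com", {"email": "bob@example.com", "status": "unsubscribed",
                   "consent_source": "webinar", "consented_at": NOW - 5 * 365 * DAY,
                   "unsubscribed_at": NOW - 4 * 365 * DAY})
    add_subscriber("carol@example.com", {"email": "carol@example.com", "status": "active",
                   "consent_source": "checkout", "consented_at": NOW - 700 * DAY,
                   "last_engaged_at": NOW - 600 * DAY})
    add_subscriber("dave@example.com", {"email": "dave@example.com", "status": "unsubscribed",
                   "consent_source": "popup", "consented_at": NOW - 2 * 365 * DAY,
                   "unsubscribed_at": NOW - 365 * DAY})


if __name__ == "__main__":
    seed_sample_store()
    print(export_subscriber("Alice@Example.com"))
    erase_subscriber("alice@example.com", NOW)
    print("alice re-import allowed:", add_subscriber("ALICE@example.com", {}))
    print("sweep:", retention_sweep(NOW))
```

On the sample data the sweep removes Bob (unsubscribed four years ago, past the 3-year window) and Carol (no engagement for 600 days) and keeps Dave, whose unsubscribe is only a year old; Alice, erased on request, is refused when a later import tries to re-add her. REQUEST_LOG is the audit trail the section above asks you to keep: the type of request and the date it was fulfilled.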

Complete GDPR Email Marketing Checklist

Consent Collection

  • All signup forms use unchecked opt-in checkboxes
  • Consent language is specific, informed, and clearly written
  • Privacy policy link is visible on all forms
  • System records timestamp, source, and consent language for every subscriber
  • Double opt-in is enabled (recommended)

Email Content

  • Every email includes company name and registered address
  • Unsubscribe link is visible and functional in every email
  • Unsubscribes are honoured promptly, ideally immediately (withdrawing consent must be as easy as giving it)
  • Subject lines accurately represent email content

Data Management

  • Data retention policy is documented and followed
  • Process for subject access requests is in place (fulfilled within one month)
  • Process for deletion requests is in place (retain suppression record)
  • Data processor agreements exist with your email platform vendor
  • List is audited for consent quality every 12 months

Existing List

  • Pre-GDPR subscribers have been through a re-permission campaign
  • Non-responders from re-permission campaign are suppressed
  • All active subscribers have verifiable consent records

CampaignOS includes built-in GDPR compliance tools: consent tracking, automatic unsubscribe processing, data export capabilities, and a suppression list manager — so you can manage your obligations from a single platform. For broader context on building compliant automation workflows, see our guide to email list segmentation and our overview of email marketing best practices for 2026. External resources: GDPR and email marketing official guidance.

Frequently Asked Questions

Does GDPR apply to email marketing if my company is based outside the EU?

Yes. GDPR applies to any organisation that processes personal data of individuals located in the EU, regardless of where the organisation is based. If you send marketing emails to subscribers in EU countries, GDPR applies to those activities. Non-EU companies can be fined by EU data protection authorities and enforcement is increasingly cross-border.

Is double opt-in required for GDPR compliance?

Double opt-in is not strictly required by GDPR, but it is strongly recommended. GDPR requires proof of unambiguous consent — and a double opt-in confirmation email, where the subscriber actively clicks to confirm their subscription, is the clearest possible evidence. Single opt-in with proper consent language and timestamp recording is technically compliant, but double opt-in removes any ambiguity.

Can I use legitimate interest instead of consent for email marketing under GDPR?

Legitimate interest is a valid legal basis under GDPR for some processing, but the ePrivacy Directive (Article 13), which governs electronic direct marketing including email, requires prior consent before sending unsolicited marketing email to individuals, and national regulators treat that as the controlling rule. The one exception is the "soft opt-in" in Article 13(2): you may email existing customers about your own similar products or services using contact details obtained in the course of a sale, provided they were given a clear, free opt-out when the details were collected and in every message since. Outside that exception, relying on legitimate interest for marketing emails to EU subscribers is high-risk.

How long can I keep subscriber data under GDPR?

GDPR does not specify exact retention periods but requires you to retain data only for as long as necessary. A reasonable policy for email marketing: retain active subscriber data while they remain subscribed, retain unsubscribed contacts for up to 3 years (for proof of consent and suppression purposes), and delete or anonymise data for non-engaged contacts after 18–24 months. Document your retention policy and follow it consistently.

What should I do if a subscriber requests deletion of their data?

You must fulfil deletion requests without undue delay and within one month (extendable by up to two further months for complex requests, if you tell the subscriber within the first month). Delete all personal data associated with the subscriber from your active database. However, you should retain a suppression record, just the email address (or a keyed hash of it) and the deletion date, to ensure you do not accidentally re-add them to your list in the future. Document the request and the date you fulfilled it.

Built-In GDPR Compliance with CampaignOS

CampaignOS handles the technical side of GDPR compliance automatically — consent timestamping, unsubscribe processing, data export, and suppression list management — so your team can focus on creating great campaigns rather than managing spreadsheets of consent records.
