GDPR and email marketing: how to stay compliant in 2026
What GDPR means for email marketers
The General Data Protection Regulation, which applies in the EU and, in its UK equivalent form, in the United Kingdom, changed the legal requirements for email marketing to individuals in those territories. For email marketers, the most significant change was on consent: GDPR raised the bar from a vague opt-in to a specific, documented, affirmative action.
GDPR applies to any organisation that processes the personal data of UK or EU individuals, regardless of where the organisation is based. A business in the United States, Australia, or anywhere else that sends marketing email to UK or EU subscribers is subject to GDPR for those relationships. The extraterritorial reach of the law is one of its most important features for email marketers to understand, because it means domestic compliance law alone is not sufficient if any part of your list includes UK or EU contacts.
The regulation is enforced by data protection authorities in each member state and by the Information Commissioner's Office (ICO) in the UK. Penalties for serious violations can reach 4% of global annual turnover or 20 million euros, whichever is higher. Enforcement actions against email marketers have focused on unlawful processing, inadequate consent, and failure to honour data subject rights rather than technical errors in programme setup.
The broader context of how compliance requirements interact with deliverability is covered in the email deliverability guide. This article focuses specifically on what GDPR requires of email marketing programmes, how to collect and document consent correctly, and what to do when your existing list does not meet the current standard.
Lawful basis for email marketing under GDPR
GDPR requires a lawful basis for processing personal data. For email marketing to individuals, the relevant bases are consent and legitimate interests. Understanding when each applies determines how you collect contacts and what documentation you need to maintain.
Consent is the most common lawful basis for direct marketing email. Under GDPR, consent must be freely given, specific, informed, and unambiguous. Freely given means there is no penalty for not consenting, and consent is not bundled with other terms such as acceptance of service conditions. Specific means the subscriber knows what they are consenting to receive. Informed means they understand who is collecting their data and why. Unambiguous means they took a clear affirmative action, such as ticking an unticked checkbox, not a pre-ticked box that they did not actively deselect.
Consent must also be granular. If you intend to send multiple types of email, such as newsletters, promotional offers, and event invitations, GDPR requires separate consent for each if the purposes are meaningfully different. Bundling consent for all types into a single checkbox is acceptable only if the types of communication are genuinely related and the subscriber would reasonably expect them to be covered by a single agreement.
Legitimate interests is the other basis sometimes used for B2B email marketing. Under the legitimate interests basis, you can send marketing email without explicit consent if you have a genuine business reason, the processing is necessary for that purpose, and the subscriber's interests do not override yours. In practice, legitimate interests is most defensible for emailing existing customers about closely related products or services, or for initial B2B outreach between businesses. It is much harder to rely on for consumer marketing or cold outreach to individuals who have had no prior contact with your business.
The soft opt-in is a specific provision in UK PECR (Privacy and Electronic Communications Regulations) that permits email marketing to existing customers without fresh consent, provided the marketing relates to similar products or services and the customer was given a clear opportunity to opt out at the point of data collection and in every subsequent message. This does not override the GDPR consent requirement for new contacts.
How to collect and document consent properly
Collecting GDPR-compliant consent requires attention to how your sign-up forms are structured, what they say, and what records you keep. A form that collects a valid email address but does not meet the consent standard creates a list that cannot be legally used for marketing.
A compliant consent collection process includes: an unticked opt-in checkbox with a clear label stating what the subscriber is agreeing to receive; a link to your privacy policy from the consent form; no pre-ticked boxes or implied consent language; and separate consent if you intend to share data with third parties for their own marketing.
The consent record must capture: the timestamp of when consent was given, the version of the form or consent language in use at that time, the IP address or other identifier of the subscribing device, and what the subscriber was told they were consenting to. This record must be retrievable if you are ever asked to demonstrate valid consent for a specific contact.
Most reputable email platforms store consent timestamps automatically when contacts opt in through platform-hosted forms. Mailchimp records the date, source, and IP address for contacts who join through Mailchimp forms. HubSpot stores submission history and form version data in the contact record, giving you the audit trail GDPR requires. For contacts collected through custom forms on your own website, the responsibility for capturing and storing consent metadata falls to you.
Consent documentation tools like Termly and TermsFeed help you generate privacy policies, cookie notices, and consent management infrastructure that meets GDPR standards. For businesses without dedicated legal resource, these tools provide a compliance baseline for the public-facing elements of consent collection. The email signup forms guide covers form design and consent language in detail, including how to structure double opt-in confirmation messages that create a clear consent record.
Handling unsubscribes and data deletion requests
GDPR creates two distinct obligations around stopping contact: the right to withdraw consent (which maps to unsubscribing from marketing email) and the right to erasure (which is a broader right to have all personal data deleted). Email marketers need processes for both.
Withdrawing consent from marketing email must be as easy as giving it. Under GDPR, if consent was given via a single checkbox tick, unsubscribing must require no more effort than a single action. One-click unsubscribes that immediately remove the contact from the active marketing list satisfy this requirement. Requiring subscribers to log in, enter a reason, or navigate multiple pages to unsubscribe does not.
Processing the unsubscribe must be immediate. The CAN-SPAM Act allows ten business days; GDPR does not provide a grace period. Best practice, and the spirit of the regulation, is to process unsubscribes in real time. Platforms like Mailchimp and HubSpot do this automatically. The practical risk of delayed processing is not just regulatory: a subscriber who unsubscribes and then receives another email is likely to file a spam complaint, which damages your sender reputation as well as creating legal exposure.
After unsubscription, you must retain the suppression record. You cannot delete the contact's email address from your system entirely following an unsubscribe, because doing so would allow the address to re-enter your list through future imports. The correct state is suppressed: the address remains in your system with a flag that prevents further marketing sends, but the contact's other data can be minimised.
The right to erasure is a separate and broader right. A subscriber can request that all personal data you hold about them be deleted, not just removed from the marketing list. This includes contact records, purchase history stored in your CRM, website tracking data, and any other data tied to their identity. GDPR gives you one month to respond to an erasure request. Most small email programmes can execute a deletion across their systems within that window, but larger organisations with data spread across multiple platforms need a documented deletion process.
Where erasure conflicts with a legal obligation to retain data, such as financial records, the retention obligation takes precedence for that specific data. The email address itself, however, has no equivalent retention obligation and should be deleted or anonymised when a verified erasure request is made.
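The consent record fields listed earlier and the unsubscribe-versus-erasure handling described in this section, as an added example that is not from the article or from any platform it names. The names ConsentRecord, MarketingList and the fingerprint scheme used to keep erased addresses blocked are assumptions made for illustration; the sample values are constructed.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class ConsentRecord:          # the fields a GDPR consent record must capture
    email: str
    consented_at: str         # ISO-8601 UTC timestamp of the affirmative action
    form_version: str         # version of the consent language shown at that time
    source_ip: str            # identifier of the subscribing device
    purposes: tuple           # what the subscriber was told they would receive
    prechecked: bool = False  # True if the box was pre-ticked: not valid consent

def fingerprint(email: str) -> str:
    # Assumed scheme: one-way token kept after erasure so the address stays blocked without being stored
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()

class MarketingList:
    def __init__(self):
        self.contacts = {}       # email -> {"consent": ConsentRecord | None, "profile": dict}
        self.suppressed = set()  # unsubscribed addresses, kept in clear as a do-not-send flag
        self.erased = set()      # fingerprints of erased addresses (address itself deleted)
    def blocked(self, email: str) -> bool:
        return email in self.suppressed or fingerprint(email) in self.erased
    def opt_in(self, rec: ConsentRecord) -> None:
        # Hosted-form path: a fresh affirmative action supersedes an earlier withdrawal or erasure
        if rec.prechecked or not rec.purposes:
            raise ValueError("consent must be an affirmative, specific action")
        self.suppressed.discard(rec.email)
        self.erased.discard(fingerprint(rec.email))
        self.contacts[rec.email] = {"consent": rec, "profile": {}}
    def import_contacts(self, recs) -> int:
        # Bulk import path: a suppressed or erased address must never re-enter the active list
        fresh = [r for r in recs if not self.blocked(r.email)]
        for r in fresh:
            self.opt_in(r)
        return len(fresh)
    def unsubscribe(self, email: str) -> None:
        # Withdrawal: immediate, address retained as a suppression record, other data minimised
        self.suppressed.add(email)
        if email in self.contacts:
            self.contacts[email] = {"consent": None, "profile": {}}
    def erase(self, email: str) -> None:
        # Right to erasure: delete the contact record and the clear address, keep only a fingerprint
        self.contacts.pop(email, None)
        self.suppressed.discard(email)
        self.erased.add(fingerprint(email))
    def can_send(self, email: str, purpose: str) -> bool:
        # Granular consent: send only if the recorded consent covers this specific purpose
        c = self.contacts.get(email, {}).get("consent")
        return c is not None and purpose in c.purposes and not self.blocked(email)
```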
What to do if you have a non-compliant list
Many email marketers have inherited or built lists that do not fully meet GDPR standards, whether because they pre-date the regulation, were collected via pre-ticked checkboxes, or came from sources where consent documentation is absent. Non-compliant lists create ongoing legal risk and, separately, tend to produce poor engagement and deliverability outcomes because they include people who did not genuinely opt in.
The options for non-compliant lists run from least to most disruptive. The first is a re-permission campaign: send a targeted email to non-compliant contacts explaining that you are updating your records and asking them to confirm they still want to hear from you. Contacts who click a clear opt-in confirmation are moved to a compliant active list. Those who do not respond within a set period are suppressed. This approach recovers some contacts and creates compliant consent records for those who re-engage.
The second option is to assess each non-compliant segment against the legitimate interests basis. If the segment consists of existing customers who purchased within the last 12 months and you intend to email them about closely related products, legitimate interests may provide a defensible basis. Document the assessment and the outcome. If legitimate interests cannot be justified, suppress the segment.
The third option is deletion. Contacts with no consent record, no legitimate interests justification, and no prospect of re-permission should be deleted from your system. Keeping them creates regulatory exposure without any commercial value, since they are unlikely to engage regardless.
The email list building guide covers how to build a permission-based list from the ground up, which is the most reliable way to ensure new contacts meet the GDPR standard from the point of collection.
GDPR vs CAN-SPAM: running global email programmes
Senders emailing both US and UK or EU recipients operate under two frameworks simultaneously. The frameworks are compatible but not identical, and meeting GDPR's higher standard on most dimensions satisfies CAN-SPAM as well, with a few exceptions.
On consent, applying GDPR-standard opt-in to all new subscribers regardless of location means your full list is legally collected under the stricter standard. This simplifies compliance management because you do not need to track which contacts were collected under which framework.
On unsubscribes, GDPR's real-time processing requirement is more demanding than CAN-SPAM's ten business day window. Running instant unsubscribes satisfies both.
On data rights, CAN-SPAM has no equivalent to GDPR's subject access and erasure rights. US recipients do not have a legal right to request their data or demand deletion under federal email law, but GDPR rights apply to all EU and UK individuals regardless of where the processing business is located. If any of your US-based contacts are EU or UK nationals, they retain GDPR rights even if they are physically in the United States.
The CAN-SPAM Act guide covers the specific requirements of US email law in full. For most senders managing global programmes, the practical approach is to design one compliant programme to the GDPR standard, use a platform that handles suppression and consent documentation automatically, and document the lawful basis for any segment where consent is not the primary basis.
What this means for your data practices
GDPR compliance and good email marketing practice point in the same direction. Collecting genuine opt-in consent, documenting when and how it was given, making it easy to unsubscribe, and honouring deletion requests are the same behaviours that produce engaged lists and strong inbox placement. Regulators and mailbox providers both reward senders who treat recipient data with care.
The most common GDPR failure for email marketers is not deliberate non-compliance but documentation gaps. Senders who collect consent correctly but do not store the timestamp, the form version, or the consent language will struggle to demonstrate compliance if challenged. Setting up consent record storage before launching any new acquisition programme costs almost nothing compared to the cost of retroactively documenting a large list.
For senders who use Klaviyo, the platform's consent and compliance features allow you to store opt-in source, timestamp, and IP address against each contact, making GDPR audit trails accessible directly from the contact record. This removes the need for separate documentation systems for most standard acquisition flows.
Building compliance into the programme from the start is always simpler than retrofitting it later. The intersection of technical deliverability, legal compliance, and list quality means that senders who get consent right from day one rarely face the list remediation, re-permission campaign, or reputation recovery processes that non-compliant programmes eventually require.