
Compliance & Privacy

GDPR Email Marketing: A Practical Compliance Checklist

Migomail Team
May 3, 2026

GDPR Email Marketing: A Practical Compliance Checklist (2026)

The General Data Protection Regulation has applied since May 2018, eight years by 2026, and enforcement is only accelerating. The Irish Data Protection Commission's €1.2 billion fine against Meta in 2023 remains the largest single GDPR penalty issued to date. The UK Information Commissioner's Office issued £12.5 million in penalties in 2024. GDPR is not a one-time compliance project. It is an ongoing operational requirement that touches every email you send to a subscriber in the UK or European Union.

For email marketing specifically, GDPR is the strictest of the major email laws. Unlike CAN-SPAM — which requires only that recipients can opt out after receiving an email — GDPR requires a lawful basis for processing subscriber data before the first email is ever sent. Unlike CASL — which allows implied consent from a business relationship — GDPR's consent standard is more demanding and more explicitly documented.

Yet GDPR compliance for email marketing is more achievable than its reputation suggests. The requirements are clear, the operational changes are manageable, and the audit trail that compliance creates — consent records, suppression logs, processing records — actually makes email programmes easier to defend, not harder to run.

This guide covers every GDPR requirement relevant to email marketing: the six lawful bases and which ones apply to email, how to collect and document valid consent, what subscribers can demand and how to respond, how to handle data breaches, and the 2026 compliance checklist that applies to any business emailing UK or EU subscribers.


Who GDPR Applies To

GDPR has extraterritorial reach. It applies to organisations established in the EU or UK, and to organisations based anywhere else that offer goods or services to individuals located in the EU or UK, or that monitor their behaviour, regardless of where the organisation itself is incorporated or hosts its servers.

US businesses emailing EU or UK subscribers are subject to GDPR. A New York-based ecommerce store that ships to Germany and emails its German customers is processing the personal data of EU data subjects and must comply with GDPR for those contacts. The fact that the business is incorporated in the US provides no exemption.

UK GDPR vs EU GDPR: Following Brexit, the UK has its own version of GDPR — UK GDPR — which is substantively identical to EU GDPR with minor procedural differences. For practical email marketing compliance purposes, UK GDPR and EU GDPR impose the same requirements. This guide addresses both.

What counts as personal data under GDPR: Any information that can identify a living individual — directly or indirectly. An email address is personal data. A name is personal data. IP address, device ID, and behavioural data linked to an identified individual are all personal data. When you collect an email address and use it to send marketing communications, you are processing personal data under GDPR.


The Six Lawful Bases for Processing — and Which Apply to Email Marketing

GDPR requires that every instance of personal data processing has a lawful basis. There are six bases, but for email marketing, only two are practically relevant. Understanding which basis applies to your programme determines every downstream compliance obligation.

Lawful Basis 1: Consent

The GDPR definition of consent: Freely given, specific, informed, and unambiguous indication of the data subject's wishes — by a statement or clear affirmative action — signifying agreement to the processing of their personal data.

This is the most commonly used basis for marketing email to consumer audiences.

What GDPR consent requires:

  • Freely given: Consent cannot be a condition of service. "You must agree to receive marketing emails to create an account" is not freely given consent. The marketing opt-in must be genuinely optional.
  • Specific: Consent must be for a specific purpose. A single checkbox that covers "I agree to all communications" is not specific enough for GDPR. Consent for email marketing, consent for SMS marketing, and consent for postal marketing must each be obtained separately.
  • Informed: The subscriber must know who is collecting their data, what it will be used for, and that they can withdraw consent at any time. This information must be provided at the time consent is collected — not buried in a privacy policy linked from the footer.
  • Unambiguous: Consent must be an active, affirmative act. A pre-checked opt-in box is not valid consent under GDPR — the subscriber must actively check the box. Silence or inactivity does not constitute consent.

Consent documentation requirement: You must be able to demonstrate that consent was obtained. This means recording: when the consent was given, what wording was presented, what the subscriber agreed to, and how consent was given (checkbox, double opt-in confirmation, etc.). If you cannot produce this record, you cannot demonstrate lawful processing.

Consent withdrawal: Subscribers must be able to withdraw consent as easily as they gave it. If consent was given by checking a checkbox on a web form, withdrawal must be equally simple — a one-click unsubscribe satisfies this requirement for email marketing.

Consent does not expire automatically under GDPR — there is no fixed duration for valid consent. However, if you have not communicated with a subscriber for an extended period (12–18 months is commonly cited), it is difficult to demonstrate that the consent remains active and that the relationship still reflects the subscriber's original intent. Best practice is to run a re-permission campaign for subscribers who have not engaged in 12 months.

Lawful Basis 2: Legitimate Interests

Legitimate interests is the most flexible GDPR basis — and the most misapplied. An organisation can rely on legitimate interests when processing is necessary for a legitimate purpose, provided that purpose is not overridden by the data subject's interests, rights, and freedoms.

For B2B email marketing: Legitimate interests can support commercial email to business contacts where there is a genuine and relevant business relationship. A software company emailing a previous business customer about a new product that is directly relevant to that customer's business role may have a legitimate interest basis — the marketing is relevant, the relationship exists, and a reasonable business contact would not be surprised to receive it.

For B2C email marketing: Legitimate interests is harder to rely on for unsolicited consumer marketing. The UK ICO and most European data protection authorities take the position that sending marketing email to consumers without prior consent cannot typically be justified under legitimate interests — the consumer's right not to receive unsolicited commercial communications tends to override the organisation's commercial interest.

The Legitimate Interests Assessment (LIA): Before relying on legitimate interests, you must conduct and document a three-part test: (1) identify the legitimate interest; (2) confirm the processing is necessary for that interest; (3) balance your interest against the data subject's rights. This assessment must be documented. It is not a one-time exercise — it should be reviewed when circumstances change.

The PECR overlay for UK senders: The Privacy and Electronic Communications Regulations (PECR) govern electronic marketing in the UK and require prior consent (or the soft opt-in exemption) for direct marketing by email to individual subscribers, regardless of the GDPR lawful basis. In practice, this means UK businesses cannot rely on legitimate interests alone for consumer marketing email; they also need PECR consent. The PECR soft opt-in exemption (below) is the exception. Note that PECR's consent rule protects individual subscribers, which includes sole traders and some partnerships; it does not apply to messages sent to corporate subscribers' addresses, although the named employee's data is still personal data under UK GDPR and the employee retains the right to object.

The UK PECR Soft Opt-In Exemption

Under UK PECR, a business may send electronic marketing to individuals without prior consent if all four conditions are met:

  1. The contact's email address was collected in the course of a sale or negotiations for a sale of a product or service
  2. The marketing relates to similar products or services from the same organisation
  3. The individual was given a clear opportunity to opt out at the time their details were collected
  4. Every subsequent marketing message offers a simple opt-out

In practice: A UK ecommerce business that collects an email address during checkout can send marketing emails about similar products to that customer — without specific email marketing consent — as long as the customer was given an opt-out opportunity at checkout and every marketing email includes an easy unsubscribe. The soft opt-in does not permit marketing about unrelated products or services.

Important limitations: The soft opt-in applies only to individuals (not businesses as organisations) and only where the contact details were obtained during a sale or negotiations for a sale. "Negotiations" can include a quote request that never became a sale, but the exemption does not cover subscribers who signed up through a lead magnet, a competition or a content download with no sale in prospect.

The Other Four Bases (Less Relevant to Email Marketing)

Contract: Processing is necessary to perform a contract with the data subject, or to take steps at the data subject's request before entering a contract. This covers transactional email — order confirmations, shipping notifications — not marketing email.

Legal obligation: Processing is necessary to comply with a legal obligation. Not applicable to email marketing.

Vital interests: Processing is necessary to protect someone's life. Not applicable to email marketing.

Public task: Processing is necessary to perform a task in the public interest. Applicable to public authorities and organisations exercising official functions — not to standard commercial email marketing.


Collecting GDPR-Compliant Consent for Email Marketing

The most common GDPR compliance failure in email marketing is not the absence of a consent mechanism — it is the use of a consent mechanism that does not meet the GDPR standard.

What a Valid Consent Form Looks Like

The opt-in field: An unchecked checkbox with clear, specific label text:

☐ I agree to receive email marketing from [Company Name] about [specific 
  content — e.g. "product updates, promotions, and news"]. I understand 
  I can unsubscribe at any time by clicking the unsubscribe link in any email.

What the label must include:

  • The identity of the data controller (your company's legal name)
  • The specific purpose (email marketing, not a general "communications" category)
  • The types of content they will receive
  • The right to withdraw consent (unsubscribe)

What the label must NOT do:

  • Bundle email marketing consent with terms of service acceptance
  • Make the checkbox pre-checked
  • Use vague language like "I agree to be contacted" without specifying the channel and purpose
  • Obscure the consent request in dense text that a reasonable person would not read

The Double Opt-In Recommendation

GDPR does not explicitly require double opt-in — a single unchecked checkbox with clear label text constitutes valid consent. However, double opt-in produces a stronger consent record:

  • It confirms the email address is valid and under the subscriber's control
  • The confirmation email creates an additional timestamped record of consent
  • It filters out sign-ups by third parties using someone else's email address — which creates a false consent record

For consumer audiences in regulated industries (financial services, healthcare) or where the data processed is sensitive, double opt-in is strongly recommended as a risk management measure even though it is not legally required.

What to Record for Every Subscriber

Field: What to capture

Consent timestamp: Exact date and time consent was given (store it in UTC so records from different systems line up)
Consent method: Checkbox submission, double opt-in confirmation, verbal consent with witness
Consent language: The exact wording shown on the form at the time of consent; storing a hash of that wording alongside the record lets you prove it was not edited later
IP address: For web-based sign-ups; an IP address is itself personal data, so keep it only as long as the consent record needs it
Source URL: The page where consent was collected
Data controller: Which legal entity collected the consent
Purpose: What the subscriber consented to
This record must be retained for as long as you are processing the subscriber's data, and for a defensible period after the relationship ends in case of a complaint. GDPR sets no fixed retention period for consent records; the accountability principle (Article 5(2)) requires that you can demonstrate consent for as long as you rely on it, so the defensible approach is the duration of the relationship plus long enough to answer any complaint or regulatory enquiry that follows.


Data Subject Rights Under GDPR

GDPR grants eight rights to data subjects (the individuals whose personal data you process): to be informed, of access, to rectification, to erasure, to restrict processing, to data portability, to object, and rights relating to automated decision-making. Separately, Article 7(3) gives anyone who has consented the right to withdraw that consent at any time. All of these are relevant to email marketing operations; the five covered first below require operational processes to handle efficiently.

The Right to Withdraw Consent

The most operationally active right for email marketing. Data subjects can withdraw consent at any time, with immediate effect. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal — but it must stop new processing immediately.

Operational requirement: Every marketing email must include a clear, functioning unsubscribe mechanism, and the withdrawal must be applied to every sending stream (newsletters, promotions, automated sequences), not only the campaign the subscriber happened to opt out from. Migomail's unsubscribe handling processes opt-outs in real time and permanently suppresses opted-out addresses across all sending streams.
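As an added illustration of what "one-click, applied across every stream" looks like at the protocol level (example code written for this article, not Migomail's implementation), the block below builds the RFC 8058 List-Unsubscribe and List-Unsubscribe-Post headers with an HMAC-signed token bound to the subscriber address and list, and shows the endpoint logic that acts only on the one-click POST. The signing secret, the endpoint URL and the suppress() callback are constructed assumptions.

```python
"""Signed one-click unsubscribe (RFC 8058) for marketing email.

Added example for this article, not Migomail's code. Constructed assumptions:
a sender-held HMAC secret, the endpoint https://mail.example.com/u, and a
suppress(email, list_id) callback that writes to your suppression list.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
from typing import Callable
from urllib.parse import parse_qs, urlencode, urlparse

UNSUB_KEY = b"example-only-unsubscribe-key"   # constructed; load from a secrets manager
UNSUB_ENDPOINT = "https://mail.example.com/u"  # constructed endpoint
ONE_CLICK_BODY = "List-Unsubscribe=One-Click"  # fixed POST body mandated by RFC 8058


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(email: str, list_id: str, issued_at: int, key: bytes = UNSUB_KEY) -> str:
    """Token = b64(payload).b64(HMAC-SHA256(payload)); bound to one address and one list."""
    payload = json.dumps({"e": email.strip().lower(), "l": list_id, "t": issued_at},
                         separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(token: str, key: bytes = UNSUB_KEY) -> dict | None:
    """Return the payload if the signature verifies, otherwise None (constant-time compare)."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None
        return json.loads(payload)
    except ValueError:  # bad base64, bad JSON or no "." separator
        return None


def unsubscribe_headers(email: str, list_id: str, issued_at: int) -> dict[str, str]:
    """Headers to add to every marketing message; the URL carries the signed token."""
    token = make_token(email, list_id, issued_at)
    url = f"{UNSUB_ENDPOINT}?{urlencode({'t': token})}"
    return {
        "List-Unsubscribe": f"<{url}>",
        "List-Unsubscribe-Post": ONE_CLICK_BODY,
    }


def handle_unsubscribe(method: str, url: str, body: str,
                       suppress: Callable[[str, str], None]) -> int:
    """Endpoint logic; returns the HTTP status code to send.

    GET  -> 200 with a confirmation page, but do NOT unsubscribe: link scanners and
            mail clients prefetch GET links, so acting on GET would unsubscribe
            people who never clicked.
    POST with the RFC 8058 body, or the confirmation form -> verify and suppress now.
    """
    query = parse_qs(urlparse(url).query)
    claims = verify_token(query.get("t", [""])[0])
    if claims is None:
        return 400  # forged, truncated or tampered token: do nothing
    if method == "GET":
        return 200  # render a "Confirm unsubscribe" form that POSTs confirm=yes back
    if method == "POST" and body in (ONE_CLICK_BODY, "confirm=yes"):
        suppress(claims["e"], claims["l"])
        return 200
    return 405
```

The token is deliberately not time-limited: an unsubscribe link that expires is a barrier to withdrawal, and binding the token to the address and list already stops one subscriber's link from being edited into another's. The suppress() callback is where the opt-out must fan out to every sending stream.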

The Right to Erasure ("Right to Be Forgotten")

Data subjects can request the deletion of all personal data you hold about them. This goes beyond an unsubscribe — an erasure request asks you to delete not just the email address but all associated data: name, purchase history, engagement history, browsing data, preferences.

Operational requirement: When you receive an erasure request, you must act on it without undue delay and in any case within one month; that period can be extended by up to two further months for complex or numerous requests, provided you tell the individual within the first month. The exception: you may retain a suppression record (email address plus erasure date) to prevent the address from being re-added to your marketing list. That retention is what stops you from processing the individual's data again after a list import or re-sync, so it serves the erasure request rather than contradicting it.

Do not confuse unsubscribe with erasure: An unsubscribe stops marketing email. An erasure request requires deletion of all personal data. These are different requests requiring different responses.
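The consent-record fields above and the unsubscribe-versus-erasure distinction, as an added worked example (Python written for this article, not Migomail code): an in-memory ledger that stores every field from the "What to Record" table plus a hash of the wording shown, treats an unsubscribe as a withdrawal that keeps the record, and treats erasure as deletion that leaves only a suppression entry. The dicts stand in for an ESP or CRM, and storing the suppression entry as a keyed hash of the address rather than the address in clear is a data-minimisation choice of this example, not something the article requires.

```python
"""Consent ledger with unsubscribe and erasure handling.

Added example for this article, not Migomail's code. In-memory dicts stand in
for the ESP/CRM; the keyed hash used for the suppression list is a
data-minimisation choice (the article keeps "email + erasure date" in clear).
"""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

# Constructed secret for the example only; load from a secrets manager in practice.
SUPPRESSION_KEY = b"example-only-suppression-key"


def normalise_email(addr: str) -> str:
    """Trim and lower-case so 'Alice@Example.com ' and 'alice@example.com' match."""
    return addr.strip().lower()


def suppression_token(addr: str, key: bytes = SUPPRESSION_KEY) -> str:
    """Keyed hash of the address: blocks re-addition without storing the address itself."""
    return hmac.new(key, normalise_email(addr).encode(), hashlib.sha256).hexdigest()


def _now(now: datetime | None) -> str:
    return (now or datetime.now(timezone.utc)).isoformat()


@dataclass
class ConsentRecord:
    """One row per subscriber: every field the article's table asks for."""
    email: str
    consented_at: str            # ISO 8601, UTC
    method: str                  # "checkbox", "double_opt_in", ...
    consent_text: str            # exact wording shown at the time
    consent_text_sha256: str     # proves the stored wording was not edited later
    ip_address: str | None       # web sign-ups only; itself personal data
    source_url: str
    controller: str              # legal entity that collected the consent
    purpose: str                 # e.g. "email marketing: product updates, promotions"
    withdrawn_at: str | None = None


class ConsentLedger:
    def __init__(self) -> None:
        self._consents: dict[str, ConsentRecord] = {}
        self._suppressed: dict[str, str] = {}  # suppression token -> erasure timestamp

    def record_consent(self, email: str, *, method: str, consent_text: str,
                       ip_address: str | None, source_url: str, controller: str,
                       purpose: str, prechecked: bool = False,
                       now: datetime | None = None) -> ConsentRecord:
        if prechecked:
            raise ValueError("a pre-checked box is not an affirmative act; nothing recorded")
        addr = normalise_email(email)
        if self.is_suppressed(addr):
            raise PermissionError("address was erased; refuse silent re-addition from imports")
        rec = ConsentRecord(
            email=addr, consented_at=_now(now), method=method,
            consent_text=consent_text,
            consent_text_sha256=hashlib.sha256(consent_text.encode()).hexdigest(),
            ip_address=ip_address, source_url=source_url,
            controller=controller, purpose=purpose)
        self._consents[addr] = rec
        return rec

    def is_suppressed(self, email: str) -> bool:
        return suppression_token(email) in self._suppressed

    def can_send_marketing(self, email: str) -> bool:
        """Send only with an unwithdrawn consent record and no suppression entry."""
        rec = self._consents.get(normalise_email(email))
        return rec is not None and rec.withdrawn_at is None and not self.is_suppressed(email)

    def unsubscribe(self, email: str, now: datetime | None = None) -> bool:
        """Withdrawal of consent: stop marketing, keep the record (it proves past lawfulness)."""
        rec = self._consents.get(normalise_email(email))
        if rec is None:
            return False
        rec.withdrawn_at = _now(now)
        return True

    def erase(self, email: str, now: datetime | None = None) -> dict[str, object]:
        """Right to erasure: delete everything, keep only token + date to block re-addition."""
        addr = normalise_email(email)
        deleted = self._consents.pop(addr, None) is not None
        erased_at = _now(now)
        self._suppressed[suppression_token(addr)] = erased_at
        return {"deleted": deleted, "erased_at": erased_at}

    def subject_access(self, email: str) -> str:
        """Subject access request: everything held about the address, as JSON."""
        rec = self._consents.get(normalise_email(email))
        return json.dumps(asdict(rec) if rec else {}, indent=2, sort_keys=True)
```

record_consent refuses a suppressed address so that a list re-import cannot quietly undo an erasure; a genuine fresh sign-up by the same person after erasure needs a deliberate path that checks the new consent record before clearing the suppression entry, which this example leaves to the caller.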

The Right of Access (Subject Access Request — SAR)

Data subjects can request a copy of all personal data you hold about them and information about how it is being processed. You must respond without undue delay and within one month (extendable by up to two further months for complex or numerous requests, provided you tell the individual within the first month) and provide the information free of charge, unless the request is manifestly unfounded or excessive.

Operational requirement: You must be able to export all personal data held about a specific individual — from your email platform, your CRM, your analytics tools, and any other system that processes their data — and compile it into a comprehensible response.

The Right to Rectification

Data subjects can request correction of inaccurate personal data. For email marketing, this typically means updating an email address, correcting a name spelling, or adjusting preference records.

Operational requirement: A mechanism for subscribers to update their own data — a preference centre or contact form — satisfies this right for most email marketing use cases.

The Right to Object

Data subjects can object to processing based on legitimate interests at any time. If you are relying on legitimate interests as your lawful basis for marketing email (B2B contexts, soft opt-in scenarios), an objection must be treated as a withdrawal — you must stop sending marketing emails to that address.

The Rights to Portability, Restriction, and Not to Be Subject to Automated Decision-Making

These three rights have limited practical application in standard email marketing operations. Data portability requires providing data in a machine-readable format on request. Restriction allows temporary suspension of processing pending resolution of an accuracy dispute or objection. Automated decision-making rights apply to decisions with significant legal or similarly significant effects — standard email personalisation does not qualify.


GDPR and Transactional Email

GDPR's consent requirements apply to marketing email — not to purely transactional email. Order confirmations, shipping notifications, password resets, and account alerts can be sent on the lawful basis of contract (processing necessary to perform a contract with the data subject) without separate marketing consent.

However, the marketing rules apply the moment a transactional email includes promotional content. An order confirmation that includes "You might also like these products" has a commercial element. For UK recipients that element requires PECR consent or the soft opt-in exemption; for EU recipients the national implementation of Article 13 of the ePrivacy Directive applies, which likewise requires prior consent or an existing-customer exemption for similar products, on top of a GDPR lawful basis.

For a full breakdown of the transactional vs marketing email distinction, see our transactional vs marketing email guide.


Data Processing Agreements with Your Email Platform

Under GDPR, your email marketing platform is a data processor — it processes personal data (your subscriber list) on your behalf. You are the data controller — you determine the purposes and means of processing.

GDPR Article 28 requires that you have a written Data Processing Agreement (DPA) in place with every data processor. The DPA must specify:

  • The subject matter and duration of processing
  • The nature and purpose of processing
  • The type of personal data and categories of data subjects
  • The obligations and rights of the controller
  • The processor's obligations under Article 28(3): act only on your documented instructions, keep its staff bound by confidentiality, implement appropriate security measures, engage sub-processors only with your authorisation, assist you with data subject requests and breach notifications, delete or return the data when the service ends, and make information available for audits

For email marketing: Confirm that your email platform offers a compliant DPA and that you have signed it. Most major platforms (including Migomail) provide DPAs as standard documents available in their terms of service or on request.

Sub-processors: Your email platform may use sub-processors — delivery infrastructure providers, analytics tools, cloud hosting. The DPA should list all sub-processors and include a mechanism for notifying you of any changes.


International Data Transfers

If your email platform stores subscriber data on servers outside the UK or EU — in the US, for example — this constitutes an international data transfer that requires a legal mechanism.

Valid transfer mechanisms for UK and EU data:

  • Standard Contractual Clauses (SCCs): Pre-approved contract terms published by the European Commission for transfers from the EU. Most email platforms that operate under GDPR include SCCs in their DPA.
  • UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU SCCs: The UK mechanisms for transfers from the UK.
  • Adequacy decisions: Some countries are deemed "adequate" by the EU or UK, meaning transfers there do not require additional safeguards. The US does not have a blanket adequacy decision, but the EU-US Data Privacy Framework (and its UK Extension, the UK-US data bridge) covers transfers to US organisations certified under it.

Practical step: Review your email platform's DPA and sub-processor list to confirm international transfers are covered by SCCs, IDTAs, or an adequacy mechanism. If the platform cannot demonstrate a valid transfer mechanism, it may not be compliant with GDPR for processing EU/UK subscriber data.


GDPR vs CAN-SPAM vs CASL: Compliance Comparison

For businesses emailing subscribers across multiple jurisdictions, apply the most restrictive law applicable to each subscriber.

Requirement | GDPR (EU / UK) | CAN-SPAM (USA) | CASL (Canada)
Lawful basis required | ✅ Yes, one of six bases | ❌ No | ✅ Yes, express or implied consent
Prior consent for marketing | ✅ Yes (consent basis) | ❌ No | ✅ Yes
Consent documentation | ✅ Yes: timestamp, method, wording | ❌ No | ✅ Yes
Pre-checked boxes permitted | ❌ No | ✅ Yes | ❌ No
Right to erasure | ✅ Yes, within one month | ❌ No | ✅ Limited
Right of access (SAR) | ✅ Yes, within one month | ❌ No | ❌ No
Unsubscribe required | ✅ Yes | ✅ Yes | ✅ Yes
Unsubscribe processing time | Without undue delay | 10 business days | 10 business days
DPA with email platform | ✅ Required | ❌ No | ❌ No
Maximum fine | €20M or 4% of global annual turnover, whichever is higher | $51,744 per email (adjusted annually for inflation) | $10M CAD per violation

The practical rule: Segment your list by subscriber location and apply the correct law to each group. For a US business with global subscribers, apply GDPR to UK and EU subscribers, CAN-SPAM to US subscribers, and CASL to Canadian subscribers. Our CAN-SPAM compliance guide and CASL compliance guide cover the US and Canadian requirements in full.


GDPR Email Marketing Compliance Checklist

Lawful Basis

  • Identified and documented the lawful basis for processing each category of subscriber data
  • For consent-based processing: consent collected via unchecked checkbox with specific, clear wording
  • For legitimate interests: Legitimate Interests Assessment documented and reviewed
  • For UK B2C senders: PECR soft opt-in conditions met (prior purchase, similar products, opt-out offered at collection)

Consent Collection

  • Opt-in checkboxes are unchecked by default — no pre-checked boxes anywhere in sign-up flows
  • Consent language identifies your company name, specific purpose, and right to withdraw
  • Email marketing consent is separate from terms of service acceptance
  • Consent records capture: timestamp, IP address, source URL, and exact wording shown

Data Subject Rights — Operational Processes

  • Unsubscribe mechanism in every marketing email — one-click, no barriers, no payment required
  • Erasure request process: documented workflow to delete all personal data within one month (extendable for complex requests), leaving only a suppression record
  • Subject Access Request process: documented workflow to compile data from every system and respond within one month
  • Rectification mechanism: subscribers can update their own data (preference centre or contact form)
  • Objection process: mechanism to stop processing when a legitimate interests objection is received

Supplier Compliance

  • Data Processing Agreement signed with email marketing platform
  • Sub-processor list reviewed — all international transfers covered by SCCs, IDTAs, or adequacy decision
  • Privacy policy updated to reflect current processing activities and reflect subscriber rights

Email Content

  • Every marketing email includes a functioning unsubscribe link
  • Transactional emails contain no promotional content (to maintain transactional exemption)
  • Data minimisation: only the personal data necessary for the email programme is collected

Breach Preparedness

  • Internal process for identifying and escalating personal data breaches
  • Breach notification process documented: notify the supervisory authority within 72 hours of becoming aware of a breach unless it is unlikely to result in a risk to individuals; notify affected data subjects without undue delay if the breach is likely to result in a high risk to them
  • Contact details for relevant supervisory authority (ICO for UK; lead supervisory authority for EU) recorded

Ongoing Maintenance

  • Consent records retained for the duration of the relationship plus a defensible post-relationship period
  • Re-permission campaign scheduled for subscribers inactive for 12+ months
  • Annual GDPR compliance review conducted
  • Staff with email marketing responsibilities have received GDPR training

Frequently Asked Questions

Does GDPR require double opt-in for email marketing?
No — GDPR does not explicitly require double opt-in. A single unchecked checkbox with clear, specific consent language constitutes valid GDPR consent. However, double opt-in produces a stronger consent record — confirming the email address is valid and under the subscriber's control, and generating an additional timestamped record of the confirmation click. For consumer audiences in regulated industries, double opt-in is strongly recommended as a risk management measure even though it is not legally mandated.

Can I use existing email subscribers under GDPR if I did not get explicit consent before GDPR came into force?
This depends on how the original consent was obtained. If subscribers were added to your list before GDPR with a consent mechanism that meets GDPR's standard — an unchecked checkbox with specific wording, a genuine double opt-in — that consent remains valid. If subscribers were added without any consent mechanism, or with a mechanism that does not meet the GDPR standard (pre-checked box, bundled consent), you need to obtain fresh GDPR-compliant consent before continuing to send marketing email to those subscribers. A re-permission campaign is the standard approach: one email asking subscribers to confirm they want to continue receiving your communications. Those who do not respond must be suppressed.

What is the difference between a GDPR unsubscribe and an erasure request?
An unsubscribe stops marketing email: the subscriber's email address remains in your suppression list and their data may remain in your CRM for other legitimate purposes. An erasure request (right to be forgotten) requires you to delete all personal data you hold about the individual, from your email platform, CRM, analytics tools and any other system, within one month. The only data you may retain after an erasure request is a suppression record (email address plus erasure date) to prevent the address from being re-added to your list. If a subscriber sends you an email asking you to "delete all my data," treat it as an erasure request regardless of whether they used that specific term.

Does GDPR apply to B2B email marketing?
Yes — GDPR applies to personal data of individuals, including business email addresses that identify or can be used to identify a natural person. john.smith@company.com is personal data under GDPR. A generic role address like info@company.com that does not identify a specific individual is typically not personal data. For B2B email marketing to individually identifiable business contacts in the EU or UK, GDPR applies. Legitimate interests may be a valid basis for B2B marketing email in some circumstances — where there is a genuine and relevant business relationship and the marketing is directly relevant to the contact's business role — but this requires a documented Legitimate Interests Assessment.

What are the fines for GDPR violations related to email marketing?
GDPR fines are tiered: lower-tier violations can result in fines up to €10 million or 2% of global annual turnover, whichever is higher. Upper-tier violations — including processing personal data without a lawful basis, which covers sending marketing email without consent — can result in fines up to €20 million or 4% of global annual turnover, whichever is higher. UK GDPR provides for equivalent fines in GBP. The highest single fine issued to date was €1.2 billion against Meta in 2023. For email marketing specifically, fines have typically been issued for large-scale sending without consent, failure to honour unsubscribe requests, and inadequate consent mechanisms. Small businesses are not typically subject to maximum fines for first-time or inadvertent violations, but enforcement risk is real.


Summary

GDPR email marketing compliance in 2026 rests on five operational pillars:

1. Lawful basis: Identify and document a valid GDPR lawful basis for processing subscriber data before you send the first email. For most B2C consumer marketing, this is consent. For B2B in some circumstances, legitimate interests may apply with a documented LIA.

2. Valid consent: Collect consent via unchecked checkboxes with specific, clear wording identifying your organisation, the purpose, and the right to withdraw. Record consent timestamp, IP address, source URL, and exact wording for every subscriber.

3. Data subject rights: Have documented processes for handling unsubscribe requests, erasure requests, subject access requests, and objections — all within the required timeframes.

4. Supplier compliance: Sign a GDPR-compliant Data Processing Agreement with your email platform and review sub-processor lists for international transfer compliance.

5. Ongoing maintenance: Re-permission inactive subscribers, retain consent records for the relationship duration, conduct annual compliance reviews, and train staff with email responsibilities.

GDPR compliance is not a one-time project — it is an ongoing operational discipline. The email list segmentation guide and email marketing best practices guides cover the list management and campaign practices that make GDPR compliance operationally sustainable rather than a constant compliance burden.

Start your free trial to access Migomail's GDPR-ready email infrastructure — real-time unsubscribe processing, erasure workflow support, consent-aware list management, and GDPR-compliant Data Processing Agreement available on all plans.


This guide provides general informational content about GDPR as it applies to email marketing and should not be construed as legal advice. GDPR interpretation and enforcement varies by jurisdiction, industry, and specific circumstances. Consult a qualified data protection professional or solicitor for advice specific to your organisation's situation.
