GDPR and email marketing: what to know before you send to Europe

The EU is a large, high-purchasing-power market with one specific complication: GDPR. Get it wrong and you are looking at fines up to 20 million euros or 4% of annual global turnover. This guide is for marketers who want to work with EU audiences without breaking the law.

GDPR has been in force since May 2018. Eight years on, most teams outside the EU still treat it as someone else's problem. The most common assumption: "We're not based in Europe." That is not how jurisdiction works here. GDPR applies based on where the recipient is located, not where the sender is registered. Send a campaign to a Berlin subscriber from an office in New York, Almaty, or Moscow — GDPR covers that send.

The fines are one concern. The complaints are another. GDPR violations generate subscriber complaints that feed into inbox provider databases. Gmail and Outlook both factor complaint rate into filtering decisions. A few dozen complaints from European subscribers can push your messages into spam across your entire list, not just the EU segment.

Below are the specific rules that affect daily email operations: what to collect, how to send, and how to keep your list clean. No legal paraphrasing, no generic privacy advice.

Consent: the foundation

GDPR defines six lawful bases for processing personal data. For marketing email, two are relevant: consent and legitimate interest. In practice, consent is the only reliable basis for bulk campaigns.

What counts as valid consent under GDPR:

1. Freely given — the person cannot be required to consent. Pre-ticked boxes are banned. "Subscribe to download the PDF" is fine if subscription is not the only way to get the content.
2. Specific — consent for email marketing must be separate from consent for other data processing purposes. A single "I agree to everything" checkbox does not cut it.
3. Informed — the subscriber needs to know what they are signing up for. "Weekly company news" works. "Newsletter" with no further detail does not.
4. Unambiguous — an active step is required: a checkbox the user ticks themselves. Silence and inaction do not equal consent.

One critical point: the burden of proof sits with the sender. The regulator does not need to prove consent was absent — you need to prove it was given. Record the timestamp, IP address, consent wording, and page URL. Keep those records for as long as you hold the address.

No consent record means no consent. EU regulators have held this position since 2018 and have not moved.

Double opt-in: not required, but the de facto standard

GDPR does not formally require double opt-in. But regulators treat it as the cleanest proof of consent, and Germany's Act Against Unfair Competition (UWG) effectively mandates it for sends to Germany, the largest EU market.

The flow: user fills out the form, receives a confirmation email, clicks the link. Only after that click does the address enter your sending list. Two steps instead of one.

Marketers often note that double opt-in cuts subscription conversion by 20-30%. That is accurate. But those who complete both steps are people who genuinely want your email. They complain less, open more, and stay subscribed longer. On a per-subscriber LTV basis, double opt-in almost always comes out ahead.

There is a secondary benefit: double opt-in filters out bots, typos, and accidental signups. Confirmed addresses are 95%+ valid, which directly lowers bounce rate and protects domain reputation.
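The two-step flow and the consent record described above, as an added example that is not code from the article or from uChecker. It assumes an HMAC-signed confirmation link with a 48-hour lifetime and an in-memory store; the signing key, the address and the hypothetical function names are constructed for the example.

```python
import hashlib, hmac, time
from dataclasses import dataclass, asdict
from typing import Dict, Optional

SECRET = b"example-signing-key-rotate-in-production"  # assumed key, constructed for this example
TOKEN_TTL = 48 * 3600  # assumed lifetime: confirmation links stop working after 48 hours

@dataclass
class ConsentRecord:
    email: str
    requested_at: int            # unix time the form was submitted
    ip: str
    consent_text: str            # exact wording shown next to the checkbox
    page_url: str
    confirmed_at: Optional[int] = None  # set only when the link is clicked

pending: Dict[str, ConsentRecord] = {}       # step 1 done, step 2 outstanding
sending_list: Dict[str, ConsentRecord] = {}  # only confirmed addresses live here

def _sign(email: str, issued: int) -> str:
    return hmac.new(SECRET, f"{email}|{issued}".encode(), hashlib.sha256).hexdigest()

def signup(email, ip, consent_text, page_url, now=None):
    """Step 1: capture the proof at submission time; return the token for the confirmation link."""
    now = int(time.time()) if now is None else now
    pending[email] = ConsentRecord(email, now, ip, consent_text, page_url)
    return f"{email}|{now}|{_sign(email, now)}"

def confirm(token, now=None):
    """Step 2: only a valid, unexpired, not-yet-used click moves the address to the sending list."""
    now = int(time.time()) if now is None else now
    try:
        email, issued_s, sig = token.rsplit("|", 2)
        issued = int(issued_s)
    except ValueError:
        return False
    if not hmac.compare_digest(sig, _sign(email, issued)):
        return False  # altered or forged link
    if now - issued > TOKEN_TTL or email not in pending:
        return False  # stale link, unknown signup, or already confirmed
    rec = pending.pop(email)
    rec.confirmed_at = now
    sending_list[email] = rec
    return True

def consent_proof(email):
    """The record you produce on request; None means no consent, so the address must not be mailed."""
    rec = sending_list.get(email)
    return asdict(rec) if rec else None
```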

Legitimate interest: where it actually applies

Legitimate interest is the second basis cited in email marketing, and it applies in narrow cases. The textbook example: a customer bought from you, and you send offers on similar products. Recital 47 of GDPR and Article 6(1)(f) both cover this scenario.

The conditions are real. You need a Legitimate Interest Assessment (LIA) — a documented weighing of your business interest against the recipient's rights. Every message needs a clear opt-out. And you must stop sending immediately if someone objects.

In practice, legitimate interest works for transactional and near-transactional email: delivery notifications, upsells tied to a recent purchase, subscription renewals. For cold outreach to a new audience, regulators are skeptical, fines are rising, and using legitimate interest as a shield for bulk sends is a real risk.

Tip: if you are working with EU audiences and unsure which basis to use, collect consent. It closes all questions. Save legitimate interest for situations where you already have an established customer relationship.

Subscriber rights that affect your operations

GDPR gives EU residents a set of rights over their personal data. Four matter most for email marketers:

Right of access (Article 15)

A subscriber can request all data you hold on them: email, signup date, campaign history, segments, tags, scoring results. You have 30 days to respond, at no charge.

Right to erasure (Article 17)

The "right to be forgotten." When a subscriber asks you to delete their data, you must delete it everywhere: main list, CRM, analytics platform, and any backups that will be restored. Unsubscribing is not the same as deletion — they are separate operations.

Right to rectification (Article 16)

If a subscriber finds that you hold inaccurate data about them, you must correct it. In practice this request comes up rarely, but the process needs to exist.

Right to portability (Article 20)

A subscriber can request their data in a machine-readable format (CSV, JSON) for transfer to another provider. For email marketing, this means exporting a subscriber profile on request.

Each right requires a documented process, not an improvised response when the first request arrives. Decide who handles requests, what the timeline is (up to 30 days), and how you verify the requester's identity. Regulators check for the existence of those processes, not just whether individual requests were fulfilled.

Data storage: collect less, keep it shorter

GDPR enforces data minimization: collect only what you need for the stated purpose. For email campaigns, that means an email address. First name is optional if you use it for personalization. Date of birth, phone number, city — only if there is a specific documented reason in your data processing policy.

The second principle is storage limitation. Data cannot be kept longer than necessary. A subscriber who has not opened an email in two years gives you no basis for holding their record. You need a sunset policy: a defined period after which inactive addresses are deleted from your list. Not archived. Deleted.

A practical retention window for email marketing is 12-24 months since last engagement. Write it into your privacy policy and automate the deletion in your ESP. This satisfies GDPR and improves list quality at the same time.
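An added example of the sunset automation, not code from the article or from uChecker. It assumes an 18-month window (inside the 12-24 month range above), treats a subscriber who never engaged as idle since their consent timestamp, and uses a constructed sample list.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

RETENTION_MONTHS = 18    # assumed sunset window, chosen inside the 12-24 month range
DAYS_PER_MONTH = 30.44   # calendar-month approximation for the cutoff

def sunset_sweep(subscribers: List[Dict], now: datetime,
                 retention_months: int = RETENTION_MONTHS) -> Tuple[List[Dict], List[str]]:
    """Split a list into (kept records, deleted addresses).

    A subscriber is kept only while their last engagement (open/click) is inside the
    window. Someone who never engaged is measured from the consent timestamp instead,
    because there is no later event that would justify holding the record.
    """
    cutoff = now - timedelta(days=retention_months * DAYS_PER_MONTH)
    kept, deleted = [], []
    for sub in subscribers:
        last_activity = sub.get("last_engaged_at") or sub["consented_at"]
        if last_activity >= cutoff:
            kept.append(sub)
        else:
            deleted.append(sub["email"])   # delete, do not archive
    return kept, deleted

def retention_log_entry(deleted: List[str], now: datetime,
                        retention_months: int = RETENTION_MONTHS) -> str:
    """One line for the processing record: what was purged, when, and under which policy."""
    return f"{now.isoformat()} sunset_sweep window={retention_months}m deleted={len(deleted)}"

# Constructed sample list; timestamps are timezone-aware UTC.
SAMPLE_NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE_SUBSCRIBERS = [
    {"email": "active@example.org", "consented_at": datetime(2022, 3, 1, tzinfo=timezone.utc),
     "last_engaged_at": datetime(2024, 11, 2, tzinfo=timezone.utc)},   # kept
    {"email": "stale@example.org", "consented_at": datetime(2021, 6, 1, tzinfo=timezone.utc),
     "last_engaged_at": datetime(2023, 2, 10, tzinfo=timezone.utc)},   # deleted: ~23 months idle
    {"email": "never@example.org", "consented_at": datetime(2022, 9, 1, tzinfo=timezone.utc),
     "last_engaged_at": None},                                         # deleted: measured from consent
    {"email": "fresh@example.org", "consented_at": datetime(2024, 12, 20, tzinfo=timezone.utc),
     "last_engaged_at": None},                                         # kept: consented recently
]
```

Widening the window to 24 months keeps the stale address but still drops the one that never engaged; the log line is what goes into your record of processing activities.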

Your ESP and third-party tools: compliance does not delegate

When a third-party service — your ESP, CRM, or analytics platform — processes EU subscriber data, you need a Data Processing Agreement (DPA) in place. This is a contract specifying that the processor complies with GDPR, which data they receive, for what purposes, and how they protect it.

Major platforms (Mailchimp, HubSpot, Brevo, Sendsay) include DPAs in their standard agreements. Still, check where data is physically stored. US-based servers require additional safeguards: Standard Contractual Clauses (SCCs) or confirmation that the provider participates in the EU-US Data Privacy Framework.

Cross-border data transfers caught many companies off-guard after Privacy Shield was invalidated in 2020. Audit your vendors. If they store data in the EU, you are covered. If not, confirm the transfer mechanism is documented and current.

Practical checklist for marketers

Eight steps that cover the main GDPR requirements for the email channel:

1. Implement double opt-in for all signup forms targeting EU audiences. The confirmation email should clearly state what the subscriber is signing up for.
2. Record proof of consent: timestamp, IP address, consent wording, page URL. Store these in a dedicated table or field in your CRM.
3. Include a visible unsubscribe link in every email. Since 2024, Gmail and Yahoo require one-click unsubscribe headers — confirm your ESP supports them.
4. Build a process for erasure requests (right to be forgotten). Assign ownership, set a deadline (within 30 days), and decide how you verify the requester's identity.
5. Audit third-party services: ESP, analytics, CRM. Each needs an active DPA. For services outside the EU, confirm SCC or Data Privacy Framework participation.
6. Set a retention period for email data. 12-24 months since last engagement is a reasonable default. Automate deletion of inactive addresses.
7. Update your privacy policy: specify what data you collect for email campaigns, on what legal basis, how long you keep it, who you share it with, and how subscribers can exercise their rights.
8. Validate your list before each send to your EU segment. Invalid addresses generate bounces, bounces lead to complaints, and complaints attract regulatory attention.
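The one-click unsubscribe headers from step 3 (RFC 8058, the mechanism Gmail and Yahoo check), as an added example that is not code from the article or from uChecker: the outbound headers, a check you can run over your ESP's output, and the endpoint that must honour the provider's POST. The domain, mailbox, endpoint and token store are assumptions constructed for the example.

```python
from email.message import EmailMessage
from urllib.parse import quote
from typing import Dict, Set

# Assumed domain, mailbox and endpoint; all constructed for this example.
SENDER = "news@example.org"
UNSUB_MAILBOX = "unsubscribe@example.org"
UNSUB_BASE = "https://mail.example.org/u"

def build_campaign_message(to_addr: str, subject: str, body: str, token: str) -> EmailMessage:
    """Outbound message carrying the RFC 8058 one-click unsubscribe headers."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = to_addr
    msg["Subject"] = subject
    url = f"{UNSUB_BASE}/{quote(token, safe='')}"
    # Both a mailto and an https target; the https one is what the provider POSTs to.
    msg["List-Unsubscribe"] = f"<mailto:{UNSUB_MAILBOX}?subject={quote(token, safe='')}>, <{url}>"
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    msg.set_content(f"{body}\n\nUnsubscribe: {url}\n")  # visible link in the body as well
    return msg

def has_one_click_unsubscribe(msg: EmailMessage) -> bool:
    """Check an ESP's output: https target present and the POST header carries the exact required value."""
    lu = msg.get("List-Unsubscribe", "")
    post = msg.get("List-Unsubscribe-Post", "")
    return "<https://" in lu and post.strip() == "List-Unsubscribe=One-Click"

# Receiving side: per-recipient token -> address lookup and the suppression set (in-memory here).
TOKENS: Dict[str, str] = {}
SUPPRESSED: Set[str] = set()

def handle_unsubscribe_post(token: str, form_body: str) -> int:
    """Endpoint behind the https target. Returns an HTTP status code.

    The mailbox provider POSTs 'List-Unsubscribe=One-Click' with no cookies and no
    further clicks, so the address must be suppressed on this request alone.
    """
    if form_body.strip() != "List-Unsubscribe=One-Click":
        return 400
    email = TOKENS.get(token)
    if email is None:
        return 404          # unknown or already-rotated token
    SUPPRESSED.add(email)   # suppression, not erasure: the record and its consent proof are kept
    return 200
```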

Fines: numbers to understand the scale

GDPR runs on two tiers. Violations of procedural requirements (record-keeping, breach notification) can draw up to 10 million euros or 2% of global annual turnover. Violations of core principles — no valid consent, ignoring subject rights — go up to 20 million euros or 4%.

A few real enforcement actions from email marketing and adjacent areas:

  • CNIL (France) — fined multiple companies for sending without valid consent. Amounts ranged from 20,000 to 400,000 euros for small and mid-size businesses.
  • AEPD (Spain) — consistent fines for sending marketing email after unsubscribe. 5,000-50,000 euros per incident.
  • DPC (Ireland) — the 1.2 billion euro fine against Meta in 2023 for cross-border data transfers. Not about email directly, but a clear precedent for anyone moving EU resident data outside the bloc.

The fine is not the worst outcome. An order to stop processing data is. That means a complete halt to email sends until the violation is remediated. For any business that depends on the email channel, that costs more than any financial penalty.

List validation as a GDPR compliance step

Article 5(1)(d) requires that personal data be "accurate and, where necessary, kept up to date." Email addresses age out: people change jobs, close accounts, let domains expire. By our data, a list loses 20-25% of its valid addresses over a year.

Regular validation is not just a technical step for managing bounce rate. Storing a known-invalid address violates the data minimization principle: the data no longer serves the stated purpose (delivering a campaign), so there is no basis for keeping it.

A pre-send validation check handles three things at once: removes invalid addresses (compliance), cuts bounce rate (reputation), and filters spam traps (deliverability safety).

In uChecker you can check a list in minutes: syntax, MX records, mailbox existence, disposable and role-based addresses. The result is a clean list that meets both technical provider requirements and GDPR accuracy principles.

GDPR as a quality filter, not a blocker

Companies that build GDPR-compliant processes tend to notice a side effect: their email metrics improve. Consent-based lists produce higher open rates, lower complaint rates, and better deliverability. This is not a coincidence. GDPR pushes you to do what good marketers were already doing: collect real consent, clean the list, respect unsubscribes, drop stale data.

The difference now is that non-compliance carries financial consequences large enough to matter for businesses of any size.

Start with an audit of your current EU segment. For each address, is there proof of consent? If yes, you are in good shape. If not, move those addresses to a separate list and run a re-consent campaign. Then audit your vendors, update your privacy policy, and set up retention automation.

For most teams, this is one to two weeks of focused work. After that, you can scale EU campaigns without watching for regulatory action.

Start with the technical layer: make sure your list is clean. Check your addresses in uChecker — remove invalid, risky, and disposable emails before your next send.
