What are the key requirements of GDPR for email marketing?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

If you have EU subscribers, GDPR shapes nearly every part of your email program. Here's what it actually requires.

Explicit opt-in consent is the starting point. No pre-checked boxes, no consent bundled with account creation, no implied permission from a purchase (except the narrow soft opt-in exception). Subscribers must take an affirmative action specifically to receive marketing, and you need to record proof of that action. That means documenting when, how, and what they agreed to.

Transparency and granular control. At signup, tell subscribers clearly what they'll receive, how often, and from whom. Offer options where practical (newsletter vs. promotions vs. product updates). Don't combine multiple purposes into a single checkbox. In every email, the unsubscribe link must work immediately. No "we'll process this within 5-7 days" messages.

Individual rights you must honor. Subscribers can ask to see their data, correct it, export it, or have it deleted entirely. Deletion means removed from your systems, not just suppressed. Requests must be responded to within one month. You also can't charge for this or make it difficult.

Documentation throughout. If a regulator asks whether your consent was valid, you need records. If someone asks for their data, you need to be able to pull it.

GDPR compliance isn't a one-time checkbox. It's a framework you run your email program through. If you're not sure where your setup stands, book a free call and we'll go through it with you.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Help me audit my email program against GDPR requirements.

I read this on the Email Almanac about the key requirements of GDPR for email marketing. I want to audit my email program against these requirements. My situation: 1. How do subscribers currently opt in? [single opt-in / double opt-in / at purchase / imported / other] 2. Do I have documented consent records? yes / no / partially 3. Can I honor a data deletion request (not just an unsubscribe)? yes / no / unsure 4. Do subscribers have a clear way to update their preferences? yes / no 5. Does my signup form explain what they're signing up for? yes / vaguely / no --- My details: - Email platform/ESP: e.g. Mailchimp, Kit, ActiveCampaign, HubSpot - Domain(s): your sending domain - Sending volume: e.g. 5,000/month - Audience locations: EU-heavy / some EU / US only / global - Business type: B2B / B2C / newsletter / e-commerce - Laws I need to comply with: GDPR / PECR / all / unsure - Privacy policy in place: yes / no / in progress

Edit the yellow boxes, then send to the AI of your choice.