The GDPR Email Compliance Checklist Most Guides Get Wrong
You launched a newsletter, grew to 10,000 subscribers, and just realized your signup form says "By creating an account, you agree to our Privacy Policy" - with marketing consent buried in paragraph nine. That's not consent. That's a liability.
Meta's EUR 1.2B fine wasn't about email marketing, but it proved regulators aren't bluffing. GDPR violations carry fines up to EUR 20M or 4% of global annual turnover - whichever is higher. Most GDPR email compliance checklists cover the basics and stop there. They miss the ePrivacy layer, the separate directive that governs your tracking pixels, your open rates, and your cold outreach. This guide doesn't skip that part.
If You're Short on Time
These five actions close the biggest compliance gaps:
- Separate marketing consent from account/service consent. Use an unchecked checkbox. "Agree to Privacy Policy" isn't marketing opt-in.
- Implement double opt-in. It's effectively mandatory in Italy and Germany, and it's your strongest proof of consent everywhere else.
- Understand that ePrivacy governs email marketing on top of GDPR. Your open-tracking pixel needs its own consent basis.
- Set concrete data retention schedules. "As long as necessary" isn't a schedule - it's an audit finding waiting to happen.
- Verify your email list before every campaign. Sending to invalid addresses is unnecessary processing and a data minimization problem.
Now let's get into the full list, including five items most teams skip entirely.
GDPR vs ePrivacy - Why Most Guides Miss This
GDPR isn't the only regulation governing your email marketing. The ePrivacy Directive (2002/58/EC) is a separate law covering electronic communications, and where it contains a specific rule for a processing operation, that rule applies instead of the general GDPR one (the lex specialis principle; GDPR Article 95 and Recital 10 of the ePrivacy Directive are the usual citations). EDPB Opinion 5/2019 confirmed the practical rule: where a specific ePrivacy provision governs a processing operation, you apply it; otherwise GDPR applies.

Here's the thing: EDPB Guidelines 2/2023 clarified that ePrivacy Article 5(3) can apply to tracking pixels, URL tracking, and IP-based tracking originating from a user's device. That invisible image loaded when someone opens your email? It falls under ePrivacy and requires consent - consent that must meet GDPR's standard. Most marketing teams don't even know this risk exists.
The proposed ePrivacy Regulation was abandoned in early 2025 after years of failed negotiations, so we're stuck with a patchwork of national implementations. Germany and Italy are stricter. The Nordics tend to be more pragmatic. Your compliance posture needs to account for where your subscribers live, not just where you're based. The CMS GDPR Enforcement Tracker catalogs fines across Europe, and email marketing violations appear regularly.

Sending to invalid emails isn't just a deliverability problem - it's a data minimization violation under Article 5(1)(c). Prospeo's 5-step verification delivers 98% email accuracy on a 7-day refresh cycle, with signed DPAs available on request. No audit surprises.
Stop processing data you don't need. Verify every address before you send.
The Full Compliance Checklist
Identify Your Lawful Basis
Every email needs a lawful basis under GDPR Article 6. For marketing, that's almost always consent. For B2B cold outreach, legitimate interest under Article 6(1)(f) can work, but you need to document a Legitimate Interest Assessment covering purpose, necessity, and balancing per EDPB draft Guidelines 1/2024. It's what regulators ask for first.

Implement Double Opt-In
GDPR doesn't explicitly require double opt-in. But Italy's Garante fined Noi Compriamo Auto S.r.l. EUR 45,000 in June 2025 and called DOI a "minimum standard of protection." Germany treats it as de facto required through case law. Even where single opt-in is technically legal, DOI gives you a timestamped confirmation click - the strongest audit trail you can produce.
We've seen teams skip DOI to protect conversion rates, then scramble when a DPA inquiry lands. The conversion hit is real but small. The compliance protection is enormous.
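The audit trail described above is only as good as the confirmation mechanism behind it. The following is an added example (not code from the article or any ESP) of a double opt-in flow whose confirmation link carries an HMAC-signed token, so a confirmation click proves that this address, for this list and this version of the consent wording, was confirmed, and the link cannot be edited to confirm somebody else's address. The secret, the 48-hour link lifetime, the field names and the sample addresses are assumptions for the example; in production the secret comes from a secrets manager and the record goes to your consent table.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, asdict
from typing import Optional

# Assumptions for this example: the HMAC secret comes from your KMS or secrets
# manager in production (never hard-coded), and confirmation links live 48 hours.
DOI_SECRET = b"example-only-secret-do-not-use-in-production"
TOKEN_TTL_SECONDS = 48 * 3600


def normalize_email(addr: str) -> str:
    # Local parts are case-sensitive per RFC, but matching consent records
    # case-insensitively is the conservative choice for a mailing list.
    return addr.strip().lower()


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_doi_token(email: str, list_id: str, consent_version: str,
                    now: Optional[float] = None) -> str:
    """Token for the confirmation link: the payload (address, list, version of
    the consent wording shown, issue time) is signed with HMAC-SHA256, so the
    click proves *this* address was confirmed for *this* list and wording."""
    now = time.time() if now is None else now
    payload = {"email": normalize_email(email), "list": list_id,
               "cv": consent_version, "iat": int(now)}
    body = _b64u(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64u(hmac.new(DOI_SECRET, body.encode("ascii"), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_doi_token(token: str, now: Optional[float] = None) -> dict:
    """Return the payload if the signature verifies and the token is unexpired;
    raise ValueError otherwise. Signature first, in constant time, so a forged
    token learns nothing about which timestamps would have been accepted."""
    now = time.time() if now is None else now
    body, sep, sig = token.partition(".")
    if not sep or not sig.isascii():
        raise ValueError("malformed token")
    expected = _b64u(hmac.new(DOI_SECRET, body.encode("ascii"), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    payload = json.loads(_b64u_decode(body))
    if now - payload["iat"] > TOKEN_TTL_SECONDS:
        raise ValueError("token expired")
    return payload


@dataclass(frozen=True)
class ConsentRecord:
    """What you keep to answer a complaint: who, to what wording, when (epoch
    seconds, UTC), from where, and by which method."""
    email: str
    list_id: str
    consent_version: str
    method: str
    requested_at: int
    confirmed_at: int
    confirm_ip: str
    confirm_user_agent: str


def record_consent(token: str, confirm_ip: str, confirm_user_agent: str,
                   now: Optional[float] = None) -> ConsentRecord:
    """Confirmation-link handler. Fails closed: nothing is written unless the
    token verifies, and the marketing flag should be set only from this record."""
    now = time.time() if now is None else now
    p = verify_doi_token(token, now=now)
    return ConsentRecord(email=p["email"], list_id=p["list"], consent_version=p["cv"],
                         method="double_opt_in", requested_at=p["iat"],
                         confirmed_at=int(now), confirm_ip=confirm_ip,
                         confirm_user_agent=confirm_user_agent)


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed timestamp so the demo is reproducible
    tok = issue_doi_token("  Alice@Example.COM ", "weekly-digest", "privacy-v3", now=t0)
    rec = record_consent(tok, "203.0.113.7", "Mozilla/5.0", now=t0 + 600)
    print(json.dumps(asdict(rec), indent=2))
```

The point of binding the consent wording version into the token is that when you change the checkbox text, older records still say exactly what the subscriber agreed to; the point of the expiry is that a confirmation link forwarded months later does not silently create consent.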
Separate Marketing Consent
"By creating an account, you agree to our Privacy Policy" isn't valid marketing consent. This is the exact scenario founders stress about on r/SaaS - and they're right to worry. Marketing opt-in needs its own unchecked checkbox, specific to the type of communications you'll send.
Minimize Data on Signup Forms
Collect only what you need for the stated purpose. For a newsletter, that's email and maybe first name - not job title, company size, and phone number. Every field needs a justification under Article 5(1)(c). If you can't explain why you need it for the newsletter, drop it.
If you're building lists for outbound, use firmographic filters and enrichment later instead of collecting everything upfront.
Disclose Content and Frequency
At the point of collection, tell subscribers what they're signing up for. Weekly product updates? Monthly digests? Promotional offers from partners? State the frequency, content type, and sender identity. "Occasional updates" won't hold up in front of a regulator.
If you need examples that keep expectations clear, borrow patterns from these email subject lines and keep the promise consistent.
Include One-Click Unsubscribe
Immediate unsubscribe, not "within 10 business days." Every marketing email needs a visible, functional unsubscribe mechanism. Set the List-Unsubscribe and List-Unsubscribe-Post headers (RFC 8058) as well, so mailbox providers can offer a one-click unsubscribe that works without loading a page; Gmail and Yahoo require them from bulk senders. And distinguish between unsubscribe and right to erasure - they trigger different processes. Unsubscribe stops marketing. Erasure deletes all data. Conflating the two creates operational headaches and compliance gaps simultaneously.
Get Consent for Email Tracking
This is the compliance risk most teams don't know they have.
Per EDPB Guidelines 2/2023, tracking pixels and URL tracking fall under ePrivacy Article 5(3) and require consent separate from your marketing opt-in. The CJEU's Advocate General has argued that even editorial-style newsletters with economic objectives qualify as "direct advertising" under ePrivacy, broadening the scope further. Most ESPs don't make this easy to manage, and most companies are technically non-compliant right now. Fixing this is one of the fastest ways to reduce risk without overhauling your entire growth strategy.
If you want the technical breakdown of what counts as a pixel and what gets logged, see our guide to email tracking pixels.
Audit Your ESP's Data Processing Agreement
Every vendor processing personal data on your behalf needs a signed DPA. Check sub-processors, data storage locations, and international transfer mechanisms. Your internal incident process must support the 72-hour notification requirement under GDPR Article 33, and your DPA should require fast vendor breach notification so you can meet that deadline.
If your ESP can't produce a DPA on request, switch providers.
If deliverability is part of your vendor review, use an email deliverability guide to audit the basics alongside compliance.
Set Data Retention Schedules
Don't write "as long as necessary" in your retention policy. Use the reference table below for concrete timeframes. Regulators want specifics, and vague language is the fastest way to turn a routine audit into an enforcement action.

Verify Your List Before Every Campaign
Sending to invalid email addresses is unnecessary processing and a data minimization problem under Article 5(1)(c). Verify before you send. We use Prospeo's real-time verification for this - 98% email accuracy on a 7-day data refresh cycle, with DPAs available for GDPR compliance.
If you need a broader tool comparison, start with these email reputation tools and then pick a verifier that fits your volume.

Data Retention Schedule
| Data Type | Retention | Rationale |
|---|---|---|
| Active subscriber data | Duration of relationship | Necessary for service |
| Suppression list (email + opt-out) | Indefinite | Prevents re-contact |
| Consent evidence (timestamp, IP) | 5-7 years after the relationship ends | Defends complaints |
| Engagement data (opens, clicks) | 2-3 years | Diminishing value |
| Other data post-unsubscribe | Delete within 30-90 days | Data minimization |
The suppression list is the one teams get wrong most often. You need to keep unsubscribed email addresses indefinitely - not to market to them, but to ensure you never accidentally re-add them from another source. Deleting everything on unsubscribe feels like the "privacy-friendly" move, but it actually creates more risk.
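The retention table and the suppression-list rule above are two halves of one process: unsubscribing must add the address to a list you never delete, while a scheduled sweep removes everything else on the timeframes you committed to. The following is an added example (not the article's code or any ESP's) showing both, with the retention windows pinned to concrete values inside the table's ranges. The in-memory store, the pepper used to key the suppression hashes, the field names and the sample subscribers are all assumptions constructed for the example; storing a keyed hash instead of the plaintext address in the suppression table is one design choice, made so that an indefinitely retained table is not a readable list of everyone who opted out.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Retention windows pinned to concrete values inside the table's ranges
# (assumptions for this example; pick yours and write them into the policy).
ENGAGEMENT_RETENTION = timedelta(days=3 * 365)        # opens/clicks: 2-3 years
POST_UNSUB_GRACE = timedelta(days=30)                 # other data after unsubscribe: 30-90 days
CONSENT_EVIDENCE_RETENTION = timedelta(days=6 * 365)  # consent evidence: 5-7 years after end
SUPPRESSION_PEPPER = b"example-only-pepper"           # assumption: secret held outside the DB
DEMO_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed "today" for the demo


def normalize_email(addr: str) -> str:
    return addr.strip().lower()


def suppression_key(addr: str) -> str:
    """Keyed hash of the normalized address. Re-imports still match, but a
    leaked suppression table is not a readable list of people who opted out."""
    return hmac.new(SUPPRESSION_PEPPER, normalize_email(addr).encode(), hashlib.sha256).hexdigest()


@dataclass
class Subscriber:
    email: str
    consent: dict                                    # evidence written at double opt-in
    first_name: Optional[str] = None
    engagement: list = field(default_factory=list)   # [(event, timestamp), ...]
    unsubscribed_at: Optional[datetime] = None


@dataclass
class Store:                                          # stand-in for your database tables
    subscribers: dict = field(default_factory=dict)  # normalized email -> Subscriber
    suppressed: dict = field(default_factory=dict)   # suppression_key -> when opted out


def unsubscribe(store: Store, addr: str, now: datetime) -> None:
    """Unsubscribe is not erasure: stop marketing now, add the address to the
    suppression list for good, and let the sweep delete the rest on schedule."""
    key = normalize_email(addr)
    store.suppressed.setdefault(suppression_key(key), now)
    sub = store.subscribers.get(key)
    if sub is not None and sub.unsubscribed_at is None:
        sub.unsubscribed_at = now


def import_addresses(store: Store, addrs) -> dict:
    """Gate every new source (CSV upload, CRM sync, partner list) through the
    suppression list before any double opt-in mail goes out."""
    result = {"accepted": [], "suppressed": [], "duplicate": []}
    for raw in addrs:
        addr = normalize_email(raw)
        if suppression_key(addr) in store.suppressed:
            result["suppressed"].append(addr)
        elif addr in store.subscribers:
            result["duplicate"].append(addr)
        else:
            result["accepted"].append(addr)
    return result


def retention_sweep(store: Store, now: datetime) -> dict:
    """Apply the schedule; returns counts so each run can be logged as evidence."""
    stats = {"engagement_events_dropped": 0, "profiles_minimized": 0, "records_deleted": 0}
    for key in list(store.subscribers):
        sub = store.subscribers[key]
        kept = [(ev, ts) for ev, ts in sub.engagement if now - ts <= ENGAGEMENT_RETENTION]
        stats["engagement_events_dropped"] += len(sub.engagement) - len(kept)
        sub.engagement = kept
        if sub.unsubscribed_at is None:
            continue
        since_end = now - sub.unsubscribed_at
        if since_end > CONSENT_EVIDENCE_RETENTION:
            del store.subscribers[key]          # suppression entry deliberately untouched
            stats["records_deleted"] += 1
        elif since_end > POST_UNSUB_GRACE and (sub.first_name is not None or sub.engagement):
            sub.first_name, sub.engagement = None, []   # keep address + consent evidence only
            stats["profiles_minimized"] += 1
    return stats


def build_demo_store(now: datetime = DEMO_NOW) -> Store:
    """Constructed sample data: one active reader, one recent opt-out, one old opt-out."""
    store = Store()
    evidence = {"method": "double_opt_in", "consent_version": "privacy-v3"}
    store.subscribers["alice@example.com"] = Subscriber(
        "alice@example.com", evidence, "Alice",
        [("open", now - timedelta(days=4 * 365)), ("click", now - timedelta(days=365))])
    store.subscribers["bob@example.com"] = Subscriber(
        "bob@example.com", evidence, "Bob", [("open", now - timedelta(days=10))])
    unsubscribe(store, "bob@example.com", now - timedelta(days=40))
    store.subscribers["carol@example.com"] = Subscriber("carol@example.com", evidence, "Carol")
    unsubscribe(store, "carol@example.com", now - timedelta(days=7 * 365))
    return store


if __name__ == "__main__":
    store = build_demo_store()
    print(retention_sweep(store, DEMO_NOW))
    print(import_addresses(store, ["Carol@Example.com", "dave@example.com", "alice@example.com"]))
```

Run the sweep on a schedule and keep its counts: a log line saying "deleted 1,204 records past their retention date on 2025-01-01" is the kind of specific evidence a regulator asks for when your policy says "90 days" rather than "as long as necessary". The sweep never touches the suppression table, which is the whole point of the rule above.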
Cold Email Under GDPR
Cold email isn't illegal under GDPR. But it isn't a free-for-all either.

B2B teams typically rely on legitimate interest under Article 6(1)(f), which requires a three-part test: legitimate purpose, necessity, and a balancing exercise confirming the recipient's rights don't override your interest. Document this in a Legitimate Interest Assessment before you send a single message.
Even if GDPR gives you a lawful basis, ePrivacy rules in the recipient's country can still require prior consent for unsolicited electronic marketing. Germany and Italy are commonly treated as stricter jurisdictions for B2B outreach. The "soft opt-in" exception under ePrivacy Article 13(2) only applies to existing customers receiving marketing for similar products - it doesn't cover cross-selling unrelated products or promoting partner offers, which need separate consent.
If you're running outbound, build your process around a documented B2B cold email sequence and keep opt-out handling consistent across every step.
Our honest take: if your average deal size is under EUR 5,000, you probably don't need to cold-email EU prospects at all. The compliance overhead eats the margin. Focus your EU efforts on inbound and save cold outreach for markets with simpler rules. For teams that do run cold outreach across the US and EU, remember that CAN-SPAM penalties run $51,744-$53,088 per non-compliant message. Different law, different requirements, same principle: document everything and make opting out frictionless.
If you're unsure whether your acquisition method is defensible, read Is It Illegal to Buy Email Lists? before you scale.
Skip cold email in the EU entirely if you can't dedicate someone to maintaining the LIA documentation and monitoring local ePrivacy implementations. The risk-reward math just doesn't work for small teams.

Your GDPR compliance checklist requires a DPA from every vendor processing personal data. Prospeo is fully GDPR compliant with DPAs available instantly - no sales calls, no contract negotiations. 143M+ verified emails, 98% accuracy, and a data refresh cycle 6x faster than the industry average.
Build compliant prospect lists with data you can actually defend to a regulator.
FAQ
Is cold email legal under GDPR?
Yes, with a lawful basis - typically legitimate interest for B2B outreach targeting professional roles. But ePrivacy rules in the recipient's country can still require consent, especially in Germany and Italy. Document a Legitimate Interest Assessment, check local laws, and always include an easy opt-out.
Is double opt-in mandatory under GDPR?
Not explicitly, but Italy's DPA called it a "minimum standard of protection" in a June 2025 enforcement action, and German case law treats it as required. DOI is the strongest way to prove consent in an audit. Use it.
How do I keep my email list compliant?
Use a verification tool before every campaign to remove invalid addresses - this supports data minimization by eliminating unnecessary processing. Beyond verification, audit consent records regularly and remove contacts who haven't engaged in 12+ months. Stale contacts with no engagement are hard to justify retaining under GDPR's storage limitation principle.
What does GDPR compliant email marketing actually require?
At minimum: a lawful basis for processing (usually consent), transparent disclosures at collection, data minimization, retention schedules, and a functioning unsubscribe mechanism. Layer in ePrivacy requirements for tracking and cold outreach, and you have the full picture. This isn't a one-time project - it needs regular audits as regulations evolve and enforcement tightens.
How is marketing compliance different from general GDPR?
Marketing adds requirements specific to electronic communications, particularly consent granularity, tracking technologies, and the ePrivacy Directive. General GDPR covers data subject rights, breach notification, and DPAs, all of which still apply. But marketing teams face the additional burden of proving opt-in consent for each communication channel and tracking method separately. That layering is exactly what makes email compliance harder than most teams expect.