GDPR Email Marketing: What You Actually Need to Do (Not Just What the Law Says)
You copied a big SaaS company's signup flow. "By creating an account, you agree to our Privacy Policy" - and somewhere on page 14 of that policy, there's a line about promotional emails. You figured if Notion or Slack does it, it must be legal. It's not. And the 2,100+ fines totaling over €4.4 billion say regulators aren't bluffing.
GDPR didn't kill email marketing. It killed lazy email marketing. The market's projected to hit $18.9 billion by 2028, and compliant senders are the ones capturing that growth - because people actually want to hear from them.
The Short Version
Use double opt-in with a separate, unchecked marketing checkbox. Never bury consent in your privacy policy or terms of service. An unchecked box that the user actively ticks is the cleanest, most defensible approach.
Existing customers get a narrow "soft opt-in" exception - but only for your own similar products, and only if you offer an easy opt-out at the point of capture and in every email.
Verify your list before every send. Stale data undermines GDPR's accuracy expectations and tanks your deliverability. Both problems are avoidable.
Two Laws, Not One
Most guides talk about GDPR like it's the only regulation that matters for email. It's not. Email marketing sits under two overlapping frameworks, and the stricter one wins.

GDPR sets the ground rules for processing personal data - lawful basis, transparency, data subject rights. The ePrivacy Directive, which EU member states implement through national legislation, specifically governs electronic communications, including marketing emails. Per the Certified Senders Alliance guidance, Article 13 of the ePrivacy Directive takes precedence over GDPR for marketing emails. That's the critical point most marketers miss.
Here's the thing: legitimate interest under GDPR Art. 6(1)(f) isn't sufficient by itself to send marketing emails. The ePrivacy Directive demands either prior consent or a valid soft opt-in. Legitimate interest can cover your internal data processing, but it doesn't give you permission to hit "send" on a promotional campaign.
Consent vs. Soft Opt-In
There are two legal paths to sending GDPR-compliant email, with very different requirements.

When You Need Explicit Consent
You need proper opt-in consent when you're emailing someone who hasn't bought from you - new newsletter subscribers, contacts from purchased lists, anyone receiving partner or third-party promotions. Consent must be freely given, specific, informed, and unambiguous, which means an affirmative action like ticking an empty checkbox. The CJEU's Planet49 ruling established that pre-ticked boxes and blanket "I agree" patterns don't count.
A common scenario from r/SaaS: someone buys Product A, and the company emails them promos for Products B, C, and partner products under the same sender name. Buying one product doesn't give you a blank check to promote everything in your portfolio.
When Soft Opt-In Applies
Soft opt-in is narrower than most marketers think. All four conditions must be met simultaneously:
- The recipient is an existing customer who gave you their email during a sale or negotiation.
- You're marketing your own similar products or services.
- You offered a clear, free, easy opt-out at the point of email capture.
- You include an opt-out in every subsequent email, and they haven't refused.
Miss any one of those, and you're back to needing explicit consent. Even when soft opt-in is legally valid, recipients who didn't explicitly subscribe are more likely to mark you as spam. That's why double opt-in remains the safer choice for both compliance and deliverability.
In Germany, the Unfair Competition Act (UWG) is the local legal hook for a soft opt-in-style exception, and the bar for "similar products" is treated strictly in practice.
B2B vs. B2C: Different Rules
This catches a lot of teams off guard.
| | B2C | B2B (Corporate Email) |
|---|---|---|
| Default model | Opt-in required | Rules vary by country; corporate outreach is often treated differently |
| Consent needed? | Yes, explicit | Not always - transparency + unsubscribe are still mandatory |
| Key caveat | Pre-ticked boxes invalid | Germany and some other markets apply stricter opt-in rules broadly |
| Personal email | Always opt-in | Always opt-in |
The distinction hinges on whether you're emailing a corporate address (firstname@company.com) or a personal one. Some countries treat B2B prospecting under a more permissive model, but the details depend on each country's ePrivacy implementation. EU email marketing regulations differ significantly from one member state to another, so don't assume one country's rules apply everywhere.
Let's be honest: if your average contract value is under €5k, you probably don't need to overthink B2B cold email compliance. A clear sender identity, a real reason for reaching out, and a one-click unsubscribe will keep you safe in most jurisdictions. The companies getting fined aren't sending 50 thoughtful cold emails a day - they're blasting purchased lists of 100,000 contacts with no opt-out.
Five Mistakes That Get Companies Fined
We've audited enough email programs to see the same failures repeat. These five account for the vast majority of compliance problems.

1. Consent Buried in the Privacy Policy
The most common pattern on r/SaaS: "Big companies do it, so it must be fine." Burying marketing consent inside a privacy policy that users click "agree" to doesn't meet the specificity or unambiguity requirements. You need a separate, clearly labeled marketing consent mechanism. Full stop.
2. The Receipt Email Dark Pattern
A post on r/gdpr described retail staff asking for emails "for your receipt" while secretly enrolling customers in promotional lists. Management was pushing a 60% data capture target. Textbook misleading purpose - the email was collected for one reason and used for another without consent.
3. Pre-Ticked Checkboxes
Still happening in 2026. A pre-ticked "Send me marketing emails" box doesn't count as consent. The box must start unchecked. This isn't ambiguous.
4. Cross-Selling Beyond Scope
If someone bought your CRM tool, you can't email them about your unrelated HR product under soft opt-in. "Similar products" means similar - not "anything we sell." If you're building a portfolio motion, it helps to understand cross-selling boundaries before you write the first campaign.
5. Emailing a Pre-GDPR List Without Re-Permissioning
If you built your list before May 2018 and never re-permissioned it, those contacts aren't compliant. Austrian Post was fined €9.5 million for insufficient fulfillment of data subject rights. The cost of re-permissioning is always less than the cost of a regulator's attention.

GDPR requires your contact data to be accurate and up-to-date. Stale lists mean bounces, spam complaints, and compliance risk. Prospeo refreshes all 300M+ profiles every 7 days and runs 5-step verification with spam-trap and honeypot removal - so every email you send lands at a real, active inbox.
Stop risking fines on dirty data. Start with 98% verified emails.
Building a Compliant Signup Form
Every guide tells you to "get consent." Here's what a compliant form actually looks like, drawn from Usercentrics' consent guidance.

Email field - standard input, nothing hidden. Below it, an unchecked marketing checkbox separate from any terms or privacy acceptance. Label it clearly: "Yes, send me product updates and offers via email." Keep the submit button disabled until the checkbox is ticked to prevent accidental submissions.
Near the checkbox, add a purpose statement - one or two sentences explaining what emails the user will receive and how often. Link to your privacy policy visibly, not buried in a footer. Then send a confirmation email with a verification link they must click. That's your double opt-in, proving address ownership and creating a timestamped consent record.
Double opt-in gives you a smaller list. It also gives you a defensible list. We've seen teams lose weeks to email deliverability recovery after single opt-in lists triggered spam traps - a problem that never would've existed with double opt-in.
Consent Log Template
Most compliance guides stop at "keep records." None give you the data model. Here's the schema you should be logging for every subscriber:
| Field | Example |
|---|---|
| Name | Jane Smith |
| Email | jane@company.com |
| Timestamp | 2026-03-15 14:22 UTC |
| Mechanism | Unchecked checkbox |
| Choice | Opted in |
| Policy version | Privacy Policy v3.2 |
| Marketing text | "Product updates & offers" |
| Status | Marketable |
| Justification | Double opt-in confirmed |
| Update log | - |
Update this log whenever status changes - unsubscribes, new purchases that trigger soft opt-in, re-permissioning campaigns. This is how you demonstrate compliance under GDPR's accountability principle.
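To make the schema concrete, here is an added example (our illustration, not code from any vendor or guide cited on this page) of a small Python consent log that stores the fields from the table above and implements the double opt-in flow from the signup-form section together with the soft opt-in rules from earlier. It assumes in-memory storage, a 48-hour lifetime for the confirmation link, and a product category as a stand-in for "similar products"; the sample names and addresses are constructed. None of those assumptions come from the regulations themselves.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

CONFIRM_WINDOW = timedelta(hours=48)   # assumed lifetime of a confirmation link
HOUR = timedelta(hours=1)
T0 = datetime(2026, 3, 15, 14, 22, tzinfo=timezone.utc)  # the table's sample timestamp


@dataclass
class ConsentRecord:
    """One row of the consent log; field names follow the table above."""
    name: str
    email: str
    timestamp: datetime          # when the choice was captured (UTC)
    mechanism: str               # e.g. "Unchecked checkbox"
    choice: str                  # "Opted in", "Not opted in", "Opted out", "Not refused"
    policy_version: str
    marketing_text: str          # exact wording shown beside the checkbox
    status: str                  # "Pending", "Marketable", "Not marketable"
    justification: str           # why the status holds
    scope: set = field(default_factory=set)   # {"all"} for explicit consent, product categories for soft opt-in
    update_log: list = field(default_factory=list)
    token_hash: str = ""         # SHA-256 of the confirmation token; the token itself is never stored
    token_expires: Optional[datetime] = None


class ConsentLog:
    def __init__(self):
        self._records = {}       # email -> ConsentRecord (in-memory stand-in for a database)

    def request_signup(self, name, email, checkbox_ticked, policy_version, marketing_text, now=None):
        """Double opt-in step 1. Checked server-side as well: an unticked box is logged
        as 'not opted in', never as consent. Returns the token for the verification link."""
        now = now or datetime.now(timezone.utc)
        if not checkbox_ticked:
            self._records[email] = ConsentRecord(name, email, now, "Unchecked checkbox", "Not opted in",
                                                 policy_version, marketing_text, "Not marketable",
                                                 "No affirmative action")
            return None
        token = secrets.token_urlsafe(32)
        rec = ConsentRecord(name, email, now, "Unchecked checkbox", "Opted in", policy_version,
                            marketing_text, "Pending", "Awaiting double opt-in confirmation")
        rec.token_hash = hashlib.sha256(token.encode()).hexdigest()
        rec.token_expires = now + CONFIRM_WINDOW
        self._records[email] = rec
        return token

    def confirm(self, email, token, now=None):
        """Double opt-in step 2: verification link clicked. Constant-time compare,
        single use, expiry enforced; success is what makes the address marketable."""
        now = now or datetime.now(timezone.utc)
        rec = self._records.get(email)
        if rec is None or not rec.token_hash:
            return False
        if now > rec.token_expires:
            rec.update_log.append((now, "Confirmation link expired"))
            return False
        if not hmac.compare_digest(rec.token_hash, hashlib.sha256(token.encode()).hexdigest()):
            return False
        rec.status, rec.justification, rec.token_hash = "Marketable", "Double opt-in confirmed", ""
        rec.scope.add("all")     # explicit consent covers whatever the marketing text described
        rec.update_log.append((now, "Double opt-in confirmed"))
        return True

    def unsubscribe(self, email, now=None):
        now = now or datetime.now(timezone.utc)
        rec = self._records.get(email)
        if rec is None:
            return False
        rec.status, rec.choice, rec.justification, rec.token_hash = "Not marketable", "Opted out", "Unsubscribed", ""
        rec.update_log.append((now, "Unsubscribed"))
        return True

    def soft_opt_in(self, name, email, product_category, opt_out_offered, now=None):
        """Existing-customer path. Valid only if an opt-out was offered at the point of
        capture and the person has not refused; scope is limited to what they bought."""
        now = now or datetime.now(timezone.utc)
        rec = self._records.get(email)
        if not opt_out_offered or (rec is not None and rec.choice == "Opted out"):
            return False
        if rec is None:
            rec = ConsentRecord(name, email, now, "Opt-out offered at checkout", "Not refused", "n/a",
                                f"Offers for similar {product_category} products", "Not marketable", "")
            self._records[email] = rec
        rec.scope.add(product_category)
        if rec.status != "Marketable":
            rec.status = "Marketable"
            rec.justification = f"Soft opt-in: purchased {product_category}"
        rec.update_log.append((now, f"Purchase in category {product_category}"))
        return True

    def is_marketable(self, email, product_category):
        """Pre-send gate: status must be Marketable and the campaign must stay within scope."""
        rec = self._records.get(email)
        if rec is None or rec.status != "Marketable":
            return False
        return "all" in rec.scope or product_category in rec.scope
```

Every status change appends to `update_log` with a timestamp, which is the "Update log" column of the table: the record shows not just that an address is marketable today, but how it got there and under which policy version.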
Pre-Send Compliance Checklist
Run through this before every campaign. Skip a step, and you're gambling with your domain reputation and your legal exposure.

- ☐ Consent mechanism in place - separate, unchecked marketing checkbox or confirmed double opt-in
- ☐ Double opt-in active - confirmation email with verification link for all new subscribers
- ☐ Unsubscribe in every email - one-click, no login required, processed quickly
- ☐ Consent log maintained - timestamped records with policy version and mechanism shown
- ☐ Privacy policy linked - accessible from signup form and referenced in emails
- ☐ SPF/DKIM/DMARC authenticated - Gmail and Yahoo sender rules expect this; non-negotiable for deliverability (use these SPF record examples to sanity-check your setup)
- ☐ Complaint rate under 0.3% - a key Gmail deliverability threshold; exceed it and your emails go to spam
- ☐ List verified before send - run your list through an AI email checker to catch invalid addresses and spam traps before they damage your sender reputation
- ☐ Suppression list managed - unsubscribes and bounces permanently excluded, never re-added
- ☐ Data retention policy enforced - 12-month window for unengaged contacts; suppress or delete
- ☐ One-click unsubscribe header - enable List-Unsubscribe for major mailbox providers
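Here's an added example, not from the article or any tool named on this page, of a pre-send gate in Python that applies several of the checklist items: the suppression list, the 12-month retention window for unengaged contacts, the 0.3% complaint-rate threshold, and the one-click unsubscribe headers (List-Unsubscribe as defined in RFC 2369, List-Unsubscribe-Post as defined in RFC 8058). The contact rows, the suppression list, the example.com endpoints and the per-recipient token scheme are all constructed for the example.

```python
import secrets
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage
from email.utils import make_msgid

RETENTION = timedelta(days=365)                 # the 12-month window for unengaged contacts
COMPLAINT_THRESHOLD = 0.003                     # 0.3 % complaint rate
UNSUB_BASE = "https://example.com/unsubscribe"  # assumed one-click endpoint
UNSUB_MAILBOX = "unsubscribe@example.com"       # assumed opt-out mailbox

SEND_TIME = datetime(2026, 4, 1, 9, 0, tzinfo=timezone.utc)  # constructed send time

# Constructed sample data: an extract of the consent log plus the suppression list.
CONTACTS = [
    {"email": "alice@example.com", "status": "Marketable", "last_engaged": SEND_TIME - timedelta(days=10)},
    {"email": "Bob@example.com", "status": "Marketable", "last_engaged": SEND_TIME - timedelta(days=3)},
    {"email": "carol@example.com", "status": "Pending", "last_engaged": SEND_TIME - timedelta(days=1)},
    {"email": "dave@example.com", "status": "Marketable", "last_engaged": SEND_TIME - timedelta(days=400)},
]
SUPPRESSION = {"bob@example.com"}   # unsubscribed earlier; never re-added


def select_recipients(contacts, suppression, now=SEND_TIME):
    """Apply the checklist gates in order. Returns (to_send, skipped) where
    skipped maps each excluded address to the reason, for the audit trail."""
    to_send, skipped = [], {}
    for c in contacts:
        email = c["email"].lower()              # suppression matching is case-insensitive
        if email in suppression:
            skipped[email] = "on suppression list"
        elif c["status"] != "Marketable":
            skipped[email] = f"status is {c['status']}"
        elif now - c["last_engaged"] > RETENTION:
            skipped[email] = "unengaged for more than 12 months"
        else:
            to_send.append(email)
    return to_send, skipped


def complaint_rate_ok(complaints, delivered):
    """True when the measured spam-complaint rate is under the threshold.
    With no delivery data yet there is nothing to measure, so the send is allowed."""
    rate = complaints / delivered if delivered else 0.0
    return rate < COMPLAINT_THRESHOLD


def build_message(sender, recipient, subject, body, unsub_token):
    """Campaign message with the one-click unsubscribe headers. List-Unsubscribe
    (RFC 2369) carries a mailto and an HTTPS URI; List-Unsubscribe-Post (RFC 8058)
    lets the mailbox provider POST to that URI with no login required."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg["Message-ID"] = make_msgid(domain="example.com")
    unsub_url = f"{UNSUB_BASE}/{unsub_token}"
    msg["List-Unsubscribe"] = f"<mailto:{UNSUB_MAILBOX}?subject=unsubscribe>, <{unsub_url}>"
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    msg.set_content(f"{body}\n\nUnsubscribe at any time: {unsub_url}\n")
    return msg


def prepare_campaign(sender, subject, body, complaints=0, delivered=0):
    """Returns the messages ready to send, or an empty list if the complaint-rate gate fails."""
    if not complaint_rate_ok(complaints, delivered):
        return []
    to_send, _ = select_recipients(CONTACTS, SUPPRESSION)
    # One random token per recipient; a real system would store it against the
    # recipient so the unsubscribe endpoint can map it back (assumption).
    return [build_message(sender, e, subject, body, secrets.token_urlsafe(16)) for e in to_send]
```

The `skipped` dictionary is worth keeping alongside the consent log: when a regulator or a mailbox provider asks why an address was or wasn't mailed, the reason is already recorded per send.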

Compliant cold email starts with clean data. Prospeo's 143M+ verified B2B emails cost ~$0.01 each, come with catch-all domain handling, and integrate directly with HubSpot, Salesforce, and your outreach tools. Teams using Prospeo see bounce rates drop below 4% - exactly what regulators and mailbox providers want to see.
Build GDPR-compliant prospect lists that actually reach real inboxes.
GDPR vs. CAN-SPAM vs. CASL
If you're sending globally, you're dealing with multiple frameworks.
| | GDPR (EU) | CAN-SPAM (US) | CASL (Canada) |
|---|---|---|---|
| Consent model | Opt-in required | Opt-out allowed | Opt-in required |
| Max penalty | €20M or 4% turnover | $53,088 per email | $10M biz / $1M individual |
| Unsubscribe | Required | Required, 10-day window | Required, 10-day window |
| Scope | EEA data subjects | US recipients | Canadian recipients |
The practical move: build your core process to meet GDPR consent and soft opt-in rules, then layer in the specific requirements for the US and Canada around disclosures and unsubscribe handling. If you're GDPR compliant, you're already most of the way there for the other two.
What Changed in 2026
If you rely on legitimate interests for any marketing-adjacent processing, you should still document it properly. A Legitimate Interests Assessment is a standard way to do that, and the ICO provides a sample LIA template you can use.
Real talk: this doesn't change much for email compliance in practice. The ePrivacy consent requirement for promotional emails still applies regardless of your GDPR lawful basis. Even if you can justify processing under legitimate interests, you still need consent or a valid soft opt-in to actually send marketing emails.
If you're doing outbound, build your process around cold email marketing best practices too - compliance and deliverability are the same game.
FAQ
Can I email someone who bought my product without asking for consent?
Yes, if all four soft opt-in conditions are met: they're an existing customer, you're promoting similar products, you offered an opt-out at capture, and every email includes an unsubscribe. Miss one condition and you need explicit consent. Double opt-in is still safer for deliverability.
Is legitimate interest enough to send marketing emails?
No. The ePrivacy Directive takes precedence for electronic marketing, requiring consent or a valid soft opt-in. Legitimate interest alone doesn't satisfy the ePrivacy requirement, even if it covers your underlying data processing under GDPR Art. 6(1)(f).
Do GDPR rules apply to B2B cold outreach?
It depends on the country. Some EU member states treat corporate-address outreach more permissively than consumer email, but transparency and an easy unsubscribe are always mandatory. Germany applies stricter opt-in rules. Always check the local ePrivacy implementation before prospecting in a new market.
How do I clean my email list for compliance?
Run your list through an email verification tool before every campaign. Upload a CSV, get results in minutes. Invalid addresses, spam traps, and outdated contacts get flagged before they damage your sender reputation. Prospeo's 5-step verification catches catch-all domains and honeypots too - and it's free to start.
What's the maximum fine for non-compliant email marketing?
Up to €20 million or 4% of global annual turnover, whichever is higher. Since 2018, regulators have issued 2,100+ fines totaling over €4.4 billion across all GDPR violations, with lack of legal basis being one of the most frequently cited issues.