How to Make Your Emails GDPR Compliant in 2026
Your marketing team just got a data subject access request from someone on your email list, and nobody can find the consent record. The form they signed up through? Redesigned twice since then. The timestamp? Never stored. This is how GDPR enforcement actually starts - not with a massive fine, but with a question you can't answer.
We've seen this play out firsthand. Teams discover their consent records are incomplete only after a DSAR arrives, and by then it's too late to reconstruct what happened.
GDPR didn't make email marketing harder. It made bad email marketing illegal. If you're figuring out how to make emails GDPR compliant, it comes down to five things - and most teams get at least one of them wrong. Cumulative GDPR fines have crossed €5.88B across 2,245+ enforcement actions, with Spain alone issuing over 1,000 fines. Regulators aren't just targeting Big Tech. They're going after mid-market companies, agencies, and email marketers who skip the basics.
What You Need (Quick Version)
- Lawful basis - choose consent or legitimate interest, and document why
- Consent forms - built to the actual legal standard, not just "looks compliant"
- ePrivacy compliance - a separate law that layers on top of GDPR for electronic communications
- Auditable records - timestamps, source URLs, form versions, IP addresses
- Data accuracy - GDPR Article 5(1)(d) requires personal data to be accurate and kept up to date
Two Lawful Bases for Email
Every marketing email needs a lawful basis under GDPR Article 6. For email, two options are realistic: consent and legitimate interest.

Consent
Consent under GDPR means an unambiguous, affirmative, freely given, specific, and informed action. The subscriber has to do something active - tick a box, click a button, reply to a confirmation email. Silence, pre-ticked boxes, and bundled terms don't count.
This is the safest lawful basis for marketing emails because it's the hardest to challenge. If you're sending newsletters, promotional sequences, or product updates to people who opted in properly, you're on solid ground.
Legitimate Interest
Legitimate interest (Article 6(1)(f)) is the lawful basis most B2B teams rely on for outreach. The ICO breaks it into a three-part test:
- Purpose test - is there a genuine legitimate interest? Direct marketing qualifies, per the ICO's own guidance.
- Necessity test - is emailing this person actually necessary, or could you reach them another way?
- Balancing test - do the individual's rights override yours? A C-suite exec at a relevant company expects cold outreach. A random consumer doesn't.
The CJEU confirmed this framework in the Rigas case (C-13/16, 4 May 2017).
Here's the thing: legitimate interest doesn't override ePrivacy consent requirements. You still need to comply with the ePrivacy Directive's rules on electronic communications. It isn't a free pass.
What Valid Consent Actually Looks Like
Every guide tells you to "get consent." Nobody shows you what the consent record should contain. The ICO's minimum for consent requests includes the controller's name (your company, plus any other controllers relying on the consent), the specific purposes you'll use their data for, the type of processing you'll carry out, and a clear statement that consent can be withdrawn at any time.

What does NOT count: silence, inactivity, pre-ticked boxes, opt-out boxes, default settings, or consent buried in terms and conditions.
A trap we've seen repeatedly: a company offers a free whitepaper and auto-subscribes the person to its newsletter. Under GDPR, newsletter signup must be a separate, optional action. An email address given to receive an e-book is consent to receive the e-book, not your weekly promo blast. Use a separate, unchecked checkbox for marketing emails, and store the state of that checkbox as its own consent record with its own purpose.
Double Opt-In - Required or Recommended?
Double opt-in isn't technically required by the GDPR text. But try proving consent without it when a regulator asks.
Germany is one of the strictest jurisdictions on marketing consent, and double opt-in is the safest way to prove it there. Across the EU more broadly, it's the strongest evidence you can produce during an audit - a confirmed email address, a timestamp, and a clear record that the person actively verified their subscription. The deliverability benefits alone justify it, and the compliance upside is enormous.
Our recommendation: treat double opt-in as required for EU subscribers.
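As an added example (not code from the original article), here is a consent store that ties the two sections above together: it captures the fields a DSAR or regulator will ask for (exact consent text and a hash of it, form version, source URL, IP address, timestamp), rejects pre-ticked or bundled consent, and implements double opt-in with a signed, expiring confirmation link so that only the person who controls the mailbox can flip the record to confirmed. The field names, the 48-hour link lifetime, the in-memory store and the sample submission are all assumptions.

```python
# Consent capture with an auditable record and double opt-in. Added example,
# not code from the article; field names, the 48-hour link lifetime and the
# in-memory store are assumptions.
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import asdict, dataclass

DOI_SECRET = secrets.token_bytes(32)  # assumed: load from a secrets manager in real use
DOI_TTL_SECONDS = 48 * 3600           # confirmation link lifetime (assumption)


@dataclass
class ConsentRecord:
    """The fields a DSAR or regulator will ask for, captured at signup time."""
    email: str
    purpose: str              # one record per purpose, e.g. "newsletter"
    consent_text: str         # exact wording shown beside the checkbox
    consent_text_sha256: str  # proves the wording even after the form is redesigned
    form_version: str
    source_url: str
    ip_address: str
    requested_at: int         # unix time (UTC) of the form submission
    confirmed_at: int | None = None
    status: str = "pending"   # becomes "confirmed" only via the emailed link


def validate_signup(form: dict) -> str | None:
    """Return an error for the patterns the article rejects, else None.
    `form` merges the submitted values with the form definition's metadata (assumption)."""
    if form.get("marketing_opt_in") is not True:
        return "marketing box was not actively ticked"
    if form.get("marketing_opt_in_default_checked"):
        return "pre-ticked box is not valid consent"
    if form.get("purpose") != "newsletter":
        return "newsletter consent must be its own action, not bundled with a download"
    return None


def _sign(record_id: str, issued_at: int) -> str:
    sig = hmac.new(DOI_SECRET, f"{record_id}:{issued_at}".encode(), hashlib.sha256).hexdigest()
    return f"{record_id}:{issued_at}:{sig}"  # HMAC binds the id and issue time together


class ConsentStore:
    def __init__(self) -> None:
        self._records: dict[str, ConsentRecord] = {}

    def start(self, form: dict, meta: dict, now: int) -> tuple[str, str]:
        """Step 1 of double opt-in: store a pending record, return (id, token)."""
        err = validate_signup(form)
        if err:
            raise ValueError(err)
        text = form["consent_text"]
        rec = ConsentRecord(
            email=form["email"].strip().lower(), purpose=form["purpose"],
            consent_text=text, consent_text_sha256=hashlib.sha256(text.encode()).hexdigest(),
            form_version=form["form_version"], source_url=meta["url"],
            ip_address=meta["ip"], requested_at=now,
        )
        record_id = secrets.token_urlsafe(16)  # opaque: the link never carries the email
        self._records[record_id] = rec
        return record_id, _sign(record_id, now)

    def confirm(self, token: str, now: int) -> bool:
        """Step 2: only a valid, unexpired token flips the record to confirmed."""
        try:
            record_id, issued_s, sig = token.split(":")
            issued_at = int(issued_s)
        except ValueError:
            return False
        expected = _sign(record_id, issued_at).rsplit(":", 1)[1]
        if not hmac.compare_digest(sig, expected):  # forged or tampered link
            return False
        if now - issued_at > DOI_TTL_SECONDS or record_id not in self._records:
            return False                              # stale link or unknown record
        rec = self._records[record_id]
        rec.status, rec.confirmed_at = "confirmed", now
        return True

    def may_send(self, email: str, purpose: str) -> bool:
        """Gate every send on a confirmed record for this exact purpose."""
        email = email.strip().lower()
        return any(r.email == email and r.purpose == purpose and r.status == "confirmed"
                   for r in self._records.values())

    def export(self, email: str) -> list[dict]:
        """Everything held about one address, ready to hand back for a DSAR."""
        return [asdict(r) for r in self._records.values() if r.email == email.strip().lower()]


if __name__ == "__main__":
    store = ConsentStore()  # constructed sample submission, not real data
    form = {"email": "Alice@Example.com", "purpose": "newsletter", "marketing_opt_in": True,
            "consent_text": "Yes, email me the weekly newsletter. I can unsubscribe at any time.",
            "form_version": "signup-v3"}
    meta = {"url": "https://example.com/signup", "ip": "203.0.113.7"}
    rid, token = store.start(form, meta, now=1_700_000_000)
    print(store.may_send("alice@example.com", "newsletter"))  # False until confirmed
    print(store.confirm(token, now=1_700_000_000 + 3600))      # True
    print(store.may_send("alice@example.com", "newsletter"))  # True
```

Two design points matter here. The confirmation link carries an opaque record id rather than the address, so a leaked link does not expose who signed up, and the HMAC plus expiry means a guessed or replayed link cannot confirm a record. Storing the SHA-256 of the consent wording alongside the text itself is what lets you answer "what exactly did they agree to?" after the form has been redesigned twice.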
The ePrivacy Layer
GDPR isn't the only law governing your emails. The ePrivacy Directive (2002, updated 2009) specifically addresses privacy in electronic communications, and it applies on top of GDPR.

Because the ePrivacy Directive is implemented through national laws, the rules vary across EU member states; Germany's implementation, for example, is generally regarded as one of the strictest. "Compliant" isn't a single standard - it depends on where your subscribers are.
EDPB Guidelines 2/2023 on the technical scope of Article 5(3) clarified that tracking pixels, URL tracking, and IP-based tracking originating from a user's device fall within it. Article 5(3) requires consent for storing or accessing information on a user's device unless that is strictly necessary, and an open-tracking pixel is not strictly necessary to deliver the email. If you're embedding tracking pixels in marketing emails - and almost every ESP does by default - you're squarely within ePrivacy's scope, and that tracking needs its own consent, separate from consent to receive the email. Most competitor guides miss this entirely, even though it affects virtually every email marketer in the EU.
The push for an ePrivacy Regulation to replace the Directive was abandoned in early 2025. As of 2026, no replacement is in sight. We're stuck with a patchwork of national implementations for the foreseeable future.

GDPR Article 5(1)(d) requires your contact data to be accurate and up to date. Prospeo refreshes all 300M+ profiles every 7 days - not every 6 weeks like competitors - and runs every email through 5-step verification including catch-all handling and spam-trap removal. 98% email accuracy means fewer bounces, cleaner lists, and one less GDPR violation to worry about.
Stop risking fines on stale data. Get emails that actually verify.
Cold Email Rules Under GDPR
B2B cold email can be legal under GDPR. It just requires more documentation than most teams bother with.
The lawful basis is legitimate interest, which means you need a documented Legitimate Interest Assessment before you start sending. That LIA should cover why you're emailing this specific person, why email is the necessary channel, and why their rights don't override your interest. Without it, your entire outreach program is legally exposed.
Country rules vary significantly. Germany is widely treated as one of the strictest countries for cold outreach, and many teams operate as if opt-in is required there. In the UK, rules are more permissive for existing customer relationships, but cold outreach to new contacts still needs a defensible LIA. Your first outreach should clearly identify who you are, include a clear opt-out, and explain the source of the recipient's data.
One area that trips up sales teams is personalization. Using a prospect's name, company, and job title is generally fine - that data is necessary for the outreach and proportionate to the purpose. But scraping behavioral data, browsing history, or social media activity to hyper-personalize a cold email introduces additional processing that your LIA probably doesn't cover. Keep personalization relevant and proportionate.
GDPR vs. CAN-SPAM vs. CASL
If you're emailing across borders, you need to know where the lines are. Default to the strictest standard - which is almost always GDPR.

| | GDPR (EU/EEA) | CAN-SPAM (US) | CASL (Canada) |
|---|---|---|---|
| Consent model | Opt-in required | Opt-out allowed | Opt-in required |
| Max penalty | €20M or 4% of global annual turnover, whichever is higher | ~$53K per violation | $10M CAD per violation |
| Scope | Anyone processing personal data of people in the EU/EEA | US commercial email | Commercial messages sent from or accessed in Canada |
| Unsubscribe | Must be honored without undue delay | 10 business days allowed | 10 business days allowed |
| Pre-ticked boxes | Prohibited | Not addressed | Prohibited |
The key difference: CAN-SPAM lets you email anyone until they opt out. GDPR and CASL require permission before you send.
GDPR Compliant Email Checklist
Print this. Tape it next to your ESP login.

- ☐ Double opt-in enabled for all EU/EEA subscribers
- ☐ Consent records stored with timestamp, source URL, IP address, form version, and exact consent text shown
- ☐ No pre-checked boxes anywhere in your signup flows
- ☐ Separate consent checkboxes for each email type
- ☐ Data Processing Agreements signed with your ESP and all sub-processors
- ☐ Right to erasure tested - can you actually delete someone's data across all systems without undue delay and within the one month Article 12(3) allows, while keeping a minimal suppression entry so they aren't re-imported later?
- ☐ Unsubscribe link in every email, accessible within 2 clicks
- ☐ List-Unsubscribe (RFC 2369) and List-Unsubscribe-Post: List-Unsubscribe=One-Click (RFC 8058) headers implemented - Gmail and Yahoo require the one-click form from bulk senders, and Gmail and Apple Mail surface it as an Unsubscribe button
- ☐ Suppression lists synced across all sending systems
- ☐ Data retention policy documented
- ☐ Email addresses verified before sending - stale data isn't just a bounce problem, it's an Article 5(1)(d) violation
- ☐ Privacy policy published and linked from every signup form
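An added example (not from the article or any ESP) covering the unsubscribe and suppression items in the checklist: it builds a message carrying the List-Unsubscribe (RFC 2369) and List-Unsubscribe-Post (RFC 8058) headers, handles the one-click POST on the server side with an opaque per-recipient token, and keeps a hashed suppression list that can be pushed to every other sending system. The endpoint URL, sender address, token store and address-normalisation rule are assumptions.

```python
# One-click unsubscribe (RFC 2369 + RFC 8058) and a hashed suppression list.
# Added example, not from the article or any ESP; the endpoint URL, sender
# address, token store and normalisation rule are assumptions.
from __future__ import annotations

import hashlib
import secrets
from email.message import EmailMessage
from urllib.parse import parse_qs

UNSUB_BASE = "https://mail.example.com/unsubscribe"  # assumed endpoint
FORM_CT = "application/x-www-form-urlencoded"


def normalize(addr: str) -> str:
    """Canonical form for suppression matching (assumed rule: trim + lowercase)."""
    return addr.strip().lower()


def suppression_key(addr: str) -> str:
    # The list stores only a hash: after an erasure request you can drop the
    # plaintext address yet still refuse to re-add it from a later import.
    # A hash of an email is still personal data; keep it only for suppression.
    return hashlib.sha256(normalize(addr).encode()).hexdigest()


class Mailer:
    def __init__(self) -> None:
        self._tokens: dict[str, str] = {}   # opaque token -> normalized address
        self._suppressed: set[str] = set()  # suppression_key() values

    def token_for(self, addr: str) -> str:
        """One random, unguessable token per recipient, never derived from the
        address, so nobody can unsubscribe or enumerate others by guessing URLs."""
        addr = normalize(addr)
        for tok, a in self._tokens.items():
            if a == addr:
                return tok
        tok = secrets.token_urlsafe(24)
        self._tokens[tok] = addr
        return tok

    def build(self, to_addr: str, subject: str, body: str) -> EmailMessage | None:
        """Compose a marketing message, or None if the recipient is suppressed."""
        if self.is_suppressed(to_addr):
            return None  # every send path checks the suppression list first
        tok = self.token_for(to_addr)
        msg = EmailMessage()
        msg["From"] = "Example Newsletter <news@example.com>"
        msg["To"] = to_addr
        msg["Subject"] = subject
        # RFC 2369: URL (and optional mailto:) the mail client surfaces as "Unsubscribe".
        msg["List-Unsubscribe"] = f"<{UNSUB_BASE}/{tok}>, <mailto:unsub@example.com?subject={tok}>"
        # RFC 8058: lets the mail client POST this exact body to the URL above with
        # no confirmation page. Gmail and Yahoo require it from bulk senders.
        msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
        msg.set_content(f"{body}\n\nUnsubscribe: {UNSUB_BASE}/{tok}\n")
        return msg

    def handle_post(self, path_token: str, content_type: str, form_body: str) -> int:
        """Server side of the RFC 8058 POST; returns an HTTP status code.

        Only the exact one-click body is accepted, so a GET from a URL-scanning
        security gateway, or an arbitrary form, cannot unsubscribe a recipient.
        """
        if content_type.split(";")[0].strip().lower() != FORM_CT:
            return 415
        if parse_qs(form_body, keep_blank_values=True).get("List-Unsubscribe") != ["One-Click"]:
            return 400
        addr = self._tokens.get(path_token)
        if addr is None:
            return 404  # unknown token; never reveal whether an address exists
        self.suppress(addr)
        return 200

    def suppress(self, addr: str) -> None:
        self._suppressed.add(suppression_key(addr))

    def is_suppressed(self, addr: str) -> bool:
        return suppression_key(addr) in self._suppressed

    def export_suppression(self) -> set[str]:
        """Hashes only, safe to sync to every other sending system so an opt-out
        captured in one tool is honoured by all of them."""
        return set(self._suppressed)


if __name__ == "__main__":
    m = Mailer()
    msg = m.build("Bob@Example.com", "March update", "Hello Bob")  # constructed sample
    tok = m.token_for("bob@example.com")
    print(msg["List-Unsubscribe"])
    print(m.handle_post(tok, FORM_CT, "List-Unsubscribe=One-Click"))  # 200
    print(m.build("bob@example.com", "April update", "..."))            # None: suppressed
```

The token in the unsubscribe URL is random and looked up server-side rather than being an encoded address, which is what stops a forwarded or leaked link from unsubscribing someone else and stops attackers from walking through addresses. The suppression export contains only hashes, so it can be replicated into a CRM or a second ESP without copying the plaintext list around.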
Email Data Accuracy Under GDPR
Most teams think of email verification as a deliverability tactic. It's actually a legal obligation.
GDPR Article 5(1)(d) requires that personal data be "accurate and, where necessary, kept up to date." Sending emails to addresses that are stale, misspelled, or belong to the wrong person isn't just a bounce rate problem - it's a data accuracy violation. Treating data protection as a technical hygiene task rather than a legal requirement is how teams end up exposed during audits.

Let's be honest: you can have perfect consent records and flawless opt-in forms, but if you're sending to a list full of dead addresses, you're still violating Article 5(1)(d). Verification isn't optional under GDPR. It's part of the compliance stack. Discussions on r/gdpr echo this - practitioners regularly flag data accuracy as the most overlooked compliance requirement because everyone obsesses over consent and forgets Article 5.
Prospeo's 5-step verification process catches invalid addresses, spam traps, and honeypots in real time, with a 7-day refresh cycle that keeps records current. That refresh cadence matters - the ICO's data accuracy guidance makes clear that "up to date" isn't a suggestion, it's a principle you need to demonstrate compliance with.

Running B2B cold outreach under legitimate interest? Your LIA only holds up if you're emailing real people at accurate addresses. Prospeo is fully GDPR compliant with opt-out enforcement, DPAs available on request, and a Zero-Trust data partner policy. At $0.01 per verified email, compliance doesn't have to cost enterprise prices.
Build a defensible outreach program with data you can actually trust.
What Happens If You Don't Comply
GDPR fines come in two tiers: up to €10M or 2% of global annual turnover for breaches of controller and processor obligations (Article 83(4)), and up to €20M or 4% for breaches of the core principles, data subject rights, or lawful-basis requirements (Article 83(5)), which is where sending without a lawful basis lands. In each tier, whichever figure is higher applies.
The headline cases are in nine-figure territory - Meta's €1.2B fine, Amazon's €746M penalty. Those were for data transfer and targeting violations, not email marketing specifically. But that's actually scarier for mid-market teams: email-specific enforcement happens at smaller scales through national DPAs, often triggered by a single complaint, and those investigations rarely make the news.
The more immediate risk isn't a massive fine. It's your ESP terminating your account. Mailchimp and Campaign Monitor both have ToS clauses requiring you to collect and use personal data lawfully and obtain the necessary consents. Violate those terms and you lose your sending infrastructure overnight - along with your subscriber list, templates, and automation workflows.
Skip compliance if you enjoy rebuilding your entire email program from scratch.
FAQ
Do I need GDPR compliance if my company is outside the EU?
Yes. If you offer goods or services to people in the EU/EEA, or monitor their behaviour - and sending them marketing emails counts - GDPR Article 3(2) applies regardless of where your company is headquartered. The regulation follows the data subject, not the sender.
Can I email someone who gave me their business card at an event?
Possibly, under legitimate interest with a documented LIA. Include an opt-out in your first email and note where you got their data. In Germany, this still likely requires explicit consent.
Is buying an email list GDPR compliant?
Almost never. You'd need proof every person gave specific, informed consent to receive emails from your company - not from the list vendor. Purchased lists virtually never provide this level of documentation.
How do I keep email data accurate under GDPR?
Article 5(1)(d) makes data accuracy an ongoing obligation, not a one-time check. Verify addresses before sending and re-verify on a regular cycle. Prospeo's 7-day refresh cycle handles this automatically, catching role changes and stale records before they become compliance gaps.
What are the best practices for GDPR cold email in B2B?
Start with a documented Legitimate Interest Assessment. Verify every email address before sending. Include a clear opt-out mechanism in your first message, and explain how you sourced the recipient's data. Keep suppression lists synced across every tool in your stack so you never email someone who's already opted out.
