
Email Marketing and GDPR: What You Need to Know

By MailToolFinder Team · 8 min read

Every email marketer sending to EU contacts operates under GDPR, whether they know it or not. Fines under the regulation reached €1.2 billion in 2024 alone, and cumulative penalties since 2018 have now surpassed €5.88 billion. The rules are not new, but the enforcement is. And in 2025, two significant developments changed the landscape again: the European Commission withdrew the long-anticipated ePrivacy Regulation after years of failed negotiations, and France’s data regulator (CNIL) launched a public consultation on tracking pixels in email — which could require explicit consent for even basic open-rate tracking.

This guide explains what GDPR actually requires from email marketers in practical terms, what changed recently, and how to check whether your setup is compliant.

What GDPR Requires for Email Marketing

GDPR (the General Data Protection Regulation) is EU law that governs how organisations collect, store, and use personal data. An email address is personal data. Sending a marketing email is processing personal data. That means GDPR applies to any business that sends marketing email to contacts in the EU or UK, regardless of where the business is based.

You Need a Lawful Basis to Send

You cannot send marketing emails to EU contacts without a lawful basis under GDPR. There are six possible lawful bases, but in practice, email marketing relies almost exclusively on two:

Consent — the subscriber actively opted in to receive marketing emails from you. This is the cleanest and most defensible basis for cold contacts or newsletter subscribers.

Legitimate interests — you have a legitimate business reason to contact someone, and that interest is not overridden by their privacy rights. This basis is available in limited cases — for example, following up with an existing customer about a product they purchased. It is not a backdoor to contact people who never heard of you.

GDPR sets specific standards for consent. It must be:

  • Freely given — no bundling consent with a terms of service acceptance, no conditional access to a product
  • Specific — the person must know what they are consenting to (receiving marketing emails from your company, specifically)
  • Informed — the consent request must identify who is collecting the data and for what purpose
  • Unambiguous — an affirmative action is required (no pre-ticked boxes, no inactivity as consent)

A double opt-in process — where a subscriber confirms their email address by clicking a link before they are added to your list — is not strictly required by GDPR, but it produces the cleanest consent records and is widely recommended by data protection authorities.

The Tracking Pixel Problem in 2026

Here is a development most email marketers are not yet aware of: EU regulators are now scrutinising email tracking more closely. The EDPB (European Data Protection Board) Guidelines 2/2023 explicitly confirmed that URL tracking and pixel tracking in emails fall within the scope of the ePrivacy and GDPR rules.

In June 2025, France’s CNIL launched a public consultation on tracking pixels specifically, indicating that requiring explicit consent for individual-level email open tracking could be the direction of travel. As of early 2026, this consultation has not resulted in binding rules — but the signal is clear: blanket open-rate tracking without disclosure is under pressure.

What this means practically for now:

  • If you use tracking pixels to measure opens at an individual subscriber level, disclose this in your privacy policy
  • Aggregate tracking (knowing your overall open rate without tying opens to specific individuals) is lower-risk
  • Tracking links for clicks is considered to have a stronger legitimate basis since it is more clearly necessary for the email to function
  • If you serve EU subscribers and want to stay ahead of potential regulation, your privacy policy should explicitly mention email tracking

Rights You Must Respect

GDPR gives individuals rights over their data that apply to your email list:

Right to withdraw consent — unsubscribing must be easy, must take effect promptly, and your tool must process it immediately. One-click unsubscribes are not just a Google/Yahoo requirement — they are part of your consent obligations.

Right to erasure (“right to be forgotten”) — if a subscriber asks to be deleted, you must remove their data, not just unsubscribe them. Suppression lists that keep an email address around “to prevent resubscription” need to be handled carefully — you may need to keep a minimum record to demonstrate they opted out, but nothing more.

Right to access — a subscriber can ask what data you hold about them. Your email tool should be able to export this.

Right to data portability — subscribers can ask for their data in a machine-readable format.

Most established email marketing platforms handle the operational side of these rights through their tools. Where it falls apart is when companies use multiple systems and data is fragmented across a CRM, email tool, and analytics platform — with no clear owner of erasure requests.

What Changed When the ePrivacy Regulation Was Withdrawn

For years, email marketers in the EU operated under a double compliance burden: GDPR for data protection, and the ePrivacy Directive (implemented differently in each EU member state) for electronic communications. A new ePrivacy Regulation had been in negotiation since 2017 and was expected to replace the Directive with a single unified EU rule.

In February 2025, the European Commission withdrew the ePrivacy Regulation proposal entirely, after failing to reach agreement among member states. The result: the original 1997/2002 ePrivacy Directive still applies, implemented inconsistently across EU countries. Germany, France, Spain, and others each have their own national versions.

What this means for email marketers:

  • No single EU-wide cookie/tracking law — you need to check the rules in the specific countries where your subscribers are based, or default to the strictest standard (which is effectively GDPR-level consent)
  • Unsubscribe rules vary by country — the core requirement (honour unsubscribes promptly) is consistent, but implementation details differ
  • B2B vs B2C rules differ by country — some member states permit unsolicited B2B email with an opt-out, while others require opt-in regardless

The practical answer for most email marketers is to build around GDPR consent standards as a baseline. If you are compliant with GDPR’s consent requirements, you are compliant with the strictest interpretation of the ePrivacy Directive in every country.

GDPR Compliance Checklist for Email Marketers

Run through this list to identify gaps in your current setup.

  • Every subscriber on your list has an active opt-in record (not a purchased list, not a scraped list)
  • Your signup forms use an unchecked checkbox or explicit button — no pre-ticked “yes, email me”
  • Your consent wording is specific: “I agree to receive marketing emails from [Company Name]”
  • You store consent records (timestamp, source, IP address) for every subscriber
  • Double opt-in is enabled, or you have another way to verify consent quality
  • You do not use “subscribe me to your newsletter” as a condition of accessing a free download or using your product
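As an added illustration (not code from MailToolFinder or from any of the tools reviewed here), the Python sketch below shows how the double opt-in, consent-record and erasure points above fit together: an address is only added to the list once a signed confirmation link is clicked, the stored record carries the timestamp, source and IP, and an erasure request removes the personal record while keeping only a keyed hash and the opt-out time as proof. The secret key, the 48-hour link lifetime and the in-memory SubscriberStore class are assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed example secret; in production load it from a secrets store.
SECRET_KEY = b"example-only-secret"
TOKEN_TTL = 48 * 3600  # assumed lifetime: confirmation links stop working after 48 hours

@dataclass
class ConsentRecord:
    email: str
    source: str        # which form or page produced the opt-in
    ip: str            # captured at signup for the audit trail
    requested_at: int  # form submission time (unix seconds)
    confirmed_at: Optional[int] = None  # set only when the link is clicked

class SubscriberStore:  # hypothetical stand-in for an email tool's database
    def __init__(self):
        self.pending = {}     # email -> ConsentRecord awaiting confirmation
        self.subscribed = {}  # email -> confirmed ConsentRecord
        self.suppressed = {}  # keyed hash of email -> opt-out time (erasure proof)

    @staticmethod
    def _mac(email, ts):
        return hmac.new(SECRET_KEY, f"{email.lower()}|{ts}".encode(), hashlib.sha256).hexdigest()

    def request_signup(self, email, source, ip, now):
        """Store the unconfirmed opt-in and return the token for the confirmation link."""
        self.pending[email] = ConsentRecord(email, source, ip, now)
        return f"{now}.{self._mac(email, now)}"

    def confirm(self, email, token, now):
        """Only a valid, unexpired, unused link moves the address onto the list."""
        try:
            ts_str, mac = token.split(".", 1)
            ts = int(ts_str)
        except ValueError:
            return False
        if not hmac.compare_digest(mac.encode(), self._mac(email, ts).encode()):
            return False  # forged or tampered link
        if now - ts > TOKEN_TTL or email not in self.pending:
            return False  # expired, or nothing pending for this address
        rec = self.pending.pop(email)
        rec.confirmed_at = now  # this timestamp is the consent evidence
        self.subscribed[email] = rec
        return True

    def erase(self, email, now):
        """Right to erasure: drop the personal record, keep a minimal opt-out proof."""
        self.pending.pop(email, None)
        self.subscribed.pop(email, None)
        digest = hmac.new(SECRET_KEY, email.lower().encode(), hashlib.sha256).hexdigest()
        self.suppressed[digest] = now
```

The suppression entry is a keyed hash rather than the address itself, so a later import can still be checked against it without the erased address being stored in clear.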

Ongoing Sending

  • Every marketing email includes a clear, working unsubscribe link
  • Unsubscribes are processed within a reasonable time (your tool should handle this automatically — verify it works)
  • Your emails include your business name and a physical postal address (also required by CAN-SPAM, if you send to US contacts)
  • You do not re-subscribe contacts who have previously opted out

Data Management

  • Your privacy policy mentions email marketing, what data you collect from subscribers, and how you use it
  • If you use tracking pixels or link tracking, this is disclosed in your privacy policy
  • You have a process for handling data access, portability, and erasure requests from subscribers
  • If you use a third-party email tool, you have a Data Processing Agreement (DPA) in place with that tool

Third-Party Tools

  • Your email marketing provider offers a DPA (Data Processing Agreement) — most major providers do, but you need to execute it
  • If your provider stores data in the US (or outside the EU/EEA), it operates under standard contractual clauses (SCCs) or another adequacy mechanism
  • If you store subscriber data in multiple systems (CRM, email tool, analytics), you have a process for propagating erasure requests across all of them

GDPR-Friendly Email Marketing Tools

Not all email marketing tools are equal when it comes to GDPR compliance features. Here is what matters: data processing agreements, EU/EEA data storage options, consent record-keeping, unsubscribe handling, and the ability to export or delete subscriber data on request.

Brevo

Brevo (formerly Sendinblue) is a French company, which means GDPR is baked into its product from the ground up rather than bolted on as an afterthought. It offers EU data storage by default, a GDPR-ready DPA, double opt-in on signup forms, consent record-keeping, and subscriber data export and deletion tools. For EU-based businesses or those with a large EU audience, Brevo is a natural fit. It stores all data in the EU and has never been the subject of a major data transfer enforcement action. See our full Brevo review for a deeper look at its features.

The trade-off: Brevo’s automation builder is less sophisticated than ActiveCampaign’s, and its template library is more limited than Mailchimp’s. It is better suited to straightforward email marketing than complex multi-branch automation.


MailerLite

MailerLite is a Lithuanian company — EU-based — and its GDPR compliance features are solid. It provides a signed DPA, EU data center options, double opt-in, consent record storage, unsubscribe management, and subscriber data export. MailerLite has published detailed GDPR documentation and its platform includes tools to help you maintain a consent-auditable list. Read our MailerLite review for more detail on its features and limitations.

MailerLite updated its free plan in late 2025, halving the included subscriber limit to 500. Paid plans (Growing Business) start at under $15/month for small lists — check their current pricing page as the exact figure varies by contact count. It is one of the more affordable options in this space. The weakness: MailerLite’s customer support response times have drawn complaints, and the platform’s CRM functionality is minimal.


ActiveCampaign

ActiveCampaign is a US-based company, which means EU subscriber data is transferred to the US under standard contractual clauses. This is legally valid but does add a layer of compliance documentation compared to using an EU-based provider. ActiveCampaign does offer a DPA, GDPR-compliant forms and consent management, and data deletion tools. Its compliance features are thorough — the concern is primarily about the US data transfer question, which regulators in some EU countries (Germany in particular) have historically scrutinised.

The strength: ActiveCampaign’s automation is genuinely more capable than any other platform in this category. If you need complex branching workflows alongside GDPR compliance, it is the right tool. On annual billing, the Plus plan starts at $49/month for 1,000 contacts (monthly billing runs higher). See ActiveCampaign’s pricing page for current figures.


Mailchimp

Mailchimp is US-based (owned by Intuit) and has faced regulatory scrutiny in Europe, particularly after EU data transfer rules became stricter in the years following Schrems II. It offers a DPA and operates under the EU-US Data Privacy Framework following its 2023 certification. For most businesses, Mailchimp’s compliance documentation is sufficient — but EU-based businesses with particularly sensitive audiences may prefer a European provider.

Mailchimp’s GDPR tools include consent checkboxes on forms, a GDPR marketing permissions feature (where subscribers can specify exactly which types of communications they consent to), and unsubscribe management. As of January 2026, Mailchimp reduced its free plan limit to 250 contacts (down from 500). Paid plans start at around $20/month for the Standard plan at 500 contacts — verify exact figures on Mailchimp’s pricing page, as these change frequently.


CAN-SPAM: A Note for US-Based Senders

If you are based in the US and send to US contacts, GDPR may not apply — but CAN-SPAM does. CAN-SPAM is the US federal law governing commercial email. Its requirements are notably less strict than GDPR:

  • No opt-in requirement — you can send unsolicited commercial email (though this is generally bad practice from a deliverability standpoint)
  • You must include a clear opt-out mechanism
  • Opt-out requests must be processed within 10 business days
  • Your subject line must not be deceptive
  • Your “From” name must accurately identify the sender
  • You must include your physical postal address

If you send to both EU and US contacts, you need to comply with both laws — in practice, building to GDPR standards satisfies CAN-SPAM too.

Common Mistakes That Lead to Fines

The enforcement record gives a clear picture of where companies go wrong.

Buying or renting email lists. Purchased lists do not come with GDPR-valid consent. The people on those lists never consented to receive email from you specifically. This is one of the most common causes of GDPR complaints to data protection authorities.

Pre-ticked consent boxes. Regulators have fined companies specifically for using pre-ticked checkboxes on signup forms. It is not consent if the user did not actively tick the box.

Making consent a condition of service. Bundling marketing consent with terms of service acceptance is invalid consent under GDPR. The two must be separate.

Slow or broken unsubscribe processing. If a subscriber can demonstrate they sent an unsubscribe request and continued to receive marketing emails, that is a clear violation. Your email tool should handle this automatically — but if you have multiple systems, verify there are no gaps.

Not having a DPA with your email provider. If your email marketing tool is processing EU subscriber data on your behalf, you are the data controller and they are the data processor. A DPA is legally required. Most major providers offer one — you just need to execute it. Many businesses skip this step.

Vague or outdated privacy policies. Your privacy policy must accurately describe how you use email data, including any tracking. “We collect your data to improve our services” is not sufficient disclosure for email tracking.

Practical Next Steps

If you have never formally reviewed your email marketing practices against GDPR, start here:

  1. Audit your list. Can you prove consent for every subscriber? If you imported a list from a CRM, a previous tool, or an event, do you have documentation of how those contacts opted in?
  2. Check your forms. Remove any pre-ticked consent boxes. Make the consent wording specific to email marketing.
  3. Execute a DPA with your email tool. Log into your account, find their legal or compliance section, and sign the DPA if you have not already.
  4. Update your privacy policy. Add a section on email marketing that describes what data you collect, how you use it, and whether you use tracking.
  5. Test your unsubscribe. Actually unsubscribe a test address and verify the process works end-to-end.

GDPR compliance is not a one-time project — the regulation requires ongoing accountability. But for most email marketers, the baseline changes above are 90% of what regulators actually look for. Get those right first. Improving your technical setup — including email deliverability fundamentals like authentication — goes hand in hand with compliance: the same SPF, DKIM, and DMARC records that protect your sender reputation also demonstrate to regulators that you are running a properly managed email operation.

For choosing an email platform that makes compliance easier, see our comparison of Brevo and Mailchimp and our best email marketing tools overview. If you are specifically focused on EU compliance, Brevo and MailerLite are the two European-headquartered options in the mainstream market.


Sources

  1. MailerLite — Pricing — accessed 2026-04-05
  2. ActiveCampaign — Pricing — accessed 2026-04-05
  3. Mailchimp — Marketing Pricing — accessed 2026-04-05
