DEV Community
Custodia-Admin

GDPR and Email Newsletters: How to Run a Compliant List in 2026

Email newsletters are one of the most valuable marketing channels available — and one of the most frequently mismanaged from a privacy compliance standpoint. The rules around consent, list management, and unsubscribe handling are specific enough that even well-intentioned marketers regularly get them wrong.

This guide covers everything newsletter operators need to know to run a legally compliant list under GDPR in 2026: how to collect consent, what your forms need to say, what to do with old subscribers, how to handle cold contacts, and when the rules are different for B2B.


Why Newsletters Require Consent (Not Legitimate Interest)

GDPR requires a lawful basis for every processing activity. The six bases are consent, contract, legal obligation, vital interests, public task, and legitimate interest. Some marketers try to use legitimate interest to avoid asking for explicit consent — arguing that sending newsletters is a reasonable business interest.

Regulators have consistently rejected this approach for direct marketing emails.

The Article 29 Working Party (now the European Data Protection Board) stated, and GDPR Recital 47 repeats, that direct marketing can be a legitimate interest. But legitimate interest also requires a balancing test against the recipient's own interests, and that test will almost always fail for unsolicited marketing emails to people who have not engaged with your brand.

The ePrivacy Directive (Article 13 of Directive 2002/58/EC, which sits alongside GDPR and governs electronic communications) is clearer still: sending unsolicited commercial email to individuals requires prior consent, subject only to the soft opt-in exception covered later. This applies across the EU and, post-Brexit, in the UK under PECR (regulation 22).

The practical conclusion: if you run a newsletter, you need consent. Full stop.


What Valid Opt-In Consent Looks Like

GDPR sets a high bar for valid consent. It must be:

  • Freely given — no bundling consent with terms of service, no pre-ticked boxes, no coercion
  • Specific — the person must know what they're consenting to (your newsletter, not "marketing from our partners")
  • Informed — you must explain who you are, what you'll send, and how they can withdraw
  • Unambiguous — a clear affirmative action, not passive acceptance

The Double Opt-In Debate

Double opt-in — where a new subscriber receives a confirmation email they must click before being added to your list — is not legally required under GDPR. But it is strongly recommended for several reasons:

  1. It creates a clear, timestamped record of consent
  2. It verifies the email address belongs to the person who signed up
  3. It reduces spam complaints and improves deliverability
  4. It provides a more defensible audit trail if you're ever questioned by a regulator

Single opt-in is permissible if you record the timestamp, IP address, form version, and exact consent language at the point of sign-up. In practice, maintaining that audit trail reliably is harder than simply implementing double opt-in. Most compliance-focused newsletter operators use double opt-in by default.
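The flow described above in working form, as an added example that is not part of the original post or of Custodia's product: a sign-up handler that records the consent evidence at the form (timestamp, form version, exact wording, IP) and issues an HMAC-signed confirmation token, and a confirm handler that verifies it. The signing key, the 48-hour expiry, the list name and the in-memory pending/confirmed stores are assumptions made for the demo.

```python
"""Double opt-in confirmation tokens plus the consent evidence captured at sign-up.

Added example; not code from the original post or from Custodia. The key, the TTL
and the in-memory stores below are assumptions for the demo.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)   # assumption: a per-deployment key, normally from a secret store
TOKEN_TTL_SECONDS = 48 * 3600          # assumption: confirmation links expire after 48 hours

# Assumed in-memory stores keyed by (email, list_id); a real system would use a database.
pending: dict[tuple[str, str], dict] = {}
confirmed: dict[tuple[str, str], dict] = {}


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def normalize_email(email: str) -> str:
    # "Alice@Example.com " and "alice@example.com" must map to one record.
    return email.strip().lower()


def record_signup(email: str, *, list_id: str, form_version: str, consent_text: str,
                  ip: str | None, now: float | None = None) -> str:
    """Store the evidence captured at the form and return the confirmation token.

    The evidence exists from the moment of sign-up even if the link is never clicked;
    the record only becomes active when confirm() succeeds.
    """
    email = normalize_email(email)
    issued = int(now if now is not None else time.time())
    pending[(email, list_id)] = {
        "list_id": list_id,
        "form_version": form_version,
        "consent_text_sha256": hashlib.sha256(consent_text.encode()).hexdigest(),
        "signup_ip": ip,
        "signup_at": issued,
    }
    # The signed payload binds the token to one email, one list and one issue time.
    payload = json.dumps({"e": email, "l": list_id, "t": issued}, separators=(",", ":")).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{_b64u(payload)}.{_b64u(sig)}"


def confirm(token: str, *, now: float | None = None) -> tuple[bool, str]:
    """Validate a confirmation token and activate the matching pending record.

    Returns (ok, reason). Reasons never reveal whether an address is on the list.
    """
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _b64u_decode(payload_b64)
        sig = _b64u_decode(sig_b64)
    except (ValueError, TypeError):
        return False, "malformed"
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    # Constant-time comparison: a timing leak would let an attacker forge confirmations.
    if not hmac.compare_digest(sig, expected):
        return False, "bad-signature"
    data = json.loads(payload)
    current = now if now is not None else time.time()
    if current - data["t"] > TOKEN_TTL_SECONDS:
        return False, "expired"
    key = (data["e"], data["l"])
    if key in confirmed:
        return True, "already-confirmed"      # idempotent: re-clicking the link is harmless
    evidence = pending.get(key)
    if evidence is None or evidence["signup_at"] != data["t"]:
        return False, "no-matching-signup"    # token predates a newer sign-up, or was never issued
    del pending[key]
    confirmed[key] = {**evidence, "confirmed_at": int(current), "double_opt_in": True}
    return True, "confirmed"
```

Because the payload carries the email, list and issue time, a confirmation link cannot be replayed against another address or an older sign-up, and a forged or truncated token fails the constant-time HMAC check before anything else is looked at. One caveat: corporate link scanners fetch every URL in a message, so a GET-triggered confirmation can be completed without the subscriber ever clicking; if that matters for your audit trail, put the confirmation behind a button that POSTs.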


What Your Subscribe Form Must Say

Your subscribe form is a legal document. It needs to tell prospective subscribers:

  • Who you are — your company name and, if not obvious, a brief description
  • What they'll receive — be specific ("a weekly newsletter covering SaaS marketing") rather than vague ("updates and news")
  • How often — or at minimum an indication of frequency
  • That they can unsubscribe at any time — and how
  • A link to your privacy policy — where they can read how their data will be stored and processed

What you must not do:

  • Use pre-ticked checkboxes
  • Bundle newsletter consent with account creation or purchase completion
  • Make the consent request confusing or buried in terms
  • Ask for more data than you need (email address is sufficient for most newsletters)

A compliant subscribe form is not complicated. Something like: "Enter your email to receive [Newsletter Name] — a weekly round-up of [topic]. You can unsubscribe at any time. Read our [Privacy Policy]." That sentence, with a clear submit button and no pre-ticked boxes, meets the standard.


Importing Existing Lists: When You Can and Can't

If you're migrating from one email platform to another, or consolidating lists, this question comes up constantly: can you import subscribers collected before GDPR, or collected under different terms?

The answer depends on how and when that consent was obtained.

You can import if:

  • The original consent clearly covered the type of email you're now sending
  • The consent was obtained in a GDPR-compliant manner (specific, informed, unambiguous, freely given)
  • You have a record of that consent — not just that they signed up, but what they were told when they did

You cannot import if:

  • Subscribers were collected with vague consent language ("sign up for updates") that doesn't clearly cover your newsletter
  • Subscribers were added automatically when they made a purchase or registered for an account without explicit newsletter consent
  • You bought, rented, or scraped the list from a third party
  • The original consent was obtained before GDPR and not refreshed under compliant terms
  • You don't have a reliable record of when and how consent was obtained

If in doubt, run a re-permission campaign to these contacts before importing them. Send a single email explaining that you'd like to keep sending content and asking them to confirm. Those who confirm can be imported. Those who don't should be removed.
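An import gate that applies the rules above to a platform export, as an added example that is not part of the original post or of any email platform's tooling: rows with complete, post-GDPR, reviewed consent evidence are imported, rows with gaps go to a re-permission queue, and rows from bought, rented or scraped sources or on the suppression list are refused. The column names, the set of reviewed consent wordings and the sample rows are constructed for the demo.

```python
"""Import gate for migrating a subscriber list between platforms.

Added example; not code from the original post or from Custodia. Column names,
accepted wordings and the sample rows are constructed for the demo.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

REQUIRED_EVIDENCE = ("consented_at", "consent_source", "consent_text")   # columns a row must carry
FORBIDDEN_SOURCES = {"purchased", "rented", "scraped"}                  # can never establish consent
GDPR_EFFECTIVE = "2018-05-25"   # consent older than this and never refreshed goes to re-permission
# Assumption: every historical wording was reviewed once; only these clearly cover the newsletter.
ACCEPTED_CONSENT_TEXTS = {
    "Subscribe to The Weekly newsletter, a weekly SaaS marketing round-up. Unsubscribe any time.",
    "Subscribe to The Weekly newsletter.",
}


def normalize_email(email: str) -> str:
    return email.strip().lower()


def suppression_key(email: str) -> str:
    """Suppression entries are hashes of the normalized address, so the list can be handed to a
    vendor or a new platform without shipping a plaintext mailing list."""
    return hashlib.sha256(normalize_email(email).encode()).hexdigest()


@dataclass
class ImportDecision:
    imported: list[dict] = field(default_factory=list)
    re_permission: list[dict] = field(default_factory=list)    # one confirmation email, then decide
    rejected: list[tuple[dict, str]] = field(default_factory=list)


def classify(row: dict, suppressed: set[str]) -> tuple[str, str]:
    """Decide the bucket for one exported row; returns (bucket, reason)."""
    email = normalize_email(str(row.get("email", "")))
    if "@" not in email:
        return "rejected", "invalid-email"
    if suppression_key(email) in suppressed:
        return "rejected", "suppressed"            # unsubscribed or bounced before: never re-add
    source = str(row.get("consent_source", "")).lower()
    if source in FORBIDDEN_SOURCES:
        return "rejected", f"forbidden-source:{source}"
    missing = [k for k in REQUIRED_EVIDENCE if not row.get(k)]
    if missing:
        return "re_permission", "missing:" + ",".join(missing)
    if str(row["consented_at"])[:10] < GDPR_EFFECTIVE:      # ISO dates compare correctly as strings
        return "re_permission", "pre-gdpr-consent"
    if str(row["consent_text"]).strip() not in ACCEPTED_CONSENT_TEXTS:
        return "re_permission", "unreviewed-consent-text"   # e.g. "sign up for updates"
    return "imported", "ok"


def gate_import(rows: list[dict], suppressed: set[str]) -> ImportDecision:
    out = ImportDecision()
    for row in rows:
        bucket, reason = classify(row, suppressed)
        if bucket == "imported":
            out.imported.append(row)
        elif bucket == "re_permission":
            out.re_permission.append({**row, "reason": reason})
        else:
            out.rejected.append((row, reason))
    return out


SAMPLE_ROWS = [   # constructed export; not real subscribers
    {"email": "Alice@Example.com", "consented_at": "2023-04-02T10:15:00Z",
     "consent_source": "website-footer-form-v3",
     "consent_text": "Subscribe to The Weekly newsletter, a weekly SaaS marketing round-up. Unsubscribe any time."},
    {"email": "bob@example.com", "consented_at": "2017-11-01T09:00:00Z",
     "consent_source": "website-footer-form-v1", "consent_text": "Subscribe to The Weekly newsletter."},
    {"email": "carol@example.com", "consented_at": "2022-01-10T12:00:00Z",
     "consent_source": "", "consent_text": "Subscribe to The Weekly newsletter."},
    {"email": "dave@example.com", "consented_at": "2023-06-01T08:00:00Z",
     "consent_source": "website-footer-form-v3", "consent_text": "Subscribe to The Weekly newsletter."},
    {"email": "erin@example.com", "consented_at": "2024-02-01T08:00:00Z",
     "consent_source": "purchased", "consent_text": "Subscribe to The Weekly newsletter."},
    {"email": "frank@example.com", "consented_at": "2023-09-15T08:00:00Z",
     "consent_source": "checkout-page", "consent_text": "Sign up for updates"},
    {"email": "not-an-email", "consented_at": "2023-09-15T08:00:00Z",
     "consent_source": "website-footer-form-v3", "consent_text": "Subscribe to The Weekly newsletter."},
]
SAMPLE_SUPPRESSED = {suppression_key("Dave@Example.com")}   # dave unsubscribed on the old platform


def run_demo() -> ImportDecision:
    return gate_import(SAMPLE_ROWS, SAMPLE_SUPPRESSED)
```

The order of checks matters: the suppression lookup runs before any consent evidence is examined, so a perfectly documented row for someone who unsubscribed is still refused, and the source check runs before the evidence check so a bought list with fabricated consent columns is refused rather than queued for re-permission.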


Segmentation and Consent Tracking

Modern newsletters are often segmented — different content for different subscriber groups, sometimes different consent for different types of content. This creates a more complex consent management challenge.

Under GDPR, your consent records need to capture not just "this person subscribed" but what they specifically consented to. If you send both a weekly newsletter and a separate product update series, and someone subscribed only to the newsletter, you cannot add them to the product update series without separate consent.

What your consent records should capture per subscriber:

  • Date and time of sign-up
  • The form or source used (and the exact consent language shown)
  • IP address (where technically available)
  • Whether double opt-in confirmation was completed
  • The specific communication types consented to
  • Any subsequent changes to consent (additional opt-ins, withdrawals)

Most major email platforms (Mailchimp, Kit, ActiveCampaign, Brevo) store some of this automatically. But check that your configuration is actually recording what you need — default settings sometimes capture less than you think.
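One way to keep the per-subscriber records listed above and to enforce the per-stream scope rule, as an added example that is not part of the original post or of any of the platforms named: an append-only consent ledger from which the current consent state is derived by replaying events. Stream names, the event fields and the sample history are constructed for the demo.

```python
"""Append-only consent ledger with per-stream scope checks.

Added example; not code from the original post or from Custodia. Stream names,
event fields and the sample history are constructed for the demo.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable ledger entry; withdrawals are events too, never deletions."""
    email: str
    at: int                              # unix timestamp of the event
    kind: str                            # "opt_in" or "withdraw"
    streams: tuple[str, ...]             # communication types covered; () on a withdraw means all
    source: str                          # form, page or API that produced it, e.g. "footer-form-v3"
    consent_text_sha256: str = ""        # hash of the exact wording shown (opt_in only)
    ip: str | None = None                # where technically available
    double_opt_in: bool = False          # whether a confirmation email was clicked


def consent_hash(text: str) -> str:
    """Hash the exact wording so the record proves what was shown without storing it per subscriber."""
    return hashlib.sha256(text.encode()).hexdigest()


class ConsentLedger:
    """Events are only appended; current state is derived by replaying them in time order."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def append(self, ev: ConsentEvent) -> None:
        if ev.kind not in ("opt_in", "withdraw"):
            raise ValueError(f"unknown event kind {ev.kind!r}")
        if ev.kind == "opt_in" and not ev.streams:
            raise ValueError("opt_in must name at least one stream")
        self._events.append(ev)

    def history(self, email: str) -> list[ConsentEvent]:
        return sorted((e for e in self._events if e.email == email), key=lambda e: e.at)

    def active_streams(self, email: str, at: int | None = None) -> set[str]:
        """Streams consented to and not withdrawn as of `at` (None = replay every event)."""
        active: set[str] = set()
        for e in self.history(email):
            if at is not None and e.at > at:
                break
            if e.kind == "opt_in":
                active |= set(e.streams)
            elif not e.streams:
                active.clear()           # "unsubscribe from all"
            else:
                active -= set(e.streams)
        return active

    def may_send(self, email: str, stream: str, at: int | None = None) -> bool:
        """Gate every send path through this: consent is scoped per stream, not per person."""
        return stream in self.active_streams(email, at)

    def evidence(self, email: str, stream: str) -> ConsentEvent | None:
        """Most recent opt-in covering `stream`: the record you would show a regulator."""
        for e in reversed(self.history(email)):
            if e.kind == "opt_in" and stream in e.streams:
                return e
        return None


def build_demo_ledger() -> ConsentLedger:
    """Constructed history: newsletter opt-in, later withdrawn, then a separate product-updates opt-in."""
    ledger = ConsentLedger()
    weekly = "Enter your email to receive The Weekly, a weekly round-up of SaaS marketing. Unsubscribe any time."
    ledger.append(ConsentEvent("alice@example.com", 1_700_000_000, "opt_in", ("newsletter",),
                               "footer-form-v3", consent_hash(weekly), ip="203.0.113.7", double_opt_in=True))
    ledger.append(ConsentEvent("alice@example.com", 1_700_500_000, "withdraw", ("newsletter",),
                               "one-click-unsubscribe"))
    ledger.append(ConsentEvent("alice@example.com", 1_700_600_000, "opt_in", ("product-updates",),
                               "checkout-checkbox-v1", consent_hash("Also email me product updates."),
                               ip="203.0.113.9"))
    return ledger
```

The `at` parameter is what makes the ledger useful when a regulator asks about a specific send: `may_send(email, "newsletter", at=<send time>)` answers whether consent existed then, not just now, and `evidence()` returns the event with the form, wording hash and IP that backs it. Storing only a current "subscribed: yes/no" flag cannot answer either question.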


What to Do When Subscribers Go Cold

Inactive subscribers are a compliance issue as well as a deliverability issue. GDPR's storage limitation principle requires that you don't retain personal data longer than necessary for the purpose it was collected.

If someone signed up to your newsletter but hasn't opened an email in 18 months, the purpose of the processing — sending them content they want to read — has arguably lapsed. Continuing to hold and process their data becomes harder to justify.

The practical standard in the industry is a 12-18 month inactivity threshold. Measure inactivity on clicks or other explicit actions rather than opens alone: mail clients that pre-fetch images (Apple's Mail Privacy Protection, for one) register opens the subscriber never made, so an open-based threshold keeps dead addresses alive. After the threshold, subscribers should either be:

  1. Sent a re-engagement campaign (see below)
  2. Moved to a suppression list (no further emails, but retained to prevent accidental re-addition)
  3. Deleted from your list entirely

A suppression list is usually the right destination, and not only for inactive contacts: it is a do-not-send record that every import and every send is checked against, so an address that unsubscribed or bounced once is not silently re-added the next time it turns up in a CSV.


Unsubscribe Requirements: One-Click, Honour Within 10 Days

Every marketing email you send must include an easy, functional unsubscribe mechanism. The requirements come from more than one place: GDPR Article 21 gives subscribers an absolute right to object to direct marketing, the ePrivacy Directive and PECR require a valid opt-out address in every marketing email, and the large mailbox providers add their own bulk-sender rules. In practice:

  • One-click unsubscribe — the subscriber should be able to opt out without having to log in, complete a survey, or navigate multiple pages. A single click on an unsubscribe link should be sufficient. Since 2024 Google and Yahoo also require bulk senders to support the RFC 8058 one-click mechanism (List-Unsubscribe and List-Unsubscribe-Post headers), so the mail client itself can unsubscribe the reader without opening the message.
  • Honour promptly — GDPR sets no day count; Article 12(3) requires requests to be acted on without undue delay. The 10-day figure comes from CAN-SPAM in the US (10 business days), and Google and Yahoo's bulk-sender rules require unsubscribes to be honoured within two days. Treat immediate processing as the target and any of those windows as a ceiling; most reputable platforms process unsubscribes immediately.
  • Preference centres are permitted — you can offer a preference centre where subscribers can choose which types of email to receive, but you must also offer a simple "unsubscribe from all" option. You cannot force them to use the preference centre.
  • No re-adding unsubscribers — once someone unsubscribes, you cannot add them back to the list without fresh, explicit consent. Not even if they later make a purchase.
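The one-click mechanism in working form, as an added example that is not part of the original post or of Custodia's product: building the RFC 8058 headers on an outbound message, and a request handler that honours the POST immediately and records when and how the subscriber left. The domain newsletter.example, the in-memory token and suppression stores, and the reduction of the HTTP layer to a single function are assumptions made for the demo.

```python
"""RFC 8058 one-click unsubscribe: headers on the outbound message and the endpoint.

Added example; not code from the original post or from Custodia. The domain,
the in-memory stores and the single-function HTTP layer are demo assumptions.
"""
from __future__ import annotations

import secrets
import time
from email.message import EmailMessage
from urllib.parse import parse_qs

UNSUB_BASE = "https://newsletter.example/unsubscribe"      # assumption: your HTTPS endpoint
UNSUB_MAILTO = "unsubscribe@newsletter.example"             # assumption: mailto fallback address

tokens: dict[str, str] = {}        # token -> email (assumed in-memory store)
suppression: dict[str, dict] = {}  # email -> {"at": unix ts, "method": how they left}


def issue_token(email: str) -> str:
    """Random, unguessable and looked up server-side: the link cannot be forged or enumerated
    and carries no personal data that a log line or link scanner could leak."""
    tok = secrets.token_urlsafe(24)
    tokens[tok] = email.strip().lower()
    return tok


def build_message(to_email: str, subject: str, body: str) -> EmailMessage:
    """Outbound newsletter message carrying the RFC 8058 headers."""
    msg = EmailMessage()
    msg["From"] = "The Weekly <hello@newsletter.example>"
    msg["To"] = to_email
    msg["Subject"] = subject
    tok = issue_token(to_email)
    # RFC 2369 List-Unsubscribe: an HTTPS URI (what one-click uses) plus a mailto fallback.
    msg["List-Unsubscribe"] = f"<{UNSUB_BASE}/{tok}>, <mailto:{UNSUB_MAILTO}?subject=unsubscribe>"
    # RFC 8058: permits the mail client to POST exactly this body to the HTTPS URI.
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    msg.set_content(f"{body}\n\nUnsubscribe: {UNSUB_BASE}/{tok}\n")
    return msg


def https_unsubscribe_uri(msg: EmailMessage) -> str:
    """Extract the HTTPS URI from List-Unsubscribe the way a mail client would."""
    for part in str(msg["List-Unsubscribe"]).split(","):
        uri = part.strip().strip("<>")
        if uri.startswith("https://"):
            return uri
    raise ValueError("no https URI in List-Unsubscribe")


def handle_unsubscribe(method: str, path: str, body: str = "",
                       now: float | None = None) -> tuple[int, str]:
    """Minimal request handler; returns (status, text).

    POST is honoured at once, with no login, survey or extra pages. GET only renders a
    button, because link scanners in corporate mail gateways fetch every URL in a message
    and would otherwise unsubscribe readers who never clicked.
    """
    email = tokens.get(path.rsplit("/", 1)[-1])
    if email is None:
        return 404, "unknown or expired link"
    if method == "GET":
        return 200, '<form method="post"><button>Unsubscribe</button></form>'
    if method != "POST":
        return 405, "method not allowed"
    one_click = parse_qs(body).get("List-Unsubscribe") == ["One-Click"]
    ts = int(now if now is not None else time.time())
    # setdefault keeps the first unsubscription time: repeated POSTs are harmless and the
    # original date and method stay on record for the audit trail.
    suppression.setdefault(email, {"at": ts, "method": "one-click" if one_click else "web-form"})
    return 200, "unsubscribed"


def may_send(email: str) -> bool:
    """Check before every send and every import; a suppressed address is never re-added."""
    return email.strip().lower() not in suppression
```

The same `may_send` check belongs in front of list imports and purchase-triggered flows, which is where the "no re-adding" rule is most often broken. If you also expose an unsubscribe page on your site, have it POST too, for the same link-scanner reason.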


Re-Engagement Campaigns and Consent Refresh

Re-engagement campaigns (sometimes called "win-back" sequences) are a legitimate tool for managing cold subscribers — but they must be handled carefully to avoid GDPR issues.

The key principle: a re-engagement email is still a marketing email, and sending it requires a valid existing consent. If that consent has lapsed or was never properly obtained, you cannot use a re-engagement campaign to fix the problem — you need consent before you send.

For legitimately subscribed but inactive contacts:

  • Send 1-3 re-engagement emails over a 2-4 week period
  • Make it clear what you're asking (do they want to stay subscribed?)
  • Include a prominent unsubscribe option
  • Remove those who don't respond by the end of the campaign

Consent refresh campaigns — where you proactively ask existing subscribers to re-confirm their consent — are best practice when your consent records are incomplete or your consent language has changed significantly. They reduce list size but dramatically improve list quality and compliance standing.


List Cleaning Under Storage Limitation

GDPR's storage limitation principle is not just about inactive subscribers. It applies to all personal data you hold. For newsletter operators, this means:

  • Hard bounces — email addresses that permanently fail should be removed (or added to a suppression list) promptly. Continuing to store and process a dead email address serves no purpose.
  • Unsubscribes — move to suppression list; document the date and method of unsubscription
  • Inactive subscribers — apply your inactivity policy consistently, not selectively
  • Consent records — retain these even after a subscriber leaves, as they serve a legal purpose (demonstrating you had valid consent during the period you sent). Three years after the relationship ends is a common choice; whatever period you pick, write it into your retention schedule and apply it consistently. Keep the record, not the subscriber: a retained consent record is evidence, not a send permission.

Run a formal list cleaning process quarterly. Your email deliverability will improve, your compliance posture will strengthen, and your engagement metrics will become meaningful again.


B2B Newsletters and the Soft Opt-In Exception

The rules are different for business-to-business communications, and specifically for the soft opt-in exception.

Article 13(2) of the ePrivacy Directive (regulation 22(3) of PECR in the UK) lets you send marketing email without prior consent if:

  1. You obtained their email address in the context of a sale of a product or service (or negotiation of one)
  2. You are marketing similar products or services
  3. The recipient was given the opportunity to opt out at the time their data was collected, and has not done so
  4. You include an unsubscribe option in every subsequent email

This is the soft opt-in. It applies to existing customers, not cold contacts. If someone downloaded your free tool, attended your webinar, or bought from you previously, you may be able to email them under the soft opt-in — but only for similar offers, and only if they had a clear opportunity to opt out when you first collected their data.

Critically: the soft opt-in is about the customer relationship, not about whether the recipient is a business, so it applies in B2C and B2B contexts alike when the recipient is an individual. For truly corporate contacts (generic role addresses like info@company.com or contact@agency.com) the position varies: PECR, for instance, applies its email consent rule only to individual subscribers and not to corporate ones, while other member states implemented the Directive differently. Do not rely on this without legal advice specific to your situation.

When in doubt, get explicit consent. The soft opt-in is a narrow exception, not a loophole.


Newsletter Compliance Checklist

Use this checklist to audit your newsletter operation:

Consent collection

  • [ ] Subscribe forms use affirmative, unchecked consent
  • [ ] Forms clearly describe what subscribers will receive
  • [ ] Forms link to your privacy policy
  • [ ] Double opt-in is implemented (or consent records are comprehensive)
  • [ ] Consent records capture timestamp, source, and exact consent language

List management

  • [ ] Existing list was collected with compliant consent (or re-permissioned)
  • [ ] Bought/scraped/rented lists are not in use
  • [ ] Segmentation reflects the scope of original consent
  • [ ] Separate consent is captured for separate communication types

Ongoing compliance

  • [ ] Every email includes a functioning one-click unsubscribe
  • [ ] Unsubscribes are processed immediately (within 10 days at most)
  • [ ] Unsubscribers are moved to suppression lists, not deleted outright
  • [ ] Inactive subscriber policy is documented and applied (12-18 month threshold)
  • [ ] List cleaning is run quarterly
  • [ ] Re-engagement campaigns are used before deletion, not instead of consent

B2B

  • [ ] Soft opt-in is only applied to existing customers, not cold contacts
  • [ ] Soft opt-in contacts were offered an opt-out at point of data collection
  • [ ] Soft opt-in emails market similar products/services only

The Bottom Line

Running a compliant newsletter is not particularly complicated once you understand the rules. The main failure modes are: collecting consent lazily, importing contacts without verifying their consent, ignoring inactive subscribers, and making it hard to unsubscribe. All of these are fixable.

The cost of getting it right is a few hours of setup work. The cost of getting it wrong — fines, reputational damage, and email deliverability problems caused by spam complaints — is significantly higher.

If you want to understand what your current website and sign-up flows look like from a compliance perspective, scan your site with Custodia. It takes 60 seconds and shows you exactly where you stand.
