Email subject lines feel too small to matter for compliance. They aren't. Under GDPR and the ePrivacy Directive, a subject line can mislead, imply a relationship that doesn't exist, or hide the commercial nature of a message — all of which create risk. This guide covers what actually matters in the few words that decide whether your email gets opened, and whether it gets you a complaint.
Why the subject line is a compliance surface
The subject line and preheader are the first commercial communication the recipient sees, and EU rules on misleading commercial communication don't start at the body. If the subject sets a false expectation — a relationship, a transaction, an outcome — the deception has already happened by the time the email is opened. Treat the subject as ad copy that happens to be short, because legally that's what it is.
The subject line can't be deceptive
ePrivacy and consumer-protection rules prohibit misleading commercial communication. Subject lines that fake a personal relationship or a transaction are the usual offenders:
- "Re: your order" — when there was no order
- "I tried to reach you" — when you didn't
- "You've won" — when nobody won
- "Final notice" — when it isn't
These aren't just spammy; they're a legal risk in the EU because they disguise the commercial intent of the message. The "Re:" and "Fwd:" tricks are particularly exposed because they manufacture a thread that never existed — a clear misleading action under the UCPD's average-consumer test.
Opt-out clarity is required — and it starts in the inbox
GDPR requires a clear, easy way to withdraw consent. While the unsubscribe link lives in the body, the subject and preheader shouldn't actively work against it — for example, by impersonating transactional mail to dodge the marketing rules that mandate unsubscribe. Transactional emails (receipts, password resets) have different obligations than marketing, and dressing marketing up as transactional to escape the opt-out requirement is exactly the kind of evasion regulators look for.
A reliable signal of a compliant marketing email: the copy clearly mentions you can unsubscribe or manage preferences. If that language is missing entirely, that's a flag — and it ties back to how you collected the subscriber in the first place. See the companion guide on GDPR-compliant newsletter signups for the consent side.
Consent and the relationship behind the send
If you're emailing EU contacts, you need a lawful basis — usually consent or the "soft opt-in" for existing customers. The copy shouldn't imply a relationship or permission you don't have. "As discussed…" to a cold list is both ineffective and risky: it asserts a prior exchange that didn't occur, which is a misleading framing on top of a possible lawful-basis problem.
The subject line can't manufacture consent, but it can expose its absence. If the only way your subject makes sense is by pretending you already have a relationship, the underlying basis is probably missing.
Claims in the subject line still count
A subject line is ad copy. "Guaranteed 300% ROI" or "Doctors hate this trick" carries the same advertising-claim risk as any other marketing surface — unverifiable superlatives, guaranteed outcomes, and exaggerated promises are all flaggable, especially in finance, health, and supplements. The 50-character constraint doesn't lower the bar; if anything, the compression tempts marketers toward exactly the punchy, unsubstantiated claims that draw scrutiny. Our UCPD guide to misleading claims covers what counts.
Examples
| Risky | Safer |
|---|---|
| "Re: your invoice" (no invoice) | "Your June marketing tips from [Brand]" |
| "You're pre-approved" | "See if you qualify — check in 2 minutes" |
| "Guaranteed results or your money back" | "How [Customer] cut review time by 40%" |
| "Final notice" (it isn't) | "Last day for the June offer" |
| "I tried calling you" | "A quick idea for your Q3 campaigns" |
The safer column isn't weaker — it's specific and honest, which tends to build the kind of sender reputation that improves deliverability over time. Deception buys one open and costs long-term inbox placement.
Quick checklist
- Subject is not deceptive or fake-transactional
- Commercial intent isn't disguised
- No guaranteed-outcome or unverifiable claims
- No faked prior relationship ("Re:", "as discussed")
- Body has a clear unsubscribe / preference path
- You actually have a lawful basis to email this list
The preheader is part of the subject line
Most compliance reviews stop at the visible subject and ignore the preheader — the snippet of text the inbox shows next to or beneath it. Legally, the preheader is the same surface: it's commercial communication the recipient reads before opening, and it carries the same rules. A clean subject paired with a deceptive preheader ("Your account requires action") is still misleading. Worse, marketers often leave the preheader on autopilot, letting it pull the first line of the email — which might be "Unsubscribe | View in browser," or a hard-sell claim — into the inbox preview without review.
Treat the subject and preheader as a single unit. If the subject is honest but the preheader fakes urgency or a transaction, the message as received is deceptive. When you audit subject lines, audit the preheader in the same pass, and make sure the combination reflects the actual content and commercial nature of the email.
How subject-line risk compounds at scale
A single risky subject line is a small exposure. The problem is volume. Performance email programmes test dozens of subject variants a week, and the highest-performing ones are frequently the most aggressive — the fake "Re:", the manufactured "final notice," the unqualified guarantee. Optimisation pressure pushes a list precisely toward the language that draws complaints, because deception often wins the open-rate test in the short term.
That's why subject-line compliance is a process problem, not a one-off check. The variant your A/B test crowns as the winner is often also the riskiest one, so the review has to sit inside the testing workflow rather than after it. Catching the deceptive variant before it ships to the full list is the difference between a quiet optimisation and a regulator-worthy pattern across thousands of sends.
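The checklist above, the "subject plus preheader is one surface" rule, and the idea of screening A/B variants before they ship can all be expressed as a small pre-send review step. The following is an added example written for this guide, not code from the page, the GDPR Ad Copy Checker, or any vendor; the phrase lists are assumptions constructed from the patterns named on the page (a real programme would maintain its own, per language), and the sample emails are constructed inputs.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed pattern lists based on the risk categories in the guide.
# They are illustrative assumptions, not an authoritative rule set.
FAKE_THREAD = re.compile(r"^\s*(re|fwd?|fw)\s*:", re.I)
FAKE_RELATIONSHIP = re.compile(
    r"\b(as (we )?discussed|i tried (calling|to reach) you|"
    r"following up on our (call|conversation))\b", re.I)
FAKE_TRANSACTION = re.compile(
    r"\b(your (order|invoice|account|payment)|final notice|"
    r"account requires action|action required|you'?ve won|you'?re pre-?approved)\b", re.I)
OVERCLAIM = re.compile(r"\b(guaranteed|risk[- ]free|doctors hate|\d+%\s*roi)\b", re.I)
UNSUBSCRIBE = re.compile(r"\b(unsubscribe|manage (your )?preferences|opt[- ]out)\b", re.I)

LAWFUL_BASES = {"consent", "soft-opt-in"}  # assumed labels used by the sending team


@dataclass
class Email:
    subject: str
    preheader: str
    body: str
    kind: str                      # "marketing" or "transactional", as the sender classifies it
    lawful_basis: str | None = None  # how the list was collected; None means unknown
    prior_exchange: bool = False   # True only if a real thread or conversation exists


def review(email: Email) -> list[str]:
    """Return the checklist items the email fails. Empty list means it passes."""
    flags: list[str] = []
    # Subject and preheader are reviewed as a single unit, as the guide recommends.
    preview = f"{email.subject} {email.preheader}"

    # "Re:" / "Fwd:" are only legitimate when a real thread exists.
    if FAKE_THREAD.search(email.subject) and not email.prior_exchange:
        flags.append("fake-thread")
    # "As discussed", "I tried calling you" on a list with no prior contact.
    if FAKE_RELATIONSHIP.search(preview) and not email.prior_exchange:
        flags.append("fake-relationship")
    # Transactional framing is fine on a genuine transactional send, not on marketing.
    if email.kind == "marketing" and FAKE_TRANSACTION.search(preview):
        flags.append("fake-transactional")
    # Guaranteed outcomes and unverifiable superlatives count on any surface.
    if OVERCLAIM.search(preview):
        flags.append("overclaim")
    # Marketing mail needs a visible unsubscribe / preference path in the body.
    if email.kind == "marketing" and not UNSUBSCRIBE.search(email.body):
        flags.append("missing-unsubscribe")
    # Marketing mail also needs a recorded lawful basis for the list.
    if email.kind == "marketing" and email.lawful_basis not in LAWFUL_BASES:
        flags.append("no-lawful-basis")
    return flags


def screen_variants(subjects: list[str], preheader: str, body: str,
                    lawful_basis: str = "consent") -> dict:
    """Run every A/B subject variant through review before the test goes live.

    Returns the variants that may ship and, for the rest, the flags they tripped,
    so the review happens inside the testing workflow rather than after it.
    """
    ship, reject = [], {}
    for subject in subjects:
        flags = review(Email(subject, preheader, body, "marketing", lawful_basis))
        (ship.append(subject) if not flags else reject.__setitem__(subject, flags))
    return {"ship": ship, "reject": reject}


if __name__ == "__main__":
    # Constructed sample: the "Risky" column of the guide's table, sent cold.
    risky = Email("Re: your order", "Final notice", "Buy now.", "marketing")
    print(review(risky))
    # Constructed sample: a clean subject undermined by the preheader.
    sneaky = Email("June newsletter", "Your account requires action",
                   "Tips inside. Unsubscribe any time.", "marketing", "consent")
    print(review(sneaky))
    print(screen_variants(["Re: your invoice", "Guaranteed results or your money back",
                           "Last day for the June offer"],
                          "Three ideas for Q3", "Read on. Manage preferences here."))
```

The design choice worth noting is that `kind` and `prior_exchange` are inputs the sender must assert honestly: the linter cannot tell a genuine order update from a disguised promotion, it can only enforce that a message labelled marketing does not borrow transactional framing and does carry an opt-out. That mirrors the page's point that the classification, not the label, decides the obligations.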
The transactional-versus-marketing classification trap
The line between a transactional email and a marketing email matters more than most teams realise, because the two carry different obligations. Transactional messages — order confirmations, password resets, shipping updates — don't require marketing consent or an unsubscribe link, because they're a service the user asked for. Marketing emails do. The trap is dressing one up as the other.
A "transactional" receipt that's 80% upsell is a marketing email wearing a costume, and labelling it transactional doesn't change its legal nature. Regulators look at the dominant purpose of the message, not the label. If the subject line says "Your order update" but the content is a product promotion, you've made a marketing send without the consent or opt-out a marketing send requires — and the subject line is the first piece of evidence of the disguise.
The honest approach is to keep the categories clean. Let transactional emails do their job, and if you want to market inside them, do it in a clearly secondary, non-deceptive way that still respects the recipient's marketing preferences. Don't let the subject line claim a transactional identity the content doesn't earn.
Localisation changes subject-line risk
A subject line that's fine in English can become misleading when translated, because claims and tone don't map cleanly across languages and markets. An idiom that reads as obvious puffery in one language can read as a literal factual claim in another. Some EU markets — Germany is the standard example — apply stricter interpretations to promotional language and aggressive claims, so the same subject can clear review in one country and draw a complaint in another.
If you run multi-market email, review subject lines per language, not just once in your source language. The average-consumer test is applied in the recipient's market, against the recipient's understanding — so the only review that counts is the one done on the version they actually receive.
Check email copy before you send
A subject line is small, but it's the most-read sentence you'll write, and it carries real risk. The free GDPR Ad Copy Checker scans subject lines and full email copy for GDPR, ePrivacy, and advertising-claim risk — flagging deceptive framing, missing opt-out language, and overclaiming before the send goes out. No login required. For the full framework, see the GDPR advertising compliance guide.
This article is general information, not legal advice. Use it as a risk signal alongside human compliance review.