Email marketing to EU audiences sits at the intersection of GDPR and the ePrivacy Directive — and most teams have at least one compliance gap. The common failures aren't exotic: they're the same issues that have generated enforcement notices and fines since 2018. Pre-ticked boxes, hard unsubscribes, vague purpose statements, and legacy lists retained without valid consent are the recurring problems.
This guide covers what GDPR actually requires in marketing email copy and process, where the most common gaps are, and what a compliant setup looks like.
The legal framework for EU email marketing
Email marketing in the EU is governed by two overlapping frameworks:
ePrivacy Directive (implemented as national law in each EU country): Governs the right to send unsolicited electronic communications. In most EU countries, sending marketing emails to individuals requires prior opt-in consent. The standard is higher than GDPR's general consent definition — it's the most restrictive form of direct marketing regulation in EU law.
GDPR: Governs the collection, processing, and retention of personal data. Even where ePrivacy allows marketing (e.g., some B2B soft opt-in scenarios), GDPR's transparency, purpose limitation, storage limitation, and data subject rights obligations still apply to every email address in your database.
The practical test for most EU email marketing: does the person on your list have an active, opt-in consent that covers exactly what you're sending them, and can you prove it?
Consent collection: what works and what doesn't
Valid consent:
- An unticked checkbox labelled specifically ("Yes, I'd like to receive [Brand]'s weekly GDPR compliance newsletter")
- A sign-up form with a single, specific purpose and an active opt-in gesture
- A double opt-in flow where the subscriber confirms their email and consent
- Consent with a timestamp, IP, and form version recorded in your ESP
Invalid consent:
- A pre-ticked opt-in box (GDPR Article 4(11) requires an active act)
- "By submitting this form you agree to receive marketing emails" — this is notification, not consent
- A generic "agree to our privacy policy" that embeds marketing consent
- Consent given years ago with no record of what was consented to
- Bundled consent: "I agree to the terms of service and consent to marketing communications" in one checkbox
The double opt-in flow is the gold standard for EU email consent. It provides a timestamped confirmation email that the subscriber actively opened and clicked — a stronger audit trail than a single opt-in, and one that largely prevents spam address submissions.
The consent record requirement
GDPR's accountability principle (Article 5(2)) requires you to be able to demonstrate that consent was obtained. For email marketing, this means your records must capture:
- When consent was given (timestamp)
- Where it was given (which form, page URL, or touchpoint)
- What was consented to (exact copy of the consent statement at the time)
- How — what version of the form, what language
Your ESP's "subscribed" flag is not enough. You need to be able to produce the consent record for a specific email address on a DPA audit or a data subject access request.
Unsubscribe requirements
Every marketing email sent to EU recipients must include a functional unsubscribe mechanism. The requirements:
Visibility: The unsubscribe link must be clearly visible. Burying it in 6pt grey text in the footer may technically include it, but DPAs have found that deliberately obscured unsubscribes violate ePrivacy principles.
Friction: Unsubscribing must be easy. Requiring the subscriber to log in, enter their email address, or navigate multiple confirmation pages is not acceptable in most EU jurisdictions. One-click or one-step unsubscribe is the standard.
Promptness: Unsubscribes must be honored within a reasonable time. The UK ICO and most EU DPAs expect processing within 10 business days at the latest; most compliant programs process within 24–48 hours.
Scope: The unsubscribe must match the scope of the consent. If the subscriber consented specifically to a newsletter, unsubscribing from the newsletter should not automatically unsubscribe them from transactional emails.
Retention: Even after unsubscribing, you need to retain a suppression record — the email address on a do-not-contact list — so you don't accidentally re-add them from another source. This is the "right to object" in practice.
Copywriting considerations in EU marketing emails
The copy inside a marketing email doesn't usually contain the GDPR violation — that's in the consent or the unsubscribe flow. But copy creates secondary obligations:
Purpose consistency: The content of the email must match the consent purpose. If someone signed up for a "weekly tips newsletter" and they receive promotional emails for paid products every other day, that's arguably outside the scope of the consent.
Claim substantiation: Under the UCPD (Unfair Commercial Practices Directive), marketing claims in EU emails must be substantiated. "Scientifically proven," "number one in Europe," and similar superlatives require evidence. GDPR adds that claims about what the company will or won't do with personal data must be accurate.
Automated personalisation disclosure: If you're using AI or automated systems to select personalised content for each subscriber, your privacy policy should describe how this works. Most email personalisation (product recommendations, send-time optimisation) doesn't trigger Article 22's mandatory disclosure obligation, but it's good practice to be transparent.
Suppression list email: If you send a re-engagement campaign to users who haven't interacted in 12+ months, that email should not assume continuing consent. It should explicitly ask for re-confirmation of consent to continue receiving marketing. If the user doesn't re-confirm, they should be moved to suppression.
List hygiene and storage limitation
GDPR's storage limitation principle (Article 5(1)(e)) requires that personal data is not kept longer than necessary for the purpose it was collected. For email marketing:
- Inactive subscribers (no opens, no clicks, no purchases) after 24–36 months should be reviewed for re-permissioning or deletion
- Bounced addresses should be removed — retaining hard bounces indefinitely serves no purpose
- Suppression list records should be retained (you need to know who opted out), but non-suppression data (engagement history, preferences) can be reduced
- Legacy lists from data purchases, co-registration, or acquired databases should be audited for valid consent before sending
Retaining a list of 200,000 addresses that haven't engaged in three years is not defensible under storage limitation. It's also a deliverability liability.
The soft opt-in exception
Several EU countries' ePrivacy implementation includes a "soft opt-in" or "existing customer" exception that allows marketing emails to customers who:
- Gave their contact details in the context of a sale of a product or service
- Were given the opportunity to opt out at the time of collection (and did not)
- Receive marketing only for similar products or services to those they purchased
- Are given opt-out in every communication
This exception is narrower than it sounds. "Similar products" must be genuinely similar. If a customer bought a physical product and you send them marketing for a subscription service, that may not qualify. The exception also does not apply in all EU countries — Germany, for example, requires explicit consent even from existing customers for email marketing.
Scan your email copy before you send
The free GDPR Ad Copy Checker scans ad copy, lead forms, and landing pages for these exact GDPR and advertising-claim signals in seconds — flagging bundled consent, special-category inference, undisclosed third parties, and missing opt-outs, with safer rewrites for each. No login required.
This article is general information, not legal advice. Use it as a risk signal alongside human compliance review.