Legalify shield logoLegalify
Free CheckerGDPR GuideBlogFeaturesHow it worksPricing
Log inSign up
← All articles

6 June 2026 · 6 min read

How to Write GDPR-Compliant Email Marketing Copy

Email marketing to EU audiences sits at the intersection of GDPR and the ePrivacy Directive — and most teams have at least one compliance gap. The common failures aren't exotic: they're the same issues that have generated enforcement notices and fines since 2018. Pre-ticked boxes, hard unsubscribes, vague purpose statements, and legacy lists retained without valid consent are the recurring problems.

This guide covers what GDPR actually requires in marketing email copy and process, where the most common gaps are, and what a compliant setup looks like.

The legal framework for EU email marketing

Email marketing in the EU is governed by two overlapping frameworks:

ePrivacy Directive (implemented as national law in each EU country): Governs the right to send unsolicited electronic communications. In most EU countries, sending marketing emails to individuals requires prior opt-in consent. The standard is higher than GDPR's general consent definition — it's the most restrictive form of direct marketing regulation in EU law.

GDPR: Governs the collection, processing, and retention of personal data. Even where ePrivacy allows marketing (e.g., some B2B soft opt-in scenarios), GDPR's transparency, purpose limitation, storage limitation, and data subject rights obligations still apply to every email address in your database.

The practical test for most EU email marketing: does the person on your list have an active, opt-in consent that covers exactly what you're sending them, and can you prove it?

Consent collection: what works and what doesn't

Valid consent:

  • An unticked checkbox labelled specifically ("Yes, I'd like to receive [Brand]'s weekly GDPR compliance newsletter")
  • A sign-up form with a single, specific purpose and an active opt-in gesture
  • A double opt-in flow where the subscriber confirms their email and consent
  • Consent with a timestamp, IP, and form version recorded in your ESP

Invalid consent:

  • A pre-ticked opt-in box (GDPR Article 4(11) requires an active act)
  • "By submitting this form you agree to receive marketing emails" — this is notification, not consent
  • A generic "agree to our privacy policy" that embeds marketing consent
  • Consent given years ago with no record of what was consented to
  • Bundled consent: "I agree to the terms of service and consent to marketing communications" in one checkbox

The double opt-in flow is the gold standard for EU email consent. It provides a timestamped confirmation email that the subscriber actively opened and clicked — a stronger audit trail than a single opt-in, and one that largely prevents spam address submissions.

The consent record requirement

GDPR's accountability principle (Article 5(2)) requires you to be able to demonstrate that consent was obtained. For email marketing, this means your records must capture:

  • When consent was given (timestamp)
  • Where it was given (which form, page URL, or touchpoint)
  • What was consented to (exact copy of the consent statement at the time)
  • How — what version of the form, what language

Your ESP's "subscribed" flag is not enough. You need to be able to produce the consent record for a specific email address on a DPA audit or a data subject access request.

Unsubscribe requirements

Every marketing email sent to EU recipients must include a functional unsubscribe mechanism. The requirements:

Visibility: The unsubscribe link must be clearly visible. Burying it in 6pt grey text in the footer may technically include it, but DPAs have found that deliberately obscured unsubscribes violate ePrivacy principles.

Friction: Unsubscribing must be easy. Requiring the subscriber to log in, enter their email address, or navigate multiple confirmation pages is not acceptable in most EU jurisdictions. One-click or one-step unsubscribe is the standard.

Promptness: Unsubscribes must be honored within a reasonable time. The UK ICO and most EU DPAs expect processing within 10 business days at the latest; most compliant programs process within 24–48 hours.

Scope: The unsubscribe must match the scope of the consent. If the subscriber consented specifically to a newsletter, unsubscribing from the newsletter should not automatically unsubscribe them from transactional emails.

Retention: Even after unsubscribing, you need to retain a suppression record — the email address on a do-not-contact list — so you don't accidentally re-add them from another source. This is the "right to object" in practice.

Copywriting considerations in EU marketing emails

The copy inside a marketing email doesn't usually contain the GDPR violation — that's in the consent or the unsubscribe flow. But copy creates secondary obligations:

Purpose consistency: The content of the email must match the consent purpose. If someone signed up for a "weekly tips newsletter" and they receive promotional emails for paid products every other day, that's arguably outside the scope of the consent.

Claim substantiation: Under the UCPD (Unfair Commercial Practices Directive), marketing claims in EU emails must be substantiated. "Scientifically proven," "number one in Europe," and similar superlatives require evidence. GDPR adds that claims about what the company will or won't do with personal data must be accurate.

Automated personalisation disclosure: If you're using AI or automated systems to select personalised content for each subscriber, your privacy policy should describe how this works. Most email personalisation (product recommendations, send-time optimisation) doesn't trigger Article 22's mandatory disclosure obligation, but it's good practice to be transparent.

Suppression list email: If you send a re-engagement campaign to users who haven't interacted in 12+ months, that email should not assume continuing consent. It should explicitly ask for re-confirmation of consent to continue receiving marketing. If the user doesn't re-confirm, they should be moved to suppression.

List hygiene and storage limitation

GDPR's storage limitation principle (Article 5(1)(e)) requires that personal data is not kept longer than necessary for the purpose it was collected. For email marketing:

  • Inactive subscribers (no opens, no clicks, no purchases) after 24–36 months should be reviewed for re-permissioning or deletion
  • Bounced addresses should be removed — retaining hard bounces indefinitely serves no purpose
  • Suppression list records should be retained (you need to know who opted out), but non-suppression data (engagement history, preferences) can be reduced
  • Legacy lists from data purchases, co-registration, or acquired databases should be audited for valid consent before sending

Retaining a list of 200,000 addresses that haven't engaged in three years is not defensible under storage limitation. It's also a deliverability liability.

The soft opt-in exception

Several EU countries' ePrivacy implementation includes a "soft opt-in" or "existing customer" exception that allows marketing emails to customers who:

  • Gave their contact details in the context of a sale of a product or service
  • Were given the opportunity to opt out at the time of collection (and did not)
  • Receive marketing only for similar products or services to those they purchased
  • Are given opt-out in every communication

This exception is narrower than it sounds. "Similar products" must be genuinely similar. If a customer bought a physical product and you send them marketing for a subscription service, that may not qualify. The exception also does not apply in all EU countries — Germany, for example, requires explicit consent even from existing customers for email marketing.

Scan your email copy before you send

The free GDPR Ad Copy Checker scans ad copy, lead forms, and landing pages for these exact GDPR and advertising-claim signals in seconds — flagging bundled consent, special-category inference, undisclosed third parties, and missing opt-outs, with safer rewrites for each. No login required.

This article is general information, not legal advice. Use it as a risk signal alongside human compliance review.

Frequently asked questions

What does GDPR require for marketing emails to EU recipients?

Marketing emails to EU individuals require a valid lawful basis — most commonly explicit opt-in consent under the ePrivacy Directive. The consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes, implied consent from form submission, or bundled consent with terms of service are not valid. Every marketing email must also include a clear, easy unsubscribe mechanism.

Can I email someone who gave me their address without explicitly opting in to marketing?

Only in limited circumstances. The 'soft opt-in' or 'existing customer' exemption in some EU countries (implemented differently per member state) allows limited follow-up marketing to existing customers about similar products or services — but only if the customer had an opportunity to opt out at the time of collection and in every subsequent communication. This exemption is narrow and should not be treated as a general workaround for consent.

How quickly must I process unsubscribes?

GDPR's accountability principle requires unsubscribes to be honored promptly. Most DPAs expect processing within 10 business days. Many email platforms process unsubscribes within 24–48 hours. If your system cannot process unsubscribes faster than your send cadence, you need to fix the system before your next campaign.

What must an unsubscribe link in a marketing email include?

At minimum: a functional unsubscribe link in every marketing email (not just in a footer privacy link), a one-click or low-friction process (requiring login to unsubscribe violates ePrivacy principles in most EU countries), and confirmation that the unsubscribe has been processed. An unsubscribe page that asks the user to also log in or justify their decision is not compliant.

Can I use AI to personalise marketing emails under GDPR?

Yes, but with disclosure obligations. If you use automated decision-making to personalise email content (selecting which products to show, which offers to include, which subject line variant to send) in a way that has a significant effect on the individual, Article 22 GDPR may require you to disclose the logic. In practice, most AI-driven email personalisation is below the Article 22 threshold, but your privacy policy should describe how personalisation works.

Free resource

Get the GDPR Ad Copy Checklist

12 checks every EU marketer should run before publishing. Free, instant, no spam.

No spam. Unsubscribe any time.

Check your ad copy for free

Paste your EU ad copy into the free GDPR Ad Copy Checker and get instant risk analysis — no login required.

Open the free GDPR checker
LLegalify

AI-powered GDPR and ad risk scanning for EU marketing agencies. Catch compliance issues before campaigns go live.

Designed for GDPR risk reviewSubprocessors listed in privacy policyDPA available on request

Product

  • Free GDPR Checker
  • Meta Ad Rejected?
  • GDPR Ad Compliance Guide
  • Legalify vs AuditSocials
  • How it works
  • Features
  • Pricing

Company

  • Blog
  • GDPR Guides
  • Contact

Legal

  • Privacy Policy
  • Terms of Service
  • Cookie Policy
  • DPA
  • Security
© 2026 Legalify · Y-tunnus: 3610308-7 · Not a substitute for legal advice.
PrivacyTermsCookiesSecurity