
24 June 2026 · 8 min read

GDPR-Compliant Newsletter Signups: Consent, Copy, and Double Opt-In

An email list is only an asset if you can legally email it. Under GDPR, how you collect a subscriber decides whether you can use them — and a surprising number of signup forms collect consent that wouldn't survive scrutiny. This guide covers the copy and mechanics of a compliant newsletter signup, from lawful basis to the double opt-in question to the unsubscribe link.

It's written for marketers who are building or auditing an email programme that mails into the EU and want a list that's both large and legally usable.

Lawful basis: consent vs legitimate interest

To send marketing email in the EU, you generally rely on one of two lawful bases:

  • Consent — the subscriber actively agreed. The standard route for newsletters.
  • Legitimate interest — possible for existing customers under the "soft opt-in" (a rule from the ePrivacy Directive, Article 13(2), as implemented in national law: they bought something from you, you're emailing about your own similar products, and they were given an easy, free opt-out at collection and in every message since).

For a cold newsletter signup, consent is almost always the basis — which means the copy and the mechanics have to produce valid consent. The soft opt-in is narrower than most teams assume: it doesn't cover prospects who downloaded a guide, attended a webinar, or were imported from a list. Those are consent territory.

1. Consent must be unbundled

You cannot make newsletter consent a condition of something else. "Tick here to download the ebook and join our newsletter" bundles two things. The download and the marketing consent must be separable. If someone only wants the ebook, they must be able to get it without subscribing.

This is the same freely-given principle that governs bundled consent everywhere in GDPR (Article 7(4)). Tying a marketing opt-in to access — "subscribe to continue" — fails it. The fix is two distinct actions: deliver the content, and separately invite the subscription with its own unticked opt-in.

2. No pre-ticked boxes

A pre-ticked subscribe box is not consent; the CJEU settled this in Planet49 (Case C-673/17, 2019), and GDPR Recital 32 says the same. The box must start unticked and require an affirmative action. The same applies to any "default-on" state, including toggles and dropdowns that pre-select "yes." Silence, inactivity, and pre-selection never amount to consent.

3. Be specific about what they're signing up for

Vague signup copy creates invalid consent. Tell the subscriber:

  • Who is sending (the legal entity, not just the brand)
  • What they'll receive ("weekly product tips," not "updates")
  • How often, roughly
  • That they can unsubscribe anytime

Weak signup copy → Stronger signup copy
  • "Sign up for updates" → "Get our weekly GDPR tips for marketers. Unsubscribe anytime."
  • "Join our list" → "Monthly product news from [Company Ltd]. No spam, one-click unsubscribe."

The stronger versions aren't just more compliant — they convert better, because the subscriber knows exactly what they're getting. Specificity is a feature, not a tax.

4. Single vs double opt-in

GDPR doesn't strictly mandate double opt-in, but it makes your consent provable — and Article 7(1) makes proving consent your obligation. With double opt-in, the subscriber confirms via a verification email, giving you a timestamped record that whoever controls the address agreed. It also stops third parties from subscribing an address they don't own, and blocks fake and mistyped addresses, which protects deliverability.

For EU lists, double opt-in is the safer default, and in some jurisdictions (notably Germany) it's effectively expected. The trade-off is a small drop in confirmed signups in exchange for a list that's cleaner, more engaged, and defensible if a regulator or an ESP ever asks how a given subscriber joined.

5. Keep a record of consent

You must be able to show when and how each subscriber consented, and what they were told. Most ESPs store this if configured. The wording shown at signup is part of that record — which is why vague copy is a liability even after the fact. If your signup form said "updates" and you're sending hard-sell promotions, the record works against you.
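As an added illustration of sections 4 and 5 (example code written for this page, not Legalify's product or any ESP's API), here is a minimal double opt-in flow in Python. The confirmation token is random and single-use, the link expires, and the consent record stores the exact wording shown at signup alongside both timestamps, so the evidence described above can be produced later. The in-memory dictionaries, the confirmation URL and the 48-hour expiry are assumptions, not anything the article specifies.

```python
"""Double opt-in with a consent record you can produce later.

Added example for this article, not Legalify's code or any ESP's API.
Assumptions (not from the article): an in-memory dict stands in for the
subscriber store, the confirmation link is https://example.com/confirm?t=<token>,
and confirmation links expire after 48 hours.
"""
import hashlib
import secrets
import time

CONFIRM_TTL_SECONDS = 48 * 3600                  # assumption: links are valid for 48h
CONFIRM_URL = "https://example.com/confirm?t="   # hypothetical endpoint

# The exact copy shown at signup, keyed by version so the record can cite it verbatim.
SIGNUP_COPY = {
    "newsletter-v3": "Get our weekly GDPR tips for marketers from Company Ltd. "
                     "Unsubscribe anytime.",
}

pending = {}      # token -> unconfirmed signup (constructed in-memory store)
subscribers = {}  # email -> confirmed consent record


def normalise(email):
    """Case-fold so Alice@Example.com and alice@example.com are one subscriber."""
    return email.strip().lower()


def start_signup(email, copy_version, source, ip, now=None):
    """Step 1: the form was submitted. Nothing is sent except the confirmation link."""
    now = int(time.time() if now is None else now)
    copy_text = SIGNUP_COPY[copy_version]
    # 256 bits of randomness: not a hash of the address, not a sequential ID,
    # so nobody can confirm a subscription on someone else's behalf.
    token = secrets.token_urlsafe(32)
    pending[token] = {
        "email": normalise(email),
        "copy_version": copy_version,
        "copy_text": copy_text,   # what they were told, verbatim
        "copy_sha256": hashlib.sha256(copy_text.encode()).hexdigest(),
        "source": source,         # which form or page collected it
        "requested_at": now,
        "request_ip": ip,
        "expires_at": now + CONFIRM_TTL_SECONDS,
    }
    return CONFIRM_URL + token


def confirm(token, ip, now=None):
    """Step 2: the link was clicked. Returns the consent record, or None if rejected."""
    now = int(time.time() if now is None else now)
    signup = pending.pop(token, None)   # pop, so a token works exactly once
    if signup is None or now > signup["expires_at"]:
        return None
    record = dict(signup, confirmed_at=now, confirm_ip=ip, method="double-opt-in")
    del record["expires_at"]
    subscribers[record["email"]] = record
    return record


def evidence(email):
    """What you hand to a regulator or ESP: when, how, and what they were told."""
    rec = subscribers.get(normalise(email))
    if rec is None:
        return None
    return {k: rec[k] for k in ("email", "method", "requested_at", "confirmed_at",
                                 "source", "copy_version", "copy_text", "copy_sha256")}


if __name__ == "__main__":
    # Constructed walk-through: request, confirm, then try to replay the link.
    link = start_signup("Alice@Example.com", "newsletter-v3", "blog-footer", "203.0.113.5")
    token = link.split("t=", 1)[1]
    print(confirm(token, "203.0.113.9"))   # the consent record
    print(confirm(token, "203.0.113.9"))   # None: single use
    print(evidence("alice@example.com"))
```

Two checks a reviewer should look for in any real implementation: the token must be unguessable (never a hash of the address or a sequential ID, or anyone could confirm a subscription on someone else's behalf), and it must be consumed on first use so a leaked or forwarded link can't be replayed after the subscriber has changed their mind. Storing the copy text itself, not just a version label, is what makes the record useful years later when the form no longer exists.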

6. Make unsubscribe genuinely easy

Every marketing email needs a working unsubscribe that is as easy as subscribing was (Article 7(3)), ideally one click, and you must honour it promptly. Mailbox providers now enforce this independently: Gmail and Yahoo require bulk senders to offer RFC 8058 one-click unsubscribe headers. Burying the link, or requiring a login to opt out, undermines the "freely given" standard retroactively. A subscriber who can't easily leave was never truly free to join. The unsubscribe path is also where your subject-line and preheader choices matter — see the guide on email subject line GDPR compliance for how the inbox-level copy interacts with opt-out obligations.

Compliant signup checklist

  • Consent is unbundled from any other action
  • The subscribe box is not pre-ticked
  • Copy names the sender, content, and frequency
  • "Unsubscribe anytime" is stated at signup
  • Double opt-in for EU lists (proof of consent)
  • Consent records are stored, including the signup wording
  • One-click unsubscribe in every send

Re-permissioning an inherited or aging list

A common situation: you've acquired a list, inherited one from a previous agency, or you're sitting on addresses collected years ago under unclear terms. The instinct is to "just send to it." The GDPR reality is that you can only use a subscriber if you can show valid consent (or a soft-opt-in basis) for them — and if you can't, the list isn't an asset, it's a liability.

Re-permissioning is the clean fix. You send a single, honest email asking subscribers to confirm they want to keep hearing from you, with a clear description of what they'll receive and a one-click way to opt in. Only those who actively reconfirm move to the active list. It shrinks the list — sometimes dramatically — but what remains is provable, engaged, and safe to mail. One caveat: the re-permission email is itself a marketing message sent to people whose consent you can't prove, and regulators have treated it as such (the UK ICO fined Honda and Flybe in 2017 for consent-refresh mailings to people who had opted out or whose consent couldn't be shown). Keep it to one plain message, send it only where you can point to a prior relationship, and take advice before mailing a list with no traceable origin. The alternative, mailing an unverifiable list, risks complaints, deliverability damage, and enforcement exposure that costs far more than the lost volume.

Why compliant collection protects deliverability too

GDPR consent and inbox deliverability pull in the same direction, which is convenient. The practices that produce valid consent — unbundled opt-in, specific copy, double opt-in, easy unsubscribe — also produce an engaged list that mailbox providers trust. Fake addresses get filtered out at confirmation, uninterested subscribers never join, and the people who remain actually open and click.

Conversely, the shortcuts that create consent problems — pre-ticked boxes, bundled signups, buried unsubscribe — also create the spam complaints and low engagement that wreck sender reputation. So a compliant signup flow isn't a tax on growth; it's the same discipline that keeps you landing in the inbox. Treating consent quality and list quality as one problem tends to produce better numbers on both.

Special category and vulnerable subscribers

Some newsletters touch sensitive territory by their very topic, and that raises the bar. A list about managing a chronic illness, fertility, mental health, debt, or religion isn't ordinary marketing data — the subscription itself can reveal a special category of personal data under GDPR Article 9. Knowing that someone subscribed to a "living with diabetes" newsletter is, in effect, health data about them. That triggers a higher standard: explicit consent and heightened safeguards, not the ordinary opt-in.

If your newsletter's subject matter could reveal health, religious belief, political opinion, sexual orientation, or similar, treat the signup as special-category collection. The copy should be explicit about what the subscription involves, the consent should be unambiguous and separate, and your handling of the list should reflect the elevated obligations. This is easy to miss precisely because the "data" looks like a plain email address — the sensitivity is in what the subscription implies, not in an extra form field.

The same care applies to audiences likely to include vulnerable people. Signup copy aimed at children, or at people in distress, is judged against a higher standard of clarity and fairness.

Consent is an ongoing state, not a one-time event

It's tempting to treat consent as a box ticked at signup and then forgotten. GDPR treats it as a live state that has to remain valid. Consent can go stale — a subscriber who opted in five years ago for one type of content hasn't necessarily consented to what you send today. It can also be withdrawn at any time, and your systems have to honour that immediately and completely, across every list and integration, not just the one they clicked unsubscribe from.

Practically, this means periodically reconfirming long-dormant subscribers, keeping the scope of what you send aligned with what they originally agreed to, and making withdrawal genuinely global. A subscriber who unsubscribes from the newsletter but keeps receiving your promotional blasts will reasonably conclude their withdrawal was ignored — and they'd be right to.
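As an added example for section 6 and for the point above about global withdrawal (example code written for this page, not Legalify's or any ESP's), the following Python shows per-recipient unsubscribe tokens, the RFC 2369 and RFC 8058 List-Unsubscribe headers that mailbox providers act on, and a single suppression list that every list's send path consults. The endpoint URL, the key and the in-memory stores are assumptions.

```python
"""One-click unsubscribe that withdraws consent from every list at once.

Added example for this article, not Legalify's code or any ESP's API.
Assumptions (not from the article): the unsubscribe endpoint is
https://example.com/u/<token>, the key comes from a secrets manager, and the
in-memory stores stand in for the ESP's lists. Header names and the POST body
follow RFC 2369 and RFC 8058.
"""
import base64
import hashlib
import hmac
import time

SECRET_KEY = b"replace-with-a-key-from-your-secrets-manager"  # assumption
BASE_URL = "https://example.com/u/"                           # hypothetical endpoint

# Constructed stores: several lists, but ONE suppression set in front of all of them.
lists = {"newsletter": set(), "promotions": set(), "product-news": set()}
suppressed = {}  # email -> withdrawal record


def _tag(email):
    return hmac.new(SECRET_KEY, email.encode(), hashlib.sha256).hexdigest()[:32]


def unsubscribe_token(email):
    """Per-recipient token: the address plus an HMAC over it, no login needed."""
    email = email.lower()
    enc = base64.urlsafe_b64encode(email.encode()).decode().rstrip("=")
    return enc + "." + _tag(email)


def verify_token(token):
    """Return the address the token was issued for, or None if it was altered."""
    try:
        enc, tag = token.split(".", 1)
        email = base64.urlsafe_b64decode(enc + "=" * (-len(enc) % 4)).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    if not hmac.compare_digest(tag, _tag(email)):
        return None
    return email


def unsubscribe_headers(email):
    """Headers to add to every marketing send (RFC 2369 + RFC 8058)."""
    url = BASE_URL + unsubscribe_token(email)
    return {
        "List-Unsubscribe": f"<{url}>",
        "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
    }


def withdraw(email, via, now=None):
    """Withdrawal is global and recorded: every list, not just the one clicked."""
    email = email.lower()
    now = int(time.time() if now is None else now)
    for members in lists.values():
        members.discard(email)
    suppressed[email] = {"withdrawn_at": now, "via": via}
    return suppressed[email]


def handle_unsubscribe_post(token, body, now=None):
    """The endpoint a mailbox provider POSTs to: no login, no 'are you sure?' page."""
    email = verify_token(token)
    if email is None or body != "List-Unsubscribe=One-Click":
        return False
    withdraw(email, "one-click-post", now)
    return True


def subscribe(email, list_name):
    """Adding to any list is refused while the address is suppressed; a withdrawn
    subscriber comes back only through a fresh double opt-in (assumption: that
    flow clears the suppression entry on confirmation)."""
    email = email.lower()
    if email in suppressed:
        return False
    lists[list_name].add(email)
    return True


def can_send(email, list_name):
    """Every send path asks this, so one withdrawal is honoured everywhere."""
    email = email.lower()
    return email not in suppressed and email in lists[list_name]


if __name__ == "__main__":
    subscribe("carol@example.com", "newsletter")
    subscribe("carol@example.com", "promotions")
    hdrs = unsubscribe_headers("carol@example.com")
    token = hdrs["List-Unsubscribe"][len("<" + BASE_URL):-1]
    print(handle_unsubscribe_post(token, "List-Unsubscribe=One-Click"))
    print(can_send("carol@example.com", "promotions"))  # False: global withdrawal
```

The mailbox provider POSTs the literal body List-Unsubscribe=One-Click to the URL with no user interaction, so the endpoint has to act on the signed token alone: no login, no confirmation page. The token is an HMAC over the address, so a link lifted from one person's inbox can't be edited to unsubscribe someone else, and because the suppression check sits in front of every list rather than inside one of them, a withdrawal from the newsletter also stops the promotional sends the paragraph above warns about.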

Scan your signup and email copy

The signup form is small but it determines whether your whole list is usable. The free GDPR Ad Copy Checker checks signup and email copy for transparency and consent gaps — bundled consent, vague framing, and missing opt-out language — with safer rewrites for each. No login required. For the wider picture, see the GDPR advertising compliance guide.

This article is general information, not legal advice. Use it as a risk signal alongside human compliance review.

Frequently asked questions

Do I need consent to send a newsletter in the EU?

For a cold newsletter signup, yes — consent is almost always the lawful basis. Existing customers can sometimes be emailed under the 'soft opt-in' (legitimate interest), but only about similar products and only if they were given an easy opt-out when their data was collected.

Is double opt-in legally required under GDPR?

GDPR doesn't strictly mandate double opt-in, but it makes your consent provable — and proving consent is your obligation. The confirmation email gives you a timestamped record that the address owner agreed. For EU lists it's the safer default, and in some jurisdictions like Germany it's effectively expected.

Can I require a newsletter signup to download an ebook?

No. That bundles two things. Under GDPR consent must be freely given and unbundled, so the download and the marketing consent must be separable. If someone only wants the ebook, they must be able to get it without subscribing.

Are pre-ticked subscribe boxes allowed?

No. A pre-ticked subscribe box does not constitute valid consent — this was settled in the EU Planet49 case. The box must start unticked and require an affirmative action from the subscriber.

What records of consent do I need to keep?

You must be able to show when and how each subscriber consented, and what they were told at the time. Most email platforms store this if configured. The exact wording shown at signup is part of that record, which is why vague signup copy is a liability even after the fact.

How easy does unsubscribe have to be?

Very. Every marketing email needs a working, ideally one-click unsubscribe that you honour promptly. Burying it or requiring a login to opt out undermines the 'freely given' standard retroactively and can invalidate the original consent.

© 2026 Legalify · Y-tunnus: 3610308-7 · Not a substitute for legal advice.