Email Marketing GDPR Compliance Guide for EU Campaigns
GDPR applies to both how you collect email subscribers and what you say to them. This guide covers the compliance obligations that apply to your email copy — subject lines, body content, and the consent claims you make in the email itself.
Updated 25 June 2026
EU email marketing compliance sits at the intersection of GDPR and the ePrivacy Directive (sometimes called the 'cookie law', which also covers direct electronic marketing). In most EU member states, sending marketing emails requires prior consent (opt-in) under the ePrivacy Directive. GDPR layers on top: how you obtained that consent, what you said you would send, and whether your email copy matches those commitments. This guide covers the copy layer — what your emails can and cannot say.
Consent to send and the double opt-in question (Art. 7, ePrivacy)
Marketing emails to EU subscribers generally require prior consent under the ePrivacy Directive and Art. 6(1)(a) GDPR. The consent must be specific to the type of content you will send. If you obtained consent for a 'newsletter' and are now sending promotional offers for third-party products, the purpose has changed — the original consent no longer covers it. Email copy that implies a different purpose than what was consented to is a transparency violation even if the subscriber did consent to receive emails.
Subject lines and pre-header text (Art. 5, UCPD)
GDPR Art. 5 requires that personal data is processed fairly and transparently. A subject line that is misleading — implying a personal relationship, an account notification, or a transaction when it is actually a marketing email — is a transparency violation. The UCPD also prohibits misleading commercial practices, including misleading subject lines. Common violations: 'Your account requires attention' (when it is promotional), 'Re: your enquiry' (when no enquiry was made), and faux-personal subject lines that imply prior communication.
Health, financial, and sensitive claims (Art. 9, UCPD)
Email campaigns for health products, supplements, financial services, and similar categories carry Art. 9 risk when copy implies knowledge of the recipient's health status or financial situation. A campaign for a weight-loss supplement sent to a list of previous buyers allows a health condition to be inferred about those individuals. Art. 9(2)(a) explicit consent is almost never in place for this. The UCPD additionally prohibits outcome guarantees and unsubstantiated health claims.
Unsubscribe and opt-out requirements (Art. 7(3), ePrivacy)
GDPR Art. 7(3) requires that withdrawal of consent is as easy as giving it. Every marketing email must include a clear, functional unsubscribe mechanism. Beyond the technical requirement, email copy that discourages unsubscribing — 'Are you sure you want to miss out?', confirmation pages with dark patterns, re-subscription prompts sent immediately after unsubscribe — can constitute an unfair commercial practice. The unsubscribe flow must be single-click and immediate.
Third-party list hygiene and consent chain (Art. 28, 44)
Sending to purchased or third-party lists is high-risk in the EU. The consent chain must trace back to the individual's original opt-in, including what they consented to and who they consented with. Using a list broker's 'GDPR-compliant' label does not transfer liability to you. Email copy sent to third-party lists that makes personalisation claims — 'as a subscriber who is interested in…' — asserts a relationship that the consent chain may not support.
Common violations to avoid
- Misleading subject lines — transactional-looking subjects for marketing emails ('Your account update', 'Re: your recent enquiry')
- Purpose drift — sending promotional offers to subscribers who consented only to a newsletter
- Health condition inference — supplement or wellness campaigns implying knowledge of the recipient's health status
- Outcome guarantees — 'Lose 10kg' or 'Guaranteed returns' claims without substantiation (prohibited under the UCPD and the advertising codes enforced by the ASA and its equivalent national bodies)
- Difficult unsubscribe — multi-step opt-out, re-confirmation requirements, or emails sent after opt-out
- Third-party list personalisation — 'As someone interested in…' copy sent to purchased lists where the consent chain is unverified
Frequently asked questions
Do I need double opt-in for EU email marketing?
Double opt-in (confirmed opt-in) is not technically required by GDPR, but it is strongly recommended because it provides evidence that the subscriber genuinely consented. Many DPAs (including the German BfDI) effectively require it through their interpretation of what constitutes valid, demonstrable consent. Single opt-in with a pre-ticked box is clearly non-compliant.
Is it GDPR-compliant to send newsletters to existing customers?
Sending marketing emails to existing customers may be permitted under the 'soft opt-in' exception in the ePrivacy Directive — but only if you are selling similar products/services, you gave them the option to opt out at the point of sale, and they have not opted out. This exception is narrower than many businesses assume and does not apply to all EU member states equally.
What GDPR violations are most common in email subject lines?
Misleading subject lines are the most frequently complained-about issue. Using transactional-sounding subjects for promotional emails ('Your order update', 'Important account information') violates GDPR Art. 5 transparency principles and the UCPD's prohibition on misleading commercial practices.
How do I check my email campaign copy for GDPR compliance?
Paste your email body, subject line, and any consent copy into Legalify's free GDPR Ad Copy Checker. It scans for GDPR article-level risk including consent language issues, health inference, and transparency gaps, with findings and compliant rewrites.