GDPR-compliant email marketing — consent, double opt-in, logging
Not legal advice
This article is a practical, marketing-side perspective — not legal advice. For specific cases (legacy lists, sweepstakes data, co-sponsoring, cross-border sending) bring in a specialised IT/data-protection lawyer. The thresholds, fines and examples below reflect 2026 case law in Germany and the EU; supervisory authorities and courts keep refining details.
What this is about — and why email marketing is regulated differently
Email marketing looks innocent: address in, newsletter out. Legally, every send sits under two rulebooks at once — the GDPR (processing of personal data) and national rules implementing the ePrivacy directive on unsolicited communication (in Germany: §7 UWG; similar provisions in every EU member state). Both have to be satisfied, otherwise you risk warnings, fines and, in extreme cases, individual damages.
Most companies understand the GDPR side: personal data needs a lawful basis. The ePrivacy side is narrower and gets overlooked more often: a marketing email to someone without valid prior consent is unlawful — even if the address is somehow lawfully stored. The two regimes overlap but don’t match. An address may be lawfully stored and still not lawfully marketed to — and vice versa.
Taking it seriously upfront saves you from cease-and-desist letters starting at €1,500 a piece, regulator fines into the five- to six-figure range and — the most underestimated damage — a wrecked sender reputation. A compromised list produces complaints, hard bounces and spam-trap hits, and then takes down deliverability for the clean part of the list too.
The two rulebooks in short
GDPR — lawful basis for processing
The moment you store an email address, that’s processing of personal data and needs a lawful basis under Art. 6 GDPR. For marketing email there are realistically only two: consent (Art. 6(1)(a)) or legitimate interest (lit. f). Consent must be informed, freely given, specific and given by an unambiguous act — pre-ticked checkboxes have been off the table since the CJEU’s Planet49 ruling (2019). Legitimate interest almost never carries a marketing send by itself, because ePrivacy raises the bar separately.
ePrivacy — consent for the channel
National ePrivacy implementations require prior, explicit consent for marketing email — stricter than GDPR. So even if GDPR says go, the email may still be unlawful. The consent must refer specifically to email marketing from your company about reasonably specific topics — not “to anything in general”. A checkbox stating “I accept the terms and conditions” does not cover newsletter consent — that’s a coupling violation.
The single exception across most EU countries: the soft opt-in for existing customers (see below).
Double opt-in — the de facto standard
Double opt-in (DOI) isn’t strictly mandated by law in every EU state, but it’s the only path that holds up reliably as evidence in court and with regulators. The flow:
- User enters their address in a form (single opt-in).
- System sends a confirmation email with an activation link.
- User clicks the link → entry is added to the active sending list.
Only after step 3 may the first newsletter go out. The confirmation email itself must not contain advertising — only the confirmation link, a short explanation and the imprint. Otherwise the confirmation email is itself unsolicited advertising (German Federal Court, 2011 “Double Opt-In” decision; similar logic in other EU jurisdictions).
Why not single opt-in?
With single opt-in, anyone can enter someone else’s address and that person starts getting unsolicited mail. You can’t prove consent — and the burden of proof sits with the sender. In a dispute you have to show that this specific person gave consent. Without DOI, that’s practically impossible.
Confirmed opt-in as a middle ground?
Confirmed opt-in (a confirmation email with an opt-out link, but automatic addition to the list) is not treated as equivalent in German case law and is risky in most EU countries. Skipping DOI means accepting that risk.
Opt-in logging — what you have to record
Consent is only worth as much as your evidence for it. In a dispute (complaint, warning letter, regulator inquiry) you need to prove: who consented when, with what wording, on which page, to what. Minimum fields:
- email address
- timestamp of signup (single opt-in)
- timestamp of confirmation (double opt-in)
- IP address at signup and at confirmation
- source (URL of the form)
- text of the consent statement (version + hash)
- full copy of the confirmation email
Retention: as long as the consent is valid — plus a reasonable period after unsubscribe (industry practice: three years after withdrawal, matching the limitation period for unfair-competition claims), so you can still prove the original consent if challenged. This continued storage runs on legitimate interest (Art. 6(1)(f)).
In practice: every serious ESP (Mailchimp, Brevo, Rapidmail, CleverReach, Klaviyo) logs this automatically. Anyone building in-house has to capture these fields and pin them to a write path that won’t be overwritten or deleted when the contact later unsubscribes.
Soft opt-in for existing customers
The single carve-out that lets you email your own existing customers without separate newsletter consent. Four conditions, all of which must be met simultaneously:
- The address was obtained in connection with the sale of a product or service (not from inquiries, newsletters, sweepstakes, webinars without a purchase).
- The advertising is for your own, similar products or services (no cross-promo for partners, no off-topic sends).
- The customer has not objected to this use.
- The customer was informed clearly about the right to object — at the moment of collection AND in every single follow-up email.
Soft opt-in is narrow. A running-shoe shop may email buyers about new running-shoe models — but not about yoga mats, even if both count as “sport”. “Similar” is read tightly; case law varies, so when in doubt, get separate consent.
Typical examples — what works, what doesn’t
Clearly fine
- Newsletter signup with DOI, clean consent text, signup logged with timestamp + IP → send away.
- Existing customer buys running shoes, gets a follow-up four weeks later about a new running-shoe collection with a clear “unsubscribe” link → soft opt-in covers it.
- B2B prospect explicitly agrees during a sales meeting to be added to the newsletter, sales documents this in writing and a DOI confirmation follows → permitted.
Grey zone — often goes wrong
- Webinar attendees ticking “I’d like to receive the newsletter” at registration. Valid only if that’s a separate, non-pre-ticked checkbox and the wording clearly states it’s marketing — no coupling with the webinar registration itself.
- Reusing sweepstakes addresses for the newsletter: only works if newsletter consent was collected separately from the sweepstakes and the user could enter the sweepstakes regardless. Otherwise it’s an unlawful coupling.
- B2B addresses scraped from LinkedIn or public sources: business email addresses are still personal data under GDPR. ePrivacy applies in B2B too — the bar for “presumed interest” is slightly softer but cold outreach without consent is risky and gets warnings regularly.
Definitely goes wrong
- Pre-ticked checkboxes in checkout → invalid since Planet49 (CJEU 2019).
- T&C acceptance covers newsletter → unlawful coupling, invalid.
- Existing-customer mail sent to webinar attendees who never bought anything → soft opt-in does not apply.
- Advertising inside the DOI confirmation email → the confirmation itself becomes unsolicited advertising.
The big example — the bought list
You bought a list of 50,000 B2B addresses (or were given one, or inherited it from a “partner”). The seller swears: “All GDPR-compliant.” You want to send cross-promotion mails. What waters are you wading into?
Step 1: the consent doesn’t transfer to you
Consent is person-specific and purpose-specific. Even if the addresses were originally collected with DOI, the consent was “for newsletters from provider X” — not “for marketing from any third party”. ePrivacy demands consent that refers specifically to your organisation and the products being advertised. List-style consent clauses like “and our partners” are practically always invalid under current case law, because “the partners” weren’t concretely identified at the moment of consent.
The practical consequence: you have 50,000 addresses with no valid consent for you. Every single mail you send is an unlawful marketing communication.
Step 2: what actually happens
- Warning letters. Competitors, consumer associations and individual recipients (via lawyers) can issue cease-and-desist letters. Per incident typically €1,500–4,000 plus lawyer fees plus a contractual undertaking with penalties. With a 50k blast, even a small fraction of sensitive recipients lands you with five-figure costs in the first week.
- Regulator fines. If complaints reach the data-protection authority: up to €20m or 4% of global group turnover (Art. 83 GDPR). In Germany typically a few thousand to low six-figures for SMEs; authorities escalate quickly with bought lists because they treat the violation as deliberate.
- Damages under Art. 82 GDPR. Individual recipients can claim non-material damages. The CJEU has lowered the threshold significantly in 2023/2024 — even a “loss of control over personal data” qualifies. With 50k recipients, it’s a question of when, not if, a lawyer puts together a bulk claim.
- Sender reputation. External addresses generate above-average complaint rates, spam-trap hits and hard bounces. Mailbox providers downrank the sending domain — your legitimate mail to clean recipients suddenly lands in spam too. A burned domain reputation takes months to repair, often involving a domain change.
- Contractual penalties. Once you sign a cease-and-desist with penalty clauses, every further breach owes a penalty — typically €5,000–10,000 per email. A single accidental follow-up mail to the same person can multiply the damage many times over.
Step 3: is there a clean way?
Not really. The theoretical option is a permission pass — you send a single, neutrally worded mail (no advertising, no CTA except “would you like our newsletter?”) asking for fresh consent. But: that permission pass is itself a marketing email under ePrivacy and therefore itself requires consent. Most courts treat it that way. So in practice the list is burned. Bought or inherited addresses are not usable for marketing email without documented consent specifically directed at you. Full stop.
Rule of thumb on bought lists
When someone sells you “GDPR-compliant addresses”, that’s almost always marketing speak. Consent doesn’t transfer in resale. Best case the list is useless, worst case it produces warnings, fines and a wrecked domain reputation. Stay away.
What you should actively do
A short checklist for a clean setup:
- Signup form with an actively ticked checkbox (not pre-ticked), clear wording (“I’d like to receive the newsletter on X from [company] by email and can unsubscribe at any time via the link in the email”), link to the privacy policy.
- Double opt-in as a hard requirement. The confirmation email contains only the confirmation link — no advertising, no tracking pixel that would later expose behaviour.
- Logging with IP, timestamp, form URL, wording version. Test: can you produce the consent record for any randomly selected address from your list in under 60 seconds?
- Unsubscribe link in every email, one-click. No login wall, no multi-page flow. Unsubscribers are removed from active sending within 24 hours.
- Privacy policy describes: which ESP, which data, retention period, rights (access, deletion, withdrawal), data processing agreement (DPA) with the ESP signed.
- DPA with the ESP documented in writing. For US-based ESPs (Mailchimp, Klaviyo, Sendgrid): standard contractual clauses + transfer impact assessment, current Data Privacy Framework status as of 2026.
- Soft opt-in documented cleanly, if used: proof of purchase, notice at collection, notice in every follow-up mail.
Related on the deliverability side: Email deliverability — SPF, DKIM, DMARC covers why even a properly consented list also has to ship with clean technical setup to actually arrive.
FAQ
- No. Coupling prohibition — newsletter consent must be separate and freely given.
- Legally risky. ePrivacy applies in B2B too; "presumed interest" is read narrowly and gets warnings. Cleaner path: build the LinkedIn connection, ask for permission there, then email.
- No fixed limit. Industry practice: after 12–24 months without opens/clicks, send a re-engagement campaign, then delete or suppress. This also helps deliverability — inactive addresses drag down sender reputation.
- Tracking (open and click pixels) is separately consent-required in addition to the send itself, per current case law. So either ask for it during signup or include it in the consent text ("...as well as for analysis of usage behaviour (opens, clicks)..."). Asking only for the send and tracking anyway invites warning letters.
- Mandatory notification to the supervisory authority within 72 hours of becoming aware (Art. 33 GDPR). For high-risk leaks, also notify the data subjects. Failure to notify is punished more harshly than the leak itself.
Is a consent inside the T&Cs enough?
Can I cold-email employees of a company (B2B cold mail)?
How long can I keep inactive addresses?
What about tracking pixels in the email?
What happens if the address list leaks?
Conclusion
Email marketing in Germany and the EU isn’t complicated, it’s formal. Build the setup cleanly once — DOI, logging, separate consent, clear unsubscribe, DPA with the ESP — and you have lasting peace. The expensive cases almost always come from shortcuts: bought lists, pre-ticked checkboxes, “we’ll just send a one-off permission pass”, soft opt-in stretched too far.
Practical recommendation: have the setup reviewed once by a law firm specialising in IT/data protection — typically €800–2,000 one-off, often covering privacy policy, consent texts and DPA, and saves you five-figure damage at the first dispute. And when someone shows up offering a “GDPR-compliant address list”: don’t buy it. Not even when it’s cheap. Especially not when it’s cheap.
Entdecke mehr
Marketing
Corporate discipline that creates demand, wins customers and maintains relationships — from brand building and content through paid channels and SEO to CRM and loyalty.
LexikonReading email marketing KPIs in 2026 — open rate is dead, what counts now?
Open rate, CTR, CTOR, conversion rate, engagement score and revenue per email — what Apple MPP and iOS 18 distort and which metrics still hold up.
NewsApple Mail and Gmail overwrite the preheader with AI summaries
If you carefully craft preheaders, you no longer see them in the Apple inbox. What senders need to know and how to write AI-readable mails.