GDPR compliance for email marketing isn't optional — fines reach 4% of global annual revenue. Here's what you need to know for 2026.
The Core Requirement: Lawful Basis
Under GDPR, you need a lawful basis to process personal data (including email addresses). For marketing email, this is almost always explicit consent — legitimate interest rarely applies to direct marketing.
What Valid Consent Looks Like
- Freely given — not bundled into the terms of service or made a condition of receiving the service
- Specific — must say what you'll send, not just "marketing communications"
- Informed — subscriber knows who is collecting data and how it will be used
- Unambiguous — an affirmative action (e.g. ticking an unticked checkbox) is required. Pre-ticked boxes are invalid.
Records You Must Keep
- When consent was given
- What the subscriber was told at the time
- How consent was obtained (which form, page, date)
- IP address of signup (recommended)
Rights You Must Honor
- Right to erasure — delete all data about a person on request, within 30 days
- Right to access — provide all data you hold about a person on request
- Right to portability — provide data in machine-readable format
- Right to object — the subscriber must be able to opt out of any processing at any time
Double Opt-In Is Best Practice
Double opt-in is not legally required by GDPR, but the confirmation email creates a clear record that the subscriber actively wanted to sign up — invaluable if consent is ever challenged.
Data Retention
You can't keep subscriber data indefinitely "just in case." Define a retention period (e.g. 2 years after last engagement) and delete automatically.
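The consent records, double opt-in confirmation and automatic retention purge described above can be implemented together in one small store. The code below is an added illustration, not part of the original article or any vendor's product. It assumes an in-memory store, a 48-hour lifetime for unconfirmed signups (my choice, not a GDPR figure), the article's two-year retention period, and that the caller passes the current time explicitly so the purge logic can be tested. Confirmation tokens are stored only as SHA-256 digests so a copied database cannot be used to fabricate confirmations.

```python
import hashlib
import secrets
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

CONFIRM_TOKEN_TTL = timedelta(hours=48)   # assumption: unconfirmed signups expire after 48 h
RETENTION_PERIOD = timedelta(days=730)    # article's example: 2 years after last engagement


@dataclass
class ConsentRecord:
    """Consent evidence for one subscriber (fields follow 'Records You Must Keep')."""
    email: str
    consented_at: datetime                     # when consent was given
    notice_text: str                           # what the subscriber was told at the time
    source_form: str                           # which form was used ...
    source_page: str                           # ... on which page
    ip_address: str                            # recommended by the article
    confirmed_at: Optional[datetime] = None    # set when the double opt-in link is used
    last_engagement_at: Optional[datetime] = None


class ConsentStore:
    def __init__(self) -> None:
        self._records: dict[str, ConsentRecord] = {}
        # pending double opt-in tokens keyed by SHA-256(token) -> (email, expiry)
        self._pending: dict[str, tuple[str, datetime]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request_signup(self, email: str, notice_text: str, source_form: str,
                       source_page: str, ip_address: str, checkbox_ticked: bool,
                       now: datetime) -> str:
        # Unambiguous consent needs an affirmative action: an unticked (or
        # pre-ticked, never touched) box gives no lawful basis, so refuse.
        if not checkbox_ticked:
            raise ValueError("consent requires an affirmative action (checkbox)")
        self._records[email] = ConsentRecord(email, now, notice_text, source_form,
                                             source_page, ip_address)
        token = secrets.token_urlsafe(32)          # goes into the confirmation email link
        self._pending[self._digest(token)] = (email, now + CONFIRM_TOKEN_TTL)
        return token

    def confirm(self, token: str, now: datetime) -> bool:
        """Double opt-in: token is single use, must be unexpired and match a record."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return False
        email, expires_at = entry
        if now > expires_at or email not in self._records:
            return False
        rec = self._records[email]
        rec.confirmed_at = now
        rec.last_engagement_at = now
        return True

    def may_send_marketing(self, email: str) -> bool:
        rec = self._records.get(email)
        return rec is not None and rec.confirmed_at is not None

    def record_engagement(self, email: str, now: datetime) -> None:
        rec = self._records.get(email)
        if rec is not None:
            rec.last_engagement_at = now

    def export(self, email: str) -> Optional[dict]:
        """Right to access / portability: everything held, as plain JSON-able data."""
        rec = self._records.get(email)
        if rec is None:
            return None
        return {k: (v.isoformat() if isinstance(v, datetime) else v)
                for k, v in asdict(rec).items()}

    def erase(self, email: str) -> bool:
        """Right to erasure / objection: drop the record and any pending token."""
        removed = self._records.pop(email, None) is not None
        self._pending = {d: (e, x) for d, (e, x) in self._pending.items() if e != email}
        return removed

    def purge_expired(self, now: datetime) -> list[str]:
        """Automatic retention: unconfirmed signups past the token TTL and confirmed
        subscribers with no engagement within RETENTION_PERIOD are deleted."""
        purged = []
        for email, rec in list(self._records.items()):
            if rec.confirmed_at is None:
                stale = now - rec.consented_at > CONFIRM_TOKEN_TTL
            else:
                stale = now - rec.last_engagement_at > RETENTION_PERIOD
            if stale:
                self.erase(email)
                purged.append(email)
        return purged
```

Run purge_expired from a scheduled job, and route every unsubscribe or erasure request through erase so that pending tokens are dropped along with the record; may_send_marketing is the single gate a sending pipeline should consult before each campaign.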