GDPR Marketing & Email Compliance Checklist

Pre-ticked boxes, bundled consent with terms of service, and vague language like "I agree to receive communications" are all invalid under GDPR. Each consent request must name your company, specify the channel (email, SMS, phone), and be a separate affirmative action.

Purchased lists, co-registration lists, and pre-GDPR legacy lists often cannot be used without reconsent campaigns. Audit the collection date, method, and consent wording for every segment before sending.

Email newsletters and promotional campaigns typically require consent (Art. 6(1)(a)). B2B prospecting may rely on legitimate interests (Art. 6(1)(f)), but requires a Legitimate Interests Assessment (LIA) documented before processing begins.

The LIA must balance your business interest against the data subject's rights. For direct marketing, the three-part test is: purpose test (is the interest legitimate?), necessity test (is processing necessary?), balancing test (do your interests override theirs?). Document the outcome.

Every commercial email must contain a clear unsubscribe link. Unsubscribes must be honored within 10 business days in the US (CAN-SPAM), and immediately for GDPR purposes. No re-opt-in prompts, no barrier to unsubscribe.

Third-party marketing pixels (Meta Pixel, Google Ads, LinkedIn Insight Tag) cannot fire until the user gives informed, specific consent. Pre-ticked consent, consent assumed from continued browsing, and "cookie walls" are invalid. Use a compliant CMP (Cookiebot, OneTrust, etc.).

Record what data is collected (email, name, IP address, behavioral data), the source (website form, import, ad platform), the lawful basis, the retention period, and every third party the data is shared with.

Email platforms (Mailchimp, HubSpot, Klaviyo), ad networks (Google Ads, Meta), CRMs (Salesforce, HubSpot), and analytics tools (Google Analytics) are all processors that require signed DPAs before you share EU personal data.

Using US-based email platforms, ad networks, or CRMs to process EU personal data requires a valid transfer mechanism: EU-US Data Privacy Framework, Standard Contractual Clauses (SCCs), or Binding Corporate Rules. Verify your vendors have current SCCs or DPF certification.

EU subscribers need to be managed separately with GDPR-compliant consent records. This also helps avoid applying GDPR restrictions globally when other regions may have different legal bases available.

You must be able to prove consent: who consented, when they consented, what they were shown, the IP address, and the form version. Most compliant email platforms store this automatically — verify yours does.

Your privacy notice must explain what data you collect for marketing, the lawful basis, how long you keep it, who you share it with, and how users can exercise their rights. Plain language is required — legal jargon will not satisfy regulators.

EU residents can request what personal data you hold about them, including their email address, behavioral data from pixels, and purchase history. You must respond within 30 days. Your email platform and CRM must be able to export individual records quickly.

When an EU resident requests deletion of their marketing data, you must delete their record from your CRM, email platform, ad platform custom audiences, and any analytics tools — not just unsubscribe them. Document each deletion.

Custom audiences uploaded to Meta Ads, Google Ads, or LinkedIn from EU email lists require GDPR-compliant consent for that specific use — not just email marketing consent. Review every audience source and remove non-consented data.

Only collect the personal data you actually need for the stated marketing purpose. If you only need an email address for a newsletter, do not require name, phone, company, and industry. Every extra field increases your compliance surface area.

Inactive subscribers (no opens or clicks in 12-24 months) should be automatically purged or re-consented. Consent records must be kept for as long as you rely on them. Define retention periods for each data type in your data inventory.

Tools like Marketo, HubSpot, and Pardot create detailed behavioral profiles. Ensure personal identifiers are not stored longer than necessary, pseudonymization is used where possible, and EU data is not processed in non-adequate countries without SCCs.

Marketing teams are a primary source of GDPR violations — particularly around consent, list hygiene, and ad targeting. Annual training covering lawful basis, consent mechanics, and DSARs reduces enforcement risk significantly.

If you are processing EU personal data at scale (mass email campaigns, behavioral profiling, cross-context tracking), a Data Protection Impact Assessment may be required before processing begins. When in doubt, conduct one anyway — regulators view voluntary DPIAs favorably.