GDPR and Email Marketing: The Rules Most Senders Get Wrong
Most email marketers think they've handled GDPR by adding an unsubscribe link. They haven't. The issues run deeper — and some mistakes are baked into how popular tools are configured by default.
Double Opt-In: Required or Not?
GDPR doesn't require double opt-in. This surprises people. Article 4(11) requires consent to be freely given, specific, informed and unambiguous, given by a clear affirmative action, but it doesn't specify the mechanism. A single opt-in form with a clear, unticked checkbox can be valid.
But double opt-in is strongly recommended anyway, for one practical reason: it's proof. Article 7(1) puts the burden on you to demonstrate that consent was given. A double opt-in creates a timestamped click on a confirmation link, from the inbox only the subscriber controls. Without it, if someone disputes they subscribed, your evidence is a form submission with an IP address and a timestamp, which anyone could have entered on their behalf. Whichever mechanism you use, also keep the exact wording the subscriber saw next to the checkbox and the version of the form, because "they consented" is only as good as your ability to show what they consented to.
Platforms: defaults differ between vendors and change between releases, so check the setting rather than trusting what you remember. Mailchimp's double opt-in is a per-audience setting. Klaviyo's is a per-list setting. ConvertKit calls theirs the "incentive email" and it is set per form. None of them will stop you from publishing a form with it switched off, so confirm it is enabled for every form before the form goes live.
The Consent Must Be Specific — This Is Where Most Sites Fail
Consent is only valid for the purpose it was collected for. If someone signs up for a "free checklist download," you can't then add them to your weekly promotional newsletter. Those are different purposes. You need separate consent for each.
Bundled consent is not freely given, and therefore not valid (Article 7(4) and Recital 43). You cannot include a single checkbox in your checkout flow that says "I agree to the Terms of Service and to receive marketing emails." These have to be separate, and the marketing one must be opt-in, not opt-out: Recital 32 says silence, pre-ticked boxes and inactivity do not constitute consent.
Common illegal pattern
Checkout form with a pre-ticked "Keep me updated with news and offers" box. A pre-ticked box is not a clear affirmative action (Article 4(11), Recital 32), and the CJEU confirmed this in Planet49 (C-673/17, 2019). The CNIL fined a French retailer €800,000 in 2021 partly for this exact pattern.
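The two points above, that consent must be provable and that it is bound to the purpose it was collected for, are easiest to see in code. The following is an added example written for this page, not code from the page, from Mailchimp, Klaviyo or ConvertKit, and all names in it are hypothetical. It assumes an in-memory store standing in for a database and an HMAC secret held in process memory; in production both would live elsewhere. It implements a double opt-in confirmation token bound to the email and the purpose, a hash-chained consent log that records what wording was shown, from where, and when, a purpose-specific `may_send` check, and a `verify_log` tamper check for the day a record is challenged.

```python
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical names throughout. The secret would live in a secrets manager and
# the two stores would be database tables; here they are in-memory for the example.
TOKEN_SECRET = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 48 * 3600
PENDING = {}       # token id -> unconfirmed signup
CONSENT_LOG = []   # append-only, hash-chained consent and withdrawal events


def _sign(payload: bytes) -> str:
    return hmac.new(TOKEN_SECRET, payload, hashlib.sha256).hexdigest()


def _append(record: dict) -> dict:
    """Append an event to the log, chaining it to the previous record's hash."""
    record["prev_hash"] = CONSENT_LOG[-1]["hash"] if CONSENT_LOG else "0" * 64
    record["hash"] = hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()
    CONSENT_LOG.append(record)
    return record


def issue_confirmation(email, purpose, form_version, consent_text, ip, now=None):
    """Form submission: store the unconfirmed signup and mint the link token.

    The token is bound to the email AND the purpose, so a confirmation for
    'checklist' can never be replayed to create consent for 'newsletter'.
    """
    now = time.time() if now is None else now
    token_id = secrets.token_urlsafe(16)
    PENDING[token_id] = {
        "event": "consent", "email": email, "purpose": purpose,
        "form_version": form_version,
        # hash of the exact wording shown next to the checkbox; keep the full
        # text under the same version id so the record can be reproduced later
        "consent_text_sha256": hashlib.sha256(consent_text.encode()).hexdigest(),
        "signup_ip": ip, "signup_ts": now,
    }
    payload = json.dumps({"t": token_id, "e": email, "p": purpose,
                          "exp": now + TOKEN_TTL_SECONDS}, sort_keys=True).encode()
    return payload.hex() + "." + _sign(payload)   # goes into the confirmation link


def confirm(token, click_ip, now=None):
    """Link click: verify the token and write the consent record. None if rejected."""
    now = time.time() if now is None else now
    try:
        payload_hex, sig = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None                                  # forged or altered link
    claims = json.loads(payload)
    if now > claims["exp"]:
        return None                                  # link expired
    pending = PENDING.pop(claims["t"], None)         # pop => a second click fails
    if pending is None or (pending["email"], pending["purpose"]) != (claims["e"], claims["p"]):
        return None
    return _append({**pending, "confirm_ip": click_ip, "confirm_ts": now})


def withdraw(email, purpose, ip, now=None):
    """Unsubscribe / objection: logged as an event, never as a deletion of history."""
    now = time.time() if now is None else now
    return _append({"event": "withdraw", "email": email, "purpose": purpose,
                    "ip": ip, "ts": now})


def may_send(email, purpose) -> bool:
    """Consent is purpose-specific: the latest event for (email, purpose) decides."""
    allowed = False
    for record in CONSENT_LOG:
        if record["email"] == email and record["purpose"] == purpose:
            allowed = record["event"] == "consent"
    return allowed


def verify_log() -> bool:
    """Tamper check over the whole chain, for when a record is challenged."""
    prev = "0" * 64
    for record in CONSENT_LOG:
        body = {k: v for k, v in record.items() if k != "hash"}
        expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if record["prev_hash"] != prev or record["hash"] != expected:
            return False
        prev = record["hash"]
    return True


if __name__ == "__main__":
    # Constructed sample flow: signup, confirm, then attempt to reuse the link.
    tok = issue_confirmation("ann@example.com", "newsletter", "footer-form-v3",
                             "Yes, send me the weekly newsletter", "203.0.113.5")
    print("confirmed:", confirm(tok, "203.0.113.9") is not None)
    print("replay blocked:", confirm(tok, "203.0.113.9") is None)
    print("newsletter ok:", may_send("ann@example.com", "newsletter"))
    print("checklist ok:", may_send("ann@example.com", "checklist"))
    print("log intact:", verify_log())
```

Two design choices matter here. The purpose travels inside the signed token and is checked again against the pending record, so a "free checklist" confirmation cannot be turned into newsletter consent even by someone who can see the link. And withdrawals are appended rather than rows deleted, so the log still shows that consent once existed and exactly when it ended, which is what a regulator will ask for.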
Bought Lists Are Illegal. Full Stop.
This gets overlooked because buying email lists is still common practice in some industries. Under GDPR and the ePrivacy rules that sit alongside it, it's unlawful to send marketing emails to people who haven't specifically consented to receive emails from you. A third-party "opt-in list" where someone consented to receive emails from "selected marketing partners" doesn't cut it: valid consent requires that the subscriber knew who the controller would be (Recital 42), and "partners" doesn't name you.
The vendor who sold you the list may have their own legal problems. But so do you, the moment you send to it.
What to Do With Legacy Lists
If you have subscribers collected before May 2018 or via non-compliant forms, you have a few options. The cleanest is a re-permission campaign: send one email explaining you're updating your records, with a clear opt-in button, and archive everyone who doesn't re-confirm. One caveat: the re-permission email is itself a marketing email, so only send it to people you already have some lawful basis to contact. In 2017 the ICO fined Flybe and Honda for sending "do you want to keep hearing from us?" emails to people who had opted out or whose consent status was unknown.
Most marketers hate this because list sizes drop dramatically — typically 30–60% of a legacy list won't re-confirm. But continuing to mail those people is the legal exposure. The clean list that remains after re-permissioning is actually worth more per subscriber.
B2B and the Soft Opt-In
There's a carve-out often called the "soft opt-in." It comes from the ePrivacy rules (Article 13(2) of the ePrivacy Directive; regulation 22(3) of PECR in the UK) rather than from GDPR itself, and it is about existing customers, not B2B as such. It works like this: if you obtained someone's contact details in the course of a sale or negotiations for a sale, you can email them about your own similar products or services without separate consent, as long as you gave them the chance to refuse when you collected the address and offer an opt-out in every message. The B2B point is separate: the ePrivacy consent requirement protects individual subscribers, and some member states (the UK among them) apply lighter rules to corporate addresses. GDPR still applies to a named person's work email, so you need a lawful basis for that processing (usually legitimate interests), a privacy notice, and an honoured opt-out.
And "similar products" is narrower than people think. An accountancy firm that has a client can email them about accountancy services, not about an unrelated webinar series. Someone who merely downloaded a whitepaper has not entered sale negotiations, so the soft opt-in doesn't cover them either.
What Mailchimp/Klaviyo/Beehiiv actually handle for you
- ✓ Unsubscribe link in every email (required by GDPR Article 21, the ePrivacy rules, and CAN-SPAM)
- ✓ Suppression lists (not re-adding unsubscribers)
- ✓ Data Processing Agreements with you as the controller
- ✗ Ensuring your signup form has valid consent language
- ✗ Enabling double opt-in (you have to do this manually)
- ✗ Preventing you from importing non-consented lists
- ✗ Storing consent proof (timestamp, source form, the wording shown) in a form you could produce to a regulator; you get basic logs only
The platforms provide infrastructure. Compliance is on you. They'll process whatever list you upload and won't warn you if the consent basis is questionable.
Check your signup forms are compliant
Run a free scan to catch missing consent checkboxes, pre-ticked boxes, and missing privacy policy links on your forms.