Is Your Newsletter Signup GDPR Compliant? 5 Things to Check Right Now
Newsletter signups are one of the highest-risk GDPR touchpoints on most sites. They're simple in form, but the compliance requirements have real teeth. Here are the five checks to run right now.
Check 1: Is the Consent Checkbox Unchecked by Default?
Pre-ticked checkboxes are explicitly invalid under GDPR. Article 7(2) requires that consent is given by "a clear affirmative action" — and a box that's already ticked doesn't require any action. The user didn't consent; they just didn't un-consent.
Some newsletter signups don't have a checkbox at all — just an email field and a "Subscribe" button. The legal position here depends on how clear the consent is. If the button says "Subscribe to our weekly newsletter" and there's no ambiguity about what the person is signing up for, some lawyers argue this constitutes clear affirmative action. But if it says "Get updates" and you're also adding them to a promotional list, that's a stretch.
The safe route: add a checkbox. Unchecked. Labelled specifically.
Check 2: Is the Purpose Stated Specifically?
"Stay updated" isn't a specific purpose. "Receive our weekly product digest and occasional promotional offers" is. Consent must be informed — the person needs to know what they're signing up for.
Bundled consent fails here. You can't collect consent for a newsletter and also use it to justify adding the person to a separate retargeting audience, or sharing their email with "partners." Each distinct purpose needs its own consent basis.
Specific platform note: ConvertKit's default form text often says "Get exclusive content and updates." That's marginally better than nothing but still vague. Edit the form text to be specific about what you actually send and how often.
Check 3: Are You Using Double Opt-In?
Not legally required — but if you're not using it, you need to have something else that constitutes proof of consent. Double opt-in gives you a confirmation email click with a timestamp and IP address. Without it, your evidence is a form submission record.
Beehiiv enables double opt-in by default. Mailchimp calls it "Enable double opt-in" and it's per-audience in your Audience Settings. In Klaviyo it's per-form under "Form behavior." ConvertKit has it under "Incentive email" in your form settings. Apart from Beehiiv, all of them require you to explicitly turn it on.
Check 4: Is There an Unsubscribe Link in Every Email?
This one's table stakes. Every marketing email must contain a clearly visible, functional unsubscribe link. All major ESPs add this automatically, but verify your templates actually include it and that it works. It should be one-click — not "click here to go to a page where you can manage your preferences and then eventually unsubscribe."
Making unsubscribe harder than subscribe is a documented dark pattern that regulators are actively pursuing. Google and Facebook were each fined €60–150 million by CNIL in 2022 for making "reject" harder than "accept" in their cookie flows. The same principle applies to email.
Check 5: Are You Storing Consent Records With Timestamps?
Under Article 7(1), you must be able to demonstrate that consent was given. This means your records need to show: who consented, when, to what, and via which mechanism. Your privacy policy should describe the consent mechanism you use and what records you retain.
Mailchimp, Klaviyo, and ConvertKit all store signup timestamps and source information — check your subscriber records and verify the data is there. If you're using a custom form that feeds into a spreadsheet, you're likely missing this data entirely.
The record should survive even if the subscriber later unsubscribes. You need to prove they were legitimately subscribed while you were mailing them, not just that they're currently on your list.
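The evidence trail Checks 3 and 5 describe, as an added example that is not code from this article or from any ESP: a small in-memory consent ledger that records who, when, to what, and via which mechanism, ties the double opt-in click to an HMAC token with a timestamp and IP, and keeps the record after the subscriber withdraws so you can still show consent existed while you were mailing them. The secret, the 48-hour link lifetime, and all sample values are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import hashlib, hmac

@dataclass
class ConsentRecord:
    email: str
    purpose: str        # the specific purpose shown next to the checkbox
    mechanism: str      # e.g. "unchecked checkbox + confirmation email"
    requested_at: datetime
    request_ip: str
    confirmed_at: Optional[datetime] = None  # set by the double opt-in click
    confirm_ip: Optional[str] = None
    withdrawn_at: Optional[datetime] = None  # set on unsubscribe; record is kept

class ConsentLedger:
    def __init__(self, secret: bytes, token_ttl: timedelta = timedelta(hours=48)):
        self._secret, self._ttl, self._records = secret, token_ttl, {}

    def _token(self, email: str, requested_at: datetime) -> str:
        # HMAC binds the confirmation token to this exact signup attempt
        msg = f"{email}|{requested_at.isoformat()}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def request(self, email, purpose, mechanism, ip, now) -> str:
        self._records[email] = ConsentRecord(email, purpose, mechanism, now, ip)
        return self._token(email, now)  # goes into the confirmation link

    def confirm(self, email, token, ip, now) -> bool:
        rec = self._records.get(email)
        if rec is None or rec.confirmed_at is not None:
            return False
        if now - rec.requested_at > self._ttl:  # stale link
            return False
        if not hmac.compare_digest(token, self._token(email, rec.requested_at)):
            return False
        rec.confirmed_at, rec.confirm_ip = now, ip
        return True

    def withdraw(self, email, now) -> bool:
        rec = self._records.get(email)
        if rec is None or rec.confirmed_at is None or rec.withdrawn_at:
            return False
        rec.withdrawn_at = now  # keep the record: it proves earlier mailings were lawful
        return True

    def was_consented(self, email, at) -> bool:  # lawful to mail this address at `at`?
        rec = self._records.get(email)
        if rec is None or rec.confirmed_at is None or at < rec.confirmed_at:
            return False
        return rec.withdrawn_at is None or at < rec.withdrawn_at
```

A spreadsheet export of form submissions captures only the `request` step; it is the `confirm` row, with its own timestamp and IP, that makes the record useful as proof.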
What "bundled consent" looks like in practice
Checkout form: "I agree to the Terms and Conditions [checkbox — required to complete purchase]." The T&C text includes: "By agreeing, you consent to receive marketing communications." This is bundled consent. The marketing consent is conditioned on agreeing to T&Cs which are required for the purchase. That makes the consent not freely given — invalid under Article 7(4).
Check if your forms have consent issues
Run a free GDPR scan to detect missing consent checkboxes, pre-ticked boxes, and missing privacy policy links across your site's forms.