
11 GDPR requirements for adding subscribers into mailing list



Newsletter sign-up forms are personal data collection tools, so under EU law (in particular the GDPR) you must obtain the informed consent of the data subject before subscribing them to any newsletter service. In practice, obtaining consent is a two-step process: first you inform the user, then you obtain verifiable consent by means of a clear affirmative action.

When informing the data subject you should always:

1. – Be specific: You need to state clearly what kind of e-mail the user is consenting to receive;

2. – Be clear and unambiguous: A typical user must be able to understand easily what they are agreeing to;

3. – Make it clear that registering is optional: Consent must be "freely given"; you may not push users into joining your mailing list or make it appear that joining the list is compulsory. State clearly that signing up is OPTIONAL. This is particularly relevant where you offer something free, such as white papers, case studies or PDF e-books, for download. While the user's e-mail address is required to deliver the download, signing up for your newsletter is not, and even in these cases you must make it clear that it is optional. So, for instance, if you also want to add people who download your e-book to your newsletter list, you need to include something similar to the following above the PDF download form:





4. – Obtaining consent: The consenting action must be specific and provable. The procedure for obtaining consent should be straightforward and involve a clear "opt-in" action. This means that mechanisms such as pre-ticked newsletter sign-up boxes at checkout are neither accepted nor compliant: GDPR Recital 32 states explicitly that silence, pre-ticked boxes or inactivity do not constitute consent.



5. – The consenting action must be specific and verifiable: You may, nevertheless, use any method that lets the user take a direct affirmative action. This can be any provable consenting action, such as replying to an e-mail, ticking a checkbox or filling out a form.

6. – You must give users the ability to withdraw consent: Under the GDPR (Article 7(3)), users have an explicit right to withdraw consent at any time, and withdrawing consent must be as easy as giving it. This is easily achieved by including a visible and working unsubscribe link in EACH of your newsletters. Users should also be able to manage their mail preferences from within their account.




7. – Consent is specific to the content: Consent applies only to the kind of material the user agreed to receive. This means that the newsletter must contain only content the user consented to get. So, for instance, if the user only agreed to receive e-mails about your new products, you must not send them promotional e-mails about partner or third-party offers.

8. – Multiple consents: Where you want to send more than one kind of e-mail to your users, you need separate consent for each purpose, because consent must be granular. Simply include several checkboxes, one per additional purpose, informing the data subject of each purpose and allowing them to consent to it individually. You ALWAYS need separate consent if you send e-mails about third-party products or services in addition to your own.



9. – Exceptions: There are some exceptions to the requirement for the kind of active consent described above. They are as follows:

9.1. – Soft opt-in (where the recipient provided their e-mail address while buying a product or service): If the e-mail address was collected as part of a previous sales process on your site, you may use it to send marketing e-mails about similar products or services. This only applies, however, if the user was properly informed of this use at the time (e.g. a notice on the sales page), was given a simple way to refuse it, and did not do so.

9.2. – Explicit form (where the purpose of the sign-up mechanism is unambiguous): For example, if your site shows a pop-up window inviting users to sign up to your newsletter with a clear phrase such as "Sign up for our newsletter for access to discount vouchers and product updates!", the affirmative action the user performs by typing in their e-mail address is itself considered valid consent, so no separate checkbox is needed.

10. – Records of consent: Since consent under the GDPR is such an essential issue, it is crucial that you keep clear records of the consent obtained. Records of consent should contain at least the following details:

  • – The identity of the user giving consent;
  • – When they consented;
  • – What disclosures were made (what they were told) at the time they consented;
  • – The method used to obtain consent (newsletter form, checkout checkbox, etc.);
  • – Whether they have since withdrawn consent.


11. – Single opt-in vs. double opt-in: While "single opt-in" only requires users to submit their details in order to be added to your list, "double opt-in" requires users to confirm their e-mail address before they are added to your mailing list. The confirmation is performed when the user clicks a unique link contained in a "confirmation" message sent to their e-mail address. With this technique you can ensure that the e-mail address receiving your communication actually belongs to the person giving consent, which also helps you avoid high unsubscribe rates, keep your list clean and protect the reputation of your sending domain. This method of registration is considered best practice in many EU countries.
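The following is an added example, not code from the original article, showing how items 10 and 11 fit together in a double opt-in flow: a purpose-bound, HMAC-signed confirmation link, a consent record holding the five details listed under item 10, an unsubscribe link that does not expire, and a send-time check that a message's purpose is one the user actually consented to. All names (`SubscriberStore`, `make_token`, the 48-hour window, the sample address) are hypothetical; the signing key is generated in-process here and would come from a secrets store in a real deployment.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed server-side signing key (hypothetical); load it from a secrets store in practice.
SECRET_KEY = secrets.token_bytes(32)
CONFIRM_TTL = 48 * 3600  # assumed confirmation window, in seconds


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(email: str, purpose: str, issued_at: int, key: bytes = SECRET_KEY) -> str:
    """Link token bound to one purpose: base64(payload).base64(HMAC-SHA256(payload))."""
    payload = json.dumps({"e": email, "p": purpose, "t": issued_at},
                         separators=(",", ":")).encode("utf-8")
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def verify_token(token: str, purpose: str, now: int, key: bytes = SECRET_KEY,
                 ttl: Optional[int] = CONFIRM_TTL) -> Optional[dict]:
    """Return the payload if the MAC, purpose and age check out, otherwise None."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
        data = json.loads(payload)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    if not isinstance(data, dict) or data.get("p") != purpose:
        return None  # a confirm token must not work as an unsubscribe token, or vice versa
    issued = data.get("t")
    if not isinstance(issued, int) or issued > now:
        return None
    if ttl is not None and now - issued > ttl:
        return None  # unsubscribe links pass ttl=None: withdrawal must keep working
    return data


@dataclass
class ConsentRecord:
    """The evidence item 10 asks you to keep: who, when, what they were told, how, withdrawn?"""
    email: str
    purposes: list        # e.g. ["product_updates"]; only boxes the user actively ticked
    disclosure: str       # the exact wording shown at the time of consent
    method: str           # "newsletter_form", "checkout_checkbox", ...
    requested_at: int
    confirmed_at: Optional[int] = None
    withdrawn_at: Optional[int] = None


class SubscriberStore:
    """In-memory double opt-in flow; a real deployment persists these records."""

    def __init__(self, key: bytes = SECRET_KEY):
        self.key = key
        self.pending = {}      # email -> ConsentRecord awaiting confirmation
        self.subscribers = {}  # email -> confirmed ConsentRecord (kept after withdrawal)

    def request(self, email, purposes, disclosure, method, now) -> str:
        if not purposes:
            raise ValueError("no purpose selected; an unticked or pre-ticked box is not consent")
        self.pending[email] = ConsentRecord(email, list(purposes), disclosure, method, now)
        return make_token(email, "confirm", now, self.key)  # goes into the confirmation e-mail

    def confirm(self, token, now) -> bool:
        data = verify_token(token, "confirm", now, self.key)
        record = self.pending.pop(data["e"], None) if data else None
        if record is None:
            return False  # bad token, expired, or already used (single use)
        record.confirmed_at = now
        self.subscribers[record.email] = record
        return True

    def unsubscribe_token(self, email, now) -> str:
        return make_token(email, "unsubscribe", now, self.key)  # one per newsletter sent

    def withdraw(self, token, now) -> bool:
        data = verify_token(token, "unsubscribe", now, self.key, ttl=None)
        record = self.subscribers.get(data["e"]) if data else None
        if record is None or record.withdrawn_at is not None:
            return False
        record.withdrawn_at = now  # keep the record: it proves consent existed and when it ended
        return True

    def may_send(self, email, purpose) -> bool:
        record = self.subscribers.get(email)
        return (record is not None and record.withdrawn_at is None
                and purpose in record.purposes)
```

The two design points worth copying are the purpose field inside the signed payload, so that a confirmation link can never be replayed as an unsubscribe link (or the reverse), and the fact that withdrawal sets a timestamp rather than deleting the record, since the record is what shows a regulator that consent was obtained and honoured.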



Do you have any concerns with sending emails and newsletters because of GDPR?
Leave your thoughts in the comments below!
