TrustYourWebsite

Newsletter Signup Forms: GDPR Requirements

5 April 2026

Every business with a newsletter signup form on their website is collecting personal data. An email address is personal data under the GDPR. That means the rules apply to you, even if you only send one email a month to 50 subscribers.

The good news: getting this right isn't complicated. Most of it comes down to being clear about what you're doing and giving people a real choice.

The GDPR sets four conditions for valid consent. It must be freely given, specific, informed and unambiguous. That sounds abstract, so here's what each one means for your signup form.

Freely given means people can't be forced or pressured into signing up. Bundling newsletter consent with a purchase or hiding it inside terms and conditions doesn't count. The signup has to be a separate, voluntary action.

Specific means you need to tell people exactly what they're signing up for. "Stay updated" is too vague. "Receive our monthly email with baking tips and offers" is specific. If you plan to send different types of emails, say so.

Informed means people know who is collecting their data and what you'll do with it. Your signup form needs a link to your privacy policy that covers email marketing. No privacy policy link near the form? That's a gap.

Unambiguous means the person has to take a clear action to consent. Typing their email and clicking "Subscribe" counts. A pre-ticked checkbox does not. The EU Court of Justice ruled in the Planet49 case (2019) that pre-checked boxes don't qualify as valid consent. Read more about why pre-checked checkboxes are illegal.

What your signup form actually needs

Here's a practical checklist for your form.

A clear description of what they'll receive. "Subscribe to our newsletter" is the bare minimum. Better: "Get our weekly email about website compliance tips." Best: include the frequency and general topics.

No pre-checked boxes. If you use a checkbox for consent, it must start unchecked. The subscriber has to tick it themselves. This applies to any checkbox on your site that involves personal data processing.

A link to your privacy policy. Place it right next to the submit button or the consent checkbox. Something like "By subscribing you agree to our privacy policy" with a working link. Make sure your privacy policy actually mentions email marketing, not just cookies.

Only ask for what you need. If you only need an email address to send a newsletter, don't require a phone number, date of birth or home address. Collecting more data than necessary violates the GDPR's data minimisation principle.

No tricky design. The submit button shouldn't say "Yes, I want to be amazing!" while the decline option is a tiny grey link saying "No, I prefer to stay uninformed." These dark patterns violate the same consent principles that apply to cookie banners.

Double opt-in: not always required, but always smart

Double opt-in means that after someone fills in your form, they get a confirmation email. They have to click the link in that email before they're actually subscribed.

In Germany, double opt-in is effectively required. German courts have consistently ruled that without it, you can't prove consent was given by the actual email address owner. The Bundesgerichtshof confirmed this approach, and German data protection authorities enforce it.

In the Netherlands and most other EU countries, double opt-in isn't strictly legally required. But it's strongly recommended. Here's why: if someone types in the wrong email address or a fake one, you end up emailing people who never consented. That's a GDPR violation you could have prevented.

Double opt-in also gives you cleaner email lists and better deliverability. Check our full guide on why double opt-in matters for setup instructions.

The GDPR puts the burden of proof on you. If someone claims they never signed up, you need to show they did. That means storing records of consent.

For each subscriber, keep:

  • The email address and any other data they provided
  • The date and time of signup
  • The exact wording they consented to (a snapshot of your form text at the time)
  • How they signed up (which page, which form)
  • Their IP address at the time of signup
  • The double opt-in confirmation date and time, if you use it

Most email marketing tools like Mailchimp, Brevo and ConvertKit store some of this automatically. But check what yours actually records. If it only saves the email and date, you may need to supplement that with your own logs.

Keep these records for as long as the person is subscribed, plus a reasonable period after they unsubscribe. Two to three years after unsubscription is a common practice.
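The record the text describes, as an added example (not TrustYourWebsite's code or any mailing tool's): one dataclass holding every field in the list above, the exact form wording kept verbatim alongside a SHA-256 fingerprint of it, and an HMAC-signed double opt-in token so the confirmation click can be verified and time-stamped. SECRET_KEY, the field names and the sample values are assumptions.

```python
# Added example, not TrustYourWebsite's or any mailing tool's code: a consent record
# holding the fields listed above, plus an HMAC-signed double opt-in token so the
# confirmation click can be verified and time-stamped. SECRET_KEY is a placeholder.
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional

SECRET_KEY = b"example-secret-load-from-a-secret-store"  # placeholder, not a real key

@dataclass
class ConsentRecord:
    email: str
    signed_up_at: str                   # ISO 8601, UTC
    form_text: str                      # exact wording shown at signup, kept verbatim
    form_text_sha256: str               # fingerprint of that wording for quick comparison
    source_page: str                    # which page / which form
    ip_address: str
    confirmed_at: Optional[str] = None  # set only by a valid double opt-in click

def utc_now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")

def record_signup(email, form_text, source_page, ip_address, now=None):
    """Create the record at form submission; the subscriber is not yet confirmed."""
    return ConsentRecord(
        email=email.strip().lower(), signed_up_at=now or utc_now(),
        form_text=form_text,
        form_text_sha256=hashlib.sha256(form_text.encode("utf-8")).hexdigest(),
        source_page=source_page, ip_address=ip_address)

def opt_in_token(rec):
    """Token for the confirmation link, bound to this email and this signup moment."""
    msg = f"{rec.email}|{rec.signed_up_at}".encode("utf-8")
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def confirm_opt_in(rec, token, now=None):
    """Constant-time check of the clicked token; a forged token leaves the record unconfirmed."""
    if not hmac.compare_digest(token, opt_in_token(rec)):
        return False
    rec.confirmed_at = now or utc_now()
    return True

def to_json(rec):
    """Serialised form for the consent log you keep during and after the subscription."""
    return json.dumps(asdict(rec), sort_keys=True)
```

Because the wording is stored verbatim, the record still proves what the subscriber agreed to after you change the form text.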

Every email needs an unsubscribe option

This one is simple but still gets missed. Every marketing email you send must include a working unsubscribe link. Not buried in size-8 font at the bottom of a wall of text. Visible and functional.

The unsubscribe process should work with one click. Don't make people log in, fill out a form or send an email to unsubscribe. Google and Yahoo now require one-click list-unsubscribe headers too, so this is good practice beyond just GDPR.

Process unsubscribe requests within 48 hours. Ideally it's instant.

Country-specific rules to know

GDPR applies across the EU, but some countries add extra requirements through national laws.

Netherlands. The Telecommunicatiewet (Article 11.7) governs electronic marketing. You need prior consent for email marketing to individuals. There's a limited exception for existing customers: if someone bought something from you, you can email them about similar products. But they must be able to opt out easily, and you still need to identify yourself clearly.

Germany. The strictest approach in Europe. Double opt-in is expected by courts and regulators. The Gesetz gegen den unlauteren Wettbewerb (UWG) adds competition law requirements on top of GDPR. German businesses regularly sue competitors for non-compliant email marketing. Don't skip double opt-in if you have German subscribers.

United Kingdom. Post-Brexit, the UK follows the UK GDPR plus PECR (Privacy and Electronic Communications Regulations). The rules are similar to EU GDPR. Consent is required for marketing emails. The "soft opt-in" exception exists for existing customers, similar to the Dutch rule.

Belgium, Ireland and Nordics. These countries generally follow the standard GDPR approach without major additions. Consent before sending, clear unsubscribe in every email, proper records.

Common mistakes on signup forms

These are the problems we see most often when scanning websites.

The hidden newsletter checkbox. A checkbox buried inside a checkout or contact form that auto-subscribes people. This isn't freely given consent because people don't expect a contact form to sign them up for marketing emails.

"Get 10% off" in exchange for email. Offering a discount for newsletter signup is fine. But the consent still needs to be specific and informed. Don't conflate the discount with ongoing marketing. Make it clear: "Enter your email for 10% off. You'll also receive our weekly newsletter."

No unsubscribe in emails. We still see marketing emails without any unsubscribe link. This violates both the GDPR and the ePrivacy rules in every EU country.

Buying email lists. People on purchased lists never gave you consent. Sending them marketing emails is a clear GDPR violation. It doesn't matter that the list seller claims the emails are "opt-in."

Sharing subscribers with partners. Unless your signup form specifically says "we'll share your email with Partner X for their marketing," you can't do this. Generic "trusted partners" language doesn't meet the specificity requirement.

How to check your own form

Open your website and look at your newsletter signup with fresh eyes.

  1. Is there a clear description of what you'll send and how often?
  2. Are there any pre-checked boxes?
  3. Is your privacy policy linked near the form?
  4. Are you collecting only the data you actually need?
  5. Does the design give equal weight to subscribing and not subscribing?
  6. After signing up, does the subscriber get a confirmation email?
  7. Does every marketing email you send include a visible unsubscribe link?

If you answered "no" to any of these, you've got something to fix. Our GDPR compliance checklist covers the full picture beyond just email forms.
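Three of the checklist items (pre-checked boxes, a privacy policy link, data minimisation) can be checked from the form's markup. The snippet below is an added example, not TrustYourWebsite's scanner; the field names and the two sample forms are constructed.

```python
# Added example, not TrustYourWebsite's scanner: the machine-checkable items from the
# checklist above, run over the markup of a signup form. Field names are assumptions.
from html.parser import HTMLParser

class FormAudit(HTMLParser):
    """Collects the consent-relevant facts about a signup form's markup."""
    def __init__(self):
        super().__init__()
        self.prechecked = []       # checkboxes rendered with the checked attribute
        self.fields = []           # non-checkbox inputs the form collects
        self.privacy_link = False  # an <a href> whose target mentions "privacy"

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)            # boolean attrs such as "checked" map to None
        if tag == "input":
            if a.get("type") == "checkbox":
                if "checked" in a:
                    self.prechecked.append(a.get("name", "?"))
            elif a.get("type") not in ("submit", "hidden", "button"):
                self.fields.append(a.get("name", "?"))
        elif tag == "a" and "privacy" in (a.get("href") or "").lower():
            self.privacy_link = True

def audit_form(html):
    """Return the checklist failures found; an empty list means the form passed."""
    p = FormAudit()
    p.feed(html)
    issues = []
    if p.prechecked:
        issues.append("pre-checked box: " + ", ".join(p.prechecked))
    if not p.privacy_link:
        issues.append("no privacy policy link in the form")
    extra = [f for f in p.fields if f != "email"]
    if extra:
        issues.append("collects more than an email address: " + ", ".join(extra))
    return issues

# Constructed sample forms: one with three common mistakes, one that passes.
BAD_FORM = ('<form><input type="email" name="email"><input type="text" name="phone">'
            '<input type="checkbox" name="newsletter" checked> Send me offers'
            '<input type="submit" value="Subscribe"></form>')
GOOD_FORM = ('<form><p>Get our weekly email about website compliance tips.</p>'
             '<input type="email" name="email"><input type="checkbox" name="consent">'
             ' I agree to the <a href="/privacy-policy">privacy policy</a>'
             '<input type="submit" value="Subscribe"></form>')

if __name__ == "__main__":
    print(audit_form(BAD_FORM))   # three issues
    print(audit_form(GOOD_FORM))  # []
```

The description, frequency and equal-weight design items still need a human reading the form; this only catches what the markup itself gives away.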

Frequently asked questions

No. Emails that are necessary to fulfil a contract (order confirmations, shipping updates, password resets) don't require marketing consent. But you can't sneak marketing content into transactional emails. Keep them separate.

In most EU countries, there's a "soft opt-in" exception. If someone bought from you, you can email them about similar products or services. But you must have offered an opt-out at the time of purchase, and every email must include an unsubscribe option. This exception doesn't apply in Germany for practical purposes.

If a data protection authority investigates, the burden of proof is on you. Without records, you can't demonstrate valid consent. Fines for email marketing violations typically range from €5,000 to €50,000 for small businesses, though larger violations can cost much more.

Is a popup newsletter form GDPR compliant?

A popup can be compliant if it meets all the same requirements: clear description, no pre-checked boxes, privacy policy link and proper consent recording. The popup format itself isn't the problem. But aggressive popups that block content until someone subscribes start looking like a form of coercion, which undermines the "freely given" requirement.

Do these rules apply to B2B newsletters?

Yes, but with some nuance. If you're emailing individual business contacts, GDPR applies because you're processing personal data. Some countries (like the UK and Netherlands) have softer rules for B2B email, but you still need a lawful basis and an unsubscribe option in every email.
