GDPR and Newsletters: What Still Trips Marketers Up
GDPR and newsletters have a straightforward relationship on paper: you need a lawful basis to send marketing emails, and for most newsletter programmes that means freely given, specific, informed consent. In practice, the gap between what the regulation requires and what many businesses actually do remains surprisingly wide, even years after enforcement began.
The risks are real, the rules are not especially complicated, and yet consent collection, list hygiene, and data retention practices at many organisations are still messier than they should be. This article covers where the genuine compliance problems sit, and how to build a newsletter programme that is both legally sound and commercially effective.
Key Takeaways
- Consent for newsletter sign-ups must be freely given, specific, informed, and unambiguous. Pre-ticked boxes and bundled opt-ins do not meet the standard.
- Legitimate interest is not a reliable lawful basis for promotional newsletters. Regulators have consistently challenged its use in direct marketing contexts.
- Suppression lists matter as much as active lists. Removing someone from your send list does not erase your obligation to hold their opt-out on record.
- Re-engagement campaigns sent to unengaged subscribers without a valid basis for contact can create compliance exposure, not just deliverability problems.
- A well-run consent architecture is a commercial asset, not just a legal formality. Lists built on genuine interest perform better than lists built on ambiguity.
In This Article
- Why GDPR Compliance Is Still a Live Issue for Newsletter Programmes
- What Does Valid Consent Actually Require?
- Legitimate Interest: The Lawful Basis That Is Often Misapplied
- The Suppression List Problem Nobody Talks About
- Re-Engagement Campaigns and the Compliance Line
- Third-Party Lists and Co-Registration: Where the Risk Concentrates
- Building a Newsletter Programme That Is Compliant by Design
- The Commercial Case for Getting This Right
Why GDPR Compliance Is Still a Live Issue for Newsletter Programmes
When GDPR came into force in May 2018, there was a wave of re-permissioning campaigns, a flurry of updated privacy notices, and a general sense that marketers had sorted it out. Many had not. They had addressed the most visible, surface-level issues (an updated sign-up form, a cookie banner) and moved on. The structural problems (how consent is captured, how it is stored, how it is honoured across systems, and how long data is retained) were often left only partially resolved.
I have worked with enough organisations over the years to know that the gap between stated compliance and actual compliance is often significant. In one agency engagement, we audited a client’s email list and found three separate acquisition sources with different consent language, none of which had been mapped to the CRM in a way that allowed them to demonstrate what any individual subscriber had actually agreed to. The list had been growing for years. Nobody had asked the question until we did.
The Information Commissioner’s Office in the UK has continued to issue fines and enforcement notices well beyond the initial GDPR rush. It is worth knowing that most UK enforcement against marketing email actually runs under PECR (the Privacy and Electronic Communications Regulations), which sits alongside the UK GDPR and borrows its definition of consent, so the consent standard you have to meet is the same whichever regime a complaint lands under. The regulation has not faded into background noise. For newsletter programmes specifically, consent remains the area where most organisations carry the most risk.
If you want to understand how email fits into a broader acquisition and retention strategy, the Email and Lifecycle Marketing hub covers the full picture, from list building to programme architecture.
What Does Valid Consent Actually Require?
GDPR sets a specific standard for consent. It must be freely given, specific, informed, and indicated by a clear affirmative action. That last phrase matters more than most marketers appreciate. Silence, inactivity, or a pre-ticked box does not constitute valid consent. The subscriber must do something positive to opt in.
Freely given means the consent cannot be made a condition of a service that does not depend on it. If you bundle newsletter sign-up into a checkout process in a way that makes it difficult to complete the purchase without subscribing, that consent is likely invalid. Specific means the person knew they were signing up for marketing emails, not just agreeing to terms and conditions, and that separate purposes (a newsletter, partner offers, SMS) were asked about separately rather than rolled into one tick. Informed means the consent request was clear about who was collecting the data and what it would be used for.
Mailchimp’s GDPR overview covers the core consent requirements clearly and is worth reading if you are building or auditing a sign-up flow. The practical implications for form design are significant: your opt-in checkbox must be unticked by default, the consent language must be specific to email marketing, and you need to be able to evidence that consent at any point in the future.
That last point is where many organisations fall down. Capturing consent is one thing. Storing a timestamped, auditable record of what was agreed to (the exact wording shown, the date and time, and the form or page it came from) is another. Double opt-in is not mandatory, but a logged confirmation click gives you far stronger evidence that the owner of the address, rather than whoever typed it into a form, took the affirmative action. If a subscriber complains or a regulator asks, “we had a sign-up form” is not sufficient. You need to demonstrate exactly what that person consented to and when.
Legitimate Interest: The Lawful Basis That Is Often Misapplied
Some marketers have attempted to use legitimate interest as a lawful basis for newsletter sends, particularly when their existing consent records are weak. The logic goes: we have a genuine commercial interest in communicating with customers, so we do not need explicit consent. This reasoning is flawed in the context of direct marketing.
The ICO’s guidance is explicit that legitimate interest requires a three-part test: you must identify a legitimate interest, demonstrate the processing is necessary to achieve it, and balance it against the individual’s rights and freedoms. Direct marketing can in principle be a legitimate interest (GDPR Recital 47 says as much), but that is not the end of the question. Marketing email to individuals is also governed by the ePrivacy rules (PECR in the UK), which require consent unless a narrow exception applies, so even a legitimate interest assessment that passes does not by itself give you permission to send. And for promotional newsletters to people who never opted in, the balancing test is hard to pass on its own terms; regulators across Europe have repeatedly rejected legitimate interest arguments in direct marketing cases.
There are narrower cases where you can send without fresh marketing consent. Purely transactional or service messages (order confirmations, security notices, changes to terms) are not direct marketing and do not need marketing consent, provided they are not used to carry promotional content. The UK “soft opt-in” under PECR lets you email existing customers about your own similar products if their details were collected in the course of a sale or negotiations for one, they were offered a simple opt-out at the point of collection and in every message, and they have not used it. Neither is a blanket workaround for weak consent records. If your list was built before GDPR and you cannot evidence consent, the honest answer is that those contacts need to be suppressed or put through a proper re-permissioning process, not reclassified under a different lawful basis.
The Suppression List Problem Nobody Talks About
Most marketers understand that when someone unsubscribes, you stop sending to them. What is less well understood is the obligation around suppression lists. Deleting an unsubscribed contact from your database does not satisfy your compliance obligations. In fact, it can create a new problem.
If you delete the record entirely and the same address is later acquired through a new sign-up or a third-party list, you have no way of knowing that person previously opted out, and you will send to them again. The correct approach is to hold a suppression record: a record that this address must not receive marketing, retained even when all other personal data is deleted. Keep it minimal, typically a hash of the normalised (trimmed, lower-cased) address rather than the address itself, and check it against every import and every send. A later, genuine opt-in on your own form can supersede the suppression; an address turning up on an imported list cannot.
I have seen this create real problems in organisations that have gone through CRM migrations or list consolidations. Data gets cleaned, duplicates get merged, and somewhere in that process the suppression flags get lost. The result is a wave of contacts receiving emails they explicitly opted out of. That is not just a compliance failure. It is a deliverability problem, a brand problem, and potentially an enforcement problem.
Maintaining suppression lists across all your sending platforms (ESP, CRM, marketing automation tool) is a basic operational discipline that deserves more attention than it typically gets.
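The record-keeping points made here and in the consent section (an auditable record of source, wording and timestamp; a suppression entry that outlives the contact’s other data; and a re-permissioning sweep that suppresses non-responders rather than keeping them) are exactly the things that get lost in a CRM migration. The following is an added Python sketch, written for this edit rather than taken from the article, showing one way to hold them together so that a send is gated on both. It assumes an in-memory store in place of a real CRM or ESP, a hypothetical keyed hash for the suppression token, and constructed sample addresses and dates; none of those come from the page.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption for the example: in production this key lives in a secrets store.
SUPPRESSION_KEY = b"example-only-key-rotate-in-production"

# Constructed anchor date so the example runs offline with fixed timestamps.
EPOCH = datetime(2024, 1, 10, tzinfo=timezone.utc)


def day(n: int) -> datetime:
    """Constructed timestamp n days after EPOCH (sample data only)."""
    return EPOCH + timedelta(days=n)


def normalise(email: str) -> str:
    """Canonical form used for every match; case and stray whitespace must not
    let a suppressed address slip back onto a send list."""
    return email.strip().lower()


def suppression_token(email: str) -> str:
    """Keyed SHA-256 of the normalised address. The suppression list stores only
    this token, so it holds the minimum data needed to honour an opt-out."""
    return hmac.new(SUPPRESSION_KEY, normalise(email).encode("utf-8"),
                    hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class ConsentRecord:
    source: str        # form or page that captured the consent
    wording: str       # exact consent text shown at capture
    ts: datetime       # when the affirmative action happened (UTC)
    first_party: bool  # True for your own form; False for an import or partner feed


class NewsletterStore:
    """In-memory stand-in for the CRM/ESP tables (an assumption of this example)."""

    def __init__(self) -> None:
        self.consents: dict[str, list[ConsentRecord]] = {}  # normalised email -> history
        self.suppressed: dict[str, datetime] = {}           # token -> opt-out time

    def record_consent(self, email: str, source: str, wording: str,
                       ts: datetime, first_party: bool = True) -> None:
        key = normalise(email)
        self.consents.setdefault(key, []).append(
            ConsentRecord(source, wording, ts, first_party))
        tok = suppression_token(key)
        # A fresh affirmative opt-in on your own form, made after the opt-out,
        # supersedes it. A record arriving on an imported list never does.
        if first_party and tok in self.suppressed and ts > self.suppressed[tok]:
            del self.suppressed[tok]

    def unsubscribe(self, email: str, ts: datetime) -> None:
        """Opt-out: add the token; keep the consent history for accountability."""
        self.suppressed[suppression_token(email)] = ts

    def erase(self, email: str, ts: datetime) -> None:
        """Erasure request: drop all personal data but keep the suppression token."""
        self.unsubscribe(email, ts)
        self.consents.pop(normalise(email), None)

    def can_send(self, email: str) -> tuple[bool, str]:
        """Gate every marketing send: suppression first, then evidenced consent."""
        if suppression_token(email) in self.suppressed:
            return False, "suppressed: opted out or erased"
        history = self.consents.get(normalise(email))
        if not history:
            return False, "no consent record"
        latest = max(history, key=lambda r: r.ts)
        return True, f"consent via {latest.source!r} at {latest.ts.isoformat()}"

    def evidence(self, email: str) -> list[dict]:
        """What you hand over on a complaint: every capture, in order."""
        history = sorted(self.consents.get(normalise(email), []), key=lambda r: r.ts)
        return [{"source": r.source, "wording": r.wording,
                 "ts": r.ts.isoformat(), "first_party": r.first_party} for r in history]

    def suppress_unconfirmed(self, cutoff: datetime, now: datetime) -> int:
        """Re-permissioning sweep: anyone whose latest consent predates `cutoff`
        and who has not re-confirmed is suppressed, not quietly kept."""
        swept = 0
        for key, history in self.consents.items():
            if (max(r.ts for r in history) < cutoff
                    and suppression_token(key) not in self.suppressed):
                self.unsubscribe(key, now)
                swept += 1
        return swept


if __name__ == "__main__":
    store = NewsletterStore()
    store.record_consent("Alice@Example.com ", "footer-form",
                         "Yes, email me the weekly newsletter", day(0))
    print(store.can_send("alice@example.com"))      # allowed, with the evidence
    store.unsubscribe("alice@example.com", day(30))
    print(store.can_send("ALICE@example.com"))      # blocked despite the casing
```

Two design choices carry the compliance point. `can_send` consults the suppression list before it looks at consent, so a suppression entry wins even when a consent record exists, and the entry survives `erase`, which is what keeps a re-imported address from being mailed. The token is a keyed hash of the normalised address: normalising is what stops `ALICE@example.com` from slipping past an opt-out recorded as `alice@example.com`, and keying the hash means a leaked suppression list is not simply a dictionary of your former subscribers.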
Re-Engagement Campaigns and the Compliance Line
Re-engagement campaigns are a standard part of list management. Contacts who have not opened or clicked in six, twelve, or eighteen months are flagged for a win-back sequence, and those who do not respond are removed. The deliverability rationale is sound: sending to large volumes of unengaged contacts damages your sender reputation and reduces inbox placement rates across your whole programme.
The GDPR dimension is less often considered. If a contact has not engaged for an extended period, the question is not just whether they are hurting your open rates. It is whether you still have a valid basis to contact them at all. Consent does not expire on a fixed schedule, but the ICO’s guidance suggests that if a significant period has passed with no engagement and no interaction with your brand, it becomes harder to argue that the original consent still reflects the person’s current wishes.
The practical answer is to treat re-engagement campaigns as a consent refresh mechanism, not just a deliverability exercise. If someone does not respond to a re-engagement email asking them to confirm they still want to hear from you, the correct action is to suppress them. Not to keep them on the list because they technically never clicked unsubscribe.
There is a commercial case for this approach too. Lists built on genuine, current interest consistently outperform lists padded with unengaged contacts. When I was running agency-side email programmes, the clients who were most protective about list quality, sometimes frustratingly so from a volume perspective, tended to have the strongest engagement metrics and the most predictable revenue from email. The correlation was consistent enough that I stopped arguing with them about it.
Third-Party Lists and Co-Registration: Where the Risk Concentrates
Purchasing email lists or using co-registration to acquire subscribers is where GDPR exposure concentrates most acutely. For a contact on a purchased list to be validly consented under GDPR, they must have given consent specifically to receive communications from your organisation, not just from the list vendor or a generic category of businesses.
In practice, this standard is almost never met by purchased lists. The consent language used at the point of capture is typically broad, the subscriber often has no idea who you are, and the connection between what they agreed to and what they are now receiving is tenuous at best. This is why most reputable ESPs, including Mailchimp, prohibit the use of purchased lists on their platforms. The reputational and deliverability risks are significant, and the legal basis is weak.
Co-registration is slightly more nuanced. If a third-party sign-up form names your brand specifically and the subscriber ticks an opt-in box for your communications, that is closer to valid consent. But the consent language, the specific naming of your brand, and the storage of the consent record all need to be verified. Taking a co-registration vendor’s word that “the consent is GDPR compliant” without seeing the actual form and consent language is not due diligence.
Building a Newsletter Programme That Is Compliant by Design
The most effective way to handle GDPR compliance for newsletters is to build it into the programme architecture from the start, rather than treating it as a legal review step at the end. That means:
- designing sign-up flows that capture clear, specific consent;
- storing consent records in a way that can be retrieved and audited;
- building suppression list management into your data processes; and
- having a clear data retention policy that specifies how long you hold subscriber data and what triggers its deletion or review.
It also means being honest about the state of your existing list. If you have contacts whose consent records are unclear or predated GDPR, the commercially sensible thing to do is segment them, run a re-permissioning campaign with a clear opt-in mechanism, and suppress those who do not respond. Yes, your list will be smaller. It will also be more engaged, more deliverable, and less legally exposed.
From a content perspective, newsletters that people actually want to read are the most reliable GDPR compliance mechanism available. If your content is genuinely useful, subscribers stay subscribed and engagement stays high. The problem of lapsed consent tends to be much smaller when the newsletter itself is worth receiving. Buffer’s breakdown of what makes newsletters worth reading is a useful reference point if you are thinking about content strategy alongside compliance.
Subject line quality also plays a role in list health. Subscribers who consistently find your subject lines relevant are more likely to open, less likely to mark as spam, and less likely to go dormant. HubSpot’s subject line research covers what tends to drive open rates across different industries and contexts.
Deliverability and compliance are more connected than most marketers treat them. A list with strong engagement signals, good sender reputation, and low spam complaint rates is also likely to be a list built on solid consent practices. The two things reinforce each other. HubSpot’s guide to avoiding spam filters covers the technical side of deliverability, which sits alongside the consent and data quality work.
If you are thinking about how newsletters fit into a wider content and distribution strategy, including LinkedIn newsletters as a complementary channel, Buffer’s LinkedIn newsletter guide is worth a read. The consent dynamics on LinkedIn are different, as the platform manages the subscription relationship, but the content principles carry across.
There is also a measurement dimension worth noting. How you track engagement in a GDPR-compliant way has become more complicated as email clients have rolled out privacy features that affect open tracking. Mailchimp’s piece on zero-click content addresses some of the implications for how you read engagement data. And understanding the difference between click rate and click-through rate matters when you are using engagement metrics to inform list segmentation decisions. Semrush’s explanation of click rate versus click-through rate is a clean, clear reference on this.
The broader email marketing picture, strategy, segmentation, lifecycle design, and measurement, is covered across the Email and Lifecycle Marketing hub. GDPR compliance is one layer of that picture, and it is most effective when it sits within a well-designed programme rather than being bolted on as an afterthought.
The Commercial Case for Getting This Right
There is a tendency to frame GDPR compliance as a cost, a constraint on what you can do with your email programme. I think that framing is wrong. A newsletter list built on genuine, documented consent, with strong engagement and clean suppression records, is a more valuable commercial asset than a large, ambiguously acquired list that carries legal exposure and deliverability risk.
Early in my career, before GDPR existed, I worked on a programme where the instinct was always to maximise list size. More contacts meant more sends meant more revenue, at least in theory. What we found in practice was that the contacts acquired through the most aggressive, least permission-based methods had the highest unsubscribe rates, the lowest engagement, and the worst conversion rates. The list that performed best was the one where people had actively sought out the brand and chosen to hear from it.
GDPR formalised something that was commercially true before the regulation existed: marketing to people who want to hear from you works better than marketing to people who do not. The compliance requirements are not an obstacle to good email marketing. They are, if you treat them seriously, a forcing function for building a programme on the right foundations.
The organisations that have used GDPR as an opportunity to clean up their data practices, tighten their consent architecture, and focus on list quality over list size tend to have email programmes that perform more consistently and carry less operational and legal risk. That is a better position to be in, regardless of what the regulation requires.
About the Author
Keith Lacy is a marketing strategist and former agency CEO with 20+ years of experience across agency leadership, performance marketing, and commercial strategy. He writes The Marketing Juice to cut through the noise and share what works.
