How to Start a GDPR-Compliant Newsletter
Newsletters are fun to write, easy to manage, and can help you speak directly to your customers.
But if you want to get things right, there are a few things to consider under the General Data Protection Regulation (GDPR) and other European laws.
This article walks you through some of the key data protection and privacy issues when publishing a newsletter.
Untangling the Law
The law can get pretty complicated, so here’s a brief explainer on the two main EU laws that apply to newsletter publishers.
The GDPR applies if you’re based in the European Economic Area (EEA), the UK (which has its own version), or if you’re targeting people in these countries with your products and services (including your newsletter, whether it’s paid or free).
The GDPR provides rules on protecting personal data about your subscribers, including keeping it secure, enabling people to access or delete it, and not using it for unrelated purposes.
But another EU law you’ll need to consider is the ePrivacy Directive, passed in 2002.
The ePrivacy Directive provides rules on privacy-related issues in the context of electronic communications (like email), including:
- Whether you need to get consent to send someone your newsletter.
- Using pixels and other trackers in your newsletter.
All EEA countries, plus the UK, have implemented the ePrivacy Directive into national law, but the national versions can vary slightly.
Subscribers and Unsubscribers
For a newsletter publisher, nothing beats watching your newsletter subscriber count grow.
Let’s look at the rules around getting subscribers for your newsletter. We’ve linked to some additional resources at the end of this section.
Generally speaking, you’ll need a person’s consent before sending them your newsletter.
Consent under the GDPR must be freely given, specific, informed, unambiguous, given via a clear affirmative action, and easy to withdraw.
This means you can’t simply send your newsletter to someone merely because you have their email address (and would you really want to do that?). You must ask their permission, and explain what you intend to do with their personal data.
However, there are some exceptions to the consent requirement.
In most European countries, the ePrivacy Directive provides an alternative to consent known as the “soft opt-in”. Under this rule, you can add a message with a pre-ticked box (e.g., “Yes—sign me up for your newsletter”) to your checkout process or sale inquiry forms.
You also won’t normally need consent to send your newsletter to generic business email addresses (e.g., “firstname.lastname@example.org”).
Once you have a person’s consent for your newsletter, you’ll need to record when and how they provided consent.
Make sure you get consent for your newsletter unless you can use the “soft opt-in” or business-to-business exception.
Do you need to send a “verify your subscription” email to each new subscriber?
The law doesn’t require this confirmation process (known as the “double opt-in”), but some regulators consider it best practice.
It’s worth noting that while subscriber numbers matter, the quality of subscribers matters, too. If all your subscribers have confirmed they are happy to receive your newsletter, they are more likely to be active readers (and potential customers).
A double opt-in can weed out accidental and uninterested subscribers, so it might be a good strategy—even if the law doesn’t require it.
Consider implementing a “double opt-in” process to confirm your subscribers are “real people” and are happy to receive your newsletter.
Nobody likes to see their subscriber count fall. Nonetheless, you’ll need to make it easy for people to unsubscribe from your newsletter.
Under the ePrivacy Directive, you must include an “unsubscribe” link in every newsletter you send.
Under the GDPR, people must be able to withdraw consent as easily as they gave consent. This means the unsubscribe process should be quick and easy—ideally achieved in one click.
Provide a one-click “unsubscribe” link at the bottom of every newsletter email you send.
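The three steps above (record when and how consent was given, confirm it with a double opt-in, and let people withdraw it in one click) as a small worked example; this is added illustration code, not from the article or any newsletter provider, and the in-memory ledger, the demo key and the token scheme are assumptions:

```python
import hmac
import hashlib
from datetime import datetime, timezone

# Constructed demo key; a real deployment keeps this secret and rotates it.
SECRET_KEY = b"constructed-demo-key"

def token_for(email: str, purpose: str) -> str:
    """Unguessable per-recipient token for a 'confirm' or 'unsubscribe' link."""
    msg = f"{purpose}:{email.lower()}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

class ConsentLedger:
    def __init__(self):
        self.records = {}  # email -> consent record (what a regulator may ask to see)

    def request_signup(self, email, source, consent_text, now=None):
        """Record the unconfirmed request: where, when and to what the person agreed."""
        now = now or datetime.now(timezone.utc)
        self.records[email.lower()] = {
            "status": "pending",
            "requested_at": now.isoformat(),
            "source": source,              # e.g. "website signup form"
            "consent_text": consent_text,  # exact wording shown next to the checkbox
            "confirmed_at": None,
            "withdrawn_at": None,
        }
        # This token goes into the "verify your subscription" email (double opt-in).
        return token_for(email, "confirm")

    def _transition(self, email, token, purpose, expect, new_status, field, now):
        rec = self.records.get(email.lower())
        if (rec is None or rec["status"] != expect
                or not hmac.compare_digest(token, token_for(email, purpose))):
            return False  # unknown address, wrong state, or forged/guessed token
        rec["status"] = new_status
        rec[field] = (now or datetime.now(timezone.utc)).isoformat()
        return True

    def confirm(self, email, token, now=None):
        """Double opt-in: only the holder of the emailed token can confirm."""
        return self._transition(email, token, "confirm", "pending", "subscribed", "confirmed_at", now)

    def unsubscribe(self, email, token, now=None):
        """One-click withdrawal via the token embedded in every newsletter's unsubscribe link."""
        return self._transition(email, token, "unsubscribe", "subscribed", "unsubscribed", "withdrawn_at", now)

    def recipients(self):
        """Only confirmed, non-withdrawn subscribers ever receive the newsletter."""
        return sorted(e for e, r in self.records.items() if r["status"] == "subscribed")
```

The record keeps the source and exact consent wording alongside the timestamps, which is what you would show a regulator who asks how a subscriber consented.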
For more information about getting newsletter signups in a legally compliant way, check out these articles from our archive:
- Email Marketing in Europe: How to Comply With the Law: More information about the “soft opt-in” and business-to-business email marketing.
- Everything You Need to Know About GDPR Consent: More on the GDPR’s consent rules.
- How to Record Consent Under GDPR: Guidance on why and how you should keep records of consent.
Using a Newsletter Service Provider
Many people’s first step when creating a newsletter is to find a company to help distribute it. Hundreds of newsletter service providers will help you do this—from Substack to Mailchimp to Campaign Monitor—but not all will help you comply with the law.
Controllers and Processors
First, the basics: Under the GDPR, you’re the “data controller” for your newsletter. Your newsletter service provider is a “data processor”.
A data controller decides the “purposes and means” (the “why and how”) of processing personal data.
A data processor processes personal data on behalf of a controller.
You’re responsible for your own GDPR compliance—and (for the most part) you’re responsible for your processors’ GDPR compliance, too.
If you use a newsletter provider to help distribute your newsletter and collect people’s email addresses, that newsletter provider is your data processor.
Other relevant data processors might include your email service provider (such as Google or Microsoft), cloud storage providers, and automation platforms.
Under the GDPR, a “subprocessor” is your processor’s processor.
Newsletter service providers typically use subprocessors for storage, security, and analytics.
Here’s a small sample of MailChimp’s long list of subprocessors:
The relationship between controllers and subprocessors is more complicated than the relationship between controllers and processors. But—again, for the most part—you’re accountable for subprocessors, too.
Data Processing Agreement
Controllers and processors must have a “data processing agreement” in place.
A data processing agreement is a contract that ensures the processor is legally bound to obey the controller’s instructions and protect personal data to GDPR standards.
Here’s a look at part of Substack’s “data processing addendum”:
When choosing a newsletter provider, check that the provider has a data processing agreement (sometimes called a “data processing addendum”). This agreement must comply with Article 28 of the GDPR.
International Data Transfers
The GDPR provides strict rules about “international data transfers”.
In 2021, a German regulator found that a company violated the GDPR’s data transfer rules by using US-based service provider MailChimp.
The circumstances around US data transfers have changed since 2021, but the case is a good example of why due diligence matters when choosing a newsletter provider.
You can only share personal data with another organisation outside the European Economic Area (EEA) under certain conditions.
- When choosing a newsletter provider, check where the provider is based.
- If the provider is located outside the EEA, check whether the provider is in a country covered by an “adequacy decision”. This means you can use the provider without putting any “data transfer safeguards” in place.
- If the provider is located outside the EEA—and is not in a country covered by an “adequacy decision”—you’ll need to ensure appropriate data transfer safeguards are in place.
See our article on standard contractual clauses (SCCs) for guidance on international data transfers.
You should also check whether any of the provider’s subprocessors are located outside of the EEA. You may be held responsible if, for example, the provider uses a non-EEA cloud storage company without meeting the GDPR’s requirements.
Ensure you know where your subscribers’ personal data is being stored, and that you can meet the GDPR’s rules if the data goes outside of the EEA.
Tracking and Pixels
Many newsletter service providers will offer metrics about how people engage with your newsletter.
Obtaining this data relies on “pixels” and other tracking techniques that require consent under the ePrivacy Directive.
Consent for Pixels
A pixel (sometimes called a “tracking pixel”, “marketing pixel”, or “spy pixel”) is a tiny image file embedded in emails and websites. The recipient is unlikely to see a pixel embedded in their email, but email filters and security software might detect it.
Email marketers use pixels to track interactions with their emails. A pixel (unless blocked) can provide the sender with a lot of information about the people who receive their email, including:
- Whether a given subscriber has opened the email.
- What date and time the subscriber opened the email.
- What device and browser the subscriber used to read the email.
- What email service provider the subscriber uses.
- The region in which the subscriber is located.
- Which links the subscriber clicked.
Under the ePrivacy Directive, you must get consent to “store” or “retrieve” information from a person’s device, with limited exceptions.
As such, the law requires that you get consent for tracking pixels. And because the GDPR requires consent to be “specific” to a given purpose, you’ll need to ask for pixel consent separately from email consent.
Many newsletter authors do not request consent for tracking pixels, and some newsletter service providers don’t even provide the facility to turn them off. However, the law is pretty clear on this issue.
If you wish to track interactions with your newsletter via pixels, the law says you must request consent.
There’s another way to track interactions with your newsletter: Tracking links.
Some links record who clicked them, when they were clicked, and from where.
Sometimes the links in a newsletter embed an identifier derived from the recipient’s email address (for example, a hash of it). When the recipient clicks the link, the newsletter service provider can tell which subscriber clicked.
The law applies less clearly in this area. However, it’s likely that a record of whether a particular subscriber clicked a link in your newsletter is personal data under the GDPR.
Be aware that tracking links and even “link shorteners” can apply analytics techniques to track people’s interactions with your newsletter. A fundamental part of data protection and privacy is understanding how you collect personal data and why.
But collecting personal data doesn’t always require consent. Unless cookies and pixels are involved, you might be able to rely on another “legal basis”. For more information, see our article: What is Legitimate Interests Under the GDPR?
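To make the pixel and tracking-link descriptions above concrete, here is a small scanner of the kind the email filters mentioned earlier might run, flagging tiny or hidden remote images and links whose query string carries a hash-like per-recipient token. This is an added example, not code from the article or any provider; the heuristics, the `news.example`/`track.example`/`click.example` hosts and the sample HTML are all constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Assumption: a query value of 32+ hex characters is a hashed recipient identifier.
HEX_ID = re.compile(r"^[0-9a-f]{32,}$", re.I)

class TrackerScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.pixels, self.tracking_links = [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img" and self._is_pixel(a):
            self.pixels.append(a.get("src", ""))
        elif tag == "a" and self._is_tracking_link(a.get("href", "")):
            self.tracking_links.append(a["href"])

    @staticmethod
    def _is_pixel(a):
        """Tiny or hidden remote image: invisible to the reader, visible to the sender."""
        tiny = a.get("width", "") in ("0", "1") and a.get("height", "") in ("0", "1")
        hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
        remote = a.get("src", "").startswith(("http://", "https://"))
        return remote and (tiny or hidden)

    @staticmethod
    def _is_tracking_link(href):
        """A hash-like query parameter ties the click to one recipient."""
        qs = parse_qs(urlparse(href).query)
        return any(HEX_ID.match(v) for vals in qs.values() for v in vals)

def find_trackers(html):
    """Return the likely tracking pixels and per-recipient links found in an email body."""
    s = TrackerScanner()
    s.feed(html)
    return {"pixels": s.pixels, "tracking_links": s.tracking_links}

# Constructed sample newsletter body: one plain link, one tracked link, a logo, a pixel.
SAMPLE = """
<p>Welcome to issue 12!</p>
<a href="https://news.example/issue-12">Read online</a>
<a href="https://click.example/r?u=issue-12&id=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08">Read online (tracked)</a>
<img src="https://news.example/logo.png" width="200" height="60" alt="logo">
<img src="https://track.example/open?id=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" width="1" height="1">
"""
```

Running `find_trackers(SAMPLE)` reports the 1x1 `track.example` image and the `click.example` link but not the logo or the plain link, which is the distinction a publisher needs to make when deciding what requires consent.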
You should provide a link to your privacy notice alongside your newsletter sign-up form, and at the bottom of each edition of your newsletter.
Here are the basic elements of a privacy notice for a newsletter publisher:
- Your identity and contact details.
- The personal data you process (e.g., email addresses, names, information collected via pixels).
- Your purposes for processing personal data (to send your newsletter).
- Your legal bases for processing personal data (likely “consent”, for the most part).
- How long you store personal data (e.g., until a subscriber unsubscribes).
- Any other companies with which you share personal data (such as your newsletter service provider and email service provider).
- If you transfer personal data outside of the EEA, details of how you handle international data transfers.
- An explanation of people’s GDPR rights and how to exercise them.
- Contact details for your country’s data protection authority (DPA) if people wish to complain.
Articles 12, 13, and 14 of the GDPR provide further detail about the law’s transparency requirements.
Overview of GDPR and ePrivacy Law for Newsletters
Let’s wrap up with an overview of some of the GDPR and ePrivacy issues relevant to publishing a newsletter:
- You’ll need consent to send a person your newsletter unless:
  - You can rely on the “soft opt-in”, or
  - The recipient has a commercial email address.
- Consider a “double opt-in” to verify subscriptions.
- Always include an unsubscribe mechanism in every newsletter.
- When choosing a newsletter service provider, consider:
  - Whether the provider offers clients a compliant data processing agreement (DPA),
  - Where the provider is based, and whether it meets any obligations around international data transfers,
  - What subprocessors the provider uses—the same rules apply to them.
- If you include tracking pixels in your newsletter, you’ll need to get your subscribers’ consent.
- If you use tracking links or link shorteners, you are likely processing personal data and will require a “legal basis”.
- Ensure you have a privacy notice to explain how you collect and use personal data.
The GDPR’s principles and rules apply whenever processing personal data, including your subscribers’ names, email addresses, payment information, and any personal data you process via pixels and tracking links.