
GDPR and Email Marketing – A Compliance Checklist for WordPress Users

Email marketing remains one of the most effective digital marketing channels – and one of the most heavily regulated under GDPR. If you run a newsletter, send promotional emails, or use an email marketing platform connected to your WordPress site, you are operating in an area where the rules are clear, well-established, and actively enforced. Getting it wrong is not just a compliance risk: it damages your sender reputation, reduces deliverability, and erodes the trust of your audience.

This article provides a comprehensive GDPR compliance checklist for email marketing via WordPress, covering the legal basis for sending, how to collect and manage consent, what your emails must contain, data retention, and how to handle your email list over time.

Before anything else, you need to understand what legal basis you are relying on to send marketing emails. Under GDPR, there are two realistic options for email marketing:

1. Consent (Article 6(1)(a))

This is the most commonly used and most straightforwardly defensible basis for email marketing. The person must have actively opted in to receive marketing emails from you – a pre-ticked box does not count, and bundling marketing consent into a general terms acceptance does not count. Consent must be freely given, specific, informed, and unambiguous.

2. Legitimate Interests (Article 6(1)(f))

GDPR permits processing for legitimate interests in certain circumstances, but for direct marketing emails this basis is subject to significant limitations. The ePrivacy Directive (which governs direct electronic marketing in the EU) generally requires prior consent for unsolicited commercial emails. The main exception is the “soft opt-in” rule (Article 13(2) of the Directive): where you obtained a customer’s email address in the context of a sale, you may email them about your own similar products or services, provided you gave them a clear and free opportunity to opt out at the point of data collection and in every subsequent email. The GDPR legal basis for such emails is legitimate interests, and the rule is implemented differently across EU member states, so check the national law that applies to you.

Practical recommendation: Use explicit consent as your default basis for all email marketing. It is cleaner, more defensible, and less likely to lead to complaints.

GDPR Email Marketing Compliance Checklist

  • Use an unchecked opt-in checkbox on every form where email addresses are collected for marketing purposes. The checkbox must be unticked by default, and where the form exists for another purpose (a contact form, a checkout, an account sign-up) ticking it must not be a condition of submitting the form: the marketing subscription is a separate choice from the service being requested.
  • Include a clear description next to the opt-in checkbox that explains what the person is signing up for. “I agree to receive the weekly newsletter with tips on [topic]” is better than “I agree to receive communications.”
  • Do not bundle marketing consent with acceptance of your terms of service or privacy policy. These must be separate actions.
  • Use double opt-in (also called confirmed opt-in). After a user subscribes, send a confirmation email asking them to click a link to verify their subscription. This confirms that the person submitting the form actually controls the address (so nobody can subscribe someone else) and provides stronger evidence of consent. The confirmation link must carry an unguessable, expiring token; a link that can be guessed or reused defeats the purpose.
  • Record the consent: Your email marketing platform should log the date, time, source (which form or page), and the opt-in wording that was shown when each subscriber consented. You must be able to produce this record if challenged.
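The following is an added example, not code from the original article or from any WordPress plugin or email marketing platform. It shows, in platform-neutral Python, the flow the checklist above describes: the form submission is rejected unless the opt-in box was ticked, a pending consent record stores the date and time, the source form and the exact opt-in wording shown, the confirmation link carries an HMAC-signed token that expires after 48 hours and cannot be forged or reused for a different address, and the record is marked confirmed only when a valid token comes back. The secret key, the opt-in wording, the form names and the confirmation URL are constructed for the example; a real deployment loads the key from server-side configuration and persists the records in a database.

```python
"""Double opt-in with signed confirmation tokens and a consent record (added example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, Optional

# Assumption: the signing key comes from server-side configuration and is never
# exposed to the browser or embedded in the email. Constructed demo value.
SECRET_KEY = b"demo-only-replace-with-32-random-bytes"
TOKEN_TTL_SECONDS = 48 * 3600  # confirmation links stop working after 48 hours

# Constructed example of specific opt-in wording; stored verbatim with each record.
OPT_IN_WORDING = ("I agree to receive the weekly newsletter with tips on "
                  "WordPress security. I can unsubscribe at any time.")


@dataclass
class ConsentRecord:
    email: str
    source: str                  # form or page the address was collected on
    wording: str                 # exact opt-in text shown at submission time
    requested_at: float          # unix time the form was submitted
    confirmed_at: Optional[float] = None
    nonce: str = field(default_factory=lambda: secrets.token_hex(16))


class MutableClock:
    """Injectable clock so token expiry can be exercised without sleeping."""
    def __init__(self, now: float) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now


class SubscriptionStore:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._by_email: Dict[str, ConsentRecord] = {}
        self._by_nonce: Dict[str, str] = {}  # nonce -> normalised email

    def request_subscription(self, email: str, source: str, wording: str,
                             checkbox_ticked: bool) -> str:
        """Store a pending consent record and return the confirmation token.
        The checkbox is unticked by default, so an untouched form arrives with
        checkbox_ticked=False and must not create a record."""
        if not checkbox_ticked:
            raise ValueError("no marketing consent: opt-in checkbox not ticked")
        email = email.strip().lower()
        record = ConsentRecord(email, source, wording, requested_at=self._clock())
        old = self._by_email.get(email)
        if old is not None:
            self._by_nonce.pop(old.nonce, None)  # any earlier token is now invalid
        self._by_email[email] = record
        self._by_nonce[record.nonce] = email
        return self._make_token(record)

    def _sign(self, payload: str) -> str:
        return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()

    def _make_token(self, record: ConsentRecord) -> str:
        expires = int(record.requested_at) + TOKEN_TTL_SECONDS
        payload = f"{record.nonce}.{expires}"
        return f"{payload}.{self._sign(payload)}"

    def confirm(self, token: str) -> bool:
        """Validate a confirmation token; only a valid one marks consent confirmed."""
        parts = token.split(".")
        if len(parts) != 3:
            return False
        nonce, expires_str, sig = parts
        # Verify the signature (constant-time) before trusting anything in the token.
        if not hmac.compare_digest(self._sign(f"{nonce}.{expires_str}"), sig):
            return False
        if not expires_str.isdigit() or self._clock() > int(expires_str):
            return False
        email = self._by_nonce.get(nonce)
        if email is None:
            return False  # unknown or superseded nonce
        record = self._by_email[email]
        if record.confirmed_at is None:
            record.confirmed_at = self._clock()
        return True

    def is_confirmed(self, email: str) -> bool:
        record = self._by_email.get(email.strip().lower())
        return record is not None and record.confirmed_at is not None

    def consent_evidence(self, email: str) -> Optional[dict]:
        """The record to produce if the consent is ever challenged."""
        record = self._by_email.get(email.strip().lower())
        if record is None:
            return None

        def fmt(ts: float) -> str:
            return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()

        return {"email": record.email, "source": record.source,
                "wording": record.wording, "requested_at": fmt(record.requested_at),
                "confirmed_at": fmt(record.confirmed_at) if record.confirmed_at else None}


if __name__ == "__main__":
    store = SubscriptionStore(clock=MutableClock(1_700_000_000.0))
    token = store.request_subscription("Reader@Example.com", "sidebar-form",
                                       OPT_IN_WORDING, checkbox_ticked=True)
    print("confirmation link: https://example.com/?confirm=" + token)  # assumed URL
    print("tampered token accepted:", store.confirm(token[:-1] + "x"))
    print("genuine token accepted:", store.confirm(token))
    print(store.consent_evidence("reader@example.com"))
```

The token carries only a random nonce and an expiry, never the email address, so the confirmation URL leaks nothing if it ends up in a proxy log, and a second subscription request for the same address replaces the nonce, which silently invalidates any earlier link still in someone’s inbox.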

Your Email Marketing Platform and Data Processing

  • Sign a Data Processing Agreement (DPA) with your email marketing platform. All major providers (Mailchimp, Brevo, ActiveCampaign, ConvertKit, etc.) offer DPAs – accept them in your account settings or request them from the provider. Without a DPA, your data sharing relationship is non-compliant under GDPR Article 28.
  • Verify where your data is stored: If your email platform stores subscriber data on servers outside the EEA, confirm the legal mechanism covering that transfer (SCCs, adequacy decision). Update your privacy policy to disclose this.
  • Limit the data you store in your email platform to what is genuinely necessary. If you only need a first name and email address to personalise and send your newsletter, do not collect and store additional fields like phone number, company, or date of birth.

Your WordPress Subscription Forms

  • Link to your privacy policy on every subscription form. Something like “Your data will be handled in accordance with our Privacy Policy” placed near the submit button is standard practice and helps demonstrate informed consent.
  • Keep your form plugin updated: If you use WPForms, Contact Form 7, Gravity Forms, or another form plugin to capture email subscriptions, ensure it is kept up to date and that its integration with your email marketing platform is functioning correctly.
  • Test your forms regularly: Submit a test entry and verify that the correct data is being passed to your email platform, that double opt-in confirmation emails are sent, and that the consent record is being logged.

Your Email Content

  • Include a visible unsubscribe link in every marketing email. This is required by both GDPR and the ePrivacy Directive, and most email marketing platforms add one automatically. Never disable or hide this link.
  • Include your identity and physical address: Every marketing email should identify the sender (your name or business name) and include a physical postal address. This is required by anti-spam regulations in most jurisdictions.
  • Honour unsubscribe requests promptly: GDPR requires you to stop processing for direct marketing once the person objects, and the request must be handled without undue delay. Any marketing email that goes out after the opt-out has been received is very hard to justify. Most email platforms handle this automatically – verify that your setup processes unsubscribes in real time, including unsubscribes that arrive through a different channel (a reply, a contact form, a support ticket), which you must enter into the platform yourself.
  • Only send what was agreed to: If someone signed up for a weekly blog newsletter, do not start sending them daily promotional offers. Sending content outside the scope of what the subscriber consented to is a violation of the specificity requirement of consent.

Managing Your Email List Over Time

  • Remove inactive subscribers: GDPR’s storage limitation principle means you should not hold personal data indefinitely. If a subscriber has shown no engagement in 12–18 months, send a re-engagement campaign asking them to confirm they still want to receive your emails, and remove those who do not respond. Two caveats: open tracking is itself processing of personal data and belongs in your privacy policy, and it is an unreliable activity signal because some mail clients prefetch tracking images on the recipient’s behalf, so a subscriber can register as an “opener” without ever reading a message. Treat clicks and replies as stronger evidence than opens.
  • Never purchase email lists: Purchased lists almost always contain contacts who have not consented to receive communications from you specifically. Emailing a purchased list is a textbook GDPR violation.
  • Segment your list by consent source: If you have collected subscribers through different forms or campaigns with slightly different opt-in wording, tag them accordingly. This makes it easier to demonstrate what each subscriber consented to and to manage them correctly if the consent wording changes.
  • Handle data deletion requests: When a subscriber requests erasure of their personal data, you must delete them from your email marketing platform as well as from any other systems that hold their data (your WordPress database, form plugin entries, CRM, backups within your stated retention period). Most platforms provide a “permanently delete contact” function – use it, and document the action. Note that deleting a contact is not the same as unsubscribing them: check how your platform treats a deleted address that is later re-imported from another source, so that an erased person is not accidentally mailed again.

Your Privacy Policy

  • Describe your email marketing practices in your privacy policy: what data you collect, why (the purpose), the legal basis, your email platform, how long you retain subscriber data, and how to unsubscribe or request deletion.
  • Disclose third-party sharing: Name the email marketing platform you use and explain that subscriber data is shared with this platform to send emails on your behalf.

Quick Reference: Email Marketing GDPR Checklist

Use this summary as a quick reference when auditing your email marketing setup:

  • Explicit, unticked opt-in checkbox on all subscription forms
  • Clear description of what subscribers are signing up for
  • Double opt-in confirmation enabled
  • Consent records logged with date, source, and wording
  • DPA signed with email marketing platform
  • International data transfer mechanism confirmed and disclosed
  • Privacy policy link on every subscription form
  • Unsubscribe link in every marketing email
  • Sender identity and address in every email
  • Unsubscribes processed promptly (ideally in real time)
  • No purchased or rented email lists
  • Inactive subscriber clean-up process in place
  • Data deletion process covers the email platform
  • Privacy policy describes email marketing practices in detail

Conclusion

GDPR-compliant email marketing is not about doing less – it is about doing it right. Explicit opt-in consent, honest communication about what subscribers are signing up for, and respectful list management practices are not just legal requirements. They are also the foundations of a healthy email list with strong engagement rates and low complaint rates. Sites with properly consented lists consistently outperform those built on ambiguous or purchased contacts, both in deliverability and in long-term subscriber value. Use this checklist as a starting point, review your setup annually, and address any gaps you find without delay.
