GDPR Newsletter Sign-Up: What EU Businesses Must Do in 2026

May 2026 · MailCompare.eu Editorial · 5 min read

To legally collect newsletter subscribers under GDPR, you need a clear opt-in checkbox, specific consent language, a link to your privacy policy, and a record of when and how each subscriber consented. Double opt-in is not legally required by GDPR but is strongly recommended — it proves consent and reduces spam complaints. Here's exactly what your sign-up form needs.

What GDPR Requires for Newsletter Sign-Ups

Under GDPR, consent must be:

  • Freely given: You cannot make newsletter sign-up a condition of buying something or accessing content
  • Specific: Subscribers must know exactly what they are consenting to — "marketing emails about our products" not just "communications"
  • Informed: Your privacy policy must be linked and accessible at the point of sign-up
  • Unambiguous: Pre-ticked checkboxes do not count. The subscriber must actively opt in
  • Documented: You must be able to prove when a subscriber consented and what they consented to

What Your Sign-Up Form Needs

A GDPR-compliant newsletter sign-up form needs four elements:

  1. An unchecked opt-in checkbox
    Never pre-tick it. The subscriber must check it themselves.
  2. Clear consent language next to the checkbox
    Something like: "I agree to receive the [Business Name] newsletter. You can unsubscribe at any time." Avoid vague language like "I agree to terms."
  3. A link to your privacy policy
    The privacy policy must explain how you use email addresses, who processes the data, and how subscribers can request deletion.
  4. A timestamp and consent record stored by your email tool
    You need to be able to prove consent if challenged. Good email tools (Brevo, MailerLite) store this automatically.

Double Opt-In: Required or Optional?

Double opt-in (where a subscriber must click a confirmation link in a welcome email before being added to your list) is not legally required by GDPR — but it is strongly recommended for three reasons:

  • It provides a clear audit trail of consent (the confirmation click is logged)
  • It removes invalid email addresses and reduces spam complaints
  • Some EU data protection authorities — particularly in Germany — effectively require it in practice, even if GDPR itself does not

If you operate in Germany or have significant German subscribers, treat double opt-in as mandatory. For all other EU businesses, it is best practice.
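The consent record described under item 4 of the sign-up form and the double opt-in audit trail above can be implemented in a few dozen lines. The following is an added example, not code from MailCompare.eu or from any of the email tools mentioned; the consent text, version label, privacy policy URL, form field name and 48-hour token lifetime are all assumed values for illustration. It stores the exact consent wording and version the subscriber saw, the UTC time of sign-up, the form it came from, and a separate timestamp for the confirmation click; the confirmation token is random, time-limited and kept only as a hash so a copied subscriber table cannot be used to "confirm" addresses whose owners never clicked.

```python
"""Consent record plus double opt-in flow for a newsletter sign-up (example only)."""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Assumed values for this example; a real form carries its own wording and URL.
CONSENT_TEXT = ("I agree to receive the Example Shop newsletter. "
                "You can unsubscribe at any time.")
CONSENT_VERSION = "newsletter-consent-v1"   # bump whenever the wording changes
PRIVACY_POLICY_URL = "https://example.com/privacy"  # placeholder, not a real policy
TOKEN_TTL = timedelta(hours=48)            # assumed confirmation-link lifetime


def _utc_now() -> datetime:
    return datetime.now(timezone.utc)


def _hash_token(token: str) -> str:
    # Only the hash is stored; the clear token exists solely in the emailed link.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class ConsentRecord:
    """Everything needed to prove when, how and to what a subscriber consented."""
    email: str
    consent_text: str           # verbatim wording shown next to the checkbox
    consent_version: str
    privacy_policy_url: str     # the policy linked at the point of sign-up
    signup_source: str          # which form produced the sign-up
    signed_up_at: datetime      # UTC time the checkbox was ticked and submitted
    token_hash: str
    token_expires_at: datetime
    confirmed_at: Optional[datetime] = None   # UTC time of the confirmation click
    events: list = field(default_factory=list)  # (time, event, detail) audit trail

    @property
    def status(self) -> str:
        return "confirmed" if self.confirmed_at else "pending"


class NewsletterConsent:
    def __init__(self, clock: Callable[[], datetime] = _utc_now):
        self._clock = clock
        self._by_email: dict[str, ConsentRecord] = {}
        self._by_token_hash: dict[str, str] = {}

    def sign_up(self, email: str, form_fields: dict, source: str) -> str:
        """Create a pending record; return the clear token for the confirmation link."""
        # The checkbox value must be sent explicitly by the browser; an absent or
        # empty field (including a pre-ticked default) creates no record at all.
        if form_fields.get("newsletter_opt_in") != "yes":
            raise ValueError("consent checkbox not ticked; no record created")
        now = self._clock()
        token = secrets.token_urlsafe(32)
        rec = ConsentRecord(
            email=email.strip().lower(), consent_text=CONSENT_TEXT,
            consent_version=CONSENT_VERSION, privacy_policy_url=PRIVACY_POLICY_URL,
            signup_source=source, signed_up_at=now, token_hash=_hash_token(token),
            token_expires_at=now + TOKEN_TTL,
        )
        rec.events.append((now, "signup", source))
        self._by_email[rec.email] = rec
        self._by_token_hash[rec.token_hash] = rec.email
        return token

    def confirm(self, token: str) -> bool:
        """Handle the confirmation-link click; log the outcome either way."""
        email = self._by_token_hash.get(_hash_token(token))
        if email is None:
            return False                      # unknown or tampered token
        rec = self._by_email[email]
        now = self._clock()
        if rec.confirmed_at is not None:
            return True                       # repeated click is harmless
        if now > rec.token_expires_at:
            rec.events.append((now, "confirm_rejected_expired", None))
            return False
        rec.confirmed_at = now
        rec.events.append((now, "confirmed", None))
        return True

    def record(self, email: str) -> Optional[ConsentRecord]:
        return self._by_email.get(email.strip().lower())

    def is_mailable(self, email: str) -> bool:
        rec = self.record(email)
        return rec is not None and rec.confirmed_at is not None


class FakeClock:
    """Deterministic clock for demos and tests (constructed, not production code)."""
    def __init__(self, start: Optional[datetime] = None):
        self.now = start or datetime(2026, 5, 1, 9, 0, tzinfo=timezone.utc)

    def __call__(self) -> datetime:
        return self.now

    def advance_hours(self, hours: int) -> None:
        self.now += timedelta(hours=hours)


if __name__ == "__main__":
    svc = NewsletterConsent()
    link_token = svc.sign_up("reader@example.com", {"newsletter_opt_in": "yes"}, "footer_form")
    print("pending:", svc.record("reader@example.com").status)
    print("confirmed:", svc.confirm(link_token), svc.record("reader@example.com").status)
```

Unconfirmed addresses never become mailable, so the marketing send path only needs `is_mailable()`; the `events` list is what you hand over if a subscriber or an authority asks when and to what they consented.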

Which Email Tools Handle GDPR Consent Best

The best GDPR newsletter tools for EU businesses automatically store consent timestamps, make double opt-in easy to enable, and give you a Data Processing Agreement (DPA). The EU-based tools have a further advantage: subscriber data stays in Europe, which removes the cross-border transfer complication entirely.

Tool          EU-Based        Consent Timestamps   Double Opt-In   DPA
Brevo         ✓ France        ✓                    Built-in
MailerLite    ✓ Lithuania     ✓                    Built-in
GetResponse   ✓ Poland        ✓                    Built-in
Mailchimp     ✗ USA           ✓                    Built-in

What to Include in Your Confirmation Email

Your double opt-in confirmation email (the one sent after sign-up asking subscribers to confirm) should be simple and clear:

  • A single clear call to action: "Confirm your subscription"
  • Your business name in the sender field and subject line
  • A brief reminder of what they signed up for
  • No marketing content — just the confirmation link

After they confirm, your welcome email can include marketing content. The confirmation email itself should stay clean.

What to Do With Your Existing List

If you have subscribers who signed up before you had a proper GDPR consent process, you have three options:

  1. Send a re-consent campaign asking them to confirm they still want to hear from you — keep only those who click
  2. Delete contacts without documented consent and focus on rebuilding the list properly
  3. Rely on legitimate interest if you have an existing customer relationship — but this requires careful documentation and is a higher legal bar

Option 1 is the most common approach. Yes, you'll lose some contacts. But a smaller, genuinely consented list outperforms a large unconsented one on every metric: open rates, deliverability, and legal safety.

Bottom Line

GDPR newsletter compliance comes down to four things: explicit opt-in, clear consent language, privacy policy linked at sign-up, and a documented consent record. Enable double opt-in in your email tool, sign the DPA, and use an EU-based tool if you want the simplest possible compliance story. For a full comparison of GDPR compliance across tools, see the EU Compliance table or read our guide on which tools are GDPR compliant in 2026.