Compliance · Consent

GDPR for Email: Consent, ePrivacy, and the Strictest-Standard Rule

GDPR makes email marketing an opt-in activity: you generally need freely given, specific, informed consent before sending marketing email to anyone in the EU, and that consent has to be documented and as easy to withdraw as it was to give. It works alongside the ePrivacy rules, which separately govern the act of sending and provide a narrow “soft opt-in” for existing customers. This puts GDPR at the strict end of the spectrum compared to the US CAN-SPAM, which is opt-out and lets you mail until someone objects, while Canada’s CASL sits closer to GDPR with its own opt-in requirement. For any list that spans jurisdictions, the simplest compliant approach is to follow the strictest standard you touch — usually GDPR — across the whole list. This is general information, not legal advice.

Key takeaways

  • GDPR is opt-in. You need documented consent before marketing to EU residents — no pre-checked boxes, no implied consent.
  • Two frameworks apply. GDPR governs processing the data; ePrivacy governs the act of sending, with a narrow soft opt-in.
  • Withdrawal is immediate. Unlike CAN-SPAM’s ten-day window, GDPR requires honouring withdrawal right away.
  • The spectrum runs CAN-SPAM to GDPR. CAN-SPAM is opt-out, CASL and GDPR are opt-in — and one doesn’t satisfy the others.
  • Follow the strictest standard. For a multi-jurisdiction list, applying GDPR-level opt-in across the board is simplest.

Most email teams know GDPR requires consent, but fewer understand exactly what kind, how it interacts with the separate ePrivacy rules, and where it sits relative to the other big email laws they’re probably also subject to. That last point matters because a single contact list usually spans jurisdictions, and the laws don’t substitute for one another. This guide focuses on the consent side of GDPR and how to operate it across a multi-jurisdiction list — it’s general information, not legal advice.

Does GDPR require opt-in for email?

Yes — GDPR makes email marketing fundamentally an opt-in activity. Before you can send marketing email to someone in the EU, you generally need their consent, and the regulation is specific about what counts: consent must be freely given, specific, informed, and unambiguous, expressed through a clear affirmative action. That rules out pre-checked boxes, bundled agreements, and any form of implied or assumed consent. You also have to tell people exactly how their data will be used, keep evidence that consent was given, and be able to produce that proof if challenged.

One detail often missed is that this applies to business addresses too. A named professional email address — jane.smith at a company — is personal data identifying an individual, so B2B marketing to EU recipients needs the same lawful basis as B2C. There’s sometimes a legitimate-interest argument available for B2B, but it’s narrow and contested, so consent remains the safer route. The practical upshot is that under GDPR, a clean opt-in is the foundation of every compliant email program, not an optional nicety.

Holding consent isn’t enough under GDPR — you have to be able to prove it, which makes consent provenance a core operational requirement rather than an afterthought. For every subscriber, you should record where the consent came from, when it was given, and the exact disclosure language they saw at the time. That metadata is what lets you demonstrate a lawful basis if a supervisory authority asks, and without it a technically valid consent becomes indefensible because you can’t show it existed.

This record-keeping discipline pays off beyond GDPR, because the same provenance data is what makes a multi-jurisdiction list manageable. When you know the source and circumstances of each record’s consent, you can determine which law governs that contact and whether the consent meets its standard — and you can produce evidence for CASL’s record retention or a GDPR audit alike. Storing consent metadata as a first-class part of the subscriber record, rather than reconstructing it later, is the single most useful habit for staying defensible across regimes.

GDPR and ePrivacy: the two frameworks

GDPR doesn’t operate alone — email marketing in the EU sits under two parallel frameworks that address different parts of the same activity. GDPR governs the lawful basis for processing the personal data, which is the email address itself. The ePrivacy rules, derived from the EU ePrivacy Directive and implemented in each member state’s national law, separately govern whether you may send the direct marketing communication at all. They prohibit unsolicited electronic marketing without prior consent, which is why consent is effectively required for marketing even where you might construct a GDPR basis another way.

The ePrivacy framework is also where the one meaningful exception lives: the soft opt-in. If you have an existing customer relationship, you can market similar products or services to that customer without fresh consent, provided you offered an opt-out at the point of collection and include an easy opt-out in every message. It’s a genuinely useful provision, but a narrow one — using it for non-customers, or for products unrelated to the original purchase, is a violation. National implementations also vary, with some member states applying stricter rules than the baseline.

Where does GDPR sit among email laws?

GDPR is best understood by placing it on the spectrum of the world’s major email laws, because a typical list is subject to several at once. At the permissive end is the US CAN-SPAM Act, which is an opt-out law: you may send commercial email without prior consent and must simply stop when someone unsubscribes, honouring the request within ten business days. At the strict end is GDPR, requiring documented opt-in before the first message. Canada’s CASL sits close to GDPR, also requiring opt-in consent. The diagram places them.

The consent spectrum: permissive to strictpermissive (opt-out)strict (opt-in)CAN-SPAMUS · opt-outCASLCanada · opt-inGDPREU · documented opt-inQuebec Law 25 sits alongside GDPR
One law’s compliance doesn’t satisfy another — CAN-SPAM compliance leaves you short of CASL and GDPR’s opt-in requirements.

The critical implication is that these regimes don’t substitute for one another. A database built to CAN-SPAM’s opt-out standard will lack the consent records, geographic segmentation, and documentation that CASL and GDPR demand, so being compliant in the US tells you nothing about your EU or Canadian exposure. The table compares the three on the dimensions that drive day-to-day operations.

GDPR, CASL, and CAN-SPAM compared for email.
DimensionCAN-SPAM (US)CASL (CA) / GDPR (EU)
Consent modelOpt-outOpt-in required
Before first messageNo consent neededConsent or lawful basis
Opt-out timingWithin 10 daysImmediate (GDPR)
Applies to B2BYesYes
Max penalty~$50k+ per email€20M / 4% (GDPR)

The immediate-withdrawal requirement

GDPR’s withdrawal rules are stricter than the unsubscribe handling most senders are used to, and the timing is the key difference. Under Article 7, withdrawing consent must be as easy as giving it was, and a withdrawal or objection requires an immediate pause in sending — not the ten-business-day processing window that CAN-SPAM and CASL permit for opt-outs. If your suppression logic queues unsubscribes for batch processing on a schedule, that’s compliant for US contacts but not for EU ones, which is exactly the kind of cross-jurisdiction gap that catches programs out.

This has a concrete architectural consequence. Your suppression system needs to evaluate which law applies to a given contact before a send executes, not after a complaint arrives, so that an EU subscriber’s withdrawal halts mail immediately while a US contact’s can follow the slower queue. In practice, the cleaner solution most teams adopt is to process all withdrawals immediately regardless of jurisdiction, since meeting the strictest requirement everywhere is simpler than maintaining different suppression speeds per contact — a theme this guide returns to.

Is double opt-in required under GDPR?

Not strictly, but it’s the strongest evidence you can hold. GDPR doesn’t explicitly mandate double opt-in — the confirmation step where a subscriber clicks a link in a follow-up email to verify their address — and single opt-in with clear, documented consent satisfies the regulation in most member states. What double opt-in provides is the cleanest possible proof of consent, a timestamped confirmation that the address belongs to someone who genuinely asked to be on the list, which is why it’s widely treated as best practice for EU subscribers.

The notable exception is Germany, which stands out as the primary jurisdiction whose court rulings have effectively made double opt-in necessary in practice for German audiences. Germany also imposes extra identification requirements in commercial email and has a voluntary certification, the Certified Senders Alliance, that functions as a deliverability signal for German inboxes. For most senders the practical takeaway is that double opt-in isn’t a universal legal requirement but is the safest default for EU mail — the mechanics of which our double opt-in guide covers in full.

Multi-jurisdiction lists and the strictest standard

This is where the theory meets reality, because almost no list is purely one jurisdiction. A single contact can fall under several laws at once — a Canadian resident working at a company with EU operations could be subject to both CASL and GDPR — and you can’t assume which applies without knowing the contact’s circumstances. Handling this contact by contact, applying the precise minimum each law requires, is technically possible but operationally fragile, since it means your system must correctly classify every record’s jurisdiction before every send.

The operationally sound approach, and the one most mature programs adopt, is the strictest-standard principle: default to the most restrictive requirements across the entire list. In practice that means treating the whole list as opt-in, documenting consent provenance for every record, and processing opt-outs immediately for everyone. The terminal captures the operating model.

strictest-standard-operating-model
# Operate a multi-jurisdiction list to the strictest standard
CONSENT … opt-in for the whole list (GDPR-level)
PROVENANCE … log source + timestamp + language for every record
B2B … treat named work addresses as personal data too
WITHDRAWAL … process opt-outs immediately, all contacts
RECORDS … retain consent proof; track any implied-consent expiry
EVALUATE … resolve which law applies BEFORE the send, not after
DOUBLE OPT-IN . default for EU; required in practice in Germany
# One opt-in list is simpler than per-contact legal minimums.

This isn’t only about compliance simplicity; it’s usually the better business decision too. Opt-in lowers your initial list size — by some estimates thirty to fifty percent — but the subscribers who remain engage substantially more over time, while opt-out maximises raw reach at the cost of complaints and deliverability damage. Following the strictest standard gives you a single, clean, well-documented list that satisfies every regime you touch, which is both less legally exposed and more effective than juggling jurisdiction-specific minimums.

The global drift toward opt-in

The wider trend worth noting is that the world is moving steadily toward GDPR’s opt-in model, not away from it. Canada’s Quebec Law 25 is the clearest example — it’s the strictest privacy regime in Canada, requiring explicit opt-in, granting a thirty-day data-access right, and carrying penalties up to twenty-five million Canadian dollars or four percent of worldwide turnover, putting it alongside GDPR at the strict end. New privacy laws across US states and other jurisdictions keep tightening consent expectations, so the permissive opt-out model is becoming the exception rather than a safe default.

For senders, this means building to the strict standard isn’t just the safest way to handle today’s multi-jurisdiction list — it’s also future-proofing. A program designed around documented opt-in and immediate withdrawal adapts to new regimes as they appear, while one built to the minimum of a permissive law has to be rebuilt each time a stricter requirement reaches its audience. The direction of travel makes the strictest-standard approach look less like over-compliance and more like sensible preparation, which our Quebec Law 25 guide illustrates in detail.

Does compliant email perform better?

Here’s the honest synthesis, and it’s the reassuring one: the disciplines GDPR forces are the same ones that make email work. Explicit opt-in, documented consent, easy withdrawal, and relevant content produce an engaged, permission-based list — and engagement is what drives inbox placement. Subscribers who actively chose to hear from you open more, convert better, and complain less, so the list you build to satisfy GDPR is also the list that reaches the inbox. Compliance and performance pull in the same direction far more often than they conflict.

That said, it’s worth being clear-eyed about the trade-offs. Opt-in genuinely costs you reach up front, the soft opt-in is narrower than many senders assume, and the immediate-withdrawal requirement demands real suppression infrastructure rather than a weekly batch job. None of these are reasons to avoid compliance — they’re the cost of a list that won’t generate the complaints that poison your sender reputation. For senders who want full control over where their EU data lives and how their consent and suppression logic runs, our PowerMTA server hosting gives you direct command of the sending infrastructure, while the broader data-handling and transfer obligations are covered in our companion GDPR email guide. The discipline of genuine permission does the rest.

Frequently asked questions

Does GDPR require opt-in for marketing email?
Yes. GDPR makes email marketing an opt-in activity — you generally need consent before sending marketing email to EU residents, and that consent must be freely given, specific, informed, and unambiguous, expressed through a clear affirmative action. Pre-checked boxes, bundled agreements, and implied consent don’t qualify. You must also document the consent and be able to prove it if challenged. This applies to B2B addresses too, since a named work email identifies an individual.
What is the soft opt-in under ePrivacy?
The soft opt-in is a narrow exception in the ePrivacy rules that lets you market to existing customers without fresh consent, but only for similar products or services, only if you offered an opt-out when you collected their address, and only with an easy opt-out in every message. It doesn’t apply to non-customers or to products unrelated to the original purchase — using it more broadly is a violation. National implementations vary, with some EU states applying stricter rules.
How does GDPR compare to CAN-SPAM and CASL?
GDPR is at the strict end of the spectrum, requiring documented opt-in before the first message and immediate withdrawal. CAN-SPAM in the US is the most permissive — opt-out, allowing commercial email without prior consent as long as you stop within ten days of an unsubscribe. Canada’s CASL sits close to GDPR, also requiring opt-in. Critically, compliance with one doesn’t satisfy the others: a CAN-SPAM-compliant list lacks the consent records and documentation GDPR and CASL require.
Is double opt-in legally required by GDPR?
Not strictly. GDPR doesn’t explicitly mandate double opt-in, and single opt-in with clear, documented consent satisfies the regulation in most member states. What double opt-in provides is the strongest possible proof — a timestamped confirmation that the address belongs to someone who genuinely subscribed. The exception is Germany, where court rulings have made it necessary in practice. For most senders it’s the safest default for EU mail rather than a universal legal requirement.
How do I handle a list with contacts in multiple countries?
Follow the strictest standard that applies. Because a single contact can fall under several laws at once and classifying every record’s jurisdiction before each send is fragile, most mature programs default to the most restrictive requirements across the whole list: treat everyone as opt-in, document consent provenance for each record, and process opt-outs immediately for all contacts. Operating one clean, well-documented opt-in list is simpler and less risky than maintaining per-jurisdiction legal minimums.