Lesson 5

Email marketing: what changes

Why newsletter marketing falls under the GDPR

You probably have an email marketing opt-in on your website that allows visitors to enter their email address to receive your newsletter. Through this process, anonymous visitors receive a ‘face’, and the process therefore comes under the GDPR. Below we explain what you have to consider in email marketing from now on.

A functioning double opt-in process is obligatory

It is critical that you thoroughly document consent to send emails. Documentation is normally undertaken by your newsletter tool. However, you also have to ensure that the visitor actually consented to receive the newsletter.

Important: Silence or inactivity are not considered to be effective consent (e.g. through systematically checking a box). Rather, a clear action such as an opt-in is necessary. Therefore, for registration, you must use the double opt-in procedure which is common in Germany.

After signing up to your newsletter, a visitor should receive an email in which they must actively confirm that they really do want to receive the newsletter. Only then will their address be added to your list. Test this process during set-up to ensure that the visitor goes through the whole process.

Make sure you can prove at any time that a double opt-in exists.

Requirements of a valid consent

During the registration process, the customer must be informed transparently about what they are giving their consent to (e.g. email newsletter). In addition, they must be informed that the consent can be revoked at any time and that the revocation has no retrospective effect. This should also be explained if you use tracking (e.g. click rates). Finally, it is still recommended to reference the data protection policy.

Example: You have a person (Bob Smith) who has signed up to your online marketing newsletter. You now also have a special newsletter about IT law. However, Bob Smith hasn’t signed up for this newsletter. Even if you can assume that Bob Smith is interested in this topic, you are not allowed to send him this newsletter as you don’t have separate consent.

We have formulated a text template for you that meets all the minimum requirements for valid consent.

You need to change the text to match your individual situation in case of additional measures such as tracking:

“Subscribe to the newsletter of XYZ. You can cancel your consent to the newsletter at any time. The revocation of consent does not affect the legality of the data processing carried out on the basis of the consent until the revocation. Further information can be found in our Data Protection Policy.”

It is also important that the confirmation email is neutral and doesn’t yet contain advertisements, since the customer has not fully completed the double opt-in process until they click on the link. It is better to inform them about the newsletter once again, as well as mention the possibility to cancel. At the end of each confirmation email or newsletter, you should link to your privacy policy and imprint again.

What you also need to ensure

Data minimization: When asking for information during the newsletter registration on your website, follow the motto: As little data as possible, as much as necessary (privacy by design and default). This means that the email address is obviously necessary, whereas first and last name and other possible information should be optional and provided on a voluntary basis.

Frequently asked questions

How far does my consent apply?

You need special consent for every newsletter in advance.

Only the people who have actively consented may receive your newsletter, and no one else.

What about my old list?

Existing consents remain valid if

a) you received them via a double opt-in and

b) the newsletter contains only the promised information. 

What else is

In addition to the requirements listed above, you must also ensure that your imprint and functioning unsubscribe link are included in your emails.

In Austria, before you send the newsletter, you also need to match your mailing list with the so-called ECG list and exclude any of the email addresses present there.

The next chapter continues with a special area of online marketing - landing pages and lead magnets. You can read what’s up with the so-called coupling prohibition here.

Downloads / Learning materials

Checklist for your newsletter


Getting GDPR-compliant consent for existing email contacts



We would like to expressly point out that this online course in no way replaces legal advice from a specialist lawyer and has no claim to correctness or completeness. 
