9 October, 2025

Email marketing and GDPR: how to collect a database legally and avoid fines?


Email marketing remains one of the most effective channels for communicating with your audience, but only under one important condition: it must be legal. With the advent of the General Data Protection Regulation (GDPR), the rules of the game have become much stricter, and ignoring them can result in huge fines. In this article, we will take a detailed look at how to set up your email database so that your email marketing is transparent, lawful, and brings only benefits, not problems.

Section 1. The golden rule of GDPR: active and informed consent

The entire philosophy of GDPR regarding marketing communications revolves around one central concept: consent. But not just any consent, rather consent that meets four strict criteria: it must be freely given, specific, informed, and unambiguous. Gone are the days when you could automatically add anyone who simply left their email address on your website to your mailing list. Now the law requires that the initiative must come entirely from the user. This means that a person must take a clear, positive, and conscious action to confirm their desire to receive emails from you. Let’s break down what this means in practice.

1.1. What is “Opt-in”: the user must take active steps to subscribe

Opt-in is a consent model that is the cornerstone of legal email marketing. It means that the user must actively agree to receive messages from you. This is their own voluntary step towards your brand. The opposite is the “opt-out” model, where the user is automatically “signed up” for the mailing list and must take active steps to “opt out” (unsubscribe). The GDPR completely prohibits the opt-out model for marketing communications.

What is considered an active action (Opt-in)?

  • Checking an empty checkbox: This is a classic and most reliable example. The user personally checks the box “I agree to receive news.”
  • Clicking on a clearly marked button: For example, the “Subscribe to our newsletter” button after entering your email address in a special subscription form.
  • Sending an email with a specific word to your address: For example, “Send the word START to [email protected] to subscribe.”

What is not considered an active action and constitutes a violation?

  • Inaction: The user did not uncheck the pre-selected checkbox.
  • Silence: No response to your invitation letter.
  • Continued use of the site: Banners such as “By continuing to use the site, you agree to our newsletter” are illegal.

The opt-in model is not just a legal requirement. It is a filter that immediately weeds out uninterested audiences. Only those who genuinely want to listen to you will be included in your database. This is the foundation for building high-quality, trusting relationships.

1.2. Why pre-checked boxes in subscription forms are illegal

Pre-ticked boxes were one of the most popular “gray” methods used by marketers. The logic was simple: most people are inattentive and will not notice a pre-ticked box when registering or placing an order, which allowed marketers to grow their subscriber base rapidly.

The GDPR has put an end to this practice. The reason is very simple: it directly contradicts the requirement for unambiguous consent. Consent must be expressed through “clear affirmative action.” When the check mark is already there, the user is not making any affirmation. Their inaction (the fact that they did not uncheck the box) cannot be interpreted as consent. They did not say “Yes”; they simply remained silent.

Why is this so important?

  • Legal risk: Using pre-checked boxes is one of the most obvious and easiest GDPR violations to prove. It is the first thing that supervisory authorities look for, and it guarantees a fine in the event of an inspection.
  • Low quality and engagement of the database: People who ended up in your database this way do not expect your emails. They did not give their conscious consent to receive them. As a result, they will not open them (low open rate), will not click on the links (low click-through rate), and, worst of all, will often click the “This is spam” button.
  • Damage to the sender’s reputation: A high percentage of spam complaints is a clear signal to email services (Gmail, Outlook) that your emails are unwanted. Your sender reputation (sender score) will plummet, and your emails (even transactional ones, such as order confirmations) will start ending up in the spam folder, even for those who have consciously subscribed to you.

Therefore, removing pre-checked boxes is not only a legal requirement but also a strategically sound decision for the health of your email marketing.

1.3. Consent to receive mailings cannot be required in exchange for the main service. Consent must be freely given.

This is another critically important aspect—consent must be freely given. This means that the user must have a real choice—to agree or refuse—and their refusal must not result in a deterioration of conditions or the inability to obtain the main service. In other words, you cannot blackmail the user into subscribing to marketing.

A classic example of a violation is “forced subscription” in exchange for a lead magnet. The download form has only one field, “Your email,” and a button, “Get the checklist.” The user enters their email address, receives the file, and a day later receives the first email from your weekly advertising newsletter. This is a direct violation.

  • Why? The user provided their email address for a specific purpose—to receive a file. This can be interpreted as the fulfillment of a micro-contract (“I give you my email address, you give me the file”). They did not give separate, conscious consent to receive marketing materials in the future. You “linked” the provision of the service to the provision of consent to marketing, depriving the user of choice.

How to do it correctly? Your form should separate these two actions. Below the email input field, there should be a separate, optional checkbox:

Email field: [[email protected]]

Button: [Get checklist]

Checkbox: [ ] Yes, I would also like to receive your helpful articles and special offers by email.

With this approach:

  • The user can leave their email address and receive their checklist without checking the box. In this case, you have the right to send them only one email with the checklist itself, and nothing else.
  • If, in addition to entering their email address, they deliberately tick the box, this constitutes their free, separate consent to the mailing list, independent of the main service, as the GDPR requires. It is this contact that you can legally add to your marketing database.

This principle of “unbundling consent” is fundamental. Consent to process an order, consent to the terms and conditions of the website, and consent to receive marketing communications are three different types of consent, and each must be provided separately.

Section 2. Anatomy of a Proper Subscription Form

The theoretical principles of consent must be put into practice in a specific element of your website—the subscription form. Its design, text, and functionality will determine whether your database collection process is legal. The right form is not only a tool for obtaining email addresses, but also your main proof that consent was obtained in accordance with GDPR requirements. Let’s look at the four key components that make up the form.

2.1. Separate checkbox for consent, not checked by default

This is the visual embodiment of the “Opt-in” principle we discussed in the first section. The best way to demonstrate active and unambiguous consent is to give the user an empty box that they tick themselves.

Where this is particularly important:

  • Website registration form: When a user creates an account, they fill in the fields “Name,” “Email,” and “Password.” Below this, there should be a separate checkbox: [ ] I want to receive news and promotional offers. This cannot be combined with the “I agree to the Terms and Conditions of the website” checkbox. These must be two separate, independent checkboxes.
  • Checkout form: The customer enters their details for the purchase. At this stage, they consent to the processing of their data for the performance of the contract (delivery of goods). Marketing consent must be a separate option. For example: [ ] Sign me up for your email newsletter to be the first to know about new products and discounts.
  • Lead magnet download form: As we have already discussed, the checkbox for subscribing to the newsletter should be separate and not mandatory for receiving the file.

An empty checkbox that the user ticks themselves is the most obvious and easiest way to record proof of their active intent. In your website logs, you can always record that for this particular user, the value of the is_subscribed field was set to true because they activated it themselves.

2.2. Clear and transparent explanation: what exactly you will be sending and how often

The principle of informed consent requires that users clearly understand what they are signing up for. Abstract calls to action, such as “Subscribe to us!”, are not enough. Your subscription form should contain concise but meaningful text that answers two questions: what? and how often?

Examples of good explanations:

  • For a content project:
  • For online stores: “Want to be the first to know about private sales and exclusive offers? Subscribe to our newsletter! We send out emails 1-2 times a month.”
  • For SaaS services: “Receive useful tips on how to use our service, announcements of new features, and special offers for subscribers. No more than one email per week.”

What to avoid:

  • Vague wording: “Subscribe to stay informed.” Informed about what?
  • False promises: Don’t promise “no advertising” if you plan to send out promotional codes and discount information. It’s better to be honest and write “useful content and the best deals.”

The more transparent you are at this stage, the fewer disappointments and rejections you will encounter in the future. You immediately set the right expectations.

2.3. Mandatory reference to your Privacy Policy

This is another mandatory element of informed consent. Users have the right to know not only what you will send them, but also how you will handle their personal data in general. Therefore, there should be a link to your Privacy Policy next to the subscription form (usually under the checkbox or button).

Example of correct formatting:

[ ] I agree to receive newsletters and accept the terms of the [Privacy Policy](link).

Why is this necessary?

  • GDPR compliance: The regulation explicitly requires informing users about their rights, the purposes of processing, data retention periods, etc. All this information is contained in the Privacy Policy.
  • Transparency and trust: Having an accessible and understandable policy demonstrates that you are serious about data protection and have nothing to hide.
  • Legal protection: By agreeing to the policy, the user confirms that they have been informed about all aspects of the processing of their data.

Your privacy policy for your newsletter (or general website policy) should be a living document that is easy to find and read.

2.4. Double opt-in (two-step confirmation) as the best way to prove consent

Double Opt-in is a process whereby, after filling out a form on a website, the user must take one more step: confirm their subscription by clicking on a link in an email that is automatically sent to their email address.

How it works:

  1. The user enters their email address on the website and clicks “Subscribe.”
  2. They see the message: “Almost done! We have sent you an email to confirm your subscription.”
  3. They receive an email with the subject line “Please confirm your subscription” and a large button/link labeled “Yes, confirm.”
  4. Only after the user clicks on this link will their email be added to your main mailing list.

Why is this best practice, even though GDPR does not explicitly require it?

  • Ironclad proof of consent: You will have irrefutable proof that the email address owner actually subscribed. You can record the exact time and IP address from which the confirmation was made. This is your strongest argument in any potential dispute.
  • Protection against spam traps and errors: This prevents situations where someone enters someone else’s email address (intentionally or accidentally) or where bots fill out your forms with “junk” addresses.
  • Maximum database quality: Only the most interested and motivated users who are willing to take two steps to subscribe will be added to your database. This guarantees high open and engagement rates.

Yes, you may lose a small percentage of people who are too lazy to confirm their subscription. But those who remain will be your most valuable audience.
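Putting sections 1.3, 2.1 and 2.4 together, here is an added example (not code from the original article) of a lead-magnet form handler with an unbundled, unchecked-by-default checkbox, followed by a signed, expiring double opt-in link that records who confirmed, when, from which IP address, and which form text they saw. SECRET_KEY, CONFIRM_TTL, FORM_VERSION and the in-memory stores are assumptions for this demo.

```python
"""Added example, not code from the original article: a lead-magnet form
with an unbundled, unchecked-by-default marketing checkbox, followed by a
signed, expiring double opt-in link.  SECRET_KEY, CONFIRM_TTL, FORM_VERSION
and the in-memory stores are assumptions for this demo."""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional

SECRET_KEY = b"rotate-me-in-production"   # assumed; load from a secret store in real code
CONFIRM_TTL = 48 * 3600                   # assumed: confirmation links expire after 48 h
FORM_VERSION = "lead-magnet-form-v3"      # assumed: pins the exact form text the user saw

PENDING = {}          # email -> issued_at, awaiting the click in the confirmation email
MAILING_LIST = {}     # email -> ConsentRecord, confirmed subscribers only
FILE_DELIVERIES = []  # one-off checklist sends; no marketing consent implied


@dataclass
class ConsentRecord:
    """Who / when / from where / what / how, as an auditor would ask for."""
    email: str
    confirmed_at: float
    ip: str
    form_version: str
    method: str = "double opt-in link"


def _sign(email: str, issued_at: int) -> str:
    msg = f"{email}|{issued_at}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_confirm_token(email: str, issued_at: int) -> str:
    """Token carried in the confirmation link: email|issued_at|hmac."""
    return f"{email}|{issued_at}|{_sign(email, issued_at)}"


def handle_form(form: dict) -> dict:
    """Process the 'Get checklist' form.  Browsers omit an unticked checkbox
    from the POST body, so consent is True only for an explicit 'on'."""
    email = form["email"].strip().lower()
    FILE_DELIVERIES.append(email)              # the file is sent in any case
    if form.get("marketing_consent") != "on":
        return {"file_sent": True, "confirmation_sent": False}
    issued_at = int(time.time())
    PENDING[email] = issued_at                 # nothing goes on the list yet
    token = make_confirm_token(email, issued_at)
    # In production the token is placed in the link of the "Please confirm" email.
    return {"file_sent": True, "confirmation_sent": True, "token": token}


def confirm(token: str, client_ip: str, now: Optional[float] = None) -> bool:
    """Handle the click on the confirmation link.  Accepts only an untampered,
    unexpired token for an address that is still pending, then records consent."""
    now = time.time() if now is None else now
    try:
        email, issued_str, mac = token.rsplit("|", 2)
        issued_at = int(issued_str)
    except ValueError:
        return False
    if not hmac.compare_digest(mac, _sign(email, issued_at)):
        return False                           # forged or altered link
    if now - issued_at > CONFIRM_TTL or PENDING.get(email) != issued_at:
        return False                           # stale link, or already used
    del PENDING[email]
    MAILING_LIST[email] = ConsentRecord(email, now, client_ip, FORM_VERSION)
    return True


def may_send_marketing(email: str) -> bool:
    """Only confirmed addresses may receive the newsletter."""
    return email.strip().lower() in MAILING_LIST
```

The stored ConsentRecord is exactly the who/when/where/what/how set that an auditor will ask for; keep FORM_VERSION tied to an archived copy of the form text.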

Section 3. What to do with your existing contact database?

Many companies that have been operating for several years have accumulated thousands or even tens of thousands of email addresses before the GDPR requirements became widely known. This database was collected in various ways: from order forms, business cards at exhibitions, and sometimes even from purchased lists. Now this “gold mine” is turning into a potential “time bomb.” It cannot be ignored, but it would be a shame to simply delete it. Let’s take a look at how to properly “inventory” the old database and what to do with it next.

3.1. Database audit: Can you prove for each contact how and when consent was obtained?

This is the first and most important step. You need to conduct an honest internal audit. The GDPR accountability principle requires that you be able to prove that you have consent for each contact in your database. Try answering three questions for each contact group:

  1. Where did this contact come from? (Source: website subscription form, webinar registration, customer who made a purchase, contact from an exhibition).
  2. When was consent obtained? (Date and time).
  3. How exactly was consent obtained? (Text of the form, screenshot of the checkbox, entry in the CRM about verbal consent).

If your database was collected using a modern double opt-in form and your mailing service (e.g., Mailchimp) records the date and IP address of confirmation, congratulations, you’re all set.

But if you’re looking at a list of 10,000 email addresses exported from your old CRM system and can’t say for sure how these people got on the list and whether they consented to receiving marketing communications, you have a problem. For all contacts whose origin is questionable or for whom you have no proof of consent, further mailing is illegal and risky.

3.2. “Reactivation campaign”: how to ask “old” subscribers to reconfirm their consent

If you have a large database with a “gray” origin, the only legal way to “clean” and legitimize it is to conduct a re-engagement campaign. Its goal is to obtain new, fresh, and verifiable consent from old subscribers.

How it works in practice:

  1. Segmentation: You create a separate segment from your “gray” database.
  2. Preparing the email: You create one (at most two) special emails. They should be as honest, transparent, and valuable to the user as possible.
    • Subject line: “We missed you! Would you like to continue receiving our emails?” or “Please update your subscription.”
    • Body of the email:
      • Remind them who you are and how you might have their email address (“You once purchased from us / registered on our website…”).
      • Explain that you are updating your database in accordance with new privacy standards.
      • Tell them what value you will provide in future emails (useful tips, exclusive discounts).
      • Add a large, prominent button that says “Yes, I want to stay subscribed!”. This is the key element.
  3. Launch and analysis: You send this letter to your “gray” database.
  4. “Cleaning”: After a certain period of time (for example, a week), you take the most important step:
    • Those who clicked the confirmation button are transferred to a new, “clean” and legal database. The date and time of this click are recorded in your system and serve as proof of the new consent.
    • Anyone who did not open the email, opened it but did not click on the button, or unsubscribed, should be permanently removed from your mailing list.

Yes, you may lose 70-90% of your old database. It hurts. But as a result, you will be left with a significantly smaller, but 100% legal, active, and interested audience. This is the only right way.

3.3. Why purchased or parsed databases are a guaranteed path to problems

It is very tempting to “take a shortcut” and simply buy a ready-made database of email addresses for “your target audience” or order parsing (automatic collection) of contacts from websites. Let’s be honest: this is the worst thing you can do for your business.

Why this is guaranteed to fail:

  • 100% illegal: You have no consent from these people to receive your emails. This is a direct and gross violation of GDPR and Ukrainian law. You are sending spam.
  • Huge fines for spam: If someone complains about you, you risk not only a GDPR fine (if there are EU citizens in your database), but also fines for violating advertising and telecommunications laws in Ukraine.
  • Instant destruction of the sender’s reputation: The very first mailing to such a database will result in >90% spam complaints. Your domain and IP address will instantly end up on all possible blacklists. After that, even your legitimate emails (transactional, customer) will not reach their recipients. It is almost impossible to restore your reputation after that.
  • Zero effectiveness: People from purchased databases do not know you, do not expect your emails, and are not your target audience. Conversion from such mailings is always close to zero.

Buying databases is not marketing, it’s suicide for your email channel. Invest time in honest and organic contact collection. It’s slower, but it’s the only way that works.

Section 4. Mandatory elements in every letter

Work on GDPR compliance does not end at the database collection stage. Every email you send to your subscribers must also contain certain mandatory elements. Their presence is not just good practice, but a direct requirement of the law. These elements ensure transparency of communication and enable users to easily exercise their rights, in particular the right to be forgotten.

4.1. A simple and clear unsubscribe link in every email

This is the most important user right in email marketing – the right to unsubscribe. The GDPR clearly states that withdrawing consent should be as easy as giving it. This means that the unsubscribe process cannot be complicated, confusing, or require any extraordinary effort on the part of the user.

What should the unsubscribe link be:

  • Included in every email: Without exception. It must be included in all marketing and promotional emails.
  • Prominent: Do not hide it in white font on a white background or use a size 1 font. It is usually placed in the footer (bottom) of the email and should be clear and legible.
  • Simple: Ideally, the unsubscription process should take one or two clicks.
    • Ideal scenario: The user clicks “Unsubscribe” and is redirected to the “You have successfully unsubscribed” page.
    • Acceptable option: The user clicks “Unsubscribe,” goes to a page where they are asked to confirm the action by clicking another button, “Yes, unsubscribe me.” On the same page, you can politely ask for the reason for unsubscribing (this is useful for your analytics), but this response should be optional.
  • No authorization requirements: You cannot require users to log into their accounts on your website in order to unsubscribe. This creates an unnecessary barrier and is a violation.

Not having an unsubscribe option or making it hard to use is the quickest way to get someone to hit the “Report spam” button instead of “Unsubscribe.” And as we already know, that’s really bad for your reputation as a sender. Respect the user’s wish to leave—and maybe they’ll come back someday.

4.2. Sender information (your company name and address)

This requirement applies not only to the GDPR, but also to most anti-spam laws around the world, including the US CAN-SPAM Act. Users must clearly understand who is sending them emails. Transparency regarding the sender’s identity is a key element of trust.

What information should be included in the email:

  • Company name: Your official name (LLC, sole proprietorship) or brand name.
  • Physical address: Your official legal or mailing address. Yes, this is mandatory. It confirms that you are a real company and not a one-day spammer.
  • Contact details: You can also add a link to your website, phone number, or email address for communication purposes.

Usually, all this information is placed in the footer of the email, next to the unsubscribe link.

Example of a correct footer:

You received this email because you subscribed to our newsletter on the website [website name].

Unsubscribe from the mailing list

© 2025 Your Company LLC. All rights reserved. Our address: 1 Marketingova Street, Kyiv, Ukraine, 01001.

Including these simple elements in every email you send not only ensures compliance with the law, but also demonstrates your professionalism and respect for your subscribers. These are small but important details that build a lot of trust.

Conclusions

Legal email list collection is not so much about fear of fines as it is about building trust and long-term relationships with your audience. People who have consciously and voluntarily agreed to receive your emails are not just contacts in a database. They are your most valuable and most convertible audience. Therefore, the answer to the question of how to collect a contact database legally lies in respect and transparency.

This approach is an integral part of modern marketing, and you can learn more about the general rules for marketing in our main article, “Legal checklist for marketers: from content creation to launching an advertising campaign”.

You need to be especially careful if you collect emails during a giveaway, as this requires compliance with additional conditions. We discuss these in detail in the article “Contests and sweepstakes on Instagram/Facebook: how to set rules to avoid legal problems?”. Invest in transparency today, and it will pay off in customer trust and loyalty for years to come.

How can you legally collect email addresses offline (e.g., at a conference, exhibition, or in your own store)?

The principles of the GDPR apply equally online and offline. You must also obtain free, informed, and unambiguous consent.

  • Paper forms: This is the simplest method. The form should have a separate, empty checkbox with a clear explanation: [ ] I agree to receive news and special offers from [Company Name] at the email address provided. Completed forms should be kept as proof of consent.
  • Tablet or QR code: The best option is to use a tablet with a digital subscription form that immediately records consent in the system. Alternatively, place a QR code that leads to the subscription page with all the necessary elements (checkbox, link to the policy).
  • Collecting business cards: Attention! The fact that a person has given you their business card does not constitute consent to receive marketing communications. It constitutes consent to business contact. The correct approach is to send this person a personal email with an invitation to subscribe to your mailing list via a link. Only after they have taken that action can you add the contact to your database.

Can I send marketing emails to existing customers who have purchased something from me but did not check the "subscribe to newsletter" box?

No, according to the general rule of the GDPR, you cannot do this. The fact of purchase means that the customer has provided you with their email address for a specific purpose — the performance of a contract (receiving order confirmation, receipt, delivery information).

Using this email for other purposes (marketing) requires separate consent. For this purpose, there should be a separate, optional checkbox on the order form. If the customer does not check this box, you do not have the right to include them in your advertising mailings. Sending them marketing offers would be a violation.

What is the difference between unsubscribing and requesting complete deletion of data ("the right to be forgotten")?

These are two different rights, and it is important not to confuse them:

  • Unsubscribe: The user withdraws their consent only to receive marketing emails. Their email address remains in your system but is moved to the unsubscribe list so that you do not accidentally send them another email. All other customer data (order history, name) remains in your CRM or database.
  • Request for deletion (“Right to be forgotten”): This is a much broader right. The user demands that all of their personal data be completely deleted from all of your systems (CRM, mailing service, website database). You are required to do so, except for data that you are required to retain by law (e.g., tax invoices for a certain period).

You must have an internal process for handling such requests, which may come not through a link in an email, but, for example, to your official email address.
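An added example (not code from the original article) that keeps the two requests apart in code: a one-click unsubscribe that needs no account login and only moves the address to a suppression list, versus an erasure that removes every personal record except legally retained invoices. The in-memory stores, the Customer and Invoice shapes, the example.test domain and the invoice-retention rule are assumptions.

```python
"""Added example, not code from the original article: an unsubscribe and an
erasure request handled as two different operations.  The in-memory stores,
the Customer and Invoice shapes, the example.test domain and the
invoice-retention rule are assumptions for this demo."""
import secrets
from dataclasses import dataclass, field

CUSTOMERS = {}       # email -> Customer (CRM profile with order history)
INVOICES = []        # issued invoices, retained for the statutory period
SUPPRESSED = set()   # addresses that withdrew marketing consent
UNSUB_TOKENS = {}    # opaque token -> email, so the link needs no login


@dataclass
class Customer:
    email: str
    name: str
    marketing_consent: bool
    orders: list = field(default_factory=list)


@dataclass
class Invoice:
    number: str
    customer_email: str
    amount: float


def register(email: str, name: str, consent: bool, orders=()) -> Customer:
    CUSTOMERS[email] = Customer(email, name, consent, list(orders))
    return CUSTOMERS[email]


def unsubscribe_link(email: str) -> str:
    """Per-recipient footer link; the random token is the only credential."""
    token = secrets.token_urlsafe(16)
    UNSUB_TOKENS[token] = email
    return f"https://example.test/unsubscribe/{token}"


def unsubscribe(token: str) -> bool:
    """One click, no account login.  Withdraws marketing consent only: the
    profile and order history stay.  Safe to call twice."""
    email = UNSUB_TOKENS.get(token)
    if email is None:
        return False                      # unknown link: do nothing
    SUPPRESSED.add(email)
    if email in CUSTOMERS:
        CUSTOMERS[email].marketing_consent = False
    return True


def erase(email: str) -> dict:
    """Right to be forgotten: drop every personal record except those the
    law obliges us to keep (assumed here: invoices already issued)."""
    profile_removed = CUSTOMERS.pop(email, None) is not None
    SUPPRESSED.discard(email)             # the address itself is personal data
    for tok in [t for t, e in UNSUB_TOKENS.items() if e == email]:
        del UNSUB_TOKENS[tok]
    kept = [inv.number for inv in INVOICES if inv.customer_email == email]
    return {"profile_removed": profile_removed, "invoices_retained": kept}


def can_receive_marketing(email: str) -> bool:
    c = CUSTOMERS.get(email)
    return c is not None and c.marketing_consent and email not in SUPPRESSED
```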

What exactly should I keep as "proof" of consent received so that I can present it in case of an inspection?

Simply having an email address in your database is not enough. You must be prepared to demonstrate the following set of data for each contact:

  • Who gave consent (email address, name).
  • When they gave it (the exact date and time of signing up).
  • Where they gave it from (IP address at the time of subscription, confirming geolocation).
  • What exactly they agreed to (a saved copy or screenshot of the subscription form with the text that the user saw).
  • How they did it (a record that the user checked the box or clicked on the link in the confirmation email during double opt-in).

Most professional email marketing services automatically collect and store most of this information, especially when using double opt-in.

Do these rules apply to B2B marketing? After all, I collect corporate email addresses, not personal ones.

Yes, they do. The GDPR protects personal data of natural persons. A corporate email address, such as [email protected], is personal data because it allows a specific person (Ivan Petrenko) to be directly identified.

Therefore, the same rules apply to collecting such addresses and sending mailings to them: active, conscious, informed consent is required. The only exceptions may be general, non-personalized addresses (info@, sales@, contact@), but even here, the practice tends to be to obtain consent in order to avoid risks. The safest strategy is to apply the same high standards of consent for both B2C and B2B communications.
