GDPR-friendly lead capture: how to do it right
Unsure about GDPR rules for email marketing? Here's the practical guide to consent, double opt-in, documentation, and right-to-delete — without the legal jargon.
You want to build an email list. You know email marketing works. But then you encounter GDPR, and suddenly it feels like a legal minefield.
It doesn’t have to be. GDPR is fundamentally about respect: ask people for permission, be honest about what you do with their data, and make it easy to opt out. If you already do those three things, you’re 90% of the way there.
This guide gives you the practical implementation — what you need to do, how to do it, and what to document. No legal jargon, just concrete steps.
The six legal bases for data processing
GDPR defines six lawful bases for processing personal data. For email marketing, two are relevant:
1. Consent (Article 6(1)(a))
The person has given explicit permission to receive marketing. This is the most common basis for newsletters and email campaigns.
Requirements for valid consent:
- Freely given (not conditional on a service)
- Specific (clear what they’re agreeing to)
- Informed (they know who you are and what you’ll send)
- Unambiguous (active action, e.g., checking a box)
2. Legitimate interest (Article 6(1)(f))
You determine that your marketing is in the recipient’s interest. Used primarily in B2B where you contact a person in their professional role about something relevant to their work.
Requirements:
- Documented balancing test (LIA — Legitimate Interest Assessment)
- The recipient’s interests don’t override your interest in contacting them
- They can easily opt out
Rule of thumb: For B2C and newsletters, use consent. For B2B cold outreach to relevant professionals, legitimate interest can be used — but document your assessment.
Consent in practice: The signup form
Your signup form is the legal foundation of your entire email marketing. Get it right from the start.
What the form must include
1. Clear purpose. Tell them exactly what they’re signing up for. “Receive weekly email marketing tips” is good. “Sign up” is insufficient.
2. Sender identity. Who sends the emails? Your company name must be clearly visible.
3. Frequency. How often do you send? “Weekly” or “2-3 times per month” sets expectations.
4. Active checkboxes (for separate purposes). If you want to use data for multiple purposes — e.g., newsletter AND product offers — each purpose needs its own checkbox. None may be pre-ticked.
5. Link to privacy policy. A visible reference to your full privacy policy.
Example of a good form
[Email field]
[First name field]
☐ Yes, send me weekly email marketing tips from [Company Name]
☐ Yes, also send me offers and product news
By signing up you accept our privacy policy.
You can unsubscribe at any time with one click.
[Sign me up]
Example of a bad form
[Email field]
[Submit]
No information about what they’re signing up for, who’s sending, or how to unsubscribe. That’s not valid consent under GDPR.
Double opt-in: Your safety net
Double opt-in means new subscribers must confirm their email address by clicking a link in a confirmation email. It’s not a GDPR requirement, but it’s strongly recommended.
Why double opt-in
Better list quality. You avoid typos, fake addresses, and bot signups. Your bounce rate drops dramatically.
Stronger consent proof. You have a logged action (click on confirmation link) with timestamp and IP address. It’s the strongest proof you can have.
Better deliverability. ISPs see that your list has high quality, which improves your sender reputation and inbox placement rate.
You’ll lose 10-20% of signups. That’s the cost. But those who remain are real, engaged contacts. It’s a good trade.
Implementing double opt-in
Step 1: Signup. The user fills out the form. You save the data with status “pending.”
Step 2: Confirmation email. Immediately send an email with a unique confirmation link. The email should:
- Explain they need to click to confirm
- Have a clear CTA button
- Expire after 48 hours
- Mention what they signed up for
Step 3: Confirmation. The user clicks the link. Status changes to “confirmed.” Timestamp and IP are logged.
Step 4: Welcome email. Now you can send your welcome sequence. Not before.
What if they don’t confirm?
Send one reminder after 24 hours. If they still haven’t confirmed after 48 hours, delete them. Never send marketing to an unconfirmed address.
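The four steps above plus the reminder and cleanup rule, as an added example that is not the article's own code. It assumes Unix timestamps (seconds) for the current time, an in-memory dict standing in for the subscriber table, and that only the SHA-256 of each confirmation token is stored at rest, so a database leak does not hand out usable confirmation links.

```python
import hashlib
import secrets

# Added example, not the article's code. Assumptions: Unix timestamps (seconds)
# for `now`, an in-memory dict standing in for the subscriber table, and that
# only the SHA-256 of each confirmation token is stored at rest.
CONFIRM_WINDOW = 48 * 3600      # link expires after 48 hours
REMINDER_AFTER = 24 * 3600      # one reminder after 24 hours

SUBSCRIBERS = {}                # token_hash -> record (hypothetical "table")

def token_hash(token):
    return hashlib.sha256(token.encode()).hexdigest()

def create_pending_signup(email, ip, source, form_version, now):
    """Step 1: store the contact as 'pending'; return the raw token for the link."""
    token = secrets.token_urlsafe(32)          # 256 random bits: not guessable
    SUBSCRIBERS[token_hash(token)] = {
        "email": email, "status": "pending",
        "signup_at": now, "signup_ip": ip,
        "source": source, "form_version": form_version,
        "expires_at": now + CONFIRM_WINDOW, "reminder_sent": False,
    }
    return token                               # a DB leak exposes only hashes

def confirm(token, ip, now):
    """Step 3: one valid, unexpired click flips status and logs proof of consent."""
    rec = SUBSCRIBERS.get(token_hash(token))
    if rec is None or rec["status"] != "pending" or now > rec["expires_at"]:
        return "rejected"                      # unknown, already used, or expired
    rec.update(status="confirmed", confirmed_at=now, confirmed_ip=ip)
    return "confirmed"

def housekeeping(now):
    """Remind pending contacts once after 24 h; delete them after 48 h.
    Returns (emails to remind, number deleted)."""
    reminders, deleted = [], 0
    for key, rec in list(SUBSCRIBERS.items()):
        if rec["status"] != "pending":
            continue
        if now > rec["expires_at"]:
            del SUBSCRIBERS[key]               # never market to an unconfirmed address
            deleted += 1
        elif not rec["reminder_sent"] and now >= rec["signup_at"] + REMINDER_AFTER:
            rec["reminder_sent"] = True
            reminders.append(rec["email"])
    return reminders, deleted
```

Run housekeeping from a scheduled job; the confirmation link itself only carries the raw token, never the email address or the record id.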
Consent documentation: Your audit trail
GDPR requires that you can prove consent was given. “We have a signup form” isn’t enough. You need to document the specific consent for each individual contact.
What to store per contact
| Data | Example |
|---|---|
| Email address | lars@example.com |
| Signup timestamp | 2026-03-15 14:32:07 UTC |
| IP address | 192.168.1.1 |
| Source | Website signup form, /en/newsletter/ |
| Form version | v3 (with text “Receive weekly tips…”) |
| Double opt-in confirmed | 2026-03-15 14:45:22 UTC |
| Consent text | “Yes, send me weekly email marketing tips from CompanyName” |
Form versioning
Every time you change the text in your signup form, create a new version. Save the old text. If a data protection authority asks what a contact agreed to, you need to show the exact text they saw — not your current form.
How to implement it
Most email marketing platforms automatically save timestamp and source. But you’re responsible for:
- Saving form versions
- Logging consent text
- Making data available for audit
Store it in your database, not in a spreadsheet. It needs to be searchable and exportable.
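Form versioning and the per-contact consent record, as an added example that is not the article's code. FORM_VERSIONS is a constructed registry standing in for an append-only database table; the record keeps a snapshot of the exact wording plus its hash, so an in-place edit to the form text (instead of a new version) is detectable at audit time.

```python
import hashlib
import json

# Added example, not the article's code. FORM_VERSIONS is a constructed,
# append-only registry; in production it is a table that is never updated in place.
FORM_VERSIONS = {
    "v2": "Yes, send me tips from CompanyName",
    "v3": "Yes, send me weekly email marketing tips from CompanyName",
}

def text_fingerprint(text):
    """SHA-256 of the exact wording, so later edits to it are detectable."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def register_form_version(version, text):
    """Append-only: an existing label can never be re-pointed at new text."""
    if version in FORM_VERSIONS:
        raise ValueError(f"form version {version} exists; create a new one")
    FORM_VERSIONS[version] = text
    return text_fingerprint(text)

def record_consent(email, form_version, ip, signup_at, source):
    """Store the wording the contact actually saw, not just a version label."""
    text = FORM_VERSIONS[form_version]
    return {
        "email": email, "signup_at": signup_at, "ip": ip, "source": source,
        "form_version": form_version,
        "consent_text": text,                          # snapshot of the wording
        "consent_text_sha256": text_fingerprint(text),
    }

def registry_matches(record):
    """True while the registry still holds the wording this contact agreed to.
    False means someone edited form text in place instead of adding a version."""
    current = FORM_VERSIONS.get(record["form_version"])
    return current is not None and text_fingerprint(current) == record["consent_text_sha256"]

def audit_export(records):
    """One JSON line per contact: searchable, exportable evidence for an authority."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)
```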
Right to deletion: Make it easy
GDPR gives all EU citizens the right to have their data deleted. You must be able to handle it within 30 days.
What “deletion” means in practice
Delete:
- Email address
- Name and other personal identifiers
- Consent logs (after documenting the deletion)
- All data in third-party integrations (your ESP, CRM, analytics)
Keep (anonymized):
- Aggregate campaign statistics (total opens, clicks)
- Anonymized engagement data
- Business-critical transaction data (with legal basis)
Process for deletion requests
1. Receive request — via email, form, or your contact center.
2. Verify identity — confirm the person is who they say they are. Send a confirmation email to the address being deleted.
3. Delete data — in all systems. Make a checklist: ESP, CRM, analytics, backups.
4. Confirm deletion — send a final email confirming data has been deleted. Document the process.
5. Keep deletion log — you need a log that the deletion was performed, but without personal data. Store: “Deletion request received [date], executed [date], system ID [hash].”
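Steps 3 to 5 of the deletion process, as an added example that is not the article's code. It assumes a secret pepper kept outside the database, ISO dates as strings, and three hypothetical per-system delete hooks standing in for the ESP, CRM and analytics integrations; the "system ID [hash]" in the log is an HMAC rather than a bare hash, because a plain hash of an email address can be reversed by hashing guessed addresses.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Added example, not the article's code. Assumptions: a secret pepper kept outside
# the database, ISO dates as strings, and hypothetical per-system delete hooks
# standing in for the ESP, CRM and analytics integrations.
PEPPER = b"constructed-placeholder-secret-keep-it-in-a-vault"
DEADLINE_DAYS = 30

SYSTEMS = {                     # each hook must return True only on confirmed success
    "esp": lambda email: True,
    "crm": lambda email: True,
    "analytics": lambda email: True,
}

def system_id(email):
    """Keyed pseudonym for the deletion log. A plain SHA-256 of an address can be
    reversed by hashing guessed addresses; HMAC with a secret pepper cannot."""
    return hmac.new(PEPPER, email.strip().lower().encode(), hashlib.sha256).hexdigest()

def process_deletion(email, received, executed, systems=SYSTEMS):
    """Steps 3 to 5: delete in every system, then log without personal data.
    Raises if any system failed, because a partial deletion is not a deletion."""
    failed = [name for name, delete in systems.items() if not delete(email)]
    if failed:
        raise RuntimeError("deletion incomplete in: " + ", ".join(failed))
    received_d, executed_d = date.fromisoformat(received), date.fromisoformat(executed)
    return {                    # no email, no name: only dates and the pseudonym
        "request_received": received,
        "executed": executed,
        "system_id": system_id(email),
        "within_deadline": executed_d <= received_d + timedelta(days=DEADLINE_DAYS),
    }

def overdue_requests(open_request_dates, today):
    """Open requests whose 30-day window has already passed on `today`."""
    limit = date.fromisoformat(today) - timedelta(days=DEADLINE_DAYS)
    return [d for d in open_request_dates if date.fromisoformat(d) < limit]
```

Run overdue_requests daily against the queue of open requests so a forgotten request is caught before the deadline passes.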
Make it proactively easy
Put a “Delete my data” button in your email footer or on your website. The easier you make it, the fewer complaints and legal issues.
Unsubscribe: One click, no explanation
Every marketing email must have a visible unsubscribe link. This isn’t just GDPR — it’s also required by Google’s sender guidelines and Yahoo’s sender requirements from 2024.
Best practices
One click. Click “Unsubscribe” and you’re unsubscribed. No “are you sure?” page, no login required, no survey (you can offer one, but it must not be required).
Visible link. In the email footer, clearly marked. Not hidden behind “manage preferences” in 8pt gray text.
List-Unsubscribe header. Technical: include a List-Unsubscribe header in your emails. This gives Gmail and Outlook the ability to show an “Unsubscribe” button directly in the email client.
Immediate effect. Unsubscription must take effect immediately. Not “within 10 days.” Immediately.
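The List-Unsubscribe header and the immediate, no-login unsubscribe, as an added example that is not the article's code. It assumes a secret signing key, the hypothetical endpoint https://example.com/unsub and an in-memory suppression set, and adds the List-Unsubscribe-Post header from RFC 8058 that Gmail and Yahoo use for their one-click button; the per-recipient HMAC token keeps the endpoint from being used to unsubscribe other people's addresses.

```python
import hashlib
import hmac
from email.message import EmailMessage
from urllib.parse import urlencode

# Added example, not the article's code. Assumptions: a secret signing key, the
# hypothetical endpoint https://example.com/unsub, and an in-memory suppression set.
SIGNING_KEY = b"constructed-placeholder-secret-rotate-and-store-in-a-vault"
UNSUB_URL = "https://example.com/unsub"
UNSUBSCRIBED = set()

def unsubscribe_token(email):
    """Per-recipient token: only the sender can mint a valid link for an address,
    so nobody can unsubscribe other people by guessing or editing the URL."""
    return hmac.new(SIGNING_KEY, email.lower().encode(), hashlib.sha256).hexdigest()[:32]

def build_message(to_addr, subject, body):
    """Marketing email with a visible footer link and RFC 8058 one-click headers."""
    link = UNSUB_URL + "?" + urlencode({"e": to_addr, "t": unsubscribe_token(to_addr)})
    msg = EmailMessage()
    msg["From"] = "CompanyName <news@example.com>"
    msg["To"] = to_addr
    msg["Subject"] = subject
    # Mailbox providers read these two headers to show their own Unsubscribe button
    msg["List-Unsubscribe"] = f"<{link}>, <mailto:unsubscribe@example.com?subject=unsub>"
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    msg.set_content(f"{body}\n\nUnsubscribe with one click: {link}")
    return msg

def handle_one_click_post(email, token, form_body):
    """Endpoint logic for the POST the mail client sends: immediate effect,
    no login, no confirmation page. Returns True when the address is suppressed."""
    if form_body != "List-Unsubscribe=One-Click":
        return False                        # not an RFC 8058 one-click request
    if not hmac.compare_digest(token, unsubscribe_token(email)):
        return False                        # forged or tampered link
    UNSUBSCRIBED.add(email.lower())         # suppressed now, not "within 10 days"
    return True

def is_unsubscribed(email):
    return email.lower() in UNSUBSCRIBED
```

A GET on the same link should serve the footer-link case with the same token check; both paths write to the suppression set before any further send is queued.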
Preference center as alternative
Instead of a hard unsubscribe, you can offer a preference center where contacts can:
- Reduce frequency (from weekly to monthly)
- Choose specific topics
- Pause for a period
This reduces your unsubscribe rate without breaking any rules. But the full unsubscribe option must always be available.
Practical implementation: Your GDPR checklist
Signup flow
- Form with clear purpose and sender
- No pre-ticked checkboxes
- Separate checkboxes for separate purposes
- Link to privacy policy
- Double opt-in enabled
- Confirmation email with 48-hour expiry
Documentation
- Consent timestamp logged per contact
- IP address logged
- Source logged
- Form version logged
- Consent text saved
Emails
- Visible unsubscribe link in footer
- List-Unsubscribe header
- One-click unsubscribe
- Physical address in footer (CAN-SPAM requirement)
Data management
- Process for deletion requests (under 30 days)
- Process for data export requests
- Regular cleanup of unconfirmed signups
- Annual review of consent documentation
The most common GDPR mistakes
Bundled consent. “By creating an account you agree to receive marketing.” No. Account creation and marketing are separate purposes and require separate consent.
No proof of consent. You have 10,000 subscribers but can’t document when and how they signed up. If a data protection authority comes knocking, you have a problem.
Ignoring deletion requests. You receive a “delete my data” email and forget about it. That’s a violation. Set up a process now.
Buying lists. Even if the seller says “they gave consent.” They didn’t give consent to you. Read more in our guide to building a list organically.
Sending to unconfirmed addresses. Someone filled out your form but never confirmed. You send anyway. That’s neither legal nor smart — it destroys your deliverability.
GDPR is not your enemy
GDPR compliance sounds like a burden, but it’s actually a competitive advantage. A clean, confirmed list with documented consent has:
- Higher open rates because everyone actually asked for your emails
- Lower bounce rate because all addresses are confirmed
- Better sender reputation because fewer people mark you as spam
- Zero legal risk because everything is documented
Get it right from the start. It’s easier than cleaning up afterward.