Email Compliance & GDPR Checklist

Under GDPR, you need a valid legal basis: consent, legitimate interest, or contractual necessity. Document which basis applies to each segment of your database.

Ensure all opt-in forms clearly state what contacts are signing up for. Pre-checked boxes are not valid consent under GDPR.

For each contact, record when consent was given, how it was given, and what was consented to. Store this data in your CRM or consent management platform.

If you use data from third-party providers, verify they collected data with proper consent or legitimate interest basis and have compliant privacy policies.

CAN-SPAM requires a valid physical postal address in every commercial email. GDPR requires clear sender identification.

Every email must include an easy, one-click unsubscribe option. Under CAN-SPAM, you have 10 business days to process requests (but aim for instant).

The 'From' name, email address, and subject line must not be deceptive or misleading about who is sending or the content of the email.

Commercial emails should be identifiable as advertising/promotional content. This doesn't mean you need a disclaimer, but the intent should be clear.

Have a process for responding to requests from individuals who want to see what data you hold about them. GDPR requires response within 30 days.

When someone requests their data be deleted, you must remove it from all systems — CRM, email platform, backups, and any third-party tools.

Define how long you keep contact data and delete it when no longer needed. Storing data indefinitely without purpose violates GDPR principles.

Any third-party tool that processes personal data on your behalf needs a Data Processing Agreement (DPA). Review and sign DPAs with all vendors.