GDPR & Compliance · 13 May 2026 · NexusProMail Team

How to Build a GDPR-Compliant Email List From Scratch

A GDPR-compliant email list is not just a legal requirement — it is the foundation of deliverability and long-term sender reputation. This guide covers lawful basis, consent capture, double opt-in, list hygiene and what to do with legacy contacts.

Building an email list is one of the highest-leverage activities in email marketing. But a list built without GDPR compliance is a liability, not an asset — carrying the risk of regulatory action, suppression failures and damaged deliverability. The good news: doing it correctly from the start is straightforward, and the habits that make a list compliant also make it perform better.

1. Understand Which Lawful Basis You Are Using

GDPR requires a lawful basis for processing personal data. For most marketing email, the relevant bases are:

  • Consent (Article 6(1)(a)): The contact has actively given permission to receive marketing from you. This is the cleanest and most defensible basis for cold contacts and new subscribers.
  • Legitimate interests (Article 6(1)(f)): You have a genuine business interest in contacting the person, balanced against their rights. Typically used for existing customers or business contacts where a commercial relationship already exists. Requires a documented Legitimate Interests Assessment (LIA).

Choose your basis deliberately. Do not use legitimate interests as a workaround to avoid collecting consent. Document your decision — if you are ever asked by a supervisory authority, you will need to demonstrate which basis applied and why.

Legal note: This guide is for informational purposes only and does not constitute legal advice. Consult a qualified privacy practitioner for advice specific to your organisation and jurisdiction.

2. Capture Consent Correctly at the Point of Sign-Up

GDPR consent must be:

  • Freely given: Not bundled with terms of service. Not required to access a service the contact is paying for.
  • Specific: The contact knows what they are consenting to. "I agree to receive marketing emails from Acme Ltd about product updates and promotions" is specific. "I agree to all communications" is not.
  • Informed: The contact knows who is collecting their data and how it will be used.
  • Unambiguous: An active opt-in action — a tick box the contact checks themselves. Pre-ticked boxes do not satisfy GDPR consent.

Your sign-up form should include a clearly labelled, unticked checkbox with concise consent language. Example: "I agree to receive email updates from [Company]. You can unsubscribe at any time." Link to your privacy policy. Store the consent timestamp, IP address and form version — you will need this if consent is ever challenged.

3. Use Double Opt-In to Confirm Every Address

Double opt-in (also called confirmed opt-in) sends a confirmation email immediately after sign-up. The contact only joins your active list after clicking the confirmation link.

Why it matters beyond compliance:

  • Filters out mistyped addresses before they become hard bounces
  • Confirms the inbox is real and accessible
  • Provides a stronger record of consent (the contact took two distinct actions)
  • Dramatically improves list quality and engagement rates from day one

The deliverability benefit is significant: double opt-in lists consistently produce lower bounce rates and higher open rates than single opt-in lists. Inbox providers notice this.

4. Record and Store Consent Proof

For every contact on your list, you need to be able to answer: when did they consent, to what, via which form, from which IP? This is your consent record.

Minimum data to capture at sign-up:

  • Timestamp of opt-in (and confirmation for double opt-in)
  • IP address
  • The exact consent language shown (form version)
  • The URL of the page the form was on

NexusProMail records consent state at the contact level and stores this metadata with each import. If a contact disputes consent, you have the record to support your position.

5. Make Unsubscribing Effortless

GDPR requires that withdrawing consent is as easy as giving it. In practice: every marketing email must include a working unsubscribe link, and opt-out requests must be honoured promptly — the standard is within 30 days, though immediate processing is strongly recommended.

When a contact unsubscribes:

  • Do not remove them from your database entirely — add them to a suppression list
  • The suppression list prevents accidental re-sends if they are re-imported later
  • Do not contact them again for marketing purposes unless they provide fresh consent

NexusProMail adds unsubscribes to suppression lists automatically. The system checks suppression before every send, so a suppressed contact cannot be emailed — even if they exist in a contact list.
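The three mechanisms in sections 3, 4 and 5 (a signed double opt-in confirmation link, a consent record that captures timestamp, IP, form version and consent wording, and a suppression list consulted before every send) fit together in one small piece of code. The following is an added illustration written for this article, not NexusProMail's implementation: it keeps everything in memory, uses a constructed placeholder signing key, and the contact details are invented. The confirmation token is an HMAC over the normalised address and issue time with a 48-hour expiry, so a link cannot be forged or replayed indefinitely, and every lookup goes through the same normalisation so case or whitespace variants of an address cannot slip past suppression.

```python
"""Double opt-in, consent records and suppression enforcement (illustrative example)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Assumption: in production this comes from a secret store, never from source code.
SIGNING_KEY = b"constructed-demo-key-replace-me"
CONFIRM_TTL_SECONDS = 48 * 3600  # confirmation links stop working after 48 hours


def normalize(address: str) -> str:
    """Canonical address used for every lookup, so 'Alice@Example.com ' and
    'alice@example.com' are the same contact for suppression purposes."""
    return address.strip().lower()


def make_token(email: str, issued_at: int) -> str:
    """Confirmation token: issue time plus HMAC-SHA256 over address and time."""
    payload = f"{email}|{issued_at}".encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return f"{issued_at}.{sig}"


def verify_token(email: str, token: str, now: int) -> bool:
    """Reject malformed, expired, future-dated or tampered tokens."""
    try:
        issued_str, sig = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    if issued_at > now or now - issued_at > CONFIRM_TTL_SECONDS:
        return False
    expected = hmac.new(SIGNING_KEY, f"{email}|{issued_at}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)  # constant-time comparison


@dataclass
class ConsentRecord:
    """What you must be able to produce if consent is ever challenged."""
    email: str
    consent_text: str          # the exact wording shown to the contact
    form_version: str
    page_url: str
    signup_ip: str
    opted_in_at: int
    confirmed_at: Optional[int] = None
    confirm_ip: Optional[str] = None


@dataclass
class MailingList:
    pending: Dict[str, ConsentRecord] = field(default_factory=dict)
    active: Dict[str, ConsentRecord] = field(default_factory=dict)
    suppressed: Set[str] = field(default_factory=set)

    def sign_up(self, email: str, consent_text: str, form_version: str,
                page_url: str, ip: str, now: int) -> str:
        """Step 1 of double opt-in: store the consent record, return the link token."""
        email = normalize(email)
        self.pending[email] = ConsentRecord(email, consent_text, form_version, page_url, ip, now)
        return make_token(email, now)

    def confirm(self, email: str, token: str, ip: str, now: int) -> bool:
        """Step 2: only a valid token for a pending address moves it to the active list."""
        email = normalize(email)
        record = self.pending.get(email)
        if record is None or not verify_token(email, token, now):
            return False
        record.confirmed_at = now
        record.confirm_ip = ip
        self.active[email] = self.pending.pop(email)
        return True

    def unsubscribe(self, email: str) -> None:
        """Withdrawal needs no token; the address is suppressed, not deleted."""
        email = normalize(email)
        self.suppressed.add(email)
        self.active.pop(email, None)
        self.pending.pop(email, None)

    def import_confirmed(self, record: ConsentRecord) -> bool:
        """Re-importing a contact never overrides an earlier unsubscribe."""
        email = normalize(record.email)
        if email in self.suppressed or record.confirmed_at is None:
            return False
        self.active[email] = record
        return True

    def recipients_for_send(self) -> list:
        """The suppression check runs on every send, not only at import time."""
        return sorted(e for e in self.active if e not in self.suppressed)
```

The `recipients_for_send` check is deliberately redundant with the removal in `unsubscribe`: if a contact is re-added by any path that forgets to consult the suppression set, the send-time filter still catches it, which is the property the article asks for.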

6. Maintain List Hygiene Continuously

A compliant list is not built once — it is maintained on an ongoing basis. Regular hygiene practices:

  • Remove hard bounces immediately: Hard bounces indicate invalid addresses. Sending to them repeatedly damages your sender reputation.
  • Suppress complaints: Any address that marks your email as spam should be suppressed immediately. Google Postmaster Tools and Microsoft SNDS provide complaint data.
  • Re-permission inactive contacts: Contacts who have not opened or clicked in 12+ months are at risk of being reclassified as inactive. Before suppressing them, send a single re-permission email asking if they still want to hear from you. Those who do not re-confirm should be suppressed.
  • Audit imported lists: Any list imported from a third party, acquired through a merger or compiled before your current consent process should be audited before sending. If you cannot demonstrate valid consent, do not mail it.

7. Handle Legacy Contacts Carefully

If your business existed before GDPR (before May 2018) or you have contacts collected under older, looser standards, you have a decision to make:

  • Option A — Re-permission campaign: Send a single email to legacy contacts asking them to confirm they still want to hear from you. Only send to those who respond affirmatively.
  • Option B — Legitimate interests assessment: If the contacts have a recent and relevant commercial relationship with your business, document a Legitimate Interests Assessment and proceed — but be conservative.
  • Option C — Suppress: If you cannot justify a lawful basis, suppress the contacts. A smaller, legitimate list always outperforms a large questionable one.

Do not simply keep sending to legacy contacts and hope for the best. The risk — both regulatory and deliverability — is not worth it.

8. Have a Data Processing Agreement with Your Email Platform

When you use an email marketing platform, that platform processes personal data on your behalf. Under Article 28 GDPR, you need a Data Processing Agreement (DPA) with them.

A DPA confirms:

  • The processor will only use data as instructed by you
  • They have appropriate security measures in place
  • They will assist with DSARs (data subject access requests)
  • They will notify you of any data breaches promptly

NexusProMail is operated by Infotech Pioneers Oy, a Finnish company subject to EU law. A DPA is available to all business customers on request. Contact support@nexuspromail.com to request it.

Quick Checklist: GDPR-Compliant Email List

  • ☐ Lawful basis documented for every contact segment
  • ☐ Opt-in forms use unticked checkboxes with specific consent language
  • ☐ Double opt-in enabled for all web sign-up forms
  • ☐ Consent records stored with timestamp, IP and form version
  • ☐ Unsubscribe link in every marketing email
  • ☐ Suppression list enforced before every send
  • ☐ Hard bounces and complaints auto-suppressed
  • ☐ Legacy contacts re-permissioned or suppressed
  • ☐ DPA signed with your email platform
  • ☐ Re-permission cadence scheduled for inactive contacts (12+ months)

A list built this way is not just compliant — it is your most valuable marketing asset. High-quality consent, double opt-in and continuous hygiene produce engagement rates that translate directly into inbox placement and campaign ROI.

NexusProMail includes consent tracking, suppression enforcement, DSAR tooling and double opt-in support in every plan. Read our full GDPR compliance overview or start a free account.
