Newsletter compliance is where indie founders and creators most often get in trouble. Iubenda's guide is thorough but heavy. This article condenses it to a 7-item checklist that covers the regulatory floor without hiring an agency.

The 7-item checklist

1. Double opt-in

User signs up. You send a confirmation email. They click. Now they are subscribed. Single opt-in fails most EU audits. Cost: 5 minutes in your ESP settings.

"Subscribe to our newsletter" passes. "Stay informed" does not. "Receive marketing emails about [topic]" passes too. Vague consent fails.

3. No pre-ticked boxes

Active opt-in only. Pre-checked checkboxes have been illegal under GDPR since the 2019 Planet49 ruling.

4. One-click unsubscribe

In every email, footer link to unsubscribe. Single click should do it. No login required. Effective in under 24 hours.

5. Identity of sender visible

Your legal name (or business name), physical address, and contact email in every email footer. CAN-SPAM in the US, GDPR Article 13 in the EU.

6. Data retention policy for unsubscribed users

When someone unsubscribes, what do you do with their data? Standard practice: keep email on a suppression list (to honor the unsubscribe), delete all other data within 30 days.

7. Privacy policy linked at signup

Below the signup form, link to your privacy policy. Reference it in the consent text.

ItemSetup timeCommon failure
Double opt-in5 minSingle opt-in by default in some ESPs
Specific consent10 minVague "subscribe" language
No pre-tick2 minOld form designs still pre-tick
One-click unsubscribe5 minLogin-required unsubscribe
Sender identity5 minMissing physical address
Data retention30 minNo documented policy
Privacy policy link5 minPrivacy policy not linked at form

The most common newsletter complaint to AEPD in 2025: pre-ticked boxes and missing unsubscribe paths. Both are 10-minute fixes. Both repeatedly fail audits because nobody re-checks the signup form.

Conclusion

Newsletter compliance is the simplest GDPR area and the most frequently failed. The 7-item checklist covers the floor in one afternoon. For SaaS with a serious list, also document a quarterly review.

To generate a privacy policy with the newsletter section already aligned with GDPR Article 13/14, try Termerly free.