Newsletter compliance is where indie founders and creators most often get in trouble. Iubenda's guide is thorough but heavy. This article condenses it to a 7-item checklist that covers the regulatory floor without hiring an agency.
The 7-item checklist
1. Double opt-in
User signs up. You send a confirmation email. They click. Now they are subscribed. Single opt-in fails most EU audits. Cost: 5 minutes in your ESP settings.
2. Specific consent purpose
"Subscribe to our newsletter" passes. "Stay informed" does not. "Receive marketing emails about [topic]" passes too. Vague consent fails.
3. No pre-ticked boxes
Active opt-in only. Pre-checked checkboxes have been illegal under GDPR since the 2019 Planet49 ruling.
4. One-click unsubscribe
In every email, footer link to unsubscribe. Single click should do it. No login required. Effective in under 24 hours.
5. Identity of sender visible
Your legal name (or business name), physical address, and contact email in every email footer. CAN-SPAM in the US, GDPR Article 13 in the EU.
6. Data retention policy for unsubscribed users
When someone unsubscribes, what do you do with their data? Standard practice: keep email on a suppression list (to honor the unsubscribe), delete all other data within 30 days.
7. Privacy policy linked at signup
Below the signup form, link to your privacy policy. Reference it in the consent text.
| Item | Setup time | Common failure |
|---|---|---|
| Double opt-in | 5 min | Single opt-in by default in some ESPs |
| Specific consent | 10 min | Vague "subscribe" language |
| No pre-tick | 2 min | Old form designs still pre-tick |
| One-click unsubscribe | 5 min | Login-required unsubscribe |
| Sender identity | 5 min | Missing physical address |
| Data retention | 30 min | No documented policy |
| Privacy policy link | 5 min | Privacy policy not linked at form |
The most common newsletter complaint to AEPD in 2025: pre-ticked boxes and missing unsubscribe paths. Both are 10-minute fixes. Both repeatedly fail audits because nobody re-checks the signup form.
Conclusion
Newsletter compliance is the simplest GDPR area and the most frequently failed. The 7-item checklist covers the floor in one afternoon. For SaaS with a serious list, also document a quarterly review.
To generate a privacy policy with the newsletter section already aligned with GDPR Article 13/14, try Termerly free.


