If you send marketing emails or run a newsletter, your privacy policy must disclose how you collect email addresses, what tracking technologies you use, and which third-party platforms process subscriber data. This is not optional. CAN-SPAM, which governs commercial email in the United States, requires every marketing email to include your physical mailing address and a working unsubscribe mechanism. GDPR, which applies if any of your subscribers are in the EU, requires explicit opt-in consent before you send the first email and a privacy policy that explains what data you collect, why, and who you share it with. Most email platforms like Mailchimp, ConvertKit, and Klaviyo embed tracking pixels in every email by default, collecting open rates, click data, IP addresses, and device information. Your privacy policy must disclose this tracking. It must also name the email service provider as a third-party data processor and explain subscriber rights including how to unsubscribe and request data deletion.

CAN-SPAM Requirements for Email Marketing

The CAN-SPAM Act of 2003 applies to commercial email messages sent to recipients in the United States. Unlike GDPR, CAN-SPAM does not require prior consent to send marketing emails, but it does impose strict rules on every message you send. Each email must include your valid physical postal address, a clear and conspicuous unsubscribe mechanism, accurate header information (the "From", "To" and routing information must identify who sent the message, and the "Subject" line cannot be deceptive), and a clear indication that the message is an advertisement.

When someone unsubscribes, you must honor the request within 10 business days, and the opt-out mechanism must keep working for at least 30 days after the message is sent. You cannot charge a fee, require the subscriber to log in, or make them jump through hoops to opt out. One practical consequence: because the link must work without a login, it should carry an unguessable per-recipient token rather than a bare email address; otherwise anyone who knows an address can unsubscribe that person. Violations carry civil penalties of up to $51,744 per email (the FTC adjusts this figure for inflation each year). While CAN-SPAM does not explicitly mandate a privacy policy, it does require transparency about your identity and practices, and having a privacy policy linked in your emails helps demonstrate compliance. If you use an affiliate or third party to send emails on your behalf, you are still legally responsible for compliance.

GDPR Consent Requirements for EU Subscribers

GDPR applies if you offer your newsletter to people in the European Union or monitor their behaviour there (open and click tracking counts as monitoring), regardless of where your business is based. GDPR's consent standard for email marketing is significantly stricter than CAN-SPAM. Consent must be freely given, specific, informed, and unambiguous, meaning you need an unchecked opt-in checkbox (Recital 32 states that pre-ticked boxes, silence and inactivity do not constitute consent) with clear language explaining what the subscriber is signing up for.

You must be able to demonstrate that consent was given (Article 7(1)), so keep a record of when and how each subscriber consented, including the exact text they agreed to or a versioned copy of it. If you plan to use subscriber data for purposes beyond the newsletter itself, such as targeted advertising, audience segmentation, or sharing with sponsors, each purpose requires separate consent. Bundling consent ("sign up for our newsletter and agree to receive partner offers") is not valid under GDPR. Your privacy policy must explain the lawful basis for processing (consent, in most email marketing cases; the ePrivacy "soft opt-in" for existing customers only covers your own similar products and still requires an easy opt-out at collection and in every message), the specific data collected, retention periods, and subscriber rights including the right to withdraw consent at any time, which must be as easy as giving it.

Email Tracking Pixels and What to Disclose

Nearly every email marketing platform embeds invisible tracking pixels, tiny 1x1 images with a per-recipient URL, in outgoing emails. When a subscriber's email client loads images, the pixel is fetched from the provider's server, which records the open event along with the requesting IP address, approximate location derived from it, email client, device type, and operating system. Click tracking works similarly: every link in your email is rewritten to point at the platform's servers, which log the click (again with IP address and client details) and then redirect the browser to the real destination.

Under GDPR, this tracking constitutes personal data processing and must be disclosed in your privacy policy. Specifically, you should explain that emails contain tracking technologies, list the data points collected (open time, IP address, device info, click behavior), state the purpose (measuring engagement, improving content, segmenting audiences), and explain how subscribers can limit tracking, for example by disabling image loading in their email client. Be aware that the data is also imprecise: Gmail and Apple Mail Privacy Protection fetch images through their own proxies, so the logged IP address is the proxy's, and Apple's prefetching registers opens that never happened. The ePrivacy Directive (Article 5(3)) adds further requirements in the EU, treating tracking pixels like cookies, which in practice means consent for the tracking itself, not only a disclosure. Some businesses now offer a "plain text" newsletter option without tracking as a privacy-friendly alternative.

Disclosing Data Sharing with Email Platforms

When you use Mailchimp, ConvertKit, Klaviyo, Constant Contact, or any email service provider (ESP), you are sharing subscriber personal data with a third party. Your privacy policy must disclose this relationship. At minimum, name the ESP, describe the data shared (email addresses, names, engagement metrics, any custom fields), and link to the ESP's own privacy policy.

Under GDPR, your ESP is a "data processor" acting on your behalf, and you need a Data Processing Agreement (DPA) in place. Most major ESPs provide a standard DPA that you can accept through their platform settings. If your ESP is based in the United States and you have EU subscribers, you also need to address the international data transfer: most ESPs rely on Standard Contractual Clauses or, where the ESP is certified under it, the EU-US Data Privacy Framework. Beyond the ESP itself, consider whether you use integrations that share subscriber data with additional services: CRM systems, analytics platforms, advertising networks, or e-commerce platforms. Each integration that receives subscriber data should be disclosed.

Building a Compliant Email Signup Flow

Your privacy policy is only one piece of the compliance puzzle. The signup flow itself matters. GDPR does not mandate double opt-in, but it is the standard way to produce evidence of consent: after a subscriber enters their email, send a confirmation email requiring them to click a link to verify, and send nothing else until they do. The confirmation link should carry a random or signed token that expires, so that a third party cannot subscribe someone else's address by guessing the link. Record the time, the IP address and the wording shown at both the form submission and the confirmation click. Place a link to your privacy policy directly next to the signup form, not just in the website footer. Avoid wording like "By subscribing, you agree to our Privacy Policy": a privacy policy is a notice, not something the subscriber consents to. State what they are actually consenting to, for example "Send me the weekly newsletter. You can unsubscribe at any time; see our Privacy Policy for how we use your data."

Do not add subscribers automatically from other interactions (purchases, account creation, contact form submissions) unless you obtained explicit email marketing consent during that interaction. If you run contests or giveaways that collect emails, the contest entry and the newsletter subscription must be separate consent actions. Finally, audit your signup forms regularly to make sure the consent language accurately reflects your current data practices. If you add a new ESP integration or start using subscriber data for a new purpose, update both your privacy policy and your signup form language.
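The following is an added example, not code from this page or from any email platform, of the signup flow described in this section: a double opt-in with an HMAC-signed, expiring confirmation link; a signed, non-expiring unsubscribe link that works without a login; and a consent record that stores when and how consent was given together with a hash of the exact wording shown. All names (SignupFlow, ConsentRecord, the 48-hour confirmation window, the consent text and version label) are hypothetical, the in-memory dictionary stands in for a database, and the secret is assumed to come from server configuration.

```python
"""Double opt-in signup with signed links and a consent record (added example)."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

CONFIRM_TTL = 48 * 3600            # assumed: confirmation links expire after 48 hours
CONSENT_VERSION = "newsletter-v3"  # assumed: label for the current consent wording
CONSENT_TEXT = ("Send me the weekly newsletter. "
                "I can withdraw this consent at any time via the unsubscribe link.")


def consent_text_digest(text: str) -> str:
    """Hash of the exact wording shown at signup, so the record can be tied
    to the form text even after that text is later changed."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def sign_token(secret: bytes, purpose: str, email: str, exp: int | None) -> str:
    """HMAC-signed link token. Links must work without a login, so they must
    be unguessable: the MAC stops anyone forging a confirm/unsubscribe for
    another address. 'exp' is None for links that must never expire."""
    payload = json.dumps({"p": purpose, "e": email, "x": exp},
                         separators=(",", ":")).encode()
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    b64 = lambda b: base64.urlsafe_b64encode(b).decode().rstrip("=")
    return b64(payload) + "." + b64(mac)


def verify_token(secret: bytes, token: str, purpose: str, now: int | None = None) -> str | None:
    """Return the email the token is valid for, or None if the MAC is wrong,
    the purpose differs (an unsubscribe token cannot confirm) or it expired."""
    now = int(time.time()) if now is None else now
    unb64 = lambda s: base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload, mac = unb64(payload_b64), unb64(mac_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    data = json.loads(payload)
    if data.get("p") != purpose:
        return None
    if data.get("x") is not None and now > data["x"]:
        return None
    return data["e"]


@dataclass
class ConsentRecord:
    """What a GDPR consent record needs: when, how, from where, and to what."""
    email: str
    consent_version: str
    consent_text_sha256: str
    requested_at: int
    request_ip: str
    confirmed_at: int | None = None
    confirm_ip: str | None = None
    withdrawn_at: int | None = None

    @property
    def status(self) -> str:
        if self.withdrawn_at is not None:
            return "unsubscribed"
        return "confirmed" if self.confirmed_at is not None else "pending"


class SignupFlow:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.records: dict[str, ConsentRecord] = {}   # assumed: in-memory stand-in for a DB

    def request(self, email: str, ip: str, now: int) -> str:
        """Step 1: form submitted. Returns the token for the confirmation
        email; nothing else is sent to the address until confirmed."""
        self.records[email] = ConsentRecord(
            email, CONSENT_VERSION, consent_text_digest(CONSENT_TEXT), now, ip)
        return sign_token(self.secret, "confirm", email, now + CONFIRM_TTL)

    def confirm(self, token: str, ip: str, now: int) -> bool:
        """Step 2: confirmation link clicked. Records when and from where."""
        email = verify_token(self.secret, token, "confirm", now)
        rec = self.records.get(email) if email else None
        if rec is None or rec.status == "unsubscribed":
            return False
        if rec.status == "pending":
            rec.confirmed_at, rec.confirm_ip = now, ip
        return True

    def unsubscribe_token(self, email: str) -> str:
        """Footer link token. No expiry: the opt-out must keep working (at least
        30 days under CAN-SPAM) and withdrawing consent must always be possible."""
        return sign_token(self.secret, "unsub", email, None)

    def unsubscribe(self, token: str, now: int) -> bool:
        """One click, no login, no fee; idempotent so a repeat click still succeeds."""
        email = verify_token(self.secret, token, "unsub", now)
        rec = self.records.get(email) if email else None
        if rec is None:
            return False
        if rec.withdrawn_at is None:
            rec.withdrawn_at = now
        return True

    def may_send_marketing(self, email: str) -> bool:
        rec = self.records.get(email)
        return rec is not None and rec.status == "confirmed"
```

Only records in the "confirmed" state are eligible for marketing mail, and the stored hash plus version label let you show later exactly which wording a subscriber agreed to. A token signed for unsubscribing is rejected by the confirmation endpoint because the purpose is part of the signed payload, and a confirmation token that is presented after its 48-hour window is rejected, forcing the address to be requested again.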

Ready to Create Your Privacy Policy?

Generate a professional, legally compliant privacy policy in minutes. No account required.
