Newsletter and GDPR: How Not to Get Sanctioned
CNIL has sanctioned over 200 companies for non-compliant electronic prospecting since 2021. Newsletter, cold email, cart abandonment follow-up: every email sent without a solid legal basis is a violation. Here are the exact rules.
B2C vs B2B: Two Different Regimes
Email marketing is governed by two combined texts: GDPR for personal data protection and Article L34-5 of the French Postal and Electronic Communications Code (CPCE) which transposes the ePrivacy directive. The rule differs depending on whether you're addressing individuals (B2C) or professionals (B2B).
- Prior consent required (opt-in)
- Exception: existing customers for similar products
- Legitimate interest insufficient for B2C
- Double opt-in recommended (proof)
- Legitimate interest possible if business relevance
- Information obligation + right to object
- Personal address (gmail) = B2C rule applies
- contact@ / info@ = less risky
The 5 Minimum Requirements for Each Email
Name + company name in From and signature. Reply-to address must be functional and respond within 48h to unsubscribe requests.
Subject must not simulate a reply (Re:), mislead about content, or mask commercial nature (Art. L34-5 CPCE).
Required in every email. One click maximum to unsubscribe. Processing within 72 hours maximum. The 'unsubscribe' in the footer must actually work.
In the privacy policy linked from the email: legal basis (consent or legitimate interest), purpose, retention period, data subject rights.
Subscription timestamp, IP address, source (form, import, event), form version. Keep at least 3 years. Essential in case of complaint.
Does your email marketing tool deposit cookies before consent?
Mailchimp, Klaviyo, Brevo... their tracking scripts often deposit cookies on page load. RGPDScan detects it in 60s.
Documented CNIL Sanctions in Email Marketing
CNIL deliberation SAN-2023-014: sending 4.8 million emails to individuals without valid consent, absence of functional unsubscribe link, refusal to process complaints. Sanction enhanced by the repeated nature.
CNIL deliberation SAN-2022-023: SMS prospecting without consent, non-respected unsubscription, email open tracking without prior information. Multiple cumulative sanctions.
The Most GDPR-Compliant Email Tools in 2026
| Tool | Hosting | DPF/SCC | Compliance |
|---|---|---|---|
| Brevo (Sendinblue) | France (FR) | Excellent | |
| Mailjet | France (FR) | Excellent | |
| Mailchimp | USA (US) | Conditional | |
| Klaviyo | USA (US) | Conditional |
Going Further
- Mailchimp and GDPR: complete analysis
- Brevo: the French Mailchimp alternative
- Cookie banner: the 7 mistakes to avoid
- Complete GDPR checklist 2026