Email marketing 9 min read·

Newsletter and GDPR: How Not to Get Sanctioned

CNIL has sanctioned over 200 companies for non-compliant electronic prospecting since 2021. Newsletter, cold email, cart abandonment follow-up: every email sent without a solid legal basis is a violation. Here are the exact rules.

B2C vs B2B: Two Different Regimes

Email marketing is governed by two combined texts: GDPR for personal data protection and Article L34-5 of the French Postal and Electronic Communications Code (CPCE) which transposes the ePrivacy directive. The rule differs depending on whether you're addressing individuals (B2C) or professionals (B2B).

B2C — Particuliers
  • Prior consent required (opt-in)
  • Exception: existing customers for similar products
  • Legitimate interest insufficient for B2C
  • Double opt-in recommended (proof)
B2B — Professionnels
  • Legitimate interest possible if business relevance
  • Information obligation + right to object
  • Personal address (gmail) = B2C rule applies
  • contact@ / info@ = less risky

The 5 Minimum Requirements for Each Email

1
Clear sender identity

Name + company name in From and signature. Reply-to address must be functional and respond within 48h to unsubscribe requests.

2
Non-deceptive subject line

Subject must not simulate a reply (Re:), mislead about content, or mask commercial nature (Art. L34-5 CPCE).

3
Visible unsubscribe link

Required in every email. One click maximum to unsubscribe. Processing within 72 hours maximum. The 'unsubscribe' in the footer must actually work.

4
Mention of legal basis

In the privacy policy linked from the email: legal basis (consent or legitimate interest), purpose, retention period, data subject rights.

5
Traceability of consent

Subscription timestamp, IP address, source (form, import, event), form version. Keep at least 3 years. Essential in case of complaint.

Does your email marketing tool deposit cookies before consent?

Mailchimp, Klaviyo, Brevo... their tracking scripts often deposit cookies on page load. RGPDScan detects it in 60s.

Documented CNIL Sanctions in Email Marketing

Société de prospection commerciale — 200 000 € (2023)

CNIL deliberation SAN-2023-014: sending 4.8 million emails to individuals without valid consent, absence of functional unsubscribe link, refusal to process complaints. Sanction enhanced by the repeated nature.

Opérateur télécom — 300 000 € (2022)

CNIL deliberation SAN-2022-023: SMS prospecting without consent, non-respected unsubscription, email open tracking without prior information. Multiple cumulative sanctions.

The Most GDPR-Compliant Email Tools in 2026

ToolHostingDPF/SCCCompliance
Brevo (Sendinblue)France (FR)Excellent
MailjetFrance (FR)Excellent
MailchimpUSA (US)Conditional
KlaviyoUSA (US)Conditional

Going Further

Frequently Asked Questions

Is double opt-in mandatory under GDPR?
No, GDPR doesn't require double opt-in. But it requires 'free, specific, informed and unambiguous' consent (Art. 7). Double opt-in remains the best proof of this consent. In case of CNIL inspection, it's your main shield.
Can I send newsletters to B2B clients without consent?
Yes, under strict conditions (Art. L34-5 CPCE): the email must concern a product/service similar to what the client purchased, you must have informed them during collection, and offer them the ability to object in each email. Generic professional email addresses (contact@, info@) relate to the legal entity, not the individual — more flexible territory.
How long can I keep newsletter subscriber addresses?
As long as the person is subscribed and active. CNIL recommends purging inactives (no opens, no clicks) after 3 years. A reactivation email before purging is a documented best practice.
Can I import a purchased or scraped list?
No. A purchased or scraped list doesn't meet GDPR consent requirements. The person hasn't consented to receive your emails specifically. Using such lists exposes you to CNIL sanctions (fine + injunction) and deliverability problems (spam).
What must a double opt-in confirmation email contain?
The confirmation link, sender identity, purpose (newsletter + approximate frequency), mention that without clicking the address won't be used. Keep the timestamp and IP address of the confirmation for at least 3 years.
How to handle an immediate unsubscribe request?
Unsubscribe within 72 hours maximum (immediately in practice). Never re-add the address to another list. Keep a record of the unsubscription to prove absence of subsequent sending if disputed. The unsubscribe link must be visible in every email.

Is your email tool GDPR compliant?

Detect in 60s the email scripts that deposit cookies before consent on your site.