99 GDPR questions people are asking about email marketing

Marta Poliakova
· 37 min read · Email marketing · Aug 16, 2021

Are you still scratching your head sometimes when it comes to GDPR? Have no fear—our legal team is here to answer all your email marketing questions.

We constantly receive tons of insightful and unexpected questions about GDPR, so we curated the best questions (99, to be precise)! This Q&A is designed to help everyone make the most of their email marketing, whilst keeping everything GDPR-friendly.

99 questions might sound like a lot, so you can jump directly to the different categories below. And feel free to share this Q&A with your colleagues, so that you can all become GDPR-savvy together!

Disclaimer: Please note that we share our insights about GDPR here, but please do not consider them legal advice. We strongly recommend consulting a lawyer to discuss the individual needs of your business.



1. Does the EU have jurisdiction in the U.S. to enforce GDPR?

A company is subject to the GDPR if it processes the personal data of an individual who is in the EU, regardless of whether the processing takes place in the EU or not.

2. Does GDPR apply to all EU citizens regardless of where they live?

The word "citizen" never appears in the GDPR. It's all about being "in the Union". Your nationality or permanent address does not matter. GDPR applies to people who are in the EU. If you are an EU citizen but live abroad, then GDPR doesn't apply to you. So the best tool for you is to sort your subscribers by location / IP address.

3. Does GDPR apply to me if all my clients are in the U.S.?

If you are based in the EU, then GDPR applies to you. You need to have proof of your subscriber consent. Article 3 says: "This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not."

4. Can I send the GDPR confirmation email to Non-EU countries such as the USA?

If you are based outside the EU, you do not need to worry about subscribers outside the EU, as the GDPR does not apply to this type of data processing.

5. Can I send a revalidation email after May 25th, 2018?

It is not clear what the Data Protection Authorities think about sending revalidation emails after the 25th of May, 2018. From our point of view, if you didn't get your subscribers' consent before that date, then you shouldn’t contact them. Remember, you only need to revalidate subscribers that have not given you permission.

6. Do I have to 'forget' my unsubscribed subscribers?

You don't need to "Forget" them if they didn't ask to be forgotten. GDPR gives new powers to users and one of them is the "Right to be forgotten". But the user has to contact you by email/phone and ask to be forgotten.

7. How can we give users access to their personal data when requested?

You need to show all of the user's information that you process. It can be via PDF file or another format file that they can read. The main point is to show that person all of their data.

8. How does Brexit affect UK companies?

On June 28, 2021, the EU adopted an adequacy decision for the UK, ensuring the free flow of personal data between the two blocs for a four-year period (until June 2025). Please find more information for UK businesses here.

9. What are the rules for personal data transferring outside of the EU?

The European Commission has presented Standard contractual clauses for international transfers. You can find more information about this here.

10. How are small businesses affected by this? Also, I am not an EU or US citizen. How can anything be enforced against me anyway?

A company is subject to the GDPR if it processes the personal data of an individual who is in the EU, no matter the size, industry or country of origin of the business. If you do marketing for EU subscribers, GDPR applies to you as well. Enforcement will be done with the aid of international law enforcement.

11. Do individuals (not associated with a company) need to follow GDPR?

GDPR applies to you if you process personal information as part of an enterprise. Article 4(18) defines an enterprise as ‘a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity’.

12. Can businesses store prospect data? For example, I research and find the contact emails of my potential customers to send them sales emails.

GDPR is about protecting a person's data. If you would like to store local businesses' contact information, in this case, GDPR wouldn't apply to you because that contact information represents a legal entity.

13. I transferred emails from another service. Do I need to do anything to those emails (no IP addresses or other info was transferred) to be GDPR compliant?

According to GDPR, you have to be able to demonstrate that the person gave his/her consent. Try to contact your previous email provider and ask them to provide that information. If you gained your users' consent legally, you don't need to do so again. That said, you still need to prove it.

14. What are the consequences of a GDPR violation? Will there be a warning?

It depends. The Data Protection Authorities say they will address potential violations on a case-by-case basis. There could be fines or other non-financial reprimands like a temporary or permanent ban on data processing or a suspension of data flows to a third-party country. Warnings are possible too.

15. Is there a possibility of attorneys using GDPR to collect settlements or are violations handled solely through the Data Protection Authority?

You can make a complaint directly to your national data protection authority or you can also choose to file a case directly in court against a company. So attorneys most likely can collect settlements on behalf of their clients.

16. How much can an organization be fined for a GDPR violation?

The GDPR allows fines of up to 20 million euros or 4% of annual global turnover, whichever is higher.

17. If there is a data breach or my website is hacked, who exactly do we report this to and how?

GDPR says (Article 33): 'In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.'

18. What is the difference between GDPR and CCPA?

CCPA is similar to GDPR, except that it only applies to businesses that collect personal information from California residents. If you would like to know more about the CCPA, you can read the full article about it here.

19. If recipients are based in Norway, does the GDPR apply?

Norway is not an EU Member State, but it is a part of the European Economic Area (EEA). The GDPR had to be incorporated into the EEA Agreement before it could be implemented into national law. So the answer is yes, GDPR applies to this type of data processing.

20. If I have consent, do I still need to include an unsubscribe link on every marketing email?

GDPR states that all email marketing messages must clearly communicate how a recipient can remove their data from your list. An unsubscribe link is a best practice to achieve this.

21. What is the biggest difference between GDPR and the old rules?

There needs to be much more detail in your opt-in forms with explanations of why the data is being collected, what it’s going to be used for and who might have access to it. Consent now needs to be explicit and unambiguous. No implied opt-ins or pre-ticked consent boxes.

22. Do we need to appoint a Data Protection Officer for our company?

Under the GDPR, you must appoint a Data Protection Officer if:

- Your core activities require large-scale, regular and systematic monitoring of individuals (for example, online behavior tracking); or

- Your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offenses.

23. Can I put automation triggers on my blog and website that send my subscribers emails?

Yes, as long as those people on your list have given consent to receive emails from you. Once you have consent, you can use all of your email marketing best practices.

24. Do I need to implement double opt-in for GDPR compliance?

No, the GDPR doesn’t make it mandatory. However, as the regulation has such high standards for consent, it is a good option to ensure you are compliant.

25. Can I still personalize my email marketing with the subscriber’s real name and other personal info?

If you have proof of consent for emails, you are still allowed to send personalized emails.


26. What does the proof of consent need to include?

While there is a lot of vagueness regarding specific proof of consent, GDPR says that the burden of proof is on you to provide documentation proving that a subscriber agreed to share their data. That said, it doesn't specify any particular points. From our point of view, you should have:

- A timestamp of subscriber consent (time, date, location)

- The source of the opt-in (website, social media, etc.)

- A screenshot of the opt-in form used to obtain consent.

When you use MailerLite signup forms to acquire subscribers, we capture IP address, location, date, time, and the source of the consent form. This information will solidify your documentation of where, when and at what time your subscribers consented.

27. Is consent the only legal ground for GDPR?

You must have legal grounds to send emails to your subscribers, but that can be through consent, contract, legal obligation, vital interests, public task, or legitimate interests. For email marketing, consent is the most common legal ground, but not the only one. However, please keep in mind that MailerLite is a permission-based platform and in order to use our services, you must have your subscribers’ consent.

28. What exactly is ‘legitimate interests’?

Consent isn’t your only legal ground. Legitimate interests could be a good option. It basically means that you have a right to carry out commercial activities such as direct marketing. The requirements of using this legal basis are that you have a relationship with the consumer and that they would reasonably expect you to carry out the specific kinds of data processing you are employing.

29. I have opt-in dates for all my subscribers, but not IP addresses and certainly not screenshots of the opt-in form. Can you clarify if these are legally required by GDPR?

There are no clear legal requirements for proof of consent. The only thing GDPR says is "The burden of proof is on you to provide the documentation proving that a subscriber agreed to share their data". From what we see in the market and based on what is technically possible, we recommend having a timestamp, IP, source, and a screenshot of the form.

30. I am a magazine publisher who sends a monthly newsletter to subscribers. I have been advised that for GDPR consent, we merely need to advise subscribers that we have updated our Privacy Policy. If they want, they can unsubscribe. Is this true?

You have to be able to demonstrate that each person gave their consent. If you have proof of consent, then you do not need to revalidate. But there is another legal ground. If subscribers are considered your clients, then you don't need to ask for consent. You may process your subscribers’ data on the legal basis of legitimate interest.

31. Is a written consent on a piece of paper a valid proof of consent?

Yes, signing a consent statement on paper is a valid proof of consent.

32. What if I received verbal consent to add a name to my list? How do I deal with this?

In this case, you probably won't have proof of consent.

33. What if someone signs up at a trade show on a newsletter and marketing campaign list?

Signing a consent statement on a paper form or an iPad is valid proof of consent. You don't need to ask for it again. According to GDPR, you have to be able to demonstrate that the person gave his or her consent.

34. Can I send out an email asking people to unsubscribe instead of asking them to consent? If they don’t unsubscribe, then they are consenting.

Under GDPR, you have to get active consent. This approach is not appropriate.

35. How does MailerLite help to strengthen proof of consent?

When you use MailerLite signup forms to acquire subscribers, we capture the IP address, location, date, time, and the source of the consent form. This information will solidify your documentation of where, when and at what time your subscribers consented. MailerLite displays this information in your subscriber profiles.

36. How does MailerLite identify EU users?

If subscribers sign up with a MailerLite form, our location tracking capabilities can determine if the person is signing up from an EU country. We can then segment them into a special GDPR group. It’s important to note that there is a chance an EU citizen is living abroad in a non-EU country. In these cases, it is impossible to identify them as EU users. But GDPR states that you only need to make a reasonable effort to determine a person’s status.

37. How do I find out where my subscribers are from if I imported my list from a different provider? I don’t want to unsubscribe a whole bunch of people if they’re not in the EU.

GDPR says that you need to have proof of your subscriber’s consent. If you don't have it, you can't contact them. Try to contact your previous company and ask them to provide the information that wasn't transferred.

38. Does subscriber consent have an expiration?

No. There is no official timeframe within which consent will expire. As long as you have a clear way for users to unsubscribe, consent is indefinite until the subscriber requests otherwise.


39. Do I actually need a privacy policy?

According to privacy laws, you have to clearly describe how you plan to use your subscribers’ data, including your use of third parties like MailerLite. We recommend listing each data processor separately and clearly explaining how and why they are using the data.

40. Can you offer any guidance on writing a privacy policy?

You will be able to find more information in this blog post. In general, most privacy policy laws require you to inform users of:

- Your name (or business name), location, and contact information;

- What information you’re collecting from them (including names, email addresses, IP addresses, and any other information);

- How you’re collecting their information, and what you’re going to use it for;

- How you’re keeping their information safe;

- Whether or not it’s optional for them to share that information, how they can opt-out and the consequences of doing so;

- Any third-party services you’re using to collect, process, or store that information (such as an email newsletter service, or advertising network).

41. Where can I find MailerLite’s third-party text to add to my own privacy policy?

You can find it in our Data Processing Addendum here (Annex 1 Article 8).

42. Do I need to include a checkbox for my updated privacy policy, or is a link sufficient?

You can use a link.

43. Does our privacy policy need to be stated in every newsletter?

That would be ideal. Just provide a link to your privacy policy at the bottom of every newsletter to be safe.

44. Do I need to inform my subscribers about our new privacy policy? And do they need to confirm acceptance?

It depends on the changes you make. If your updated privacy policy sets new rules on how you process personal data and it may impact your subscribers, then you should definitely inform them about it. We believe that it is not necessary to get subscriber confirmation.


45. Do all of my subscription forms need to be compliant with GDPR requirements?

Yes, if GDPR applies to you.

46. Do I need to use checkboxes if my newsletters sometimes contain advertising messages or promotions?

No. If you are only sending newsletters and they include special offers, it is still considered a newsletter. You can’t use your subscribers' data for other purposes, such as targeted advertising, SMS, Facebook ads, etc.

47. Do we need to have a checkbox to get permission for Facebook ads?

Yes, according to GDPR you have to give the individual the option to tell you that they are happy to receive marketing from specific channels like Facebook.

48. I have a couple of opt-in forms on my blog. I only collect the first name and email address. Do I have to include the marketing permissions on the confirmation subscription page?

You don't need those additional marketing permissions if you only collect subscriber data for one purpose, such as sending them email campaigns. Make sure your subscribe form clearly states what they will be getting with consent.

49. Do we need to add a checkbox "I am 16 years or older" on all forms? If not, on which occasions do we have to add it?

If companies market to minors, then we think they should consider adding age verification or parental consent options to their forms.

50. When I request emails via iPad, the IP address is not from my customers. Is it still compliant?

It is not necessary to ask your customers to provide their information from their own IP address. If you use the MailerLite iPad subscriber app, their information is automatically uploaded to your MailerLite account.

51. Is there an advantage of having double opt-ins?

While it’s up to you, there are advantages to using double opt-in for your email lists. Double opt-in gives you a stronger paper trail of proof of consent.

52. If someone doesn’t tick the checkbox for ‘marketing permissions’, does that mean I can’t offer a lead magnet? But I can’t email them to promote?

It depends on the wording. If you offer a lead magnet in exchange for their email, add a checkbox underneath asking people to consent to receive emails. They won’t get the lead magnet without consenting. Or you can explicitly state, "To receive this (lead magnet), please subscribe to my newsletter". In this case, there's no need to add a checkbox because you make explicitly clear that the lead magnet is being offered in return for joining the email list.

53. Will the GDPR checkboxes in my MailerLite opt-in form be visible only to EU visitors or to everyone?

Checkboxes will be shown to all visitors.

54. I collect email addresses to send people updates about my blog posts and shop. Do I still need to have the checkbox in my signup forms?

No, you don’t need the additional checkbox.

55. So users can subscribe just by entering an email without a checkbox, and that's OK with GDPR?

Yes. As long as you are asking them to consent to one thing, such as receiving your newsletter.

56. I have consent for email, but in the future I plan to extend my marketing channels. Can I email my subscribers to ask them for permission for other marketing channels, such as advertising or social media?

Yes, that is the proper way to do it. It is important to understand that you need specific consent for processing users’ data for other purposes.

57. Regarding cookies, do we need to give people the option to opt-out or will the "accept" button work?

Both options are appropriate. Consent must be given through a clear affirmative action. Simply visiting a site doesn’t count as consent. Keep in mind that after getting valid consent, websites must always provide people the option to change their minds.


58. Do I have to comply with GDPR if CCPA applies to me?

Yes, if you are based in the EU or process the personal data of EU citizens. These laws are similar, but they protect different individuals’ rights.

59. We don’t have proof of consent for many subscribers, but they open more than 70% of our emails. Do we still need to have their consent?

According to GDPR, you need to be able to provide proof of consent. Open rate is not sufficient proof of explicit and active consent.

60. In order to receive our free downloads, the interested party must submit their email address. They then receive an email where they can sign up for our newsletter and consent to our privacy policy. Is that an appropriate approach?

That's a great way to get all the needed permissions. We don't know for sure what the Data Protection Authorities would say, but we think that you could use links to the privacy policies instead of checkboxes.

61. We have email addresses from people who contacted us asking for product information. We want to send them our newsletters. Do we need any consent from them?

If your newsletter provides product information, then we believe you can rely on legitimate interest as a legal ground. The individuals reasonably expect you to use their data in that way, so you don't need to get additional consent.

62. How should I proceed in a data breach situation?

According to Article 33 of GDPR, in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

63. I send emails to people who bought something from my store. In every email, I state, ‘You receive this message because you have registered on our website or made purchases from us.’ Am I allowed to continue sending them emails?

Under GDPR, you need to have at least one legal ground for that. GDPR provides 6 possible grounds: consent, contract, legal obligation, vital interests, public task, legitimate interests.

If your subscribers are your clients, then you don't need consent. You can rely on legitimate interests. The individual should reasonably expect you to use their data in that way. According to the information you provided, we think that you are safe.

64. We collect emails from journalists and other industry contacts. This data is openly available (newspaper websites, organization websites, company websites). Are we allowed to have these emails or do we need to ask permission to have them?

From our point of view, you don't need their consent if you are processing their personal data for purposes that are directly connected to why the data was made public.

65. If someone opts in to get a lead magnet and I plan to send them emails promoting other products in the future, can I simply state it on the opt-in form?

It is not enough just to state it. You have to get consent for every extra data processing purpose.

66. Can I send newsletters to all my customers who bought something in my webshop?

If your subscribers are your clients, you may rely on legitimate interests. But the individual should reasonably expect you to use their data in that way.

67. Can I send cold emails to people at companies under GDPR?

Please keep in mind that GDPR protects the personal information of natural persons and not companies’ details. However, the answer to this question is yes, you can send cold emails to people at companies. They need to be B2B emails that meet requirements establishing a legal basis. You should have a strong reason to claim that the company the person works at will benefit from your offer. That said, unrequested marketing materials cannot just be sent out to random email addresses. There needs to be a logical connection.

68. Do I need to include something in my Terms and Conditions if I plan to use my customers’ email addresses to send them newsletters?

According to GDPR, you need to have a legal basis for personal data processing. In your case, if your customers made a purchase from you, then you can rely on legitimate interests. You are allowed to send them direct marketing emails. But keep in mind that this rule applies only if data subjects bought something from you. It doesn't apply to passive users. In your Terms and Conditions, you could indicate that if a customer makes a purchase, then they will receive direct marketing emails. You should also state that the person is able to unsubscribe from your emails at any time.

69. If an EU citizen unsubscribes from a mailing list, am I allowed to send an unsubscribe confirmation email at the point of unsubscribing?

Well, it’s tricky. When a person unsubscribes, they are confirming that they don’t want to receive any emails. But on the other hand, an unsubscribe email is confirmation. A safe option is to not send emails. It would be better to lead the person to a landing page that confirms their action.


70. What are we supposed to do with the Data Processing Addendum? Do I have to sign it?

You don’t need to sign it. The Data Processing Addendum supplements the Terms of Use and applies to all our clients. You can find our addendum here: MailerLite Data Processing Addendum.

71. Do we have to send back the signed Agreement? If so, should we send it by mail or email or fax?

No, you don't need to sign or send it back to us. The Data Processing Addendum is effective from the date our Customer agrees with the Terms of Use.

72. When we receive consent from users on our website, should we inform MailerLite?

You don't need to inform us. The burden of proof is on you, because according to the GDPR wording, you are a Data Controller, while MailerLite is a Data Processor. If you use MailerLite opt-in forms, you will be able to secure more proof, such as location data.

73. Is there a way to discover the location, based solely on an email address?

Typically, an email address is not enough information to discover a location. If a user subscribes with a MailerLite form, their location is automatically tracked. This is not the case if you import your own list.

74. How can MailerLite establish whether subscribers are EU citizens or not?

GDPR is not about EU citizens. It’s about people in the EU. If subscribers sign up with a MailerLite form, our location tracking capabilities can determine if the person is signing up from an EU country. We can then segment them into a special GDPR group.

75. I transferred all my emails to MailerLite and do not have location data. Do I need to revalidate my list because I don’t know who is in the EU?

First, you must have proof of consent from those subscribers. From our point of view, it is safest to treat all of those subscribers as if they were in the EU. For future subscribers, you can use MailerLite opt-in forms to get location data.

76. Does MailerLite have a Privacy Shield Certification?

EU-U.S. Privacy Shield (“Privacy Shield”) was created in order to set a mechanism for companies to comply with data protection requirements set by GDPR when transferring personal data from the EU to the United States.

However, on July 16, 2020, the Court of Justice of the European Union (“ECJ”) issued a judgment that declared that Privacy Shield is invalid. Another GDPR compliant mechanism that replaced Privacy Shield is Standard Contractual Clauses (“SCCs”).

After the annulment of Privacy Shield, we follow the GDPR requirements and make sure that SCCs are included in the related data processing agreements (DPAs). We analyze other DPA clauses and evaluate what security measures our sub-processors use to protect the personal data transferred, such as access control, data security and encryption.

After much analysis and evaluation, we decided to work with the service providers included in our list of sub-processors. SCCs are included in all the DPAs concluded between us and our sub-processors.

77. Where are MailerLite’s servers situated?

Our servers are based in the EU (Germany), so you can rest assured that your data is not being transferred outside of the EU.

78. When tracking MailerLite campaigns with Google Analytics, do you anonymize the IP addresses?

No, we don't anonymize anything. When a subscriber clicks any link in the campaign, MailerLite redirects the subscriber to the link destination. Services like Google Analytics collect the data from the subscriber's browser.

79. What’s the max data retention for customers in an email list?

All data is saved until it's deleted. In other words, we don't delete any data unless it's requested.


80. Does the MailerLite GDPR form automatically create a new list?

Yes, you should have a new "GDPR compliance" segment in your mailing list.

81. I would like the option to remove multiple subscribers at once. Will this feature come soon?

If you are working from the subscriber list, you can choose to bulk delete. If you are working from a group, you can bulk remove or delete subscribers too. Just tick some emails and press the action button to see how it works.

82. Can you segment those people who check the different options on that form?

Yes, you can segment using our subscriber management tool. Create a segment using a condition like “Custom field marketing permissions contains [your options].” You can find more details about segmentation here.

83. What should I do if I have received a request to delete all of a subscriber’s information?

The Data Protection Authorities have not been clear, but Google and Facebook both received violations on the first day after the deadline. From our point of view, you are no longer allowed to contact your subscribers without proof of consent.

If someone makes a request to be forgotten, you can’t simply unsubscribe them or delete them from your list. Even when you remove a subscriber from your list, the system keeps a history of the user. You must delete all their data permanently. This means that you need an easy way to delete EVERYTHING about the subscriber.

When you use the Delete function in your MailerLite account in the subscriber section of MailerLite, the information is not entirely removed. The reason for this is simple. If that person later resubscribes, his or her history is still there so you don’t have to rebuild their profile. MailerLite has a feature called Forget that completely wipes a person’s data from our system. This function was built specifically for GDPR compliance for the right to be forgotten.

84. What should I do if someone makes a ‘right of portability’ request?

MailerLite allows customers to download user data. In the subscriber’s profile, you can export and save subscriber data to a PDF (Print) or a JSON file (the most popular format to transfer data).

85. What is the difference between Delete and Forget?

When you use the Delete function in the subscriber section, the information is not entirely removed. If that person later subscribes again, their history is still there so you don’t have to rebuild their profile. The Forget option completely wipes a person’s data from our system in order to comply with GDPR’s right to be forgotten.

86. Can the Forget feature be automated the same way Unsubscribe is through a link in an email?

No, it's only manual. We also include a second confirmation to avoid mistakes. The Forget option completely wipes user data forever. You should only use the Forget feature when a subscriber asks to be forgotten.

87. How do I find an IP address and location information on existing subscribers?

MailerLite displays this information in your subscriber profiles. It is important to note that you can only get this data from people who subscribe through MailerLite forms. The good news is that this data is available for both your new and old subscribers.

88. How confident is MailerLite that the subscriber location details are correct?

We get location data from the subscriber's IP address when subscribers opt in through our form or confirm through a double opt-in email. The location data is a highly probable prediction. There is always a chance that a subscriber is using a VPN that shows a different country than the one they are actually in.

89. How do we unsubscribe hundreds of subscribers at a time?

You can use our filters to change the status of subscribers.


90. I'd like to change from single opt-in to double opt-in. How can I do that?

It depends on where you want to change it. For the forms created in MailerLite, there is a button for it in the form. If you use forms through integrations, then you need to select your profile icon and check subscriber settings.

91. How do you add an opt-in checkbox to landing pages?

Checkboxes are available in newly created landing pages only and can be added when editing “Signup Form” or “Pop-up Form” blocks.

92. Can we translate the MailerLite compliance text in the opt-in forms?

The easiest way to do this is to delete the English text and add the translated version.

93. We use a Privy pop-up to get new subscribers, which is automatically integrated to MailerLite. But I only see the date of subscription and how the person subscribed. What about location?

We capture the IP address, location, date, time, and the source of the consent form ONLY when you use MailerLite signup forms to acquire subscribers.

94. If I have a subscribe button on my website that links to MailerLite, does MailerLite still gather the location info? Should I add a place on my website for subscribers to enter their location?

If you use a MailerLite signup form to acquire subscribers, we capture the IP address, location, date, time, and the source of the consent form. In this case, you don’t have to ask for location info. We recommend just asking for a name and an email address to avoid form fatigue.

95. Do I need to use the MailerLite signup form on my website? Where do I find the right form on MailerLite?

You are not required to use MailerLite forms, but our forms give you the added proof points of consent like location, time and source of consent. You can find the GDPR options in our form settings.

96. Is the GDPR option with checkboxes mandatory for pop-ups and landing pages?

It depends on the situation. If you are asking someone to give consent to one thing, you can use a few sentences instead of checkboxes. Checkboxes are required when you are offering more than one thing. For example, if you ask the user to receive your newsletter and also use their data for targeted advertising, you need two clear options for consent. In this case, checkboxes should be used.

97. I just added the GDPR options to my forms. Will there be something recorded in MailerLite to prove that the new subscribers have opted in?

When you use MailerLite signup forms to acquire subscribers, we capture the IP address, location, date, time, and the source of the consent form. This information will solidify your documentation of where, when and at what time your subscribers consented. MailerLite displays this information in your subscriber profiles. Keep in mind that you can only get this valuable proof from users who subscribe through MailerLite forms.

98. How can I automatically segment my GDPR subscribers in MailerLite?

It depends on the situation. If you are using MailerLite subscribe forms, you can segment them by location to get EU subscribers. If you are using different forms, you can add subscribers to different groups or use custom fields (including the Hidden field) to segment them.

99. Is there a way to set up different opt-in forms for people in the EU vs. outside of the EU?

The short answer is no. We can help you create opt-in forms for your website, blog or social media pages, but we can’t create forms that dynamically change based on where the visitors are coming from.


Congratulations on reaching the end! We covered those 99 GDPR questions at lightning speed—but if you still have something you aren’t sure about, don’t hesitate to reach out to our friendly support team, and they’ll be more than happy to help. 


Editor's note: This article was originally published in June 2018. It has been updated with new GDPR insights to help you keep your campaigns compliant.

Marta Poliakova
Hi, my name is Marta, legal counsel at MailerLite. As a legal professional, it’s my job to ensure we’re always following the rules, especially regarding GDPR compliance. To blow off steam, I enjoy kickboxing. I call my punching bag “Mr. GDPR,” and boy do I get a good workout.