Google’s ReCAPTCHA v3: What you need to know to be GDPR compliant
Home Resources Articles How to create a GDPR-compliant newsletter in 3 simple steps

How to create a GDPR-compliant newsletter in 3 simple steps

by Usercentrics
Dec 1, 2020
Google’s ReCAPTCHA v3: What you need to know to be GDPR compliant
Table of contents
Show more Show less
Book a demo
Learn how our consent management solution can improve privacy and user experience for your users.
Get your free data privacy audit now!

Download a whitepaper for free but only if you sign up for the newsletter – many websites offer this or similar deals. But is this move really GDPR-compliant? In this article we explain everything you need to know in order to circumvent pitfalls in the GDPR coupling ban.

In this article you will learn:

  • How to configure consent for the newsletter sign-up clearly and unambiguously.
  • Why it is so important to transparently communicate to the user what he or she is consenting to and how they may revoke this consent.
  • How you can ensure consistent GDPR-compliant data processing.

When do I have to observe the GDPR coupling ban?

Providers all over the internet are constantly wooing for the user’s attention. Whether it’s whitepapers, ebook downloads or participation in a prize draw – the ultimate goal is to gain more newsletter subscribers. And it is also obvious that the conversion rate can be boosted considerably by using a “goodie”.

Since not all means are legal (incentives such as vouchers with inordinately high values are prohibited), you should certainly get to grips with the coupling ban in the General Data Protection Regulation (GDPR) first.

The GDPR strengthens the rights of users and provides them more autonomy over their data. 

Only when users have provided explicit permission for the processing of their data, website operators may use it at all. 

More regarding this topic can be found in our article  “7 Criteria for GDPR-Compliant Consent”.

Consent in accordance with Art. 6 Paragraph 1 lit. a) GDPR to receiving the newsletter must be provided through an unambiguous, confirming action, with which the user communicates that he or she consents to the processing of the applicable personal data in a voluntary, informed manner and for the specific case indicated (Recital 32)

The website operator may neither coerce the user to provide consent (e.g. by blocking access to content when the user has refused consent for his/her personal data usage) nor “sneak” a newsletter upon them, otherwise the requirement for the voluntary and informed nature will have been violated (Art. 7 GDPR).

Why legit newsletter marketing is so important

The goal of every newsletter marketing campaign is clear: to generate as many new subscriptions for the newsletter as possible. The subscription is coupled to, for example, a free whitepaper download. 

But it is also obvious that creating a whitepaper costs money – and this investment must ultimately produce a return.

Typical case: let’s assume that creating the whitepaper PDF costs 1,500 Euros. If 1,500 new subscriptions to the newsletter are acquired, then mathematically each new subscriber costs 1 Euro each. It must therefore not be left to chance whether users interested in the white paper also subscribe to the newsletter. The solution: only when the user provides consent to subscribing to the newsletter he will receive a download link for the whitepaper – and the subscriptions then ideally result in qualified leads and finally to confirmed sales/contracts or similar.

Checklist: How to create a GDPR-compliant newsletter in 3 steps

Firstly, we should point out that anyone wishing to do legally compliant newsletter marketing should offer the users as much transparency as possible and, in every case, obtain consent to process their personal data. 

By following these data protection rules you will err on the side of legal caution:

It must be clear to the user that downloading the white paper will automatically result in subscribing to the newsletter. That to which the user is consenting must be clearly recognizable. This means: The user can only be made aware of the purpose of the white paper download and coupling it to a newsletter subscription if consent has been obtained in accordance with data protection law.

A negative example: you go to a restaurant and leave your data due to coronavirus tracking and tracing. A few days later you get mail from that restaurant. However, you didn’t consent to receiving marketing or advertising. Feels weird, right? Compliance with purpose limitation (Art. 5 GDPR) in terms of the GDPR definitely does not apply here.

How do I ensure that the user interested in the white paper has explicitly consented to the newsletter subscription?

Unambiguous consent: Use a separate control field so that the user can provide explicit consent to signing up for a newsletter. The control box may not be pre-activated – it must be actively and manually ticked. This ensures that it’s abundantly clear to the user for what purpose (here: newsletter) he or she is giving consent.

Shoring up consent via a double opt-in: We also recommend solidifying the newsletter sign-up via a so-called double opt-in (“double agreement”). Large mailing providers offer this option as a standard. Here the user receives an email after registration (first opt-in) at the email address provided in which he or she confirms registration via a link (second opt-in).

The advantage for you as a provider: You know directly whether the address provided is correct and can also ensure that users also check their spam folders if required.

Step 2: Ensure “clean” data processing

Once users have explicitly consented to having their data processed, this must now be done in accordance with the GDPR. Processing can generally be divided up into two areas:

Upon collection:

Process data sparingly: Follow the principal of sparing data use and only collect data which is absolutely necessary for the marketing campaign. 

Ensure encrypted transfer: Data transfer must always occur in encrypted form. This is the only way of ensuring that data does not fall into the hands of third parties without permission. Websites use a so-called SSL certificate for this purpose which is recognizable through a URL beginning with “https://” and a padlock symbol in the address bar. 

Don’t forget to name and indicate third-party services: Bot queries can be countered by using registration forms with protection systems such as Google’s reCAPTCHA. Here you should make it absolutely clear to your users about the use of third-party services because these also collect data. 

After collection:

Save data securely: Once the data has been gathered it must be saved in a safe place and protected from outside attacks (Art. 32 GDPR). The scope of the measures to be taken depends on several factors (identified as “appropriate protection level” in the regulation). 

Make revocation easy: Users must be able revoke their consent without great effort to ensure GDPR-compliance. Users must be made aware of this fact before they sign up to the newsletter. To enable a straightforward opt-out, a link should be embedded in every mailing whose activation not only stops the newsletter being sent but also the complete deletion of user data.

Step 3: Establish full transparency

Users have the right to know exactly what happens with their data. 

Integrate data protection provisions: Link the data protection provisions for the newsletter during the opt-in. Make clear to your users which data is being collected and for which purpose, how the data is processed and how they can opt out. 

Openly communicate info regarding CRM/mailing providers: A CRM solution is often used, especially with large marketing projects in the B2B and B2C space, to save data sets from the newsletter subscribers in one central location. The users must be made aware that their data is forwarded to third parties. Similar applies for large mailing providers which offer website operators management of addresses via their platform. Users must likewise be informed about the contract data processing.

Our tip: Pay close attention when selecting a mailing/CRM provider to which data protection measures they have adopted and to how subsequent data processing is configured. If in any doubt, decide on the most transparent solution which uses the very least amount of data possible.

Is the coupling ban no longer an issue?

Assuming I observe all rules of the GDPR I should then legally be on the safe side with my newsletter marketing, right?

The answer: Yes and no.

Whether or not the coupling ban is cleared up in this case is something even experts can’t agree on.

On the one hand transparency ensures that the user can make an informed decision, i.e. that he or she does not sign up for the newsletter by coincidence without realizing it. On the other hand, there is the question of how one interprets the mechanisms of the coupling ban: That is, from the user’s or provider’s point of view.

There is discussion on both sides as to how website operators may justify coupling the download of a whitepaper to signing up for a newsletter. In doing so you could, for example, refer to the fact that making an elaborate whitepaper available is only economically viable because it is coupled to another service (in this case a newsletter).

The “legitimate interest” in this case: Without the link to
the newsletter subscription the provider would be unable to make the
free white paper download available.

The deciding fact is that the user is always informed about this exchange, i.e. that he is willing to pay for receiving the white paper for a type of “nominal fee” (consent to signing up for a newsletter).


Consciously setting up GDPR-compliant newsletter marketing is not rocket science, but it does require investing some time. A project like this is worth planning in a certain time schedule – and the matter should certainly not be left to the last minute.

GDPR-compliant newsletter marketing lives and dies with transparency – and of course the voluntary, explicit consent of the subscribers. Most importantly, clearly and unambiguously design the consent for newsletter marketing, ensure data security during the processing of data and communicate transparently with the users.  

Those familiar with the rules of the coupling ban and who proceed accordingly will benefit from a boost in new newsletter subscriptions – and will remain on the right side of the law. Every minute invested prior to beginning will pay off in the end, including the stress you won’t need to experience!


Stay up to date – if there are new rulings and interpretations you learn about them in our Knowledge Hub.

Not yet running a Consent Management Platform (CMP) 
to obtain consent from your users?

Get in touch with us! We will be pleased to assist.




The decision to implement a data protection-compliant CMP is ultimately at the discretion of the data protection officer and/or the legal department. These statements do not constitute legal advice. They merely serve to support and inform you about the current legal situation with respect to the implementation of a CMP solution. Please consult a qualified lawyer should you have any legal questions.

Related Articles


Digital Markets Act (DMA) for startups: benefits and challenges

With the Digital Markets Act (DMA) in effect, what challenges and benefits can start-ups and SMEs that rely on...


Understanding the Washington My Health My Data Act: a comprehensive guide

The Washington My Health My Data Act is a state-level data privacy law that focuses solely on consumer health...