I added email subscriptions to my blog[1] and, in the process, signed up for four different email providers to test them out. A week later, I noticed I was getting marketing emails from all of them. I thought this was weird – I’m based in the European Union, and thought that the GDPR forbade companies from emailing me without asking. I’m also usually careful about “sign me up for email marketing” checkboxes, so I thought it was weird that I’d missed… all four of them?

Time to investigate.

The products I’ll discuss today are:

Signing up

The methodology:


Here’s a completed sign-up form for Mailchimp. Note the sneaky “reverse consent checkbox” - “I don’t want to receive emails about new Mailchimp products, best practices, or special offers”.

Mailchimp’s signup form. SNEAKY.


I hate sneaky reverse consent checkboxes. I missed this one the first time I signed up.

Later on, you’re presented with another email sign up form. This, in contrast, is the best kind of sign up form – explicitly-labelled optional signups. Nothing sneaky going on here. 🎉

Choose your News ✨



There’s no newsletter checkbox on the sign up form…

Mailjet's signup form

… because it’s in the second step of the onboarding. It’s an opt-in checkbox; I haven’t checked it. Good.

Extremely tiny signup checkbox! I don’t know why it’s so small, considering it’s an opt-in 🤷🏻‍♂️



No checkboxes! Just a signup flow.

Screenshot of CampaignMonitor's sign-up screen


Also no email subscription checkboxes!

Screenshot of ConvertKit's sign-up screen

Emails, a week later

Here’s the emails I received from each of these services after waiting a week.


I got exactly one email from Mailchimp. It’s an automated report about my subscriber count! I didn’t sign up for this explicitly, but I’m ok with it, because it feels account related.

Screenshot of Inbox showing 1 email from Mailchimp

There was one signup; it was me. 🙃


Three emails!

Screenshot of Inbox showing 3 emails from Mailjet

Recall that I carefully avoided opting-in to emails when I signed up. You are apparently subscribed to these ones by default, regardless of your choices.


Screenshot of Inbox showing one email from CampaignMonitor

One email! It’s a sign-up / welcome email.


Six. Six emails.

Screenshot of Inbox showing six emails from ConvertKit

Wait. Hang on:

Screenshot of Spam Folder showing 2 additional emails from ConvertKit

Eight emails.


Here’s a neat summary table. I made it with emoji ✨:

Provider | Received emails in a week

What are the actual rules again?

I felt like some of these email practices might have been a violation of the GDPR when I first noticed. Indeed, the first draft of this blog post was called “It’s 2020, and these email marketing companies are still doing the GDPR wrong”.[3]

But before making claims about companies being non-compliant, I thought it might be prudent to… y’know, actually read the GDPR.

What legislation is involved?

I’ve been talking about this as if email marketing is the domain of the GDPR, but actually, it’s the domain of both the GDPR and the ePrivacy Directive. The ePrivacy Directive was written in 2002, and the GDPR refers to it, and explicitly does not replace it. It turns out that a lot of the legislation related to electronic direct marketing is grounded in the ePrivacy Directive.

It’s worth noting that Regulation and Directive are technical terms – Regulations are binding law, which apply to all countries in the EU. Directives are more like ‘statements of goals’, which member states must implement in their own national laws. Note that the GDPR is a Regulation, but the ePrivacy Directive is just a directive, and so implementation of the ePrivacy Directive varies between EU countries.

What are the rules on direct marketing?

Here’s my current understanding of when you’re allowed to send direct marketing emails to EU-based users[4]:

So… why am I getting all these emails?

I still can’t say with certainty, but let’s step through the reasons described above.

I personally don’t think signing up for a “free forever” account constitutes entering into a sales negotiation, and either way, I didn’t get a chance to explicitly opt-out of email marketing when my email address was collected (except from Mailchimp!).

I’m also not a business, and I haven’t signed up using a business email address, though maybe the email providers who are emailing me have clearly made that assumption[7]. From the stuff I read, this seems like a bad assumption to make.

I suspect that Mailchimp is relying upon the “sale or negotiation” reason, judging by the fact that:

I’m less clear regarding Mailjet and ConvertKit. My hypothesis is that they have both decided that they have a “legitimate interest” in sending me emails, and they’ve probably justified it by the fact that a lot of what they’re sending me is tutorial / onboarding stuff. Maybe my interest in receiving tutorial information is implied by the fact that I signed up for the product[8]. Maybe they somehow don’t consider this as marketing.

Having said all of that, even if “legitimate interest” is legally justifiable, that doesn’t mean it’s classy.

I’d like stricter, more consistent standards for this.

I thought the GDPR prevented companies from sending me marketing emails without asking first, but I was wrong. Through this investigation, I’ve become more sure that requiring explicit, affirmative consent is a good thing. We shouldn’t make people figure out if they need to tick a checkbox to opt-in, or uncheck a tickbox to opt-out, or unbox a tickcheck to opt-it-all-about.

Don’t do this. This is terrible. (Codepen)

I’m also extremely unconvinced by the “legitimate interest” defence of direct marketing. I really can’t imagine a situation in which the expected return generates enough value to justify the annoyance. Won’t customers explicitly sign up if they actually care? I suspect that part of the problem here is that we’re still in the habit of asking people to subscribe at signup, rather than solving the design problem of asking for email consent once we’ve demonstrated that we’ll communicate valuably.[9]

If you’re building a product, have enough faith in your actual product to believe that your users will stay engaged without regular email reminders that you exist.

That’s it!

I learned a lot from researching this! But there’s a pretty high chance I’ve misunderstood a nuance somewhere – law is really complicated and it is not my job. If I’ve said something egregiously imprecise or you want to commiserate, you have my freely-given, specific, informed consent to send me an email

Resources / Further Reading

  1. Update Jun 2022: When I wrote this, I was using CampaignMonitor because I wanted a fancy post-to-automatically-email pipeline, but then (1) it didn’t work so well, (2) I was paying €9 a month (3) I’ve only got 15 subscribers and they’re all my friends 🤷‍♀️

    Now instead, I’m just doing this out of a Gmail account, inspired by a friend writing on chronicpizza.net. Sign up here↩︎

  2. I got sign-up confirmations from three providers, and counted them as transactional, even though some are extremely marketing-ish. Sign up emails are useful because if you forget what the service is called or which address you signed up with, it’s easy to track that info down again! ↩︎

  3. Actually, this is kinda fun and spicy and maybe partially true? Maybe I should’ve gone for it. ↩︎

  4. It could be wrong in places! IANAL, and if I’ve said something egregiously wrong here please tell me↩︎

  5. ‘Shady’ isn’t a legal term, this is opinion, not fact, etc etc ↩︎

  6. The EU directives have both Articles (the actual law bit) and recitals, which are designed to communicate intent and use less legalese than the articles. ↩︎

  7. Mailchimp, Campaign Monitor, and Mailjet ask for ‘Business / Company / Organisation Name’ in the signup process, and ConvertKit starts their signup process with the question “Do you currently use an email marketing tool in your business?” ↩︎

  8. This is a bad defence, apparently! As per the UK Information Commissioner’s Office:

    “[the suggestion] that marketing is in the interests of individuals…is unlikely however to add much weight to [a marketer’s] balancing test”.

  9. A lot of things also don’t have to be emails! For example, you can put new feature notifications in your app (Slack does this!), and have tips and news in loading interstitials / on dashboard screens. ↩︎