In this post we address how to craft a privacy policy for your email newsletter and the key elements you must consider. We’d also like to show you how to conveniently generate a privacy policy for your newsletter via iubenda.

This is what you are going to learn in this guide:



When you maintain an email newsletter, you will face the fact that you collect personal information about your recipients: you may have access to a recipient’s name, and you certainly have their email address. This usually happens via your website, where you collect the email address to add it to your database.

Now, you are about to collect that visitor’s email address. What does this mean for your newsletter, and how can you process that email address in a way that respects the applicable regulations?

1) Do I have to include a privacy policy in my email newsletter?

From a legal perspective, once you collect personal data from visitors, such as their email address, you need to inform them of various things (this is a constant across most legislations and systems; more information about the international regulatory framework can be found here):

  • personal data must be processed fairly and lawfully. This includes, in particular, telling the individuals concerned who you are and that you plan to use these details for marketing purposes;
  • you need to tell people if you plan to pass those details on to third parties, including selling or sharing the data for marketing purposes, for which you are likely to need their consent;
  • you collect personal data for specified purposes, and cannot later decide to use it for other purposes unrelated to your email marketing;
  • keep time in mind: a marketing list which is out of date, or which does not accurately record people’s marketing preferences, could breach privacy regulations.

Summarizing the above: you must inform your newsletter readers of these facts before you process their personal data. That is done via a privacy policy.

Apart from privacy regulations requiring you to respect the user’s privacy, there is also the newsletter provider’s own policy side to it: depending on which newsletter service provider you use, you might find that they require you to have and abide by a privacy policy in order to use their service (see 2).

2) Am I required by my newsletter service provider to post a privacy policy?

Depending on which newsletter provider you use, you will find that you can’t use their service without having a privacy policy. Let’s take a look at some of the popular services out there:

Will clearly describe in writing how you plan to use any data collected, including for your use of MailChimp. You’ll get express consent to transfer data to MailChimp as part of this process, and you’ll otherwise comply with whatever privacy policy you have posted.

You will adopt and maintain a policy that complies with all applicable privacy laws and which is at least as stringent as our Privacy Policy (as modified by Campaign Monitor from time to time). You acknowledge that all personal information that you provide to us has been collected with the relevant individual’s consent, and that you have informed the individual of the purpose for which that information was collected, and that you may provide this information to us for the purposes of use in relation to the Services. You acknowledge that we may store the personal information that you provide to us on servers located in the United States of America, and you warrant that you have obtained the consent of the relevant individuals to the storage and transmission of their personal information in this manner.

Every email message sent in connection with the Products must contain an “unsubscribe” link that allows subscribers to remove themselves from your mailing list and a link to the then-current Customer Privacy Policy. Each such link must remain operational for at least 60 days after the date on which you send the message, and must be in form and substance satisfactory to us. You agree that you will not remove, disable or attempt to remove or disable either link.

and among others

The Site and the Products shall only be used for lawful purposes and you shall use the Site and the Products only in compliance with this Agreement, the CAN-SPAM Act and regulations thereunder and all other applicable U.S., state, local and international laws in your jurisdiction, including but not limited to (a) Canada’s Anti-Spam Legislation and any other policies and laws related to unsolicited emails, spamming, privacy, obscenity, or defamation, copyright and trademark infringement and child protective email address registry laws (…)

You represent, covenant, and warrant that you will use the Services only in compliance with the Agreement and all applicable laws (including but not limited to policies and laws related to spamming, privacy, obscenity, or defamation).

and among others

You will adopt and maintain the Permissions and Privacy Policy, which may be modified by Mad Mimi from time to time.

Customer agrees that each email sent by Customer in connection with the Services shall contain a link to the then current Privacy Policy, unless Customer has obtained specific authorization from VerticalResponse to remove such link. Failure to comply with this requirement may result in a termination of Customer’s account by VerticalResponse.


Customer represents, covenants, and warrants that Customer will use the Services only in compliance with VerticalResponse’s Privacy Policy and Anti-Spam Policy as published at www.verticalresponse.com or otherwise furnished to Customer and all applicable laws (including but not limited to policies and laws related to spamming, privacy, obscenity, or defamation and child protective email address registry laws).

Email Footer. Upon activation of Customer’s email account, ExactTarget adds a default footer to each email sent via the Platform. The default footer includes: (a) Customer’s physical mailing address; (b) links to ExactTarget’s profile update and unsubscribe centers; (c) a link to ExactTarget’s Privacy Policy (which may be viewed at; and (d) an attribution that the email was powered by ExactTarget. Notwithstanding the foregoing, Customer may opt at any time to remove one or more portions of the default footer from email messages sent via the Platform; provided, however, that should Customer opt to remove (a), (b), and/or (c) above, it shall add within the body of such email messages (i) the identification of the sender; (ii) instructions on how the recipient can opt-out of future commercial mailings; (iii) the sender’s valid physical mailing address; and (iv) a link to Customer’s privacy policy, as applicable.

TinyLetter is a MailChimp company, so its terms follow MailChimp’s lead:

You represent and warrant that your use of TinyLetter will comply with all applicable laws and regulations. You’re responsible for determining whether our Services are suitable for you to use in light of any regulations like HIPAA, GLB, EU Data Privacy Laws, or other laws.

If you’re located in the European Economic Area (EEA) or send to anyone in the EEA, you represent and warrant that in creating your Email distribution list, sending Emails via TinyLetter and collecting information from sending Emails, you:

therefore you

1) Will clearly describe in writing how you plan to use any data collected, including for your use of TinyLetter. You’ll get express consent to transfer data to TinyLetter as part of this process, and you’ll otherwise comply with whatever privacy policy you have posted.
2) Have complied, and will comply, with all regulations, as well as data protection, electronic communication, and privacy laws that apply to the countries where you’re sending any form of email through TinyLetter.

Failing to include in each Email a link to the then-current Privacy Policy applicable to that Email.

3) How do I properly add a privacy policy to my newsletter?

The usual place for a privacy policy link is the footer of a website, or at the form in which you collect the user’s information. The link should point to your privacy policy and be clearly visible to the user (skip sketchy obfuscation methods).

You can also – but are not strictly required to – add the privacy policy inside the newsletter. Adding the link to your privacy policy in the newsletter makes sure that your users can find the relevant information right where it matters and don’t have to look for it somewhere they might not expect to find it.

This will be a slightly different process depending on how your email newsletter provider handles these templating/customization tasks. Usually your privacy policy is hosted on some website (yours?) and this is where you will link to. If this is not what you are looking for, iubenda offers to host your privacy policy when you generate one with us.

Is there anything else I have to think about?

Yes, you should take a look at anti-spam legislation like the US CAN-SPAM Act (depending on where your recipients are based, you should take a look at local anti-spam requirements as well). These anti-spam rules usually require you to:

  • include an unsubscribe link
  • include a physical company address

That’s also what the Privacy and Electronic Communications Regulations in Europe require:

  • a sender must not conceal their identity
  • and must include a valid address for opt-out requests
  • as well as information about the company

The opt-in/opt-out discussion:

The biggest difference in international law (and sometimes a little tricky to understand) is the opt-in/opt-out question. It concerns the proper process for collecting email addresses and what you’re allowed to do with them. In short, you will need to get consent from people at the point where you collect their email addresses. Below is the British model:


Opt-in is where you don’t get marketing emails from an organisation unless you actively consent to receive them. This consent is usually given by actively ticking a box as an indication that you understand and want to be contacted by email for newsletters. The basic rule looks like this: organisations must collect your email address on an opt-in basis unless they can satisfy three exemption criteria.

Opt-in is usually the best method to make sure that your recipient has given you their address with prior consent (condition to legitimately send that newsletter).

The safest way to handle email address collection is the so-called double opt-in method. The process involves a checkbox that tells you “yes, I consent to receiving your email newsletter and to your privacy policy”, after which the user gets a confirmation email in which they have to perform a further action to confirm their intent to receive emails from you. The reason for this is that anyone could enter an email address into your form, whether or not it is their own.
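As an added illustration (not code from the original post or from iubenda), here is a minimal double opt-in flow in Python: the form refuses a submission unless the consent box was ticked, the confirmation link carries an HMAC-signed token bound to the address and the time of the request, and only a valid, unexpired, still-pending link moves the address onto the list together with a consent record. The example.com domain, the 48-hour link lifetime and the policy version string are assumed values.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

SECRET_KEY = secrets.token_bytes(32)  # per-deployment secret; generated here for the demo
TOKEN_TTL = 48 * 3600                 # confirmation links expire after 48 hours (assumed)
POLICY_VERSION = "policy-v1"          # placeholder: the policy version the user agreed to

pending = {}      # email -> time the form was submitted, awaiting confirmation
subscribers = {}  # email -> consent record, filled only after confirmation

def _sign(email, issued_at):
    # HMAC binds the address to the issue time, so a link cannot be forged or re-pointed.
    msg = f"{email}|{issued_at}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def start_opt_in(email, consent_checked, now=None):
    """Step 1 (signup form): require the consent box, record the request, build the link."""
    if not consent_checked:
        raise ValueError("consent checkbox was not ticked")
    email = email.strip().lower()
    now = int(time.time() if now is None else now)
    pending[email] = now
    query = urlencode({"email": email, "t": now, "sig": _sign(email, now)})
    # This link is mailed to the address; nothing is added to the list yet.
    return f"https://example.com/confirm?{query}"

def confirm_opt_in(link, now=None):
    """Step 2 (link click): subscribe only on a valid, unexpired, still-pending link."""
    params = parse_qs(urlparse(link).query)
    try:
        email, issued_at, sig = params["email"][0], int(params["t"][0]), params["sig"][0]
    except (KeyError, ValueError):
        return False
    now = int(time.time() if now is None else now)
    if not hmac.compare_digest(sig.encode(), _sign(email, issued_at).encode()):
        return False  # tampered or forged link
    if pending.get(email) != issued_at or now - issued_at > TOKEN_TTL:
        return False  # unknown, already used, or expired
    del pending[email]
    subscribers[email] = {"consented_at": issued_at, "confirmed_at": now,
                          "policy_version": POLICY_VERSION}
    return True
```

Keeping the consent timestamp and policy version per subscriber is what lets you later show when and to which policy a reader agreed.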


Opt-out is where you are told that you will get marketing emails unless you say you don’t want them. For this to be allowed, all three exemption criteria must be met:

  • your email address was collected in the course of a sale or negotiations for a sale;
  • the sender only sends promotional messages relating to their similar products and services; and
  • when your address was collected, you were given the opportunity to opt out (free of charge except for the cost of transmission) which you didn’t take. The opportunity to opt out must be given with every subsequent message.

4) An example privacy policy for a newsletter?

A lot of people ask for sample privacy policies for their newsletters. In reality those samples don’t do anyone much good because they’re far too generic. Let’s start with an enumeration of what needs to go into a privacy policy. Most countries’ privacy laws require you to include the following information:

– what kind of personal data is collected;
– how this information will be used by the company;
– how this information will be transferred to third-party companies;
– instructions on how users can modify or delete their personal information;
– instructions on how users can opt out of future communications;
– the policy’s effective date and how you notify people of material changes to your privacy policy.

Depending on who your newsletter provider is, you would also include some information about them and what their privacy practices look like. Luckily, iubenda offers exactly that.

What do I do now?

You can either hire a lawyer, write your own complete policy or use iubenda’s generator right away to make your policy for you.

Our Approach for Generating a Privacy Policy for Newsletters

So here’s where iubenda’s privacy policy generator will come in very handy:

1. Define the services and categories of data collection your site/app/newsletter is making use of.

2. Add the services (and categories of data collection like “Contact form”, “Mailing List or Newsletter”, “Mailchimp” & “Direct Email Marketing (DEM)”) you are using to your policy. iubenda will then generate your privacy policy for you.


3. Get the link to embed the policy into the footer of your newsletter (full disclosure the embedding link is a PRO feature).



Try Our Privacy Policy Generator

Read this guide also in German: “Datenschutzerklärung für einen E-Mail-Newsletter”.

