How to Build a GDPR-Compliant Email List for Your UK E-Commerce Store
Building an email list for your UK e-commerce store is not complicated — but building one that is genuinely compliant with UK GDPR and PECR requires more care than most brands invest. The consequences of getting it wrong range from an unengaged list that hurts your deliverability to an ICO investigation that can result in significant financial and reputational damage.
This guide covers the practical mechanics of building a GDPR-compliant email list for UK e-commerce — from consent language and popup design through to ongoing list hygiene and data subject rights management.
The Legal Foundation: UK GDPR and PECR
Two pieces of legislation govern email list building and email marketing in the UK:
UK GDPR (retained in UK law via the Data Protection Act 2018) governs the collection, storage, and processing of personal data, including email addresses. Any UK brand collecting email addresses is a data controller under UK GDPR.
PECR (Privacy and Electronic Communications Regulations 2003, as amended) specifically governs electronic marketing communications — including email. PECR requires that you either have explicit consent from the recipient or can rely on the soft opt-in rule for existing customers.
For practical purposes: you need a lawful basis under UK GDPR to process the data, AND you need either consent or the soft opt-in under PECR to send the marketing email. Both requirements apply simultaneously.
What Counts as Valid Consent
Under UK GDPR, valid consent for email marketing must be:
Freely given. The subscriber must have a genuine choice. If you bundle marketing consent with your terms and conditions or make it a requirement to complete a purchase, that is not freely given consent.
Specific. The consent must be clearly for marketing emails specifically. A general “I agree to your terms” is not specific enough. The consent must relate to email marketing in particular.
Informed. The subscriber must know whose list they’re joining and what kind of emails they’ll receive. “Sign up to receive news and exclusive offers from [Brand Name]” meets the standard. “Subscribe” alone does not.
Unambiguous. Consent must be given through a clear affirmative action. Pre-ticked boxes, assumed consent through passive behaviour (scrolling, visiting a page), or implied consent are not valid under UK GDPR. The subscriber must actively opt in.
Documented. You must be able to demonstrate that consent was given. This means recording the timestamp, source, IP address (optional but best practice), and exact consent wording at the time of sign-up.
Compliant Sign-Up Form Design
Here is how to design a GDPR-compliant email sign-up form for a UK e-commerce store:
The Popup
Your popup must include:
- A clear value proposition (“Get 10% off your first order”)
- An email input field
- An unambiguous opt-in action — either a tick box that the user must actively tick, or a clearly labelled submit button where the consent purpose is stated directly above it
- The brand name (so the subscriber knows who is collecting their data)
- A link to your Privacy Policy
- Explicit statement of what they’re signing up for
Compliant example:
Get 10% off your first order
[Email address field]
☐ Yes, I’d like to receive exclusive offers, new product news and updates from [Brand Name]. I can unsubscribe at any time.
[Continue button] | Privacy Policy
Non-compliant example:
Join our community! Enter your email to get started.
[Email address field]
[Sign Up button] — By signing up, you agree to our terms and privacy policy.
The second example fails because: the consent purpose is vague, the tick box is absent, and bundling consent with “terms” is not specific consent to marketing.
The Checkout Opt-In
Many UK Shopify brands capture email addresses at checkout, which is legitimate for transactional purposes (order confirmation, shipping updates). However, you cannot then send marketing emails to those addresses without a separate, explicit marketing opt-in.
A compliant checkout opt-in looks like this:
☐ I’d like to receive news, promotions and exclusive offers from [Brand Name] by email.
This tick box must be:
- Unticked by default
- Actively labelled as marketing opt-in
- Separate from the tick box accepting terms and conditions
Any Shopify store using Klaviyo, Omnisend, Dotdigital, or ActiveCampaign can configure this correctly within their ESP’s Shopify integration. The consent flag is passed alongside the email address at checkout.
List Building Tactics: Compliant Approaches
Here are the most effective GDPR-compliant list-building tactics for UK e-commerce brands, with notes on specific compliance considerations for each.
Exit-Intent Popups
Triggered when a visitor moves their cursor towards the browser close button or navigates away. The timing means the subscriber is on the verge of leaving, making the offer more persuasive.
Compliance note: Same consent requirements as any popup. Timing doesn’t affect the legal standard. Ensure your exit-intent popup includes clear consent language.
Performance: 1–3% conversion rate on non-subscriber site visitors. One of the highest-performing list-building tactics available to UK e-commerce brands.
Welcome Popup (Page Load or Timed)
A popup triggered immediately on page load or after a set time (e.g., after 10 seconds on the page). More intrusive than exit-intent but often higher volume.
Compliance note: GDPR does not prohibit popup timing. Consent language requirements are the same regardless of when the popup appears.
Performance: 0.5–2% conversion rate. Lower than exit-intent because the visitor hasn’t had time to demonstrate interest.
Dedicated Landing Pages for Sales Events
A standalone landing page for specific events — Black Friday early access, January sales VIP list, new collection launch notifications — captures subscribers who are already engaged with a specific value proposition.
Compliance note: The consent wording should reflect the specific purpose. “Sign up for Black Friday early access” is specific and compliant. Ensure your marketing emails post-sign-up are consistent with what the subscriber was told at sign-up.
Performance: 15–35% conversion rate for paid social traffic. One of the most efficient ways to grow an intentional, high-quality list.
Referral and Loyalty Programmes
Existing customers refer friends in exchange for loyalty points or discounts. The referred friend enters the list via the referral link.
Compliance note: The referred friend must still provide active, informed consent to join your marketing list. You cannot add them to your list without their explicit opt-in. The referral mechanism just drives them to the sign-up — it doesn’t replace the consent requirement.
Competitions and Giveaways
Running a competition where entry requires an email address is a common list-building tactic. Compliance requires that:
- Marketing email opt-in is not a condition of entry (under UK GDPR, consent must be freely given — bundling it with competition entry is suspect)
- The consent checkbox for marketing emails is separate from entering the competition
- The competition terms make clear how the data will be used
Best practice: allow competition entry without marketing opt-in, but offer an optional tick box for email marketing consent. This lowers your opt-in rate but ensures those who do opt in are genuinely interested.
Performance: highly variable depending on prize relevance. A prize with no connection to your brand (iPad, cash) will generate a low-quality list. A prize consisting of your own products generates subscribers who are genuinely interested in what you sell.
Content and Lead Magnets
Offering a guide, checklist, recipe book, or other content piece in exchange for an email address. Common in fashion (“Style Guide PDF”), health (“Supplement Guide”), and food & beverage (“Recipe Collection”).
Compliance note: The consent wording must make clear that by downloading the content, the subscriber is also opting in to email marketing. The content is the value exchange, not a separate process. “Download your free guide and receive email updates from [Brand Name]” is acceptable wording.
Performance: 3–8% conversion rate from relevant landing page traffic. Lead magnets tend to attract engaged subscribers with a specific content interest aligned to your products.
Post-Purchase Upsell to Subscriber
A subscriber prompt on the order confirmation page or in the transactional order confirmation email. Since the customer has just purchased, you know they’re engaged with your brand.
Compliance note: The order confirmation email is transactional. You can include a marketing opt-in prompt within it, but the opt-in itself must be active and explicit — a pre-ticked box is still non-compliant even in a transactional email.
Performance: 5–12% opt-in rate on order confirmation pages. These subscribers are high quality — they’ve already purchased.
Double Opt-In: UK Requirements
UK GDPR does not legally mandate double opt-in (sending a confirmation email asking the subscriber to verify their address). However, it is strongly recommended because:
- It provides an additional layer of consent documentation
- It prevents fake or mistyped email addresses entering your list
- It reduces spam complaints (bots and fake sign-ups don’t confirm)
- It maintains stronger deliverability by keeping list quality high
Most UK brands see a 20–30% drop in confirmed subscribers when switching from single to double opt-in. This is the cost of cleaner consent. The brands who make this switch consistently see better deliverability and higher engagement rates — which translates to better commercial performance per email sent.
Configuration for double opt-in is available on all major ESPs: Klaviyo, Omnisend, ActiveCampaign, Dotdigital, Mailchimp, HubSpot, and Brevo.
List Hygiene: The Ongoing Compliance Requirement
GDPR requires that personal data is not retained for longer than necessary for the purpose for which it was collected. For email lists, this means you must have a process for removing or suppressing subscribers who are no longer relevant.
From a compliance perspective, a subscriber who consented 18 months ago and has not opened or clicked any email in the last 12 months poses a question: does your original consent still reflect their current wishes? The ICO’s guidance on this is cautious — stale consent is a legitimate area of concern.
From a commercial perspective, the answer is clear: non-engaging subscribers harm your deliverability, skew your analytics, and contribute nothing to revenue.
Recommended UK list hygiene cadence:
- Monthly: Automatically suppress hard bounces and spam complaints
- Quarterly: Run a re-engagement campaign to subscribers who haven’t opened or clicked in 90 days. Suppress non-responders.
- Bi-annually: Audit the full list for subscribers with no engagement in 180 days. Either run a final re-consent campaign or suppress.
- Annually: Consider whether subscribers with no engagement in 12+ months should be deleted entirely to maintain GDPR compliance
The re-consent campaign mechanic: email lapsed subscribers with the subject “Is this still a good email address for you?” Include a large, unmistakable “Yes, keep me subscribed” button. For subscribers who don’t click, suppress them. This is a form of active consent renewal.
Data Storage and Processing Compliance
Beyond the email addresses themselves, the following data considerations apply to your list-building:
Consent records must be stored. You must be able to demonstrate consent for any subscriber on your list. This means storing the timestamp, source, and consent wording. Most ESPs store this automatically if configured correctly.
Subject access requests. If a subscriber requests to know what data you hold on them, you must be able to provide a complete profile including their email history, consent record, and any behavioural data (opens, clicks, purchases). Your ESP must be able to generate this report.
Right to erasure. If a subscriber requests deletion of their data, you must delete their record from your ESP. This is different from suppression (adding to a suppression list) — full deletion means removing all personally identifiable information. Note: you must retain the suppression record (typically just an email hash) so that they don’t inadvertently re-enter your list.
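As an added illustration of the consent-record and erasure points above (example code written for this page, not taken from the article or from any ESP), a minimal Python store that keeps the fields the article says must be documented, answers a subject access request from them, and on erasure drops every field of personal data while retaining only a keyed hash of the address on the suppression list. The HMAC key, the field names and the sample addresses are constructed for the example; a keyed hash is used rather than a bare SHA-256 because a plain hash of an email address can be reversed by guessing common addresses.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed key for the example only; in production load it from a secret store.
SUPPRESSION_KEY = b"example-suppression-key-not-for-production"


@dataclass
class ConsentRecord:
    """The evidence the article says must be kept to demonstrate consent."""
    email: str
    timestamp: str            # ISO 8601, UTC, taken at sign-up
    source: str               # e.g. "checkout opt-in" or "exit-intent popup"
    wording: str              # exact consent text shown to the subscriber
    ip_address: Optional[str] = None  # optional, best practice per the article


def normalise(email: str) -> str:
    # Trim and lower-case so "Jo@Example.com " and "jo@example.com" are one person.
    return email.strip().lower()


def suppression_token(email: str) -> str:
    # Keyed hash: the suppression list holds no plaintext address, and without the
    # key it cannot be reversed by hashing a dictionary of likely addresses.
    return hmac.new(SUPPRESSION_KEY, normalise(email).encode(), hashlib.sha256).hexdigest()


class SubscriberStore:
    def __init__(self) -> None:
        self.records = {}      # normalised email -> ConsentRecord (personal data)
        self.suppressed = set()  # keyed hashes only, no personal data

    def record_consent(self, email, source, wording, ip_address=None, timestamp=None):
        """Store an active opt-in; refuse silent re-entry of an erased address."""
        key = normalise(email)
        if suppression_token(key) in self.suppressed:
            return False  # erased or unsubscribed: a fresh opt-in needs a deliberate process
        when = timestamp or datetime.now(timezone.utc).isoformat()
        self.records[key] = ConsentRecord(key, when, source, wording, ip_address)
        return True

    def erase(self, email) -> bool:
        """Right to erasure: delete all personal data, keep only the keyed hash."""
        key = normalise(email)
        self.suppressed.add(suppression_token(key))
        return self.records.pop(key, None) is not None

    def export_for_sar(self, email):
        """Subject access request: return the held consent record as a plain dict."""
        rec = self.records.get(normalise(email))
        return None if rec is None else vars(rec).copy()
```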
Data processing agreements. All major ESPs are data processors under UK GDPR. You must have a data processing agreement (DPA) in place with your ESP. Klaviyo, Dotdigital, Omnisend, HubSpot, ActiveCampaign, Mailchimp, and Brevo all offer standard DPAs, but you must actively accept them.
Common UK List Building Compliance Mistakes
Pre-ticked opt-in boxes. Still common on UK e-commerce checkout pages. Not valid under UK GDPR. Will not pass an ICO audit.
Consent bundled with T&Cs. “By creating an account, you agree to receive marketing emails” is not valid consent. Marketing opt-in must be separate.
No consent record. Having a list of email addresses with no record of when, how, or for what purpose consent was given is a UK GDPR compliance failure.
Inaccurate consent language. Telling subscribers they’re signing up for “news and updates” and then sending heavy promotional content. The consent language should accurately reflect what the subscriber will receive.
Forgetting PECR. PECR applies even where GDPR is satisfied. The soft opt-in rule under PECR has specific requirements. Ensure your legal basis for each marketing send is clearly documented.
Conclusion
A GDPR-compliant email list is not a smaller, less useful version of a non-compliant list. It is a better asset: cleaner, more engaged, legally defensible, and commercially superior. The work required to build it correctly is front-loaded — the ongoing maintenance is manageable.
UK brands who invest in compliant list-building processes from the start avoid the painful and expensive process of retrospective compliance work, list purges, and ICO investigations. They also build subscriber relationships on a foundation of trust — which translates directly into engagement and revenue.