Newsletter creators usually think they are too small for privacy compliance to matter. They are not. GDPR applies to anyone processing EU resident data, regardless of business size. CCPA has revenue and volume thresholds that exempt most small operators, but the EU has no such carve-out — even a 50-subscriber hobby newsletter is technically subject to GDPR if any of those subscribers are in the EU.
The good news: compliance is mostly a one-time setup. Generate the policy, link it in your signup form and email footers, and you are done.
Most of this tracking happens automatically through your email platform. You may not have set it up explicitly, but you are still legally responsible for disclosing it.
Get your newsletter privacy policy in 2 minutes.
Open Privacy Policy Generator →

| Platform | Where to add policy | Effort |
|---|---|---|
| Substack | Settings > General > Privacy Policy URL field | Easy - native field |
| Beehiiv | Settings > Customize > Footer or custom page | Easy |
| ConvertKit | Settings > Email Templates > Footer | Add link to all emails |
| Mailchimp | Audience > Settings > Footer | Required field for compliance |
| Buttondown | Settings > Email Preferences > Footer | Easy |
| Custom newsletter | Add /privacy page on your domain | Standard |
Open and click tracking disclosure. "When you receive our newsletter, we may track which emails you open and which links you click. We use this data to understand which content resonates and to send more relevant follow-ups. You can disable image loading in your email client to prevent open tracking."
Subscription source tracking. "When you subscribe, we record which signup form or referrer you came from. This helps us understand which marketing efforts are working but is not shared with third parties."
Email platform disclosure. "We use [Substack/Beehiiv/ConvertKit] as our email service provider. Your email address and engagement data are stored on their servers in accordance with their privacy policy. You can review their privacy practices at [link]."
Paid subscription handling (if applicable). "Paid subscriptions are processed by Stripe. We never see or store your full credit card number. We retain billing records for tax and accounting purposes."
If your newsletter has any kind of website or landing page (even a simple Substack about page), and you serve EU traffic, you need a cookie consent banner. Substack and Beehiiv handle this automatically for the platform itself, but if you have a separate site (Carrd, Webflow, custom), you need your own banner.
Substack provides a privacy policy URL field in Settings > General. You can either:
Option 2 is better. Create a free Substack post titled "Privacy Policy," paste your generated policy text, mark it as a page rather than a regular post, and use that URL.
The most common GDPR violation among newsletter creators: importing email lists from other places (your contacts, a previous newsletter platform, friends who said it was fine) without explicit consent.
GDPR requires explicit, informed, freely given consent. Importing emails from your old Mailchimp list to your new ConvertKit list is fine because consent transfers. Importing emails from your phone contacts because "they would probably want it" is not.
Best practice for any imported list: send a re-confirmation email. "I am moving my newsletter to a new platform. Click here to confirm you want to keep receiving it." Subscribers who don't click are removed. Annoying but legally clean.
If you have a paid tier, your privacy policy must additionally cover:
Subscribers can request deletion of their data at any time. Set up a process:
Most email platforms have built-in unsubscribe and delete features that handle this in 2 clicks.
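The re-confirmation step for imported lists and the deletion process above are both bookkeeping problems: who consented, when, from which source, and which addresses must never be mailed again. The Python below is an added example, not code from the article or from any of the platforms it names. It keeps a small consent ledger in memory: imported addresses start as pending, each re-confirmation link carries an HMAC so a link cannot be forged for someone else's address, links are single use, unconfirmed imports are removed after a window, and a deletion request drops the record while keeping only a keyed hash of the address as a suppression marker so a later re-import cannot quietly resurrect it. The secret key, window length, and sample addresses are constructed placeholders.

```python
"""Added example (not the article's or any platform's code): a minimal consent
ledger for a newsletter list. Covers re-confirming an imported list with signed,
single-use links and honouring a subscriber's deletion request."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed placeholder; a real deployment loads this from a secret store.
SECRET_KEY = b"example-only-secret-key"


@dataclass
class Subscriber:
    email: str
    source: str                       # e.g. "form:homepage" or "import:mailchimp"
    added_at: float
    status: str = "pending"           # pending -> confirmed | removed
    consented_at: Optional[float] = None
    nonce: Optional[str] = None       # one-time value bound into the confirmation link


class ConsentLedger:
    def __init__(self, key: bytes = SECRET_KEY, confirm_window_s: int = 14 * 86400):
        self.key = key
        self.window = confirm_window_s
        self.subs: Dict[str, Subscriber] = {}
        self.suppressed: Set[str] = set()   # keyed hashes of erased addresses, no plaintext

    @staticmethod
    def _norm(email: str) -> str:
        return email.strip().lower()

    def _suppression_mark(self, email: str) -> str:
        # Keyed hash: lets us recognise an erased address without storing it.
        return hmac.new(self.key, b"suppress|" + email.encode(), hashlib.sha256).hexdigest()

    def add(self, email: str, source: str, *, confirmed: bool = False,
            now: Optional[float] = None) -> Optional[Subscriber]:
        e = self._norm(email)
        if self._suppression_mark(e) in self.suppressed:
            return None  # an earlier deletion request is honoured
        now = time.time() if now is None else now
        sub = Subscriber(e, source, added_at=now)
        if confirmed:  # e.g. a double-opt-in signup form on your own site
            sub.status, sub.consented_at = "confirmed", now
        self.subs[e] = sub
        return sub

    def import_list(self, emails: List[str], source: str,
                    now: Optional[float] = None) -> List[str]:
        # Everything imported starts pending: consent from elsewhere is not assumed.
        added = (self.add(e, f"import:{source}", now=now) for e in emails)
        return [s.email for s in added if s is not None]

    def confirmation_token(self, email: str) -> str:
        # The token goes into the "click here to confirm" link in the re-confirmation mail.
        sub = self.subs[self._norm(email)]
        sub.nonce = secrets.token_hex(16)
        mac = hmac.new(self.key, f"{sub.email}|{sub.nonce}".encode(), hashlib.sha256).hexdigest()
        return f"{sub.nonce}.{mac}"

    def confirm(self, email: str, token: str, now: Optional[float] = None) -> bool:
        sub = self.subs.get(self._norm(email))
        if sub is None or sub.nonce is None or "." not in token:
            return False
        nonce, mac = token.split(".", 1)
        expected = hmac.new(self.key, f"{sub.email}|{nonce}".encode(), hashlib.sha256).hexdigest()
        # Constant-time comparisons on both the nonce (replay/single-use) and the MAC (forgery).
        if not (hmac.compare_digest(nonce.encode(), sub.nonce.encode())
                and hmac.compare_digest(mac.encode(), expected.encode())):
            return False
        sub.status = "confirmed"
        sub.consented_at = time.time() if now is None else now
        sub.nonce = None  # single use
        return True

    def purge_unconfirmed(self, now: float) -> List[str]:
        # Subscribers who never clicked are removed once the window has passed.
        removed = []
        for sub in self.subs.values():
            if sub.status == "pending" and now - sub.added_at >= self.window:
                sub.status = "removed"
                removed.append(sub.email)
        return removed

    def erase(self, email: str) -> bool:
        # Deletion request: drop the personal data, keep only the suppression marker.
        e = self._norm(email)
        if self.subs.pop(e, None) is None:
            return False
        self.suppressed.add(self._suppression_mark(e))
        return True

    def mailable(self) -> List[str]:
        return sorted(s.email for s in self.subs.values() if s.status == "confirmed")
```

The ledger records the subscription source with each address, which is the data the "subscription source tracking" disclosure above describes, so the consent trail and the disclosure stay in step. Swap the dictionary for your platform's subscriber API or a database table; the confirmation and suppression logic does not change.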
Generate your newsletter privacy policy now.