The Short Answer: Yes, You Do
An email address is personal data. The moment someone types their email into your signup form, you're collecting personally identifiable information (PII). It doesn't matter that you're not asking for their name, phone number, or credit card; an email address alone is enough to identify a person.
Under the GDPR, CCPA, CalOPPA, CAN-SPAM, and nearly every other privacy law worldwide, collecting an email address triggers a legal obligation to tell the person:
- What you're collecting (their email address)
- Why you're collecting it (newsletter, updates, marketing)
- Who else gets access to it (your email service provider)
- How long you keep it (until they unsubscribe? Indefinitely?)
- How they can delete it or opt out
The rule is simple
If you collect any personal data from any person, you need a privacy policy. An email address is personal data. There is no minimum threshold; even one email address triggers the requirement.
Which Laws Require a Privacy Policy for Email Collection
Multiple laws apply, and they're based on where your subscribers are located, not where you are. If your site is publicly accessible, your subscribers could be anywhere.
GDPR (EU / UK)
The strictest law. Requires explicit consent before collecting emails from EU/UK residents. You must state the purpose of collection, name your email service provider, explain the legal basis for processing, and provide a way to withdraw consent. Fines for non-compliance reach 4% of annual revenue or €20 million.
Read our GDPR privacy policy guide
CAN-SPAM Act (United States)
Requires that commercial emails include your physical address, a clear unsubscribe mechanism, and honest subject lines. While CAN-SPAM itself doesn't mandate a privacy policy, the FTC interprets email collection as requiring privacy disclosure. Violating CAN-SPAM carries penalties up to $51,744 per email.
CCPA / CPRA (California)
If you collect emails from California residents, they have the right to know what data you collect, request deletion, and opt out of the sale of their information. Your privacy policy must disclose these rights. Applies even if your business isn't in California.
Read our CCPA privacy policy guide
CalOPPA (California)
Any website that collects personal information from California residents must post a privacy policy. Since you can't control who visits your site, this effectively applies to every website with an email form. No revenue threshold; even personal blogs need to comply.
CASL (Canada)
Canada's Anti-Spam Legislation requires express consent before sending commercial emails to Canadian residents. You must identify yourself, provide contact information, and include an unsubscribe mechanism. Penalties reach $10 million for businesses.
Common Scenarios That Require a Privacy Policy
You might think, “I'm just collecting emails,” but there are many ways this happens, and each one triggers privacy obligations.
Newsletter signup form
The most obvious case. A popup, embedded form, or sidebar widget where visitors enter their email to receive updates. The email goes to your email service (Mailchimp, ConvertKit, Beehiiv, etc.), which is a third-party processor you must disclose.
Contact form
Even a simple "Get in touch" form that asks for a name and email counts. The data goes to your inbox or a form service like Formspree, Typeform, or Google Forms, all third parties processing personal data.
Lead magnets and freebies
"Enter your email to download this free PDF" is data collection. You're collecting an email address in exchange for content. If you also add them to a marketing list, you need consent for that separately under GDPR.
Waitlist or early access signups
Launching a product and collecting emails for a waitlist? That's personal data collection with implied future marketing, which requires clear disclosure of intent.
E-commerce checkout
When customers enter their email during checkout for order confirmations, you're collecting personal data tied to purchase history. This has additional requirements if you later use those emails for marketing.
Comment systems
Blog comment forms that ask for an email address (even if it's not displayed publicly) are collecting personal data. WordPress, Disqus, and similar systems all store this information.
Account registration
If users create accounts with their email address (for a membership site, course platform, or community), you're collecting and storing personal data that requires privacy disclosure.
What Your Privacy Policy Needs to Say About Email Collection
Even if email is the only data you collect, your privacy policy still needs to cover these areas. Most of these are required by law, not optional best practices.
What you collect
State explicitly that you collect email addresses. If your form also asks for a first name, that's additional personal data. Be specific: don't say "we may collect personal information" when you can say "we collect your email address."
How you collect it
Name the collection method: newsletter signup form, contact form, checkout process, popup, etc. If you use embedded forms from third-party tools, mention that the form is provided by that service.
Why you collect it
State the purpose clearly: to send weekly newsletters, to respond to inquiries, to send order confirmations, to provide product updates. Under GDPR, each purpose needs its own legal basis (usually consent for marketing).
Your email service provider
If you use Mailchimp, ConvertKit, Beehiiv, Kit, SendGrid, or any other email tool, you must disclose that the subscriber's email address is shared with this third-party service. Include a link to the provider's privacy policy.
Data retention
How long do you keep their email? Until they unsubscribe? For a specific period after their last interaction? Indefinitely? State it clearly. Under GDPR, you cannot keep data longer than necessary for its stated purpose.
How to unsubscribe
Explain how someone can remove their email from your list, typically an unsubscribe link in every email, plus a direct request option via email or contact form. Under GDPR, this must be as easy as subscribing.
Data security
Briefly describe how you protect stored email addresses. Your email service provider handles most of this (encryption, secure servers), but acknowledge that you take reasonable measures to protect subscriber data.
Subscriber rights
Under GDPR: right to access, rectify, erase, restrict processing, data portability, and object. Under CCPA: right to know, delete, and opt out. List the rights that apply and explain how subscribers can exercise them.
Email Marketing Tools You Need to Disclose
When someone enters their email on your site, it typically goes to a third-party email service and not just your inbox. These services store, process, and use subscriber data on your behalf. Your privacy policy must disclose this.
| Tool | What It Collects | Disclose in Policy |
|---|---|---|
| Mailchimp | Email, name, IP address, open/click tracking | Third-party processor, analytics cookies |
| ConvertKit / Kit | Email, name, tags, open/click data | Third-party processor, behavioral tracking |
| Beehiiv | Email, engagement data, referral tracking | Third-party processor, analytics |
| SendGrid | Email, delivery logs, engagement metrics | Third-party processor, transactional data |
| Substack | Email, payment info (for paid), reading data | Third-party platform, financial data |
Most email tools also set cookies for tracking opens and clicks. If your email service embeds tracking pixels or uses cookies, your privacy policy (and cookie policy) needs to cover this too.
If you also use Google Analytics on your site, that's an additional third-party service collecting visitor data through cookies, even from people who never enter their email. This requires separate disclosure.
Mistakes to Avoid When Collecting Emails
These mistakes can result in fines, subscriber complaints, and deliverability problems with email services.
No privacy policy link near the signup form
Under GDPR, you need to link to your privacy policy at the point of data collection, right next to the email form. A footer link on another page isn't enough. Add a small “We respect your privacy. Read our privacy policy” link below every signup form.
Pre-checked consent boxes
Under GDPR, consent must be freely given. A pre-checked “Subscribe to our newsletter” checkbox during checkout is not valid consent. The user must actively opt in.
Sending marketing emails without clear consent
Someone filling out a contact form to ask a question has not consented to receiving your newsletter. Adding them to your marketing list without separate, explicit consent violates GDPR and CAN-SPAM.
No unsubscribe option
Every marketing email must include an unsubscribe link. CAN-SPAM requires it. GDPR requires it. Your email service provider likely includes it automatically, but check. Also: unsubscribe requests must be processed within 10 business days under CAN-SPAM.
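The three consent mistakes above (no policy link at the form, a pre-checked box, and treating a contact-form submission as marketing consent) can be caught in code rather than left to memory. The following is an added example, not code from the original page or from any email provider it mentions; the form definitions, field names (`marketingOptIn`, `privacyLinkAtForm`) and the policy version string are hypothetical placeholders. It audits a form's configuration against those rules, records consent evidence only for submissions that pass, and marks a record on unsubscribe.

```javascript
// Added example: a small server-side consent layer for email signup forms.
// Form definitions and field names are hypothetical; map your own forms onto them.

const PRIVACY_POLICY_VERSION = "2025-01"; // constructed placeholder, not a real version

// Each form declares why it collects the email and how consent is presented.
// "checkoutBad" shows the mistakes listed above; the other two avoid them.
const FORMS = {
  newsletterGood: {
    purpose: "newsletter",
    privacyLinkAtForm: true,        // policy linked right next to the field
    marketingConsentDefault: false, // checkbox starts unchecked
  },
  checkoutBad: {
    purpose: "order_confirmation",
    privacyLinkAtForm: false,       // only a footer link elsewhere
    marketingConsentDefault: true,  // pre-checked "subscribe" box
  },
  contactGood: {
    purpose: "contact",
    privacyLinkAtForm: true,
    marketingConsentDefault: false,
  },
};

// Static audit of a form definition: returns the problems found (empty if clean).
function auditForm(form) {
  const issues = [];
  if (!form.privacyLinkAtForm) {
    issues.push("privacy policy not linked at point of collection");
  }
  if (form.marketingConsentDefault) {
    issues.push("marketing consent checkbox is pre-checked");
  }
  return issues;
}

function isPlausibleEmail(value) {
  return typeof value === "string" && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value.trim());
}

// Handles one submission. Returns { ok: false, reason } or { ok: true, record }.
// The record is the consent evidence you keep next to the subscriber.
// The request layer is expected to turn the checkbox into a real boolean
// (an absent or unticked box must arrive as anything other than `true`).
function recordSignup(formId, submission, now = new Date()) {
  const form = FORMS[formId];
  if (!form) return { ok: false, reason: `unknown form ${formId}` };

  const issues = auditForm(form);
  if (issues.length > 0) {
    return { ok: false, reason: "form fails consent audit: " + issues.join("; ") };
  }
  if (!isPlausibleEmail(submission.email)) {
    return { ok: false, reason: "invalid email" };
  }

  const record = {
    email: submission.email.trim().toLowerCase(),
    purpose: form.purpose,
    collectedAt: now.toISOString(),
    policyVersion: PRIVACY_POLICY_VERSION,
    marketing: false,
  };
  // Marketing use needs its own affirmative tick; it is never inferred from
  // the fact that someone asked a question or placed an order.
  if (submission.marketingOptIn === true) {
    record.marketing = true;
    record.marketingConsentAt = record.collectedAt;
  }
  return { ok: true, record };
}

// Unsubscribe keeps the record (proof of when consent was withdrawn) but
// switches marketing off; the original consent timestamp is retained.
function unsubscribe(record, now = new Date()) {
  return { ...record, marketing: false, unsubscribedAt: now.toISOString() };
}
```

Running `auditForm` over every form definition at deploy time turns "is the box pre-checked?" into a failing check instead of something a reviewer has to notice; the stored `marketingConsentAt` and `policyVersion` fields are what you point to when a subscriber or regulator asks when and under which policy consent was given.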
Using a ChatGPT-generated policy
AI-generated privacy policies often produce vague, generic text that doesn't name your specific email service provider, doesn't cover the right laws for your audience, and goes out of date as regulations change.
Generate Your Privacy Policy
Answer a few questions about how you collect and use email addresses, and get a privacy policy that covers your data practices, plus a Cookie Policy and Terms of Service.
Structured around widely accepted GDPR and CCPA requirements. Not legal advice.
Frequently Asked Questions
I only have a small blog with 50 subscribers. Do I still need a privacy policy?
Yes. There is no minimum subscriber count that exempts you from privacy laws. CalOPPA and GDPR apply regardless of how many people you collect data from. One subscriber is enough to trigger the requirement.
What if I use Mailchimp's built-in privacy features?
Mailchimp (and similar services) provide GDPR-friendly signup forms and unsubscribe handling, but they don't generate a privacy policy for your website. You still need your own privacy policy that discloses Mailchimp as a third-party processor and explains your data practices.
Can I just add a line saying “we won't share your email” instead of a full policy?
No. A one-line promise doesn't satisfy GDPR, CCPA, or CalOPPA requirements. These laws require specific disclosures about data types, purposes, third-party sharing, retention periods, and user rights. A proper privacy policy covers all of these. Plus, if you use Mailchimp, ConvertKit, or any email tool, you are already sharing the subscriber's email with a third party.
Does a privacy policy need to be a separate page?
Yes. Best practice (and a CalOPPA requirement) is a dedicated, publicly accessible page, typically at yoursite.com/privacy-policy, linked from your website footer. Don't bury it inside another page, put it behind a login, or host it as a PDF.
What's the penalty for collecting emails without a privacy policy?
Penalties vary by jurisdiction. GDPR fines reach up to 4% of annual revenue or €20 million. CAN-SPAM penalties reach $51,744 per violating email. CCPA fines are $2,500 per unintentional violation and $7,500 per intentional one. Beyond fines, email platforms like Mailchimp may suspend your account for non-compliance. Learn more about the consequences of not having a privacy policy.
Related Resources
Privacy Policy for Websites
Complete website privacy policy guide
GDPR Privacy Policy Template
EU compliance requirements
CCPA Privacy Policy Example
California compliance guide
Cookie Policy for Websites
Cookie tracking and consent
Risks Without a Privacy Policy
Legal and financial consequences
ChatGPT Privacy Policy Risks
Why AI-generated policies fail