phpList and GDPR

I would like to ask if there is an possibility to send emails to all the subscribers to confirm the email subscribtion?
For example, the email is sent to everyone in the newsletter list, but only the confirmed ones stays there, the not confirm emails go to the blacklist…Is that possible?
Or any other possibilities to comply with the GDPR?

Thx for your help.

Kind Regards

I’ve just done this very exercise for one of the sites I manage.

I sent out a mailing to all subscribers and asked if they wanted to continue to receive the updates. As you can see from the image below, I asked that if they did not wish to continue, to click either Unsubscribe to unsubscribe themselves, or click Webmaster to ask me to do the task for them.

I had three people unsubscribe so they were removed from the mailing list, and thus blacklisted. As stated in the mailing, if they wished to continue to receive our news, to do nothing.

Oh, the buttons, which were hyperlinked to the Contact the Webmaster page and direct to the subscribers unsubscribe option in phplist, were created via Da Button Factory which provide free buttons for you to use.

Try the invite-plugin ( After an invitation mail, all subscribers will be blacklisted until they use the confirmation link.

thx for your help Dragonrider!

Yes this is the easiest way to send a ‘re-permission’ / re-opt-in campaign. For template text to use for such a campaign, see: That is merely for your convenience – you can write your own simple campaign text instead in the usual way (or customise the template, which uses placeholders).

There is a lot of confusion about what the GDPR requires – not surprising for something that is longer than some novels and has a calculated reading level of “college graduate or above!”

Before sending a re-permission campaign, you might want to consider what UK lawyer Gemma Gibbs has to say about that, in the podcast linked below.

The tl;dr version is: Don’t do it; it’s either unnecessary because you have what you need already… or, worse, unnecessary because you’re not complying with pre-GDPR law. (And in the latter case the only legal thing to do is delete the addresses for which you don’t already have consent.)

1 Like

@Crenel84 Great link, thanks for sharing

very helpfull thank you very much arada , Crenel84 and everyonel! I just installed the invite plugin and thats exactly what I need!

I am thinking now about it weather I should send the repermission (and blacklist everyone who doesnt confirm) or should I leave it the old way with the unsubscribe button (I have atm approx 3500 newsletter members, I assume if I do the repermission only 1000 or so would be left)…

As I read the law, we need to be able to show that a subscriber has positively confirmed that they agree to receive the emails. So saying that silence will be assumed to be assent isn’t good enough. Particularly that, at least on my systems, a lot of the emails don’t get read at all – look at the counts of Total sent and Unique views to see what I mean.

I have replicated each list, with the existing list called “Unconfirmed” and its twin called “Confirmed”. I then send an email to each user on the Unconfirmed list and when they click the link it runs some code that updates the listuser table to change the listid from that of the Unconfirmed list to that of the Confirmed list.

This is proving successful for those subscribers who open the email but it seems an awful lot are going to junk and never being read.

@Cornwell As mentioned in another thread, phpList does, by default, record both the subscription and confirmation details of all subscribers. If they sign themselves up then double opt-in will be used and their consent tracked. This data is available on the history of their subscription on the subscriber details page. You can use additional independent consent tracking if you wish, but it should not be necessary simply to evidence consent. Informed consent is another matter discussed elsewhere.

Every list will differ: quite a few of my clients are authors who put a sheet out at their events and people sign up. They then send me names and email addresses. I have added these directly, without seeking confirmation because we’ve got their signatures, right? Jump forward three years and nobody can put their hands on those sheets, so we need to re-confirm.

And the default text for confirming probably doesn’t meet the GDPR requirements for informed consent. As you say, this is discussed elsewhere.

1 Like

@Cornwell Thanks for illustrating the use-case; I’m confident that it’s a common one.