ChecklistEU

EU ePrivacy Directive direct-marketing consent checklist

Check each campaign against Article 13 before sending automated calls, fax, email, SMS, stored messages, or similar electronic direct-marketing communications.

Use the checklist to record channel scope, sender identity, consent proof, existing-customer soft opt-in logic, opt-out handling, suppression records, and Member State caveats.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 26, 2026
Sections
4

Structured answer sets in this page tree.

Primary sources
9

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 26, 2026
Overview

Article 13 of the ePrivacy Directive is the starting point for EU electronic direct-marketing checks. Treat each campaign as a channel-specific decision: identify the communication method, confirm whether prior consent or a narrow existing-customer email exception is available, make the sender clear, provide an easy free opt-out, and keep proof that the chosen route was available before the message was sent.

Section 1

1. Classify the channel and message scope

Start by deciding whether the campaign uses automated calling systems without human intervention, fax, electronic mail, or another unsolicited direct-marketing channel. The Directive defines electronic mail broadly enough to cover text, voice, sound, or image messages sent over a public communications network and stored until collection.

Record the product, service, audience, country coverage, sender entity, sending platform, and whether the journey also stores or accesses information on the recipient's device, such as tracking pixels, link identifiers, cookies, or app identifiers.

  • Channel: automated call, fax, email, SMS, in-app stored message, or another national-law direct-marketing channel.
  • Purpose: direct marketing only, service notice only, or mixed service-and-marketing content.
  • Recipient type: subscriber, user, existing customer, prospect, business contact, or unclear.
  • Technical access: whether the message or landing journey stores or accesses terminal-equipment information.
  • Country caveat: do not assume one EU-wide rule for channels outside Article 13(1) and 13(2); Member State law determines the consent-or-opt-out choice for other cases.
Sources for this answer
Directive 2002/58/EC Article 13 - unsolicited communications
Article 13 supplies the channel-specific direct-marketing rule, including prior consent for automated calling systems, fax, and electronic mail.
Directive 2002/58/EC definition of electronic mail
Article 2(h) supports treating stored text, voice, sound, or image messages over public communications networks as electronic mail.
EDPB Guidelines 2/2023 on Article 5(3) ePrivacy Directive
Use this source when the marketing message or landing page includes pixels, cookies, local storage, SDKs, or other terminal-equipment access.
Section 2

2. Choose the lawful send route before launch

For automated calling systems without human intervention, fax, and electronic mail used for direct marketing, the default Article 13 route is prior consent. Do not treat a generic privacy-policy acknowledgement, passive account creation, or pre-ticked preference as enough consent evidence.

For electronic mail sent to existing customers, Article 13(2) supports a narrower route when the same sender collected the contact details in the context of a sale, markets its own similar products or services, and gave a clear, distinct, free, easy chance to object both when details were collected and in each later message.

  • Prior consent route: keep the consent text, channel, purpose, sender identity, timestamp, source form or preference center, country, and version shown to the recipient.
  • Existing-customer soft opt-in route: confirm there was a sale of a product or service, the same legal person collected the electronic contact details, and the campaign covers that sender's own similar products or services.
  • No route: suppress the recipient when consent proof is missing, the soft opt-in facts are incomplete, the products are not similar, the sender changed, or the contact previously objected.
  • GDPR consent quality: consent used for ePrivacy must remain freely given, specific, informed, unambiguous, and demonstrable.
Sources for this answer
Directive 2002/58/EC Article 13 - prior consent and soft opt-in
Article 13(1) sets the prior-consent rule; Article 13(2) supports the existing-customer electronic-mail exception for own similar products or services.
Directive 2009/136/EC amendments to Article 13
The 2009 amendment text confirms the updated Article 13 wording on users, prior consent, existing-customer email marketing, and opt-out opportunities.
EDPB Guidelines 05/2020 on consent
EDPB consent guidance supports the consent-quality and proof checks where Article 13 relies on consent.
Section 3

3. Make opt-out and sender identity non-negotiable

Every electronic-mail marketing message relying on the existing-customer route needs a free and easy objection path in the message. The same opt-out control should also be checked for consent-based campaigns because withdrawal must be easy and the sender needs reliable suppression evidence.

Article 13 separately prohibits direct-marketing electronic mail that disguises or conceals the sender identity, lacks a valid address for stop requests, or sends recipients to websites that contravene the e-commerce information rule referenced in the Directive.

  • Sender identity: show the legal or trading sender on whose behalf the communication is made; do not hide behind the platform, agency, or group brand.
  • Stop address: include a valid address or working unsubscribe mechanism that receives requests to stop communications.
  • Opt-out cost: make refusal free of charge apart from ordinary transmission costs and easy enough for the recipient to use without account login friction.
  • Per-message check: include the opt-out opportunity on each message when the customer has not already refused.
  • Suppression action: move opt-outs, withdrawals, bounces that indicate stop requests, and manual complaints into the suppression process before the next send.
Sources for this answer
Directive 2002/58/EC Article 13 - opt-out and sender identity
Article 13(2) supports the free and easy objection check; Article 13(4) supports the identity and valid-address checks.
Directive 2009/136/EC amendments to Article 13
The amendment text adds the prohibition on messages that encourage visits to websites contravening the referenced e-commerce information rule.
EDPB Guidelines 05/2020 on consent
Use this source to test whether withdrawal from consent-based marketing is available and operational.
Section 4

4. Keep proof, suppression, and national-law notes

Close the checklist only when the campaign record proves the selected route for each recipient segment. The record should let a reviewer see why a send happened, why a recipient was suppressed, and which jurisdiction-specific caveat still needs local validation.

The ePrivacy Directive particularises and complements the GDPR, and Member States implement and enforce national ePrivacy rules through national law. Avoid adding country-specific rules, penalties, authority names, or limitation periods unless those facts are separately grounded for the country.

  • Consent proof fields: consent statement, purpose, channel, sender, capture method, timestamp, source URL or form, locale, policy version, and withdrawal path shown.
  • Soft opt-in proof fields: sale record, collecting legal person, collection notice, initial refusal option, product-similarity rationale, and per-message objection mechanism.
  • Suppression fields: recipient identifier, reason, date received, source system, campaign affected, operator if manual, and downstream systems updated.
  • Review triggers: new sender entity, new product category, new country, new channel, new tracking technology, changed unsubscribe flow, list import, or acquisition of another customer base.
  • Blocked facts: leave penalties and country-by-country marketing rules out unless supported by jurisdiction-specific source material.
Sources for this answer
Directive 2002/58/EC Article 13 - national-law caveat
Article 13(3) leaves the consent-or-opt-out choice for other direct-marketing cases to national legislation.
EDPB Guidelines 05/2020 on consent
EDPB consent guidance supports keeping records that demonstrate valid consent and operational withdrawal.
European Commission ePrivacy framework overview
Commission material supports treating ePrivacy as the EU privacy framework for electronic communications alongside GDPR modernization work.
Recommended next step

Use this EU ePrivacy checklist before marketing sends

Sorena can help convert campaign facts into a cited Article 13 send record, consent-proof gap list, opt-out control check, and country-law validation queue.

Research workflow
Open Research Copilot for EU ePrivacy

Ask source-linked questions about direct-marketing consent, Article 13 scope, soft opt-in facts, and evidence records using the cited sources on this page.

Explore next step
Talk to Sorena
Review an EU direct-marketing campaign

Check sender identity, consent proof, suppression handling, and national-law caveats before a marketing send.

Explore next step
Primary sources

References and citations

Directive 2009/136/EC amendments to Article 13
eur-lex.europa.eu
Referenced sections
  • The amendment text adds the prohibition on messages that encourage visits to websites contravening the referenced e-commerce information rule.
"valid address"
EDPB Guidelines 05/2020 on consent
edpb.europa.eu
Referenced sections
  • EDPB consent guidance supports keeping records that demonstrate valid consent and operational withdrawal.
"demonstrate that consent was obtained"
European Commission ePrivacy framework overview
digital-strategy.ec.europa.eu
Referenced sections
  • Commission material supports treating ePrivacy as the EU privacy framework for electronic communications alongside GDPR modernization work.
"future-proof legal framework"
Related guides

Explore more topics

Are cookie walls allowed under the EU ePrivacy Directive?
FAQ answer on cookie walls under the EU ePrivacy Directive, covering freely given consent, refusal and withdrawal paths, banner evidence, and national-law caveats.
Do Analytics Cookies Require Consent under the EU ePrivacy Directive?
FAQ answer on analytics cookies under Article 5(3) ePrivacy, limited analytics exemptions, configuration evidence, consent logs, and national-law caveats.
ePrivacy cookie consent vs DSA ads obligations: source-limited comparison
Compare ePrivacy cookie and tracking-consent duties with DSA ads workstreams without merging consent, transparency, and evidence obligations.
ePrivacy Directive vs GDPR: cookies, communications, consent, and evidence
Compare the EU ePrivacy Directive and GDPR across subject matter, lex specialis overlap, terminal equipment, communications confidentiality, marketing, consent, enforcement, and evidence.
EU cookie banner requirements under the ePrivacy Directive
EU ePrivacy cookie banner requirements for non-exempt cookies and trackers: prior consent, reject choices, no pre-ticked boxes, withdrawal, analytics limits, cookie walls, and evidence logs.
EU ePrivacy analytics cookies: consent, exemption, and evidence guide
source-linked guide to analytics cookies under EU ePrivacy: Article 5(3) scope, when consent is usually needed, limited analytics exemptions, consent records, and evidence gaps.
EU ePrivacy Applicability Test for Cookies, SDKs, Pixels, Communications, and Marketing
A concrete EU ePrivacy Directive applicability test for electronic communications services, terminal-equipment storage or access, cookies, SDKs, pixels, local storage, direct marketing, GDPR overlap, and evidence.
EU ePrivacy Article 5(3) terminal equipment test
A source-linked Article 5(3) test for cookies, pixels, local identifiers, device APIs, strictly necessary exceptions, and consent evidence.
EU ePrivacy Confidentiality of Communications: Article 5 controls
Article 5 confidentiality guide for EU ePrivacy communications, traffic data, metadata, terminal-equipment access, consent limits, and GDPR interplay.
EU ePrivacy consent-log evidence workflow for cookies and trackers
Build an ePrivacy consent-log workflow that records cookie and tracker decisions, banner versions, consent signals, withdrawals, vendor evidence, and audit-ready outputs.
EU ePrivacy cookie banner UX test cases
source-linked cookie banner UX tests for Article 5(3) ePrivacy consent: reject all, pre-ticked boxes, withdrawal, cookie walls, analytics toggles, and consent evidence.
EU ePrivacy Cookie Scope Classifier Workflow
Classify cookies, pixels, SDKs, local storage, device identifiers, and analytics tracers under Article 5(3) ePrivacy rules, with consent and exemption evidence outputs.
EU ePrivacy Directive compliance calendar for cookies, consent, and marketing
source-linked ePrivacy calendar covering Directive milestones, Article 5(3) cookie reviews, consent evidence, direct marketing checks, and national-law follow-up.
EU ePrivacy Directive Compliance Checklist
A concrete ePrivacy checklist for terminal equipment access, cookie consent, exemptions, banner UX, direct marketing, confidentiality, GDPR interplay, and evidence records.
EU ePrivacy Directive Compliance Guide for Cookies, Marketing, and Communications
Practical ePrivacy Directive compliance checks for terminal equipment, communications confidentiality, cookie consent, exemptions, direct marketing, evidence, and national-law caveats.
EU ePrivacy Directive Cookies and Consent: Article 5(3), exemptions, and banner evidence
Cookie consent guide for the EU ePrivacy Directive: Article 5(3) scope, strictly necessary and transmission exemptions, consent UX, withdrawal, logs, analytics caveats, and GDPR interplay.
EU ePrivacy Directive direct marketing rules for electronic mail
source-linked guide to Article 13 ePrivacy Directive rules for electronic mail marketing, prior consent, customer soft opt-in, opt-out handling, sender identity, and Member State caveats.
EU ePrivacy Directive Enforcement and Fines
Source-grounded guide to ePrivacy Directive enforcement, national penalties, competent authorities, GDPR interplay, cookie-banner risk, and evidence limits.
EU ePrivacy Directive FAQ: cookies, consent, marketing, GDPR interplay
Answers to recurring EU ePrivacy Directive questions on Article 5(3), terminal-equipment access, cookie consent, exemptions, analytics, direct marketing, GDPR interplay, national enforcement, and evidence.
EU ePrivacy Directive Member State Cookie Rules
How to evidence EU ePrivacy cookie compliance when Article 5(3) is implemented through Member State law and national authority practice.
EU ePrivacy Directive Metadata and Location Data Guide
source-linked guide to EU ePrivacy Directive rules for traffic data, location data, anonymisation, consent, value-added services, Article 5(3) overlap, and national-law limits.
EU ePrivacy Directive penalties and fines: national enforcement caveats
source-linked guide to ePrivacy Directive penalty exposure, national transposition caveats, cookie enforcement evidence, consent defects, and GDPR overlap limits.
EU ePrivacy Directive Requirements: cookies, communications and marketing
source-linked map of EU ePrivacy Directive requirements for communications confidentiality, terminal-equipment access, consent, traffic and location data, and direct marketing.
EU ePrivacy Directive vs GDPR: cookies, communications, marketing, and evidence
Compare the EU ePrivacy Directive and GDPR by trigger, consent standard, lex specialis overlap, enforcement caveats, and evidence outputs for cookies, device access, communications, and marketing.
EU ePrivacy Directive vs UK PECR: source-limited cookie and marketing comparison
Compare EU ePrivacy Directive rules with a source-limited UK PECR workstream for cookies, terminal equipment, direct marketing, consent, soft opt-in, and evidence.
EU ePrivacy soft opt-in FAQ for email marketing
When Article 13(2) soft opt-in can support EU customer email marketing, including existing-customer, similar-offer, opt-out, sender-identity, suppression-list, and national-law checks.
EU ePrivacy soft opt-in marketing checklist
source-linked checklist for using the EU ePrivacy Directive soft opt-in exception for customer email marketing, opt-outs, sender identity, suppression records, and national-law caveats.
EU ePrivacy soft opt-in marketing review workflow
Review whether an EU electronic-mail marketing send can rely on the ePrivacy soft opt-in, with checks for customer relationship evidence, similar products, opt-out, sender identity, suppression records, and national-law caveats.
EU ePrivacy Strictly Necessary Cookie Exemptions
source-linked guide to the Article 5(3) ePrivacy exemptions for transmission cookies, requested-service cookies, analytics caveats, evidence, and national-law checks.
Is a reject-all button required for EU ePrivacy cookie consent?
Standalone FAQ answer on EU ePrivacy reject-all and refuse options for cookie banners, including equal prominence, deceptive UX, consent evidence, withdrawal, and national-law caveats.
Strictly Necessary Cookies under the EU ePrivacy Directive
FAQ answer on when EU ePrivacy Article 5(3) allows cookies without consent, with grounded examples, analytics caveats, evidence records, and national-law cautions.
What should CMP consent logs retain under the EU ePrivacy Directive?
FAQ answer on CMP consent logs for EU ePrivacy cookie consent: retained fields, consent validity signals, banner versioning, refusal and withdrawal events, proof limits, and national-law caveats.