EU ePrivacy Directive direct marketing rules

Treat electronic mail direct marketing as opt-in by default. Article 13 allows automated calling systems, fax, or electronic mail for direct marketing only for subscribers or users who have given prior consent, unless the existing-customer exception in Article 13(2) applies.

Because the ePrivacy Directive now points consent references through the GDPR framework, consent records should show a freely given, specific, informed, and unambiguous choice, plus the information presented at the time and a way to withdraw as easily as consent was given.

Article 13(2) creates a narrow exception for electronic contact details collected from customers in the context of selling a product or service. The same natural or legal person may use those details for direct marketing of its own similar products or services only if the customer had a clear, distinct, free, and easy opportunity to object when the details were collected and in every later message.

Do not expand this exception to purchased lists, third-party promotions, unrelated product lines, or contacts collected outside a sale unless national implementation and a fresh source-linked review support that route. The artifact should state why the product or service is similar and why the sender is the same person or entity that collected the details.

Soft opt-in campaigns require an opportunity to object at two points: when the electronic contact details are collected and on the occasion of each message. Consent-based campaigns also need an easy withdrawal route under GDPR consent standards. In both cases, the marketing system needs a suppression control that prevents future sends after an objection or withdrawal.

A suppression list should be limited to what is needed to honor the cease request, but it must be operationally effective. Keep enough information to match future campaign audiences against opted-out recipients, including the channel, brand or sender scope, date, source of opt-out, and any country or entity scope applied under national implementation.

Article 13 separately prohibits direct-marketing electronic mail that disguises or conceals the sender identity or lacks a valid address for cease requests. This is not optional formatting; it is a pre-send compliance gate.

Run this check on the final rendered message, not only the campaign brief. The sender name, reply handling, unsubscribe address, landing-page URL, and on-page commercial information should all align with the entity on whose behalf the communication is made.

The ePrivacy Directive particularises and complements GDPR. Where Article 13 sets a special rule for sending unsolicited communications, do not skip that rule because personal-data processing also has a GDPR lawful-basis analysis. GDPR still matters for consent quality, transparency, records, downstream processing, rights handling, and data minimisation around contact data and suppression lists.

Article 13 also leaves implementation choices to Member States for cases outside the prior-consent and customer-soft-opt-in provisions, and it requires protection for subscribers other than natural persons under Community law and applicable national law. Use this page for the EU baseline, then check the national law for the recipient market before relying on a call, fax, B2B, corporate-subscriber, enforcement, or penalty conclusion.

Use this checklist before a direct-marketing email, SMS, or similar electronic mail send reaches production. It is designed to catch the legal questions that Article 13 makes material, not to replace national-law review where the Directive leaves choices to Member States.

The campaign record should let a reviewer reconstruct why every recipient was eligible, how each recipient can stop future messages, and which source supported the chosen route.