--- title: "EU ePrivacy soft opt-in FAQ for email marketing" canonical_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/faq/soft-opt-in" source_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/faq/soft-opt-in" author: "Sorena AI" description: "When Article 13(2) soft opt-in can support EU customer email marketing, including existing-customer, similar-offer, opt-out, sender-identity, suppression-list, and national-law checks." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "EU ePrivacy Directive" - "ePrivacy soft opt-in" - "Article 13(2)" - "email marketing" - "direct marketing opt-out" - "suppression list" - "ePrivacy" - "soft opt-in" - "direct marketing" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # EU ePrivacy soft opt-in FAQ for email marketing When Article 13(2) soft opt-in can support EU customer email marketing, including existing-customer, similar-offer, opt-out, sender-identity, suppression-list, and national-law checks. *FAQ* *EU ePrivacy* ## Can EU email marketing use soft opt-in? Article 13(2) can support customer email marketing only when the contact details came from a sale, the sender is the same legal or natural person, the offer is for that sender's own similar products or services, and the customer had a free, easy opt-out at collection and in every message. Use this as a campaign gate for privacy, lifecycle marketing, CRM operations, and legal review before relying on soft opt-in instead of consent. EU ePrivacy soft opt-in is not a general permission to email prospects. It is a narrow Article 13(2) route for reusing electronic mail contact details collected from a customer during a product or service sale, subject to same-sender, similar-offer, clear opt-out, sender-identity, and national transposition checks. ## When does the ePrivacy soft opt-in apply? Treat soft opt-in as available only when every Article 13(2) condition is documented before launch. The contact must be a customer contact collected in the context of a sale of a product or service. The sender must be the same natural or legal person that obtained the electronic contact details. The campaign must market that sender's own similar products or services, not unrelated offers, third-party offers, affiliate campaigns, or group-company lists. The customer also needs a clear and distinct chance to object, free of charge and in an easy manner, when the details are collected and again in every marketing message if the customer did not initially refuse. If the acquisition screen, checkout, order flow, CRM record, or message template cannot prove those facts, route the campaign to consent review instead of soft opt-in. - Confirm the contact is an existing customer from a sale, not a bought-in lead, scraped address, event badge scan, newsletter-only signup, trial list, or abandoned form. - Confirm the sending entity is the same legal or natural person that collected the electronic mail details. - Map the promoted offer to the product or service originally sold and explain why it is similar. - Show the opt-out text or control used at collection and the unsubscribe or objection route in each message. - Block the send where the customer has objected, unsubscribed, or appears on a suppression list. Sources for this answer: - [Directive 2002/58/EC, Article 13](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058&ref=sorena.io) - Article 13(2) supplies the EU-level soft opt-in conditions for customer electronic mail direct marketing. - [Directive 2009/136/EC amendments to Directive 2002/58/EC](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02009L0136-20201221&ref=sorena.io) - The 2009 amendment source is the grounded consolidated amendment material for the current ePrivacy Article 13 framework. ## What campaign evidence should teams keep? Keep evidence that proves the exact soft opt-in path, not a generic marketing approval. The file should connect the customer record, sale context, sender identity, product-similarity assessment, opt-out presentation, message template, and suppression-list enforcement. Suppression evidence matters because Article 13(2) depends on the customer not having initially refused and on the customer receiving a continuing objection opportunity. A working suppression list should record collection-stage refusals, later unsubscribe requests, bounced or invalid stop addresses, and downstream systems where the block must be honored before the next send. - Customer-source evidence: order, subscription, or service record showing the email address was obtained in the context of a sale. - Sender evidence: legal-entity name, brand presentation, reply domain, and sender authentication that match the entity relying on Article 13(2). - Similarity evidence: short mapping from the purchased product or service to the promoted offer. - Collection opt-out evidence: checkout, account, or order-flow copy showing the clear and distinct objection opportunity. - Each-message opt-out evidence: final email template with unsubscribe link, preference-center path, or valid reply address. - Suppression evidence: timestamped objection records and pre-send exclusion checks across CRM, ESP, CDP, and regional campaign tools. Sources for this answer: - [Directive 2002/58/EC, Article 13](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058&ref=sorena.io) - Article 13(2) and 13(4) support the evidence checklist for opt-out timing, sender identity, and a valid stop route. - [EDPB Guidelines 05/2020 on consent](https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - The consent guidance supports fallback analysis where a campaign does not fit the Article 13(2) soft opt-in route and needs valid opt-in consent. ## When should teams escalate instead of sending? Escalate when any condition depends on interpretation: whether a free trial is a sale, whether a service renewal is similar enough to a new product, whether a group affiliate is the same sender, whether the collection notice was clear, or whether national law adds stricter rules for a channel, recipient type, or local implementation. The ePrivacy Directive is implemented through national law. Article 13(3) leaves Member States a choice for other direct-marketing cases, and Article 13(5) requires protection for subscribers that are not natural persons under Union and applicable national law. The Commission has also described the proposed ePrivacy Regulation as a way to replace the current Directive with one directly applicable set of rules instead of national variations. Do not add country-specific rules, penalties, or exemptions unless they are separately grounded for the relevant country. - Use consent review for prospects, purchased lists, partner lists, affiliate sends, group-company sends, or unrelated offers. - Escalate where the message disguises or conceals the sender identity, uses a misleading sender name, or lacks a valid address or route for stopping further messages. - Check local implementation before relying on soft opt-in for B2B recipients, legal-person subscribers, mixed channels, SMS, automated calls, or voice calls. - Recheck the GDPR layer for any personal-data processing that sits outside the ePrivacy special rule, such as profiling, segmentation, analytics, or enrichment. Sources for this answer: - [Directive 2002/58/EC, Article 13](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058&ref=sorena.io) - Article 13(3), 13(4), and 13(5) ground the escalation points for national-law choices, sender identity, valid stop addresses, and legal-person protections. - [Commission factsheet on stronger privacy rules for electronic communications](https://ec.europa.eu/digital-single-market/en/news/eurobarometer-eprivacy?ref=sorena.io) - The Commission material explains the policy reason for replacing national ePrivacy Directive implementations with a directly applicable Regulation. ## Primary sources - [Directive 2002/58/EC, Article 13](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058&ref=sorena.io) - Primary source for the EU-level soft opt-in conditions, sender-identity rule, valid stop-address rule, and national-law caveats for unsolicited direct marketing. - Quote: "direct marketing of its own similar products or services" - [Directive 2009/136/EC amendments to Directive 2002/58/EC](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02009L0136-20201221&ref=sorena.io) - Grounding source for the 2009 amendments to the ePrivacy Directive framework that includes the current Article 13 direct-marketing structure. - Quote: "amending Directive 2002/58/EC" - [EDPB Guidelines 05/2020 on consent](https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Supports fallback opt-in analysis when a campaign cannot satisfy every Article 13(2) soft opt-in condition. - Quote: "free, specific, informed and unambiguous" - [Commission factsheet on stronger privacy rules for electronic communications](https://ec.europa.eu/digital-single-market/en/news/eurobarometer-eprivacy?ref=sorena.io) - Supports the caveat that Directive implementation has national variation and that the proposed Regulation was intended to create one directly applicable rule set. - Quote: "one single set of rules instead of 28 different ones" ## Topic Guides - [Are cookie walls allowed under the EU ePrivacy Directive?](/artifacts/eu/eprivacy-directive/faq/cookie-walls.md): FAQ answer on cookie walls under the EU ePrivacy Directive, covering freely given consent, refusal and withdrawal paths, banner evidence, and national-law caveats. - [Do Analytics Cookies Require Consent under the EU ePrivacy Directive?](/artifacts/eu/eprivacy-directive/faq/analytics-cookies.md): FAQ answer on analytics cookies under Article 5(3) ePrivacy, limited analytics exemptions, configuration evidence, consent logs, and national-law caveats. - [ePrivacy cookie consent vs DSA ads obligations: source-limited comparison](/artifacts/eu/eprivacy-directive/eprivacy-vs-dsa-ads.md): Compare ePrivacy cookie and tracking-consent duties with DSA ads workstreams without merging consent, transparency, and evidence obligations. - [ePrivacy Directive vs GDPR: cookies, communications, consent, and evidence](/artifacts/eu/eprivacy-directive/eprivacy-directive-vs-gdpr.md): Compare the EU ePrivacy Directive and GDPR across subject matter, lex specialis overlap, terminal equipment, communications confidentiality, marketing, consent, enforcement, and evidence. - [EU cookie banner requirements under the ePrivacy Directive](/artifacts/eu/eprivacy-directive/eu-cookie-banner-requirements.md): EU ePrivacy cookie banner requirements for non-exempt cookies and trackers: prior consent, reject choices, no pre-ticked boxes, withdrawal, analytics limits, cookie walls, and evidence logs. - [EU ePrivacy analytics cookies: consent, exemption, and evidence guide](/artifacts/eu/eprivacy-directive/analytics-cookies.md): source-linked guide to analytics cookies under EU ePrivacy: Article 5(3) scope, when consent is usually needed, limited analytics exemptions, consent records, and evidence gaps. - [EU ePrivacy Applicability Test for Cookies, SDKs, Pixels, Communications, and Marketing](/artifacts/eu/eprivacy-directive/applicability-test.md): A concrete EU ePrivacy Directive applicability test for electronic communications services, terminal-equipment storage or access, cookies, SDKs, pixels, local storage, direct marketing, GDPR overlap, and evidence. - [EU ePrivacy Article 5(3) terminal equipment test](/artifacts/eu/eprivacy-directive/article-5-3-terminal-equipment-test.md): A source-linked Article 5(3) test for cookies, pixels, local identifiers, device APIs, strictly necessary exceptions, and consent evidence. - [EU ePrivacy Confidentiality of Communications: Article 5 controls](/artifacts/eu/eprivacy-directive/confidentiality-of-communications.md): Article 5 confidentiality guide for EU ePrivacy communications, traffic data, metadata, terminal-equipment access, consent limits, and GDPR interplay. - [EU ePrivacy consent-log evidence workflow for cookies and trackers](/artifacts/eu/eprivacy-directive/consent-log-evidence-workflow.md): Build an ePrivacy consent-log workflow that records cookie and tracker decisions, banner versions, consent signals, withdrawals, vendor evidence, and audit-ready outputs. - [EU ePrivacy cookie banner UX test cases](/artifacts/eu/eprivacy-directive/banner-ux-test-cases.md): source-linked cookie banner UX tests for Article 5(3) ePrivacy consent: reject all, pre-ticked boxes, withdrawal, cookie walls, analytics toggles, and consent evidence. - [EU ePrivacy Cookie Scope Classifier Workflow](/artifacts/eu/eprivacy-directive/cookie-scope-classifier-workflow.md): Classify cookies, pixels, SDKs, local storage, device identifiers, and analytics tracers under Article 5(3) ePrivacy rules, with consent and exemption evidence outputs. - [EU ePrivacy direct-marketing consent checklist](/artifacts/eu/eprivacy-directive/direct-marketing-consent-checklist.md): Checklist for ePrivacy Directive direct-marketing messages: consent, soft opt-in, sender identity, opt-out handling, proof records, suppression, and national-law caveats. - [EU ePrivacy Directive compliance calendar for cookies, consent, and marketing](/artifacts/eu/eprivacy-directive/deadlines-and-compliance-calendar.md): source-linked ePrivacy calendar covering Directive milestones, Article 5(3) cookie reviews, consent evidence, direct marketing checks, and national-law follow-up. - [EU ePrivacy Directive Compliance Checklist](/artifacts/eu/eprivacy-directive/checklist.md): A concrete ePrivacy checklist for terminal equipment access, cookie consent, exemptions, banner UX, direct marketing, confidentiality, GDPR interplay, and evidence records. - [EU ePrivacy Directive Compliance Guide for Cookies, Marketing, and Communications](/artifacts/eu/eprivacy-directive/compliance.md): Practical ePrivacy Directive compliance checks for terminal equipment, communications confidentiality, cookie consent, exemptions, direct marketing, evidence, and national-law caveats. - [EU ePrivacy Directive Cookies and Consent: Article 5(3), exemptions, and banner evidence](/artifacts/eu/eprivacy-directive/cookies-and-consent.md): Cookie consent guide for the EU ePrivacy Directive: Article 5(3) scope, strictly necessary and transmission exemptions, consent UX, withdrawal, logs, analytics caveats, and GDPR interplay. - [EU ePrivacy Directive direct marketing rules for electronic mail](/artifacts/eu/eprivacy-directive/direct-marketing-rules.md): source-linked guide to Article 13 ePrivacy Directive rules for electronic mail marketing, prior consent, customer soft opt-in, opt-out handling, sender identity, and Member State caveats. - [EU ePrivacy Directive Enforcement and Fines](/artifacts/eu/eprivacy-directive/enforcement-and-fines.md): Source-grounded guide to ePrivacy Directive enforcement, national penalties, competent authorities, GDPR interplay, cookie-banner risk, and evidence limits. - [EU ePrivacy Directive FAQ: cookies, consent, marketing, GDPR interplay](/artifacts/eu/eprivacy-directive/faq.md): Answers to recurring EU ePrivacy Directive questions on Article 5(3), terminal-equipment access, cookie consent, exemptions, analytics, direct marketing, GDPR interplay, national enforcement, and evidence. - [EU ePrivacy Directive Member State Cookie Rules](/artifacts/eu/eprivacy-directive/member-state-cookie-rules.md): How to evidence EU ePrivacy cookie compliance when Article 5(3) is implemented through Member State law and national authority practice. - [EU ePrivacy Directive Metadata and Location Data Guide](/artifacts/eu/eprivacy-directive/metadata-and-location-data.md): source-linked guide to EU ePrivacy Directive rules for traffic data, location data, anonymisation, consent, value-added services, Article 5(3) overlap, and national-law limits. - [EU ePrivacy Directive penalties and fines: national enforcement caveats](/artifacts/eu/eprivacy-directive/penalties-and-fines.md): source-linked guide to ePrivacy Directive penalty exposure, national transposition caveats, cookie enforcement evidence, consent defects, and GDPR overlap limits. - [EU ePrivacy Directive Requirements: cookies, communications and marketing](/artifacts/eu/eprivacy-directive/requirements.md): source-linked map of EU ePrivacy Directive requirements for communications confidentiality, terminal-equipment access, consent, traffic and location data, and direct marketing. - [EU ePrivacy Directive vs GDPR: cookies, communications, marketing, and evidence](/artifacts/eu/eprivacy-directive/eprivacy-vs-gdpr.md): Compare the EU ePrivacy Directive and GDPR by trigger, consent standard, lex specialis overlap, enforcement caveats, and evidence outputs for cookies, device access, communications, and marketing. - [EU ePrivacy Directive vs UK PECR: source-limited cookie and marketing comparison](/artifacts/eu/eprivacy-directive/eprivacy-vs-uk-pecr.md): Compare EU ePrivacy Directive rules with a source-limited UK PECR workstream for cookies, terminal equipment, direct marketing, consent, soft opt-in, and evidence. - [EU ePrivacy soft opt-in marketing checklist](/artifacts/eu/eprivacy-directive/soft-opt-in-marketing.md): source-linked checklist for using the EU ePrivacy Directive soft opt-in exception for customer email marketing, opt-outs, sender identity, suppression records, and national-law caveats. - [EU ePrivacy soft opt-in marketing review workflow](/artifacts/eu/eprivacy-directive/soft-opt-in-marketing-review-workflow.md): Review whether an EU electronic-mail marketing send can rely on the ePrivacy soft opt-in, with checks for customer relationship evidence, similar products, opt-out, sender identity, suppression records, and national-law caveats. - [EU ePrivacy Strictly Necessary Cookie Exemptions](/artifacts/eu/eprivacy-directive/strictly-necessary-exemptions.md): source-linked guide to the Article 5(3) ePrivacy exemptions for transmission cookies, requested-service cookies, analytics caveats, evidence, and national-law checks. - [Is a reject-all button required for EU ePrivacy cookie consent?](/artifacts/eu/eprivacy-directive/faq/reject-all-button.md): Standalone FAQ answer on EU ePrivacy reject-all and refuse options for cookie banners, including equal prominence, deceptive UX, consent evidence, withdrawal, and national-law caveats. - [Strictly Necessary Cookies under the EU ePrivacy Directive](/artifacts/eu/eprivacy-directive/faq/strictly-necessary-cookies.md): FAQ answer on when EU ePrivacy Article 5(3) allows cookies without consent, with grounded examples, analytics caveats, evidence records, and national-law cautions. - [What should CMP consent logs retain under the EU ePrivacy Directive?](/artifacts/eu/eprivacy-directive/faq/cmp-consent-logs.md): FAQ answer on CMP consent logs for EU ePrivacy cookie consent: retained fields, consent validity signals, banner versioning, refusal and withdrawal events, proof limits, and national-law caveats. *Recommended next step* *Placement: before sources* ## Use this FAQ as a pre-send review for customer email marketing Sorena can turn the Article 13(2) conditions into source-linked campaign checks, suppression-list evidence, and review records for EU ePrivacy work. - [Open Research Copilot for EU ePrivacy](/solutions/research-copilot.md): Ask source-linked questions about soft opt-in, direct marketing, consent fallback, and evidence using the cited sources on this page. - [Talk through implementation](/contact.md): Review your soft opt-in campaign gate, suppression evidence, and national-law source gaps with Sorena. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/eprivacy-directive/faq/soft-opt-in