Artifact GuideEU

EU ePrivacy Directive soft opt-in marketing

Decide when customer email marketing can rely on the Article 13 soft opt-in exception instead of fresh prior consent.

Use this checklist to test the existing customer relationship, similar-product limit, opt-out mechanics, sender identity, suppression evidence, GDPR overlap, and Member State implementation caveats.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
5

Structured answer sets in this page tree.

Primary sources
9

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

Article 13 of the ePrivacy Directive starts from prior consent for automated calls, fax, and electronic mail direct marketing. The soft opt-in exception is narrower: the same sender may use customer electronic contact details collected during a sale of a product or service to market its own similar products or services, but only if the customer had a clear, distinct, free, and easy chance to object when the details were collected and in every later message.

Section 1

Soft opt-in gate

Approve a campaign only when every condition is true. Treat one failed condition as a move back to the Article 13(1) prior-consent rule or to the applicable national rule for that channel.

The exception is tied to electronic contact details obtained from customers in the context of a sale. It should not be used for purchased lists, scraped contacts, prospect leads with no qualifying sale context, partner lists, or contacts collected by a different legal person.

  • Existing customer relationship: the contact details came from the sender's customer in the context of a product or service sale.
  • Same sender: the legal or natural person sending the marketing is the same person that obtained the contact details.
  • Own similar products or services: the campaign is for the sender's own offering and the similarity rationale is recorded before launch.
  • Collection opt-out: the customer was clearly and distinctly told about direct-marketing use and could object free of charge and easily when the details were collected.
  • Message opt-out: every message repeats a free and easy objection route unless the customer already refused the use.
  • Sender identity: the email does not disguise or conceal the identity of the sender on whose behalf it is made.
  • Valid stop address: the message includes a valid address or mechanism for the recipient to request that the communications cease.
Sources for this answer
Directive 2002/58/EC, Article 13 on unsolicited communications
Article 13(1) sets the prior-consent baseline; Article 13(2) states the customer-sale, same-sender, similar-product, and opt-out conditions for soft opt-in email marketing.
Directive 2009/136/EC amendments to Article 13
Shows the amended Article 13 wording, including subscribers or users, objection at collection and each message, and the sender-identity prohibition.
Section 2

Opt-out design

Soft opt-in is not a one-time list label. It is a continuing control: the collection notice, CRM consent or preference state, email template, unsubscribe endpoint, suppression process, and campaign selection rules must all match the Article 13 conditions.

The objection path should be visible in the collection journey and in each email. Do not require login, payment, a sales call, or a complex preference flow before stopping the marketing use covered by the objection.

  • At collection, show direct-marketing use next to the email capture field or checkout/account flow where the address is obtained.
  • Use plain wording that lets the customer refuse marketing use without losing the product or service they are buying.
  • In each email, include an unsubscribe link or valid reply/stop address that works for the recipient without extra friction.
  • Apply the objection to all systems that can send the same campaign type, including CRM, lifecycle messaging, sales automation, and data warehouse audience exports.
  • Test unsubscribe latency before launch and after template, ESP, CRM, or identity-system changes.
Sources for this answer
Directive 2002/58/EC, Article 13(2) and 13(4)
Supports the free and easy objection requirement at collection and each message, and the ban on email marketing without a valid address for stop requests.
EDPB Guidelines 05/2020 on consent under GDPR
Used for consent and withdrawal quality where consent is needed instead of soft opt-in, including the need for easy withdrawal and demonstrable consent.
Section 3

Evidence record

Keep campaign evidence at the audience-rule level, not only at the template level. A compliant template does not prove that each recipient met the customer-sale and similar-product conditions.

Suppression records should prove both sides of the control: who was eligible for soft opt-in and who was removed because they objected, unsubscribed, bounced into a suppression rule, or was excluded by a country-specific rule.

  • Source of contact: checkout, renewal, account, quote-to-order, or other sale-context event that produced the electronic contact detail.
  • Legal-entity match: the sender or brand on whose behalf the email is sent matches the person that obtained the address, or the mismatch is escalated and excluded.
  • Similarity rationale: a short explanation of why the promoted product or service is similar to the sold product or service.
  • Collection notice snapshot: wording, placement, timestamp or release version, and whether the customer objected at collection.
  • Message evidence: rendered email, sender identity, valid stop address or unsubscribe link, and suppression test result.
  • Suppression log: objection source, received time, applied systems, campaign exclusions, and evidence that later audience builds respected the stop flag.
  • Country check: Member State implementation or local counsel note for campaigns where national law changes the route, scope, or permissible channel.
Sources for this answer
Directive 2002/58/EC, Article 13
Supports the specific facts that must be evidenced before relying on the soft opt-in exception: customer sale context, same sender, similar products or services, and objection opportunities.
EDPB Guidelines 05/2020 on consent under GDPR
Supports keeping enough records to demonstrate valid consent when consent is the applicable basis, without collecting unnecessary proof data.
Section 4

GDPR and national-law caveats

Soft opt-in under ePrivacy does not answer every GDPR question. The ePrivacy Directive particularises and complements GDPR for electronic communications, and EDPB guidance recognises that some processing can fall within both instruments. Teams still need a GDPR lawful basis, transparency, data minimisation, retention, and rights handling for the personal-data processing around the campaign.

Article 13 leaves several points to Member State implementation, including the approach for direct-marketing cases outside Article 13(1) and 13(2), and protection of subscribers other than natural persons. Record the country rule check instead of assuming that one EU-wide marketing playbook covers every recipient or channel.

  • Do not use soft opt-in for non-similar offers, third-party offers, affiliate promotions, or unrelated newsletters unless a separate source-linked route applies.
  • Do not treat a GDPR legitimate-interest assessment as a substitute for Article 13 email-marketing conditions.
  • Check national implementation before sending to business contacts, legal persons, local branches, or mixed B2B/B2C lists.
  • Escalate campaigns involving automated calls, fax, SMS, messenger channels, or voice calls because Article 13 and national law may treat the channel differently.
  • Keep the GDPR record beside the ePrivacy record: purpose, lawful basis, transparency text, data categories, retention, processor/ESP details, transfer checks, and rights workflow.
Sources for this answer
EDPB Opinion 5/2019 on ePrivacy Directive and GDPR interplay
Supports the relationship between ePrivacy and GDPR, including that Article 13 can have an extended material scope and that GDPR may still apply to processing not covered by a specific ePrivacy rule.
European Commission proposal for an ePrivacy Regulation
Commission material confirms direct-marketing rules remained relevant in the ePrivacy review and describes the similar-products customer-relationship concept in proposed Article 16.
Directive 2002/58/EC, Article 13(3) and 13(5)
Supports the national-law caveat for other direct-marketing cases and protection of subscribers other than natural persons.
Section 5

Pre-send checklist

Use this final check before enabling an audience, lifecycle automation, newsletter segment, win-back campaign, or sales-assisted email sequence that relies on soft opt-in.

If the answer is uncertain, pause the send for the affected segment rather than diluting the rule across the full list.

Can a team use soft opt-in for prospects who downloaded a white paper?

Not from Article 13(2) alone. The exception is tied to customer electronic contact details obtained in the context of the sale of a product or service, so prospect lead capture needs another source-linked route before marketing email is sent.

Does every soft opt-in email need an unsubscribe link?

Every message must give the customer a clear, distinct, free, and easy opportunity to object if the customer has not already refused the use. A working unsubscribe link is the usual way to evidence that requirement for email.

Can a group company market its products to another group company's customers?

Do not assume so. Article 13(2) refers to the same natural or legal person using the contact details it obtained, so group-company, reseller, affiliate, and partner campaigns need separate legal review and should not be marked soft opt-in by default.

  • Each recipient is a customer whose electronic contact details were obtained in a sale context.
  • The sender is the same person that obtained the contact details.
  • The promoted offering is the sender's own similar product or service, with the similarity rationale saved.
  • Collection-time opt-out wording and evidence are available for the recipient source.
  • Each message identifies the sender and includes a valid, working stop route.
  • Suppression flags are applied before send and retested after any ESP, CRM, or data pipeline change.
  • National-law caveats are checked for the recipient countries and channels.
  • A fallback route is defined for excluded recipients: prior consent, non-marketing service communication, or no send.
Sources for this answer
Directive 2002/58/EC, Article 13(2)
Primary rule for the pre-send checks: customer sale context, same sender, own similar products or services, and opt-out at collection and each message.
Directive 2009/136/EC amendments to Article 13
Confirms the amended Article 13 text that added the current user/subscriber wording and reinforced each-message objection and sender-identity controls.
Recommended next step

Review email marketing eligibility before launch

Sorena can help convert the Article 13 conditions on this page into audience rules, collection notices, unsubscribe tests, suppression evidence, and country-check records for EU campaigns.

Research workflow
Open Research Copilot for EU ePrivacy Directive

Ask source-linked questions about Article 13, soft opt-in eligibility, opt-outs, sender identity, and evidence records using the cited sources on this page.

Explore next step
Talk to Sorena
Talk through implementation

Review your customer email marketing workflow, suppression records, source gaps, and national-law caveats with Sorena.

Explore next step
Primary sources

References and citations

Directive 2002/58/EC, Article 13
eur-lex.europa.eu
Referenced sections
  • Supports the specific facts that must be evidenced before relying on the soft opt-in exception: customer sale context, same sender, similar products or services, and objection opportunities.
"when they are collected"
Directive 2002/58/EC, Article 13(2)
eur-lex.europa.eu
Referenced sections
  • Primary rule for the pre-send checks: customer sale context, same sender, own similar products or services, and opt-out at collection and each message.
"the same natural or legal person"
Directive 2002/58/EC, Article 13(2) and 13(4)
eur-lex.europa.eu
Referenced sections
  • Supports the free and easy objection requirement at collection and each message, and the ban on email marketing without a valid address for stop requests.
"free of charge and in an easy manner"
Directive 2002/58/EC, Article 13(3) and 13(5)
eur-lex.europa.eu
Referenced sections
  • Supports the national-law caveat for other direct-marketing cases and protection of subscribers other than natural persons.
"choice between these options"
Directive 2009/136/EC amendments to Article 13
eur-lex.europa.eu
Referenced sections
  • Confirms the amended Article 13 text that added the current user/subscriber wording and reinforced each-message objection and sender-identity controls.
"subscribers or users"
EDPB Guidelines 05/2020 on consent under GDPR
edpb.europa.eu
Referenced sections
  • Supports keeping enough records to demonstrate valid consent when consent is the applicable basis, without collecting unnecessary proof data.
"demonstrate that valid consent was obtained"
EDPB Opinion 5/2019 on ePrivacy Directive and GDPR interplay
edpb.europa.eu
Referenced sections
  • Supports the relationship between ePrivacy and GDPR, including that Article 13 can have an extended material scope and that GDPR may still apply to processing not covered by a specific ePrivacy rule.
"particularise and complement"
European Commission proposal for an ePrivacy Regulation
eur-lex.europa.eu
Referenced sections
  • Commission material confirms direct-marketing rules remained relevant in the ePrivacy review and describes the similar-products customer-relationship concept in proposed Article 16.
"existing customer relationship"
Related guides

Explore more topics

Are cookie walls allowed under the EU ePrivacy Directive?
FAQ answer on cookie walls under the EU ePrivacy Directive, covering freely given consent, refusal and withdrawal paths, banner evidence, and national-law caveats.
Do Analytics Cookies Require Consent under the EU ePrivacy Directive?
FAQ answer on analytics cookies under Article 5(3) ePrivacy, limited analytics exemptions, configuration evidence, consent logs, and national-law caveats.
ePrivacy cookie consent vs DSA ads obligations: source-limited comparison
Compare ePrivacy cookie and tracking-consent duties with DSA ads workstreams without merging consent, transparency, and evidence obligations.
ePrivacy Directive vs GDPR: cookies, communications, consent, and evidence
Compare the EU ePrivacy Directive and GDPR across subject matter, lex specialis overlap, terminal equipment, communications confidentiality, marketing, consent, enforcement, and evidence.
EU cookie banner requirements under the ePrivacy Directive
EU ePrivacy cookie banner requirements for non-exempt cookies and trackers: prior consent, reject choices, no pre-ticked boxes, withdrawal, analytics limits, cookie walls, and evidence logs.
EU ePrivacy analytics cookies: consent, exemption, and evidence guide
source-linked guide to analytics cookies under EU ePrivacy: Article 5(3) scope, when consent is usually needed, limited analytics exemptions, consent records, and evidence gaps.
EU ePrivacy Applicability Test for Cookies, SDKs, Pixels, Communications, and Marketing
A concrete EU ePrivacy Directive applicability test for electronic communications services, terminal-equipment storage or access, cookies, SDKs, pixels, local storage, direct marketing, GDPR overlap, and evidence.
EU ePrivacy Article 5(3) terminal equipment test
A source-linked Article 5(3) test for cookies, pixels, local identifiers, device APIs, strictly necessary exceptions, and consent evidence.
EU ePrivacy Confidentiality of Communications: Article 5 controls
Article 5 confidentiality guide for EU ePrivacy communications, traffic data, metadata, terminal-equipment access, consent limits, and GDPR interplay.
EU ePrivacy consent-log evidence workflow for cookies and trackers
Build an ePrivacy consent-log workflow that records cookie and tracker decisions, banner versions, consent signals, withdrawals, vendor evidence, and audit-ready outputs.
EU ePrivacy cookie banner UX test cases
source-linked cookie banner UX tests for Article 5(3) ePrivacy consent: reject all, pre-ticked boxes, withdrawal, cookie walls, analytics toggles, and consent evidence.
EU ePrivacy Cookie Scope Classifier Workflow
Classify cookies, pixels, SDKs, local storage, device identifiers, and analytics tracers under Article 5(3) ePrivacy rules, with consent and exemption evidence outputs.
EU ePrivacy direct-marketing consent checklist
Checklist for ePrivacy Directive direct-marketing messages: consent, soft opt-in, sender identity, opt-out handling, proof records, suppression, and national-law caveats.
EU ePrivacy Directive compliance calendar for cookies, consent, and marketing
source-linked ePrivacy calendar covering Directive milestones, Article 5(3) cookie reviews, consent evidence, direct marketing checks, and national-law follow-up.
EU ePrivacy Directive Compliance Checklist
A concrete ePrivacy checklist for terminal equipment access, cookie consent, exemptions, banner UX, direct marketing, confidentiality, GDPR interplay, and evidence records.
EU ePrivacy Directive Compliance Guide for Cookies, Marketing, and Communications
Practical ePrivacy Directive compliance checks for terminal equipment, communications confidentiality, cookie consent, exemptions, direct marketing, evidence, and national-law caveats.
EU ePrivacy Directive Cookies and Consent: Article 5(3), exemptions, and banner evidence
Cookie consent guide for the EU ePrivacy Directive: Article 5(3) scope, strictly necessary and transmission exemptions, consent UX, withdrawal, logs, analytics caveats, and GDPR interplay.
EU ePrivacy Directive direct marketing rules for electronic mail
source-linked guide to Article 13 ePrivacy Directive rules for electronic mail marketing, prior consent, customer soft opt-in, opt-out handling, sender identity, and Member State caveats.
EU ePrivacy Directive Enforcement and Fines
Source-grounded guide to ePrivacy Directive enforcement, national penalties, competent authorities, GDPR interplay, cookie-banner risk, and evidence limits.
EU ePrivacy Directive FAQ: cookies, consent, marketing, GDPR interplay
Answers to recurring EU ePrivacy Directive questions on Article 5(3), terminal-equipment access, cookie consent, exemptions, analytics, direct marketing, GDPR interplay, national enforcement, and evidence.
EU ePrivacy Directive Member State Cookie Rules
How to evidence EU ePrivacy cookie compliance when Article 5(3) is implemented through Member State law and national authority practice.
EU ePrivacy Directive Metadata and Location Data Guide
source-linked guide to EU ePrivacy Directive rules for traffic data, location data, anonymisation, consent, value-added services, Article 5(3) overlap, and national-law limits.
EU ePrivacy Directive penalties and fines: national enforcement caveats
source-linked guide to ePrivacy Directive penalty exposure, national transposition caveats, cookie enforcement evidence, consent defects, and GDPR overlap limits.
EU ePrivacy Directive Requirements: cookies, communications and marketing
source-linked map of EU ePrivacy Directive requirements for communications confidentiality, terminal-equipment access, consent, traffic and location data, and direct marketing.
EU ePrivacy Directive vs GDPR: cookies, communications, marketing, and evidence
Compare the EU ePrivacy Directive and GDPR by trigger, consent standard, lex specialis overlap, enforcement caveats, and evidence outputs for cookies, device access, communications, and marketing.
EU ePrivacy Directive vs UK PECR: source-limited cookie and marketing comparison
Compare EU ePrivacy Directive rules with a source-limited UK PECR workstream for cookies, terminal equipment, direct marketing, consent, soft opt-in, and evidence.
EU ePrivacy soft opt-in FAQ for email marketing
When Article 13(2) soft opt-in can support EU customer email marketing, including existing-customer, similar-offer, opt-out, sender-identity, suppression-list, and national-law checks.
EU ePrivacy soft opt-in marketing review workflow
Review whether an EU electronic-mail marketing send can rely on the ePrivacy soft opt-in, with checks for customer relationship evidence, similar products, opt-out, sender identity, suppression records, and national-law caveats.
EU ePrivacy Strictly Necessary Cookie Exemptions
source-linked guide to the Article 5(3) ePrivacy exemptions for transmission cookies, requested-service cookies, analytics caveats, evidence, and national-law checks.
Is a reject-all button required for EU ePrivacy cookie consent?
Standalone FAQ answer on EU ePrivacy reject-all and refuse options for cookie banners, including equal prominence, deceptive UX, consent evidence, withdrawal, and national-law caveats.
Strictly Necessary Cookies under the EU ePrivacy Directive
FAQ answer on when EU ePrivacy Article 5(3) allows cookies without consent, with grounded examples, analytics caveats, evidence records, and national-law cautions.
What should CMP consent logs retain under the EU ePrivacy Directive?
FAQ answer on CMP consent logs for EU ePrivacy cookie consent: retained fields, consent validity signals, banner versioning, refusal and withdrawal events, proof limits, and national-law caveats.