EU ePrivacy Directive soft opt-in marketing review workflow

Use this workflow before sending electronic-mail direct marketing without fresh consent under the Article 13 soft opt-in.

The review focuses on proof of an existing customer relationship, own similar products or services, collection-time and message-level opt-out, sender identity, suppression records, approval gates, and national transposition caveats.

Author: Sorena AI
Published: May 9, 2026
Updated: May 9, 2026

Overview

Article 13 of the ePrivacy Directive starts from prior consent for electronic-mail direct marketing, then allows a narrow existing-customer exception for a sender's own similar products or services when the customer received a clear, free, easy opportunity to object at collection and with each later message. This workflow turns that exception into an approval record for marketing, product, privacy, CRM, and regional operations teams.

Section 1

Gate 1: confirm the customer relationship and collection context

Start with the contact-detail event, not the campaign brief. The soft opt-in is tied to electronic contact details obtained from customers in the context of the sale of a product or service, and the later 2009 amendment text refers to the same customer-relationship logic for Article 13.

Approve this gate only when the CRM record can show what was sold or negotiated, when the address was collected, which legal entity collected it, the privacy notice or checkout screen shown at collection, and whether the person objected at that moment.

  • Evidence to collect: order, subscription, trial, renewal, quote, or negotiation record; contact-detail source; collection timestamp; country or regional store; collecting legal entity; and screenshot or versioned copy of the opt-out language shown at collection.
  • Reject or escalate: purchased lists, scraped addresses, event badge scans without a sale or negotiation record, contacts imported from another group company, or addresses collected by a partner that is not the sending entity.
  • Approval gate: CRM owner certifies the source record, privacy/legal confirms the Article 13 basis is available for the contact source, and marketing operations locks the approved segment before creative review.
  • Record format: one campaign-level decision plus a sampled contact-evidence pack, with a link to the suppression query used to exclude objectors.

Section 2

Gate 2: test own similar products or services

The campaign must market the same sender's own similar products or services. Treat this as a product-scope review, not a copywriting preference: the product owner must explain why the offer is adjacent to what the customer bought or negotiated for, and why the sending entity is the same natural or legal person that obtained the address.

Use a short similarity matrix before audience upload. Compare the original purchase category, intended customer use, pricing model, delivery channel, brand or legal entity, and whether a reasonable customer would recognize the new message as related to the earlier relationship.

  • Approve: replenishment, renewal, compatible add-ons, upgrades, service extensions, or closely related replacements from the same sender when the relationship evidence and opt-out gates also pass.
  • Escalate: unrelated product lines, third-party offers, affiliate campaigns, cross-sell by a different legal entity, or campaigns where similarity depends only on broad customer-interest profiling.
  • Document: product owner rationale, legal/entity check, campaign objective, audience source, creative summary, and the reason each borderline product category is included or excluded.
  • Control: block campaign cloning into new countries, brands, or entities until the similarity and national-law checks are repeated.

Section 3

Gate 3: verify opt-out, sender identity, and suppression controls

The opt-out must exist twice: at collection and on each marketing message if the customer did not initially refuse. The send must also avoid disguised or concealed sender identity and provide a valid address or mechanism for requests to stop further communications.

Marketing operations should test the unsubscribe path before approval, then prove suppression after the test. The record should show that an objection entered through the campaign link, reply route, preference center, or support channel reaches the same suppression store used by the sending platform.

  • Collection-time check: clear and distinct objection wording, no charge for refusal, easy action, and stored evidence of whether the customer refused.
  • Message-level check: visible marketing identity, sender identity on whose behalf the message is sent, valid stop-contact address or link, and no creative or routing pattern that hides the sender.
  • Suppression check: global and campaign-level suppression lists applied before send, unsubscribe test completed, bounced or manual opt-out channels mapped, and objectors excluded from retargeting uploads based on the same campaign.
  • Closeout check: export campaign audience count, suppression count, test unsubscribe evidence, final creative, approval log, and the query or segment version used for the live send.

Section 4

Gate 4: national-law caveat and final approval

Do not convert this EU-level workflow into a country-rule database. Article 13 is implemented through national provisions, and the ePrivacy/GDPR relationship can affect enforcement and documentation. Before launch, the regional owner should confirm whether the target country implementation changes the practical result for the channel, audience type, timing, or objection mechanism.

If a national-law answer is missing, record the issue as blocked for that country instead of guessing. The campaign can proceed only for countries whose legal, product-similarity, opt-out, sender-identity, and suppression gates are approved.

  • Country caveat checklist: target country or countries, B2C or legal-person audience classification if relevant to the local implementation, channel type, opt-out wording language, timing since sale if the local review requires it, and whether a local reviewer approved or blocked the send.
  • Approval order: CRM source owner, product owner, privacy/legal owner, marketing operations owner, regional owner, then final campaign approver.
  • Reopen triggers: new product category, new sending entity, imported audience, changed unsubscribe flow, preference-center migration, expansion to another country, complaint spike, or a material change to national transposition guidance.
  • Blocked outcome: use fresh consent or suppress the audience until the missing customer-relationship, similarity, opt-out, sender-identity, suppression, or national-law evidence is complete.

Primary sources

References and citations

  • eur-lex.europa.eu: Supports the collection-time and each-message opportunity to object, plus the prohibition on concealed sender identity or missing stop-contact address. Quoted text: "on the occasion of each message"
  • eur-lex.europa.eu: Supports the national-law caveat because Member States lay down rules and penalties for national provisions adopted under the Directive. Quoted text: "Member States shall lay down the rules on penalties"
  • edpb.europa.eu: Used for the consent fallback: if soft opt-in fails and consent is used instead, the consent mechanism must be free, specific, informed, unambiguous, and withdrawable. Quoted text: "freely given, specific, informed and unambiguous"