--- title: "EU ePrivacy soft opt-in marketing review workflow" canonical_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/soft-opt-in-marketing-review-workflow" source_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/soft-opt-in-marketing-review-workflow" author: "Sorena AI" description: "Review whether an EU electronic-mail marketing send can rely on the ePrivacy soft opt-in, with checks for customer relationship evidence, similar products, opt-out, sender identity, suppression records, and national-law caveats." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "EU ePrivacy Directive" - "Article 13" - "soft opt-in" - "electronic mail marketing" - "direct marketing" - "opt-out evidence" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # EU ePrivacy soft opt-in marketing review workflow Review whether an EU electronic-mail marketing send can rely on the ePrivacy soft opt-in, with checks for customer relationship evidence, similar products, opt-out, sender identity, suppression records, and national-law caveats. *Workflow* *EU* ## EU ePrivacy Directive soft opt-in marketing review workflow Use this workflow before sending electronic-mail direct marketing without fresh consent under the Article 13 soft opt-in. The review focuses on proof of an existing customer relationship, own similar products or services, collection-time and message-level opt-out, sender identity, suppression records, approval gates, and national transposition caveats. Article 13 of the ePrivacy Directive starts from prior consent for electronic-mail direct marketing, then allows a narrow existing-customer exception for a sender's own similar products or services when the customer received a clear, free, easy opportunity to object at collection and with each later message. This workflow turns that exception into an approval record for marketing, product, privacy, CRM, and regional operations teams. ## Gate 1: confirm the customer relationship and collection context Start with the contact-detail event, not the campaign brief. The soft opt-in is tied to electronic contact details obtained from customers in the context of a product or service sale, with the later 2009 amendment text referring to the same customer relationship logic for Article 13. Approve this gate only when the CRM record can show what was sold or negotiated, when the address was collected, which legal entity collected it, the privacy notice or checkout screen shown at collection, and whether the person objected at that moment. - Evidence to collect: order, subscription, trial, renewal, quote, or negotiation record; contact-detail source; collection timestamp; country or regional store; collecting legal entity; and screenshot or versioned copy of the opt-out language shown at collection. - Reject or escalate: purchased lists, scraped addresses, event badge scans without a sale or negotiation record, contacts imported from another group company, or addresses collected by a partner that is not the sending entity. - Approval gate: CRM owner certifies the source record, privacy/legal confirms the Article 13 basis is available for the contact source, and marketing operations locks the approved segment before creative review. - Record format: one campaign-level decision plus a sampled contact-evidence pack, with a link to the suppression query used to exclude objectors. Sources for this answer: - [Directive 2002/58/EC, Article 13](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058&ref=sorena.io) - Supports the baseline Article 13 rule that prior consent is required for electronic-mail direct marketing, with a limited customer-relationship exception. - [Directive 2009/136/EC amendments to Directive 2002/58/EC](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02009L0136-20201221&ref=sorena.io) - Shows the amended Article 13 wording used to review the soft opt-in conditions after the 2009 changes. - [EDPB Guidelines 05/2020 on consent under GDPR](https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Used for the fallback path where the Article 13 soft opt-in is unavailable and the sender must rely on valid consent instead. ## Gate 2: test own similar products or services The campaign must market the same sender's own similar products or services. Treat this as a product-scope review, not a copywriting preference: the product owner must explain why the offer is adjacent to what the customer bought or negotiated for, and why the sending entity is the same natural or legal person that obtained the address. Use a short similarity matrix before audience upload. Compare the original purchase category, intended customer use, pricing model, delivery channel, brand or legal entity, and whether a reasonable customer would recognize the new message as related to the earlier relationship. - Approve: replenishment, renewal, compatible add-ons, upgrades, service extensions, or closely related replacements from the same sender when the relationship evidence and opt-out gates also pass. - Escalate: unrelated product lines, third-party offers, affiliate campaigns, cross-sell by a different legal entity, or campaigns where similarity depends only on broad customer-interest profiling. - Document: product owner rationale, legal/entity check, campaign objective, audience source, creative summary, and the reason each borderline product category is included or excluded. - Control: block campaign cloning into new countries, brands, or entities until the similarity and national-law checks are repeated. Sources for this answer: - [Directive 2002/58/EC, Article 13](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058&ref=sorena.io) - Provides the Article 13 condition that the contact details may be used only for direct marketing of the sender's own similar products or services. - [Commission ePrivacy future-proof framework overview](https://digital-strategy.ec.europa.eu/en/library/eprivacyeu-towards-future-proof-legal-framework-online-privacy?ref=sorena.io) - Commission material frames ePrivacy as the sector-specific privacy framework for electronic communications, supporting a channel-specific review rather than a generic GDPR-only check. ## Gate 3: verify opt-out, sender identity, and suppression controls The opt-out must exist twice: at collection and on each marketing message if the customer did not initially refuse. The send must also avoid disguised or concealed sender identity and provide a valid address or mechanism for requests to stop further communications. Marketing operations should test the unsubscribe path before approval, then prove suppression after the test. The record should show that an objection entered through the campaign link, reply route, preference center, or support channel reaches the same suppression store used by the sending platform. - Collection-time check: clear and distinct objection wording, no charge for refusal, easy action, and stored evidence of whether the customer refused. - Message-level check: visible marketing identity, sender identity on whose behalf the message is sent, valid stop-contact address or link, and no creative or routing pattern that hides the sender. - Suppression check: global and campaign-level suppression lists applied before send, unsubscribe test completed, bounced or manual opt-out channels mapped, and objectors excluded from retargeting uploads based on the same campaign. - Closeout check: export campaign audience count, suppression count, test unsubscribe evidence, final creative, approval log, and the query or segment version used for the live send. Sources for this answer: - [Directive 2002/58/EC, Article 13](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058&ref=sorena.io) - Supports the collection-time and each-message opportunity to object, plus the prohibition on concealed sender identity or missing stop-contact address. - [Directive 2009/136/EC amendments to Directive 2002/58/EC](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02009L0136-20201221&ref=sorena.io) - Confirms the post-amendment Article 13 wording for clear, free, easy objection and sender-identity controls. - [EDPB Guidelines 05/2020 on consent under GDPR](https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Used for the consent fallback: if soft opt-in fails and consent is used instead, the consent mechanism must be free, specific, informed, unambiguous, and withdrawable. ## Gate 4: national-law caveat and final approval Do not convert this EU-level workflow into a country-rule database. Article 13 is implemented through national provisions, and the ePrivacy/GDPR relationship can affect enforcement and documentation. Before launch, the regional owner should confirm whether the target country implementation changes the practical result for the channel, audience type, timing, or objection mechanism. If a national-law answer is missing, record the issue as blocked for that country instead of guessing. The campaign can proceed only for countries whose legal, product-similarity, opt-out, sender-identity, and suppression gates are approved. - Country caveat checklist: target country or countries, B2C or legal-person audience classification if relevant to the local implementation, channel type, opt-out wording language, timing since sale if the local review requires it, and whether a local reviewer approved or blocked the send. - Approval order: CRM source owner, product owner, privacy/legal owner, marketing operations owner, regional owner, then final campaign approver. - Reopen triggers: new product category, new sending entity, imported audience, changed unsubscribe flow, preference-center migration, expansion to another country, complaint spike, or a material change to national transposition guidance. - Blocked outcome: use fresh consent or suppress the audience until the missing customer-relationship, similarity, opt-out, sender-identity, suppression, or national-law evidence is complete. Sources for this answer: - [Commission ePrivacy future-proof framework overview](https://digital-strategy.ec.europa.eu/en/library/eprivacyeu-towards-future-proof-legal-framework-online-privacy?ref=sorena.io) - Supports treating ePrivacy as a continuing EU privacy framework for electronic communications rather than a one-time marketing-policy note. - [Directive 2002/58/EC, Article 15a](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058&ref=sorena.io) - Supports the national-law caveat because Member States lay down rules and penalties for national provisions adopted under the Directive. *Recommended next step* *Placement: before sources* ## Review the send before the audience leaves CRM Sorena can help convert the Article 13 checks on this page into campaign approval gates, segment evidence, suppression tests, and reusable regional review records. - [Open Research Copilot for EU ePrivacy](/solutions/research-copilot.md): Ask cited questions about customer relationship evidence, similar products, opt-out controls, sender identity, and soft opt-in campaign approval. - [Talk through implementation](/contact.md): Review a proposed electronic-mail marketing send, source gaps, and national-law caveats before launch. ## Primary sources - [Directive 2002/58/EC, Article 13](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058&ref=sorena.io) - Binding EU source for the prior-consent rule, soft opt-in customer exception, similar-products condition, each-message objection opportunity, and sender-identity prohibition for electronic-mail direct marketing. - Quote: "direct marketing of its own similar products or services" - [Directive 2009/136/EC amendments to Directive 2002/58/EC](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02009L0136-20201221&ref=sorena.io) - Official amendment text used to verify the amended Article 13 wording for unsolicited communications and electronic-mail marketing controls. - Quote: "customers clearly and distinctly are given the opportunity to object" - [EDPB Guidelines 05/2020 on consent under GDPR](https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Used only for the consent fallback and withdrawal-quality checks where a campaign cannot rely on the ePrivacy soft opt-in. - Quote: "as easy as granting it" - [Commission ePrivacy future-proof framework overview](https://digital-strategy.ec.europa.eu/en/library/eprivacyeu-towards-future-proof-legal-framework-online-privacy?ref=sorena.io) - Commission ePrivacy material used for context that electronic communications privacy remains a distinct framework alongside GDPR. - Quote: "ePrivacy" ## Related Topic Guides - [Are cookie walls allowed under the EU ePrivacy Directive?](/artifacts/eu/eprivacy-directive/faq/cookie-walls.md): FAQ answer on cookie walls under the EU ePrivacy Directive, covering freely given consent, refusal and withdrawal paths, banner evidence, and national-law caveats. - [Do Analytics Cookies Require Consent under the EU ePrivacy Directive?](/artifacts/eu/eprivacy-directive/faq/analytics-cookies.md): FAQ answer on analytics cookies under Article 5(3) ePrivacy, limited analytics exemptions, configuration evidence, consent logs, and national-law caveats. - [ePrivacy cookie consent vs DSA ads obligations: source-limited comparison](/artifacts/eu/eprivacy-directive/eprivacy-vs-dsa-ads.md): Compare ePrivacy cookie and tracking-consent duties with DSA ads workstreams without merging consent, transparency, and evidence obligations. - [ePrivacy Directive vs GDPR: cookies, communications, consent, and evidence](/artifacts/eu/eprivacy-directive/eprivacy-directive-vs-gdpr.md): Compare the EU ePrivacy Directive and GDPR across subject matter, lex specialis overlap, terminal equipment, communications confidentiality, marketing, consent, enforcement, and evidence. - [EU cookie banner requirements under the ePrivacy Directive](/artifacts/eu/eprivacy-directive/eu-cookie-banner-requirements.md): EU ePrivacy cookie banner requirements for non-exempt cookies and trackers: prior consent, reject choices, no pre-ticked boxes, withdrawal, analytics limits, cookie walls, and evidence logs. - [EU ePrivacy analytics cookies: consent, exemption, and evidence guide](/artifacts/eu/eprivacy-directive/analytics-cookies.md): source-linked guide to analytics cookies under EU ePrivacy: Article 5(3) scope, when consent is usually needed, limited analytics exemptions, consent records, and evidence gaps. - [EU ePrivacy Applicability Test for Cookies, SDKs, Pixels, Communications, and Marketing](/artifacts/eu/eprivacy-directive/applicability-test.md): A concrete EU ePrivacy Directive applicability test for electronic communications services, terminal-equipment storage or access, cookies, SDKs, pixels, local storage, direct marketing, GDPR overlap, and evidence. - [EU ePrivacy Article 5(3) terminal equipment test](/artifacts/eu/eprivacy-directive/article-5-3-terminal-equipment-test.md): A source-linked Article 5(3) test for cookies, pixels, local identifiers, device APIs, strictly necessary exceptions, and consent evidence. - [EU ePrivacy Confidentiality of Communications: Article 5 controls](/artifacts/eu/eprivacy-directive/confidentiality-of-communications.md): Article 5 confidentiality guide for EU ePrivacy communications, traffic data, metadata, terminal-equipment access, consent limits, and GDPR interplay. - [EU ePrivacy consent-log evidence workflow for cookies and trackers](/artifacts/eu/eprivacy-directive/consent-log-evidence-workflow.md): Build an ePrivacy consent-log workflow that records cookie and tracker decisions, banner versions, consent signals, withdrawals, vendor evidence, and audit-ready outputs. - [EU ePrivacy cookie banner UX test cases](/artifacts/eu/eprivacy-directive/banner-ux-test-cases.md): source-linked cookie banner UX tests for Article 5(3) ePrivacy consent: reject all, pre-ticked boxes, withdrawal, cookie walls, analytics toggles, and consent evidence. - [EU ePrivacy Cookie Scope Classifier Workflow](/artifacts/eu/eprivacy-directive/cookie-scope-classifier-workflow.md): Classify cookies, pixels, SDKs, local storage, device identifiers, and analytics tracers under Article 5(3) ePrivacy rules, with consent and exemption evidence outputs. - [EU ePrivacy direct-marketing consent checklist](/artifacts/eu/eprivacy-directive/direct-marketing-consent-checklist.md): Checklist for ePrivacy Directive direct-marketing messages: consent, soft opt-in, sender identity, opt-out handling, proof records, suppression, and national-law caveats. - [EU ePrivacy Directive compliance calendar for cookies, consent, and marketing](/artifacts/eu/eprivacy-directive/deadlines-and-compliance-calendar.md): source-linked ePrivacy calendar covering Directive milestones, Article 5(3) cookie reviews, consent evidence, direct marketing checks, and national-law follow-up. - [EU ePrivacy Directive Compliance Checklist](/artifacts/eu/eprivacy-directive/checklist.md): A concrete ePrivacy checklist for terminal equipment access, cookie consent, exemptions, banner UX, direct marketing, confidentiality, GDPR interplay, and evidence records. - [EU ePrivacy Directive Compliance Guide for Cookies, Marketing, and Communications](/artifacts/eu/eprivacy-directive/compliance.md): Practical ePrivacy Directive compliance checks for terminal equipment, communications confidentiality, cookie consent, exemptions, direct marketing, evidence, and national-law caveats. - [EU ePrivacy Directive Cookies and Consent: Article 5(3), exemptions, and banner evidence](/artifacts/eu/eprivacy-directive/cookies-and-consent.md): Cookie consent guide for the EU ePrivacy Directive: Article 5(3) scope, strictly necessary and transmission exemptions, consent UX, withdrawal, logs, analytics caveats, and GDPR interplay. - [EU ePrivacy Directive direct marketing rules for electronic mail](/artifacts/eu/eprivacy-directive/direct-marketing-rules.md): source-linked guide to Article 13 ePrivacy Directive rules for electronic mail marketing, prior consent, customer soft opt-in, opt-out handling, sender identity, and Member State caveats. - [EU ePrivacy Directive Enforcement and Fines](/artifacts/eu/eprivacy-directive/enforcement-and-fines.md): Source-grounded guide to ePrivacy Directive enforcement, national penalties, competent authorities, GDPR interplay, cookie-banner risk, and evidence limits. - [EU ePrivacy Directive FAQ: cookies, consent, marketing, GDPR interplay](/artifacts/eu/eprivacy-directive/faq.md): Answers to recurring EU ePrivacy Directive questions on Article 5(3), terminal-equipment access, cookie consent, exemptions, analytics, direct marketing, GDPR interplay, national enforcement, and evidence. - [EU ePrivacy Directive Member State Cookie Rules](/artifacts/eu/eprivacy-directive/member-state-cookie-rules.md): How to evidence EU ePrivacy cookie compliance when Article 5(3) is implemented through Member State law and national authority practice. - [EU ePrivacy Directive Metadata and Location Data Guide](/artifacts/eu/eprivacy-directive/metadata-and-location-data.md): source-linked guide to EU ePrivacy Directive rules for traffic data, location data, anonymisation, consent, value-added services, Article 5(3) overlap, and national-law limits. - [EU ePrivacy Directive penalties and fines: national enforcement caveats](/artifacts/eu/eprivacy-directive/penalties-and-fines.md): source-linked guide to ePrivacy Directive penalty exposure, national transposition caveats, cookie enforcement evidence, consent defects, and GDPR overlap limits. - [EU ePrivacy Directive Requirements: cookies, communications and marketing](/artifacts/eu/eprivacy-directive/requirements.md): source-linked map of EU ePrivacy Directive requirements for communications confidentiality, terminal-equipment access, consent, traffic and location data, and direct marketing. - [EU ePrivacy Directive vs GDPR: cookies, communications, marketing, and evidence](/artifacts/eu/eprivacy-directive/eprivacy-vs-gdpr.md): Compare the EU ePrivacy Directive and GDPR by trigger, consent standard, lex specialis overlap, enforcement caveats, and evidence outputs for cookies, device access, communications, and marketing. - [EU ePrivacy Directive vs UK PECR: source-limited cookie and marketing comparison](/artifacts/eu/eprivacy-directive/eprivacy-vs-uk-pecr.md): Compare EU ePrivacy Directive rules with a source-limited UK PECR workstream for cookies, terminal equipment, direct marketing, consent, soft opt-in, and evidence. - [EU ePrivacy soft opt-in FAQ for email marketing](/artifacts/eu/eprivacy-directive/faq/soft-opt-in.md): When Article 13(2) soft opt-in can support EU customer email marketing, including existing-customer, similar-offer, opt-out, sender-identity, suppression-list, and national-law checks. - [EU ePrivacy soft opt-in marketing checklist](/artifacts/eu/eprivacy-directive/soft-opt-in-marketing.md): source-linked checklist for using the EU ePrivacy Directive soft opt-in exception for customer email marketing, opt-outs, sender identity, suppression records, and national-law caveats. - [EU ePrivacy Strictly Necessary Cookie Exemptions](/artifacts/eu/eprivacy-directive/strictly-necessary-exemptions.md): source-linked guide to the Article 5(3) ePrivacy exemptions for transmission cookies, requested-service cookies, analytics caveats, evidence, and national-law checks. - [Is a reject-all button required for EU ePrivacy cookie consent?](/artifacts/eu/eprivacy-directive/faq/reject-all-button.md): Standalone FAQ answer on EU ePrivacy reject-all and refuse options for cookie banners, including equal prominence, deceptive UX, consent evidence, withdrawal, and national-law caveats. - [Strictly Necessary Cookies under the EU ePrivacy Directive](/artifacts/eu/eprivacy-directive/faq/strictly-necessary-cookies.md): FAQ answer on when EU ePrivacy Article 5(3) allows cookies without consent, with grounded examples, analytics caveats, evidence records, and national-law cautions. - [What should CMP consent logs retain under the EU ePrivacy Directive?](/artifacts/eu/eprivacy-directive/faq/cmp-consent-logs.md): FAQ answer on CMP consent logs for EU ePrivacy cookie consent: retained fields, consent validity signals, banner versioning, refusal and withdrawal events, proof limits, and national-law caveats. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/eprivacy-directive/soft-opt-in-marketing-review-workflow