--- title: "EU ePrivacy soft opt-in marketing checklist" canonical_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/soft-opt-in-marketing" source_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/soft-opt-in-marketing" author: "Sorena AI" description: "source-linked checklist for using the EU ePrivacy Directive soft opt-in exception for customer email marketing, opt-outs, sender identity, suppression records, and national-law caveats." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "EU ePrivacy Directive" - "Article 13" - "soft opt-in marketing" - "direct marketing" - "electronic mail" - "unsubscribe" - "suppression list" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # EU ePrivacy soft opt-in marketing checklist source-linked checklist for using the EU ePrivacy Directive soft opt-in exception for customer email marketing, opt-outs, sender identity, suppression records, and national-law caveats. *Artifact Guide* *EU* ## EU ePrivacy Directive soft opt-in marketing Decide when customer email marketing can rely on the Article 13 soft opt-in exception instead of fresh prior consent. Use this checklist to test the existing customer relationship, similar-product limit, opt-out mechanics, sender identity, suppression evidence, GDPR overlap, and Member State implementation caveats. Article 13 of the ePrivacy Directive starts from prior consent for automated calls, fax, and electronic mail direct marketing. The soft opt-in exception is narrower: the same sender may use customer electronic contact details collected during a sale of a product or service to market its own similar products or services, but only if the customer had a clear, distinct, free, and easy chance to object when the details were collected and in every later message. ## Soft opt-in gate Approve a campaign only when every condition is true. Treat one failed condition as a move back to the Article 13(1) prior-consent rule or to the applicable national rule for that channel. The exception is tied to electronic contact details obtained from customers in the context of a sale. It should not be used for purchased lists, scraped contacts, prospect leads with no qualifying sale context, partner lists, or contacts collected by a different legal person. - Existing customer relationship: the contact details came from the sender's customer in the context of a product or service sale. - Same sender: the legal or natural person sending the marketing is the same person that obtained the contact details. - Own similar products or services: the campaign is for the sender's own offering and the similarity rationale is recorded before launch. - Collection opt-out: the customer was clearly and distinctly told about direct-marketing use and could object free of charge and easily when the details were collected. - Message opt-out: every message repeats a free and easy objection route unless the customer already refused the use. - Sender identity: the email does not disguise or conceal the identity of the sender on whose behalf it is made. - Valid stop address: the message includes a valid address or mechanism for the recipient to request that the communications cease. Sources for this answer: - [Directive 2002/58/EC, Article 13 on unsolicited communications](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058&ref=sorena.io) - Article 13(1) sets the prior-consent baseline; Article 13(2) states the customer-sale, same-sender, similar-product, and opt-out conditions for soft opt-in email marketing. - [Directive 2009/136/EC amendments to Article 13](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02009L0136-20201221&ref=sorena.io) - Shows the amended Article 13 wording, including subscribers or users, objection at collection and each message, and the sender-identity prohibition. ## Opt-out design Soft opt-in is not a one-time list label. It is a continuing control: the collection notice, CRM consent or preference state, email template, unsubscribe endpoint, suppression process, and campaign selection rules must all match the Article 13 conditions. The objection path should be visible in the collection journey and in each email. Do not require login, payment, a sales call, or a complex preference flow before stopping the marketing use covered by the objection. - At collection, show direct-marketing use next to the email capture field or checkout/account flow where the address is obtained. - Use plain wording that lets the customer refuse marketing use without losing the product or service they are buying. - In each email, include an unsubscribe link or valid reply/stop address that works for the recipient without extra friction. - Apply the objection to all systems that can send the same campaign type, including CRM, lifecycle messaging, sales automation, and data warehouse audience exports. - Test unsubscribe latency before launch and after template, ESP, CRM, or identity-system changes. Sources for this answer: - [Directive 2002/58/EC, Article 13(2) and 13(4)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058&ref=sorena.io) - Supports the free and easy objection requirement at collection and each message, and the ban on email marketing without a valid address for stop requests. - [EDPB Guidelines 05/2020 on consent under GDPR](https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Used for consent and withdrawal quality where consent is needed instead of soft opt-in, including the need for easy withdrawal and demonstrable consent. ## Evidence record Keep campaign evidence at the audience-rule level, not only at the template level. A compliant template does not prove that each recipient met the customer-sale and similar-product conditions. Suppression records should prove both sides of the control: who was eligible for soft opt-in and who was removed because they objected, unsubscribed, bounced into a suppression rule, or was excluded by a country-specific rule. - Source of contact: checkout, renewal, account, quote-to-order, or other sale-context event that produced the electronic contact detail. - Legal-entity match: the sender or brand on whose behalf the email is sent matches the person that obtained the address, or the mismatch is escalated and excluded. - Similarity rationale: a short explanation of why the promoted product or service is similar to the sold product or service. - Collection notice snapshot: wording, placement, timestamp or release version, and whether the customer objected at collection. - Message evidence: rendered email, sender identity, valid stop address or unsubscribe link, and suppression test result. - Suppression log: objection source, received time, applied systems, campaign exclusions, and evidence that later audience builds respected the stop flag. - Country check: Member State implementation or local counsel note for campaigns where national law changes the route, scope, or permissible channel. Sources for this answer: - [Directive 2002/58/EC, Article 13](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058&ref=sorena.io) - Supports the specific facts that must be evidenced before relying on the soft opt-in exception: customer sale context, same sender, similar products or services, and objection opportunities. - [EDPB Guidelines 05/2020 on consent under GDPR](https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Supports keeping enough records to demonstrate valid consent when consent is the applicable basis, without collecting unnecessary proof data. ## GDPR and national-law caveats Soft opt-in under ePrivacy does not answer every GDPR question. The ePrivacy Directive particularises and complements GDPR for electronic communications, and EDPB guidance recognises that some processing can fall within both instruments. Teams still need a GDPR lawful basis, transparency, data minimisation, retention, and rights handling for the personal-data processing around the campaign. Article 13 leaves several points to Member State implementation, including the approach for direct-marketing cases outside Article 13(1) and 13(2), and protection of subscribers other than natural persons. Record the country rule check instead of assuming that one EU-wide marketing playbook covers every recipient or channel. - Do not use soft opt-in for non-similar offers, third-party offers, affiliate promotions, or unrelated newsletters unless a separate source-linked route applies. - Do not treat a GDPR legitimate-interest assessment as a substitute for Article 13 email-marketing conditions. - Check national implementation before sending to business contacts, legal persons, local branches, or mixed B2B/B2C lists. - Escalate campaigns involving automated calls, fax, SMS, messenger channels, or voice calls because Article 13 and national law may treat the channel differently. - Keep the GDPR record beside the ePrivacy record: purpose, lawful basis, transparency text, data categories, retention, processor/ESP details, transfer checks, and rights workflow. Sources for this answer: - [EDPB Opinion 5/2019 on ePrivacy Directive and GDPR interplay](https://www.edpb.europa.eu/sites/default/files/files/file1/201905_edpb_opinion_eprivacydir_gdpr_interplay_en.pdf?ref=sorena.io) - Supports the relationship between ePrivacy and GDPR, including that Article 13 can have an extended material scope and that GDPR may still apply to processing not covered by a specific ePrivacy rule. - [European Commission proposal for an ePrivacy Regulation](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52017PC0010&ref=sorena.io) - Commission material confirms direct-marketing rules remained relevant in the ePrivacy review and describes the similar-products customer-relationship concept in proposed Article 16. - [Directive 2002/58/EC, Article 13(3) and 13(5)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058&ref=sorena.io) - Supports the national-law caveat for other direct-marketing cases and protection of subscribers other than natural persons. ## Pre-send checklist Use this final check before enabling an audience, lifecycle automation, newsletter segment, win-back campaign, or sales-assisted email sequence that relies on soft opt-in. If the answer is uncertain, pause the send for the affected segment rather than diluting the rule across the full list. - Each recipient is a customer whose electronic contact details were obtained in a sale context. - The sender is the same person that obtained the contact details. - The promoted offering is the sender's own similar product or service, with the similarity rationale saved. - Collection-time opt-out wording and evidence are available for the recipient source. - Each message identifies the sender and includes a valid, working stop route. - Suppression flags are applied before send and retested after any ESP, CRM, or data pipeline change. - National-law caveats are checked for the recipient countries and channels. - A fallback route is defined for excluded recipients: prior consent, non-marketing service communication, or no send. Sources for this answer: - [Directive 2002/58/EC, Article 13(2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058&ref=sorena.io) - Primary rule for the pre-send checks: customer sale context, same sender, own similar products or services, and opt-out at collection and each message. - [Directive 2009/136/EC amendments to Article 13](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02009L0136-20201221&ref=sorena.io) - Confirms the amended Article 13 text that added the current user/subscriber wording and reinforced each-message objection and sender-identity controls. *Recommended next step* *Placement: before sources* ## Review email marketing eligibility before launch Sorena can help convert the Article 13 conditions on this page into audience rules, collection notices, unsubscribe tests, suppression evidence, and country-check records for EU campaigns. - [Open Research Copilot for EU ePrivacy Directive](/solutions/research-copilot.md): Ask source-linked questions about Article 13, soft opt-in eligibility, opt-outs, sender identity, and evidence records using the cited sources on this page. - [Talk through implementation](/contact.md): Review your customer email marketing workflow, suppression records, source gaps, and national-law caveats with Sorena. ## Primary sources - [Directive 2002/58/EC, Article 13 on unsolicited communications](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058&ref=sorena.io) - Primary ePrivacy Directive source for prior consent, the customer soft opt-in exception, sender identity, valid stop address, and Member State implementation caveats. - Quote: "own similar products or services" - [Directive 2009/136/EC amendments to Article 13](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02009L0136-20201221&ref=sorena.io) - Amending Directive source for the current Article 13 wording on subscribers or users, objection at collection and each message, and the prohibition on concealed sender identity. - Quote: "on the occasion of each message" - [EDPB Guidelines 05/2020 on consent under GDPR](https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Consent-quality and withdrawal source for cases where soft opt-in is unavailable and prior consent is required. - Quote: "as easy as giving consent" - [EDPB Opinion 5/2019 on ePrivacy Directive and GDPR interplay](https://www.edpb.europa.eu/sites/default/files/files/file1/201905_edpb_opinion_eprivacydir_gdpr_interplay_en.pdf?ref=sorena.io) - Explains how the ePrivacy Directive particularises and complements GDPR and why GDPR duties can still matter around ePrivacy-covered marketing operations. - Quote: "particularise and complement" - [European Commission proposal for an ePrivacy Regulation](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52017PC0010&ref=sorena.io) - Commission ePrivacy material confirming that unsolicited marketing rules remained relevant and discussing the similar-products existing-customer concept in the proposed Regulation. - Quote: "existing customer relationship" ## Related Topic Guides - [Are cookie walls allowed under the EU ePrivacy Directive?](/artifacts/eu/eprivacy-directive/faq/cookie-walls.md): FAQ answer on cookie walls under the EU ePrivacy Directive, covering freely given consent, refusal and withdrawal paths, banner evidence, and national-law caveats. - [Do Analytics Cookies Require Consent under the EU ePrivacy Directive?](/artifacts/eu/eprivacy-directive/faq/analytics-cookies.md): FAQ answer on analytics cookies under Article 5(3) ePrivacy, limited analytics exemptions, configuration evidence, consent logs, and national-law caveats. - [ePrivacy cookie consent vs DSA ads obligations: source-limited comparison](/artifacts/eu/eprivacy-directive/eprivacy-vs-dsa-ads.md): Compare ePrivacy cookie and tracking-consent duties with DSA ads workstreams without merging consent, transparency, and evidence obligations. - [ePrivacy Directive vs GDPR: cookies, communications, consent, and evidence](/artifacts/eu/eprivacy-directive/eprivacy-directive-vs-gdpr.md): Compare the EU ePrivacy Directive and GDPR across subject matter, lex specialis overlap, terminal equipment, communications confidentiality, marketing, consent, enforcement, and evidence. - [EU cookie banner requirements under the ePrivacy Directive](/artifacts/eu/eprivacy-directive/eu-cookie-banner-requirements.md): EU ePrivacy cookie banner requirements for non-exempt cookies and trackers: prior consent, reject choices, no pre-ticked boxes, withdrawal, analytics limits, cookie walls, and evidence logs. - [EU ePrivacy analytics cookies: consent, exemption, and evidence guide](/artifacts/eu/eprivacy-directive/analytics-cookies.md): source-linked guide to analytics cookies under EU ePrivacy: Article 5(3) scope, when consent is usually needed, limited analytics exemptions, consent records, and evidence gaps. - [EU ePrivacy Applicability Test for Cookies, SDKs, Pixels, Communications, and Marketing](/artifacts/eu/eprivacy-directive/applicability-test.md): A concrete EU ePrivacy Directive applicability test for electronic communications services, terminal-equipment storage or access, cookies, SDKs, pixels, local storage, direct marketing, GDPR overlap, and evidence. - [EU ePrivacy Article 5(3) terminal equipment test](/artifacts/eu/eprivacy-directive/article-5-3-terminal-equipment-test.md): A source-linked Article 5(3) test for cookies, pixels, local identifiers, device APIs, strictly necessary exceptions, and consent evidence. - [EU ePrivacy Confidentiality of Communications: Article 5 controls](/artifacts/eu/eprivacy-directive/confidentiality-of-communications.md): Article 5 confidentiality guide for EU ePrivacy communications, traffic data, metadata, terminal-equipment access, consent limits, and GDPR interplay. - [EU ePrivacy consent-log evidence workflow for cookies and trackers](/artifacts/eu/eprivacy-directive/consent-log-evidence-workflow.md): Build an ePrivacy consent-log workflow that records cookie and tracker decisions, banner versions, consent signals, withdrawals, vendor evidence, and audit-ready outputs. - [EU ePrivacy cookie banner UX test cases](/artifacts/eu/eprivacy-directive/banner-ux-test-cases.md): source-linked cookie banner UX tests for Article 5(3) ePrivacy consent: reject all, pre-ticked boxes, withdrawal, cookie walls, analytics toggles, and consent evidence. - [EU ePrivacy Cookie Scope Classifier Workflow](/artifacts/eu/eprivacy-directive/cookie-scope-classifier-workflow.md): Classify cookies, pixels, SDKs, local storage, device identifiers, and analytics tracers under Article 5(3) ePrivacy rules, with consent and exemption evidence outputs. - [EU ePrivacy direct-marketing consent checklist](/artifacts/eu/eprivacy-directive/direct-marketing-consent-checklist.md): Checklist for ePrivacy Directive direct-marketing messages: consent, soft opt-in, sender identity, opt-out handling, proof records, suppression, and national-law caveats. - [EU ePrivacy Directive compliance calendar for cookies, consent, and marketing](/artifacts/eu/eprivacy-directive/deadlines-and-compliance-calendar.md): source-linked ePrivacy calendar covering Directive milestones, Article 5(3) cookie reviews, consent evidence, direct marketing checks, and national-law follow-up. - [EU ePrivacy Directive Compliance Checklist](/artifacts/eu/eprivacy-directive/checklist.md): A concrete ePrivacy checklist for terminal equipment access, cookie consent, exemptions, banner UX, direct marketing, confidentiality, GDPR interplay, and evidence records. - [EU ePrivacy Directive Compliance Guide for Cookies, Marketing, and Communications](/artifacts/eu/eprivacy-directive/compliance.md): Practical ePrivacy Directive compliance checks for terminal equipment, communications confidentiality, cookie consent, exemptions, direct marketing, evidence, and national-law caveats. - [EU ePrivacy Directive Cookies and Consent: Article 5(3), exemptions, and banner evidence](/artifacts/eu/eprivacy-directive/cookies-and-consent.md): Cookie consent guide for the EU ePrivacy Directive: Article 5(3) scope, strictly necessary and transmission exemptions, consent UX, withdrawal, logs, analytics caveats, and GDPR interplay. - [EU ePrivacy Directive direct marketing rules for electronic mail](/artifacts/eu/eprivacy-directive/direct-marketing-rules.md): source-linked guide to Article 13 ePrivacy Directive rules for electronic mail marketing, prior consent, customer soft opt-in, opt-out handling, sender identity, and Member State caveats. - [EU ePrivacy Directive Enforcement and Fines](/artifacts/eu/eprivacy-directive/enforcement-and-fines.md): Source-grounded guide to ePrivacy Directive enforcement, national penalties, competent authorities, GDPR interplay, cookie-banner risk, and evidence limits. - [EU ePrivacy Directive FAQ: cookies, consent, marketing, GDPR interplay](/artifacts/eu/eprivacy-directive/faq.md): Answers to recurring EU ePrivacy Directive questions on Article 5(3), terminal-equipment access, cookie consent, exemptions, analytics, direct marketing, GDPR interplay, national enforcement, and evidence. - [EU ePrivacy Directive Member State Cookie Rules](/artifacts/eu/eprivacy-directive/member-state-cookie-rules.md): How to evidence EU ePrivacy cookie compliance when Article 5(3) is implemented through Member State law and national authority practice. - [EU ePrivacy Directive Metadata and Location Data Guide](/artifacts/eu/eprivacy-directive/metadata-and-location-data.md): source-linked guide to EU ePrivacy Directive rules for traffic data, location data, anonymisation, consent, value-added services, Article 5(3) overlap, and national-law limits. - [EU ePrivacy Directive penalties and fines: national enforcement caveats](/artifacts/eu/eprivacy-directive/penalties-and-fines.md): source-linked guide to ePrivacy Directive penalty exposure, national transposition caveats, cookie enforcement evidence, consent defects, and GDPR overlap limits. - [EU ePrivacy Directive Requirements: cookies, communications and marketing](/artifacts/eu/eprivacy-directive/requirements.md): source-linked map of EU ePrivacy Directive requirements for communications confidentiality, terminal-equipment access, consent, traffic and location data, and direct marketing. - [EU ePrivacy Directive vs GDPR: cookies, communications, marketing, and evidence](/artifacts/eu/eprivacy-directive/eprivacy-vs-gdpr.md): Compare the EU ePrivacy Directive and GDPR by trigger, consent standard, lex specialis overlap, enforcement caveats, and evidence outputs for cookies, device access, communications, and marketing. - [EU ePrivacy Directive vs UK PECR: source-limited cookie and marketing comparison](/artifacts/eu/eprivacy-directive/eprivacy-vs-uk-pecr.md): Compare EU ePrivacy Directive rules with a source-limited UK PECR workstream for cookies, terminal equipment, direct marketing, consent, soft opt-in, and evidence. - [EU ePrivacy soft opt-in FAQ for email marketing](/artifacts/eu/eprivacy-directive/faq/soft-opt-in.md): When Article 13(2) soft opt-in can support EU customer email marketing, including existing-customer, similar-offer, opt-out, sender-identity, suppression-list, and national-law checks. - [EU ePrivacy soft opt-in marketing review workflow](/artifacts/eu/eprivacy-directive/soft-opt-in-marketing-review-workflow.md): Review whether an EU electronic-mail marketing send can rely on the ePrivacy soft opt-in, with checks for customer relationship evidence, similar products, opt-out, sender identity, suppression records, and national-law caveats. - [EU ePrivacy Strictly Necessary Cookie Exemptions](/artifacts/eu/eprivacy-directive/strictly-necessary-exemptions.md): source-linked guide to the Article 5(3) ePrivacy exemptions for transmission cookies, requested-service cookies, analytics caveats, evidence, and national-law checks. - [Is a reject-all button required for EU ePrivacy cookie consent?](/artifacts/eu/eprivacy-directive/faq/reject-all-button.md): Standalone FAQ answer on EU ePrivacy reject-all and refuse options for cookie banners, including equal prominence, deceptive UX, consent evidence, withdrawal, and national-law caveats. - [Strictly Necessary Cookies under the EU ePrivacy Directive](/artifacts/eu/eprivacy-directive/faq/strictly-necessary-cookies.md): FAQ answer on when EU ePrivacy Article 5(3) allows cookies without consent, with grounded examples, analytics caveats, evidence records, and national-law cautions. - [What should CMP consent logs retain under the EU ePrivacy Directive?](/artifacts/eu/eprivacy-directive/faq/cmp-consent-logs.md): FAQ answer on CMP consent logs for EU ePrivacy cookie consent: retained fields, consent validity signals, banner versioning, refusal and withdrawal events, proof limits, and national-law caveats. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/eprivacy-directive/soft-opt-in-marketing