Email marketing is one of the areas where compliance requirements change fastest — and where violations are easiest to detect. Every organisation running a newsletter, email campaigns, or any form of direct electronic marketing across the EU must navigate two parallel legal frameworks: the GDPR and the ePrivacy rules. These operate simultaneously and address different aspects of the same activity — getting either wrong creates legal exposure regardless of which member state the sender or recipient is in.
The ePrivacy framework derives from the EU ePrivacy Directive (2002/58/EC), which all member states have implemented in national law. The implementations differ in detail: in Poland, the previous national implementation was replaced from 10 November 2024 by a new Electronic Communications Law (PKE), which strengthened the consent requirements for direct marketing; Germany applies strict opt-in rules under the UWG; France enforces through the CNIL under the French Data Protection Act. The underlying EU-level requirement — that sending marketing to an individual’s electronic address requires a valid consent or a permissible legitimate interest basis — is consistent across all implementations.
Two Legal Frameworks — GDPR and ePrivacy Together
Email marketing is subject to two separate regulatory regimes that apply simultaneously and must not be confused.
The GDPR governs the processing of personal data — including email addresses — and requires identifying a lawful basis for processing under Article 6. For marketing, the available bases are consent (Article 6(1)(a)) or legitimate interests (Article 6(1)(f)).
The ePrivacy rules require a separate consent specifically for sending marketing communications to an individual’s electronic communications address — email, phone, or messaging. This is an additional requirement on top of the GDPR, not a replacement for it.
The practical consequence: a company needs both — a lawful basis for processing the email address under the GDPR, and a valid consent for sending marketing communications under the ePrivacy rules. These can be obtained together in a single consent mechanism, but they are legally distinct requirements.
What Constitutes Valid Consent for Email Marketing
Consent under both frameworks must meet the same general requirements derived from the GDPR:
Freely given — the data subject must have a genuine choice. Consent bundled with acceptance of terms and conditions, or where refusal results in loss of a service, is not freely given.
Specific — consent must be given for a specific purpose. A general “I agree to marketing” checkbox is insufficient where the organisation intends to send marketing for multiple distinct products or services.
Informed — the data subject must know who is asking for consent, for what purpose, and how they can withdraw it.
Unambiguous — consent must be expressed through a clear affirmative action. Pre-ticked boxes do not constitute valid consent. Silence, inactivity, or scrolling past a notice are not consent.
Granular — where multiple types of marketing communications are intended (newsletters, promotional offers, partner communications), separate consent should be obtained for each type.
Legitimate Interest as an Alternative to Consent
Under the GDPR’s legitimate interest basis (Article 6(1)(f)), organisations may in certain circumstances send marketing communications without prior consent — specifically where:
- the recipient is an existing customer
- the marketing relates to similar products or services to those the customer has previously purchased
- the customer was given a clear opportunity to object at the time their contact details were collected and on each subsequent communication
- the customer has not objected
This is often called the “soft opt-in” or customer exemption. It applies to business-to-consumer marketing of similar goods and services. It does not apply to new contacts, prospecting, or B2B marketing to individuals (as opposed to generic company email addresses).
Even where legitimate interest applies as the GDPR basis, the ePrivacy rules in some national implementations may still require separate consent. The soft opt-in exception must be applied carefully and documented.
B2B Email Marketing — Different Rules
Marketing sent to generic business email addresses (e.g. office@company.com, info@company.com) generally falls outside the scope of ePrivacy rules applicable to individuals — these addresses belong to organisations, not natural persons.
However, where a B2B email is addressed to an identified individual at a company (e.g. firstname.lastname@company.com), it constitutes personal data and the full GDPR and ePrivacy framework applies.
The practical distinction: a marketing email to the CEO of a company by name, using their individual address, requires a lawful basis and — under most national implementations — prior consent or a documented legitimate interest basis.
Consent Management — What to Document
Every organisation conducting email marketing should maintain documented evidence of:
- when consent was obtained (timestamp)
- how it was obtained (which form, which wording)
- what was consented to (specific purpose and type of communication)
- where the data subject was informed of their right to withdraw
This documentation is the evidence required during a supervisory inspection. Without it, the organisation cannot demonstrate that consent was validly obtained — and the burden of proof rests with the controller.
The Right to Withdraw Consent
Data subjects must be able to withdraw consent at any time, easily and without detriment. This means:
- every marketing email must contain an unsubscribe link that works immediately
- the unsubscribe process must not require logging in, identity verification, or multiple steps
- withdrawal must be processed promptly — the person should not receive further communications after acting on the unsubscribe link
- withdrawal of consent does not affect the lawfulness of processing before the withdrawal
After withdrawal, the email address should be moved to a suppression list — a list of addresses that have opted out — to prevent re-addition of the contact to marketing lists.
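The two preceding sections (what to document, and how withdrawal and the suppression list must behave) translate directly into a small piece of engineering. The following is an added example, not code from the original article or from any product it mentions; it assumes an in-memory store and a hypothetical server-side signing key (a real system persists the same fields in a database and loads the key from a secret store). It records the when/how/what/where evidence for each consent, issues a double opt-in token bound to that consent event, gates every send on the suppression list first, and refuses to send for a purpose the person never consented to.

```python
"""Consent ledger with double opt-in and a suppression list.

Added example, not code from the original article or from iGDPR.
Assumptions (hypothetical): an in-memory store and a server-side
signing key; a real system persists the same fields in a database.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical signing secret; in production load it from a secret store.
SIGNING_KEY = b"example-only-signing-key"


def _now() -> datetime:
    return datetime.now(timezone.utc)


def _norm(email: str) -> str:
    """Normalise addresses so a suppression lookup cannot be bypassed by letter case."""
    return email.strip().lower()


@dataclass
class ConsentRecord:
    """The evidence fields a controller must be able to produce on inspection."""
    email: str
    obtained_at: datetime                  # when: UTC timestamp of the affirmative action
    form_id: str                           # how: which sign-up form
    wording: str                           # how: exact checkbox text shown to the person
    purposes: frozenset[str]               # what: granular purposes consented to
    withdrawal_notice: str                 # where the right to withdraw was explained
    confirmed_at: datetime | None = None   # double opt-in confirmation time
    withdrawn_at: datetime | None = None


class ConsentLedger:
    def __init__(self) -> None:
        self._records: dict[str, ConsentRecord] = {}
        self.suppression: set[str] = set()   # opted-out addresses

    def record_signup(self, email: str, form_id: str, wording: str,
                      purposes: set[str], withdrawal_notice: str,
                      prechecked: bool = False) -> str:
        """Store the consent evidence and return the double opt-in token to email back."""
        if prechecked:
            raise ValueError("pre-ticked box is not a clear affirmative action")
        if not purposes:
            raise ValueError("consent must be specific: at least one purpose")
        email = _norm(email)
        # Only a fresh affirmative sign-up lifts a suppression; list imports never do.
        self.suppression.discard(email)
        rec = ConsentRecord(email, _now(), form_id, wording,
                            frozenset(purposes), withdrawal_notice)
        self._records[email] = rec
        return self._token(rec)

    def _token(self, rec: ConsentRecord) -> str:
        # Bind the token to this specific consent event, not just the address.
        msg = f"{rec.email}|{rec.obtained_at.isoformat()}".encode()
        return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

    def confirm(self, email: str, token: str) -> bool:
        """Double opt-in: only the mailbox owner can present the emailed token."""
        rec = self._records.get(_norm(email))
        if rec is None or not hmac.compare_digest(self._token(rec), token):
            return False
        rec.confirmed_at = _now()
        return True

    def withdraw(self, email: str) -> None:
        """One-click unsubscribe: no login, no extra steps, effective immediately."""
        email = _norm(email)
        rec = self._records.get(email)
        if rec is not None:
            rec.withdrawn_at = _now()   # processing before this moment stays lawful
        self.suppression.add(email)

    def may_send(self, email: str, purpose: str) -> tuple[bool, str]:
        """Gate every send; the suppression list is checked before anything else."""
        email = _norm(email)
        if email in self.suppression:
            return False, "suppressed: recipient opted out"
        rec = self._records.get(email)
        if rec is None:
            return False, "no consent record"
        if rec.confirmed_at is None:
            return False, "double opt-in not confirmed"
        if purpose not in rec.purposes:
            return False, f"no consent for purpose {purpose!r}"
        return True, "ok"

    def evidence(self, email: str) -> dict[str, str] | None:
        """What you hand to a supervisory authority: when, how, what, where."""
        rec = self._records.get(_norm(email))
        if rec is None:
            return None
        return {
            "obtained_at": rec.obtained_at.isoformat(),
            "form_id": rec.form_id,
            "wording": rec.wording,
            "purposes": ", ".join(sorted(rec.purposes)),
            "withdrawal_notice": rec.withdrawal_notice,
            "confirmed_at": rec.confirmed_at.isoformat() if rec.confirmed_at else "",
            "withdrawn_at": rec.withdrawn_at.isoformat() if rec.withdrawn_at else "",
        }


if __name__ == "__main__":
    ledger = ConsentLedger()
    # Constructed sample sign-up; the address is fictional.
    tok = ledger.record_signup("Jane.Doe@example.com", "newsletter-footer-v3",
                               "Yes, email me the weekly newsletter", {"newsletter"},
                               "Every email carries an unsubscribe link")
    print(ledger.may_send("jane.doe@example.com", "newsletter"))  # blocked until confirmed
    ledger.confirm("jane.doe@example.com", tok)
    print(ledger.may_send("jane.doe@example.com", "newsletter"))
    ledger.withdraw("JANE.DOE@example.com")
    print(ledger.may_send("jane.doe@example.com", "newsletter"))
    print(ledger.evidence("jane.doe@example.com"))
```

Two design choices matter for the compliance points above: `may_send` consults the suppression list before it looks at any consent record, so an address that opted out is blocked even if a later list import recreates a record for it, and the confirmation token is an HMAC over the address and the sign-up timestamp, so a confirmation click is evidence that the mailbox owner acted on that specific consent event.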
How the Rules Compare Across Europe
Germany — the UWG implements a strict opt-in requirement for all electronic direct marketing. The double opt-in mechanism (where the subscriber confirms their subscription by clicking a link in a confirmation email) is the standard in Germany and is considered essential evidence of valid consent. German courts regularly uphold significant damages claims for unsolicited marketing emails.
France — the CNIL requires separate consent for marketing and applies strict rules to the reuse of data collected for other purposes. The CNIL has issued detailed guidance on newsletter sign-up mechanisms and regularly sanctions organisations for invalid consent banners and opt-in mechanisms.
Spain — the AEPD applies the ePrivacy soft opt-in exception narrowly. Spain’s LSSI (Ley de Servicios de la Sociedad de la Información) governs electronic commercial communications and supplements GDPR requirements.
Netherlands — the AP and the ACM (Authority for Consumers and Markets) share enforcement competence for direct marketing rules. The Netherlands applies a strict opt-in requirement and has fined organisations for purchasing marketing lists without verifying the validity of consents in those lists.
United Kingdom (post-Brexit) — UK GDPR and PECR (Privacy and Electronic Communications Regulations) mirror the EU framework. The ICO actively enforces direct marketing rules and has issued significant fines for spam and invalid consent practices.
The consistent theme across jurisdictions: pre-ticked boxes are invalid everywhere, unsubscribe must always work, and the burden of proving consent validity rests with the sender.
Most Common Mistakes
Pre-ticked consent boxes. Still widespread, and invalid in every EU jurisdiction. Silence or inactivity is not consent.
Bundled consent. Combining marketing consent with acceptance of terms and conditions produces invalid consent — each type of processing requiring consent needs its own clear affirmative action.
No timestamp or mechanism documentation. Inability to demonstrate when and how consent was obtained makes it impossible to defend a marketing database during a supervisory inspection.
Continuing to send after opt-out. Sending a marketing email after a person has unsubscribed is a straightforward violation that generates the most supervisory complaints across the EU.
Purchasing mailing lists without verifying consent validity. Buying a list of email addresses does not transfer the consents under which those addresses were collected. The buyer becomes a controller and must independently verify that it has a valid basis for sending to those addresses.
Soft opt-in applied too broadly. Using the customer exemption for contacts who are not existing customers, or for products unrelated to the original purchase, is a violation.
Summary
Email marketing requires two parallel bases: a GDPR lawful basis for processing the email address, and a valid consent (or permissible legitimate interest) under ePrivacy rules for sending the communication. Consent must be freely given, specific, informed, unambiguous, and documented with a timestamp and mechanism. The right to withdraw must be simple and immediate. The soft opt-in exception applies only to existing customers for similar products. Documentation of consent is the key evidence in any supervisory investigation.
FAQ
Only if you can independently verify that the individuals on the list have given valid, documented consent to receive marketing from your organisation specifically. In practice this is rarely demonstrable, making purchased lists high-risk from a compliance perspective.
Not legally mandatory in most EU jurisdictions — but it is the most reliable way to demonstrate that consent was valid and that the correct person gave it. In Germany it is effectively the standard. Everywhere else it is strongly recommended.
Unsubscribe (opt-out) means the person no longer wishes to receive marketing — the email address should be moved to a suppression list. The right to erasure under Article 17 GDPR is broader — the data subject requests deletion of all their personal data. These are separate rights with different practical implications.
Legitimate interest may be available for B2B marketing to generic company addresses. For individual identified contacts — the full GDPR and ePrivacy framework applies and the analysis is the same as for B2C.
Yes — data subjects have an absolute right to object to processing for direct marketing purposes under Article 21(2) GDPR. Where an objection is received, the controller must stop processing for marketing purposes immediately and without needing to balance interests.
Manage marketing consents and processing records in one place
iGDPR lets you document consent-based processing activities, track legal bases, and maintain the records needed to demonstrate compliance during a supervisory inspection. See how it works in practice.