Belgian Soft Opt-in: Email Customers Without Consent

Most people assume you always need explicit consent to send marketing emails. Sign up, tick a box, confirm your address. That's the rule, right?

Not always. The ePrivacy Directive includes an exception that lets you email existing customers without asking for fresh consent first. It's called the soft opt-in exception. It exists for a good reason: if someone just bought shoes from your Belgian webshop, it shouldn't be illegal to email them about matching laces next week.

But the soft opt-in exception has strict boundaries. Get one detail wrong and you're sending spam in the eyes of the law, and the Belgian regulators have authority to fine you for it.

What the soft opt-in actually is

Article 13(2) of the ePrivacy Directive (2002/58/EC) creates an exception to the general rule that marketing emails require prior consent. Each EU member state was required to write this exception into national law. Belgium did so through Article XII.13 of the Code of Economic Law (Wetboek van economisch recht / Code de droit économique, Book XII), which is what your Belgian webshop is operating under when it relies on the soft opt-in.

The logic is simple. If someone already bought from you, forcing them through a full opt-in flow for related marketing makes little sense. They know who you are. A follow-up email about a related product isn't the same as cold outreach from a stranger.

This only works when there's an existing customer relationship. Bought lists and scraped addresses don't qualify.

The four conditions you must meet

All four conditions must be true at the same time. Missing even one means the exception doesn't apply and you're back to needing explicit consent.

1. The email was collected during a sale or negotiation

You got the customer's email address in the context of selling them something. This covers completed purchases but also abandoned carts, quote requests and booking enquiries where the person provided their email.

A visitor who landed on your homepage and left doesn't count. Someone who filled in a contact form asking about pricing does.

2. You're marketing your own similar products or services

The products you're promoting must be similar to what the customer originally bought or showed interest in. A running shoe shop can email past buyers about new running shoes, socks or insoles. A restaurant that collected emails during reservations can email about seasonal menu changes or special dining events.

The key word is "similar." You can't sell running shoes and then email about car insurance. Even if you happen to sell both.

3. You gave the customer a clear way to opt out at collection time

When you first collected the email, the customer needed a clear option to say no. This typically means an unchecked checkbox saying something like "We'd like to send you offers about similar products. Untick this box if you'd rather not hear from us."

You also need a visible, working unsubscribe link in every email after that.

4. The customer hasn't opted out

If someone unsubscribes, you stop. Immediately. Not "after the current campaign finishes." You stop. Your mailing system needs to process opt-outs without delay.

The condition most often missed in audits is number three: an opt-out checkbox at collection time. If you want a quick read on whether your own signup forms make this mistake, run a free scan of your website. It flags pre-checked boxes, missing unsubscribe links and other patterns that take the soft opt-in defence away from you.

Practical examples

A Belgian webshop sells kitchen equipment. A customer buys a chef's knife and enters their email at checkout. The order form includes a clear notice about marketing with an opt-out checkbox. The shop can now email about cutting boards, knife sharpeners and other kitchen tools. Not about garden furniture.

A Belgian restaurant collects email addresses during online reservations. Guests see a note about occasional menu updates with an option to refuse. Those who don't opt out can receive emails about seasonal menus and dining events. Not about the owner's side business selling real estate.

A Brussels-based SaaS company sells project management software. A business signs up for a free trial and provides their email. The company can email about premium features and add-ons. Not about an unrelated analytics tool they also happen to sell.

What the soft opt-in does NOT cover

These common scenarios are not covered:

Third-party marketing. You can only promote your own products. Sending promotions for a partner company or sponsor requires separate consent.

Unrelated products. "Similar" means products in the same category or closely related to the original purchase. A bookshop that also sells electronics can't email book buyers about laptops.

Purchased email lists. Buying a list of "customers in your industry" and claiming soft opt-in is flat-out wrong. You didn't collect those emails during a sale. There's no existing relationship. This is unsolicited marketing and it's illegal in every EU country.

Newsletter signups without a purchase. If someone subscribes to your blog but never buys anything, there was no sale or negotiation. The soft opt-in doesn't apply. You need proper consent, which means a GDPR-compliant signup form.

Where soft opt-in works (and where it doesn't)

Each EU country transposed Article 13(2) ePrivacy differently. The table below shows the practical status for the markets a Belgian webshop is most likely to sell into.

For Germany specifically, the Abmahnung risk (cease-and-desist letters from competitor firms, each costing €1,000 or more) means even a textbook-compliant soft opt-in email can become a paid lawyer dispute. Use double opt-in for German subscribers and do not rely on the exception there.

For France and Spain the safe path is the same: collect explicit consent before you email.

For a full country breakdown including B2B nuance, see our email marketing consent guide.

Who enforces the soft opt-in exception in Belgium

Two Belgian authorities share enforcement. They look at different aspects of the same email.

• The Gegevensbeschermingsautoriteit (GBA / APD) supervises the GDPR side. A complaint about an unsolicited marketing email, missing transparency information, or an opt-out that does not work tends to land here. The GBA can open an inspection, issue a reprimand, and impose administrative fines that can reach the GDPR ceiling of €20 million or 4% of global turnover for the most serious infringements.
• The FOD Economie / SPF Économie supervises the Code of Economic Law side, including Book XII on the digital economy. The FOD investigates breaches of Article XII.13 WER directly and can impose administrative fines and seek criminal sanctions through the public prosecutor.

In practice, GBA action is more common for individual complaints, while the FOD Economie acts on broader market-conduct issues such as a webshop systematically emailing scraped addresses. A single non-compliant send can trigger both.

Common mistakes that get businesses fined

Emailing about a completely different product line

A fitness studio collects emails for gym memberships, then emails those members about a new beauty salon they opened next door. Different product line, different service category. The soft opt-in doesn't cover this. You need separate consent for the salon marketing.

No opt-out option on the original form

Your checkout form collects emails but never mentions marketing and provides no checkbox to refuse it. Even if you're emailing about similar products, you skipped condition three. Without a clear opt-out option at the point of collection, the exception doesn't apply.

Treating old databases as soft opt-in eligible

You have a customer database from five years ago. You never mentioned marketing emails and never gave anyone a way to refuse. Starting now isn't soft opt-in. It's cold email with extra steps. Go back and get proper consent.

Buying lists and calling it soft opt-in

If you didn't collect the email yourself during a transaction with that specific customer, the soft opt-in exception cannot apply. Bought lists, scraped addresses and emails shared between group companies all need explicit consent.

FAQ

Can I use soft opt-in for B2B email marketing?

In most countries, yes. B2B emails are treated more leniently than B2C. In Belgium, the UK, Ireland, the Netherlands and the Nordics, B2B cold email is legal under certain conditions even without soft opt-in. The exception is Germany, where the rules are strict for both B2B and B2C. In Belgium specifically, the Gegevensbeschermingsautoriteit (GBA / APD) treats a clearly business-related professional address as approachable without prior consent, provided the message is relevant to the recipient's professional role and includes a one-click opt-out.

How long does the soft opt-in last?

There's no specific time limit in the directive. But if a customer bought from you three years ago and you've never emailed them since, starting now feels like cold outreach. A good rule: if you haven't emailed someone within 12 months of their last purchase, get fresh consent.

Does an abandoned cart count as a "sale or negotiation"?

It depends on how far the customer got. If someone added items to their cart and entered their email during checkout but didn't complete the purchase, most regulators would consider that a negotiation. Someone who just browsed without entering details has not started one.

Can I email customers who bought through a marketplace?

Usually no. If a customer bought your product through Amazon or Bol.com, that marketplace collected the email. Not you. The customer's relationship is with the marketplace. You'd need to collect the email yourself through a direct interaction.

What happens if I get this wrong?

Regulators can fine you. The Belgian FOD Economie has issued fines of tens of thousands of euros for unsolicited marketing. In Germany, competitors can hit you with Abmahnungen costing €1,000+ each. Beyond fines, high spam complaint rates damage your email deliverability for months.

Check your setup

Not sure if your email signup forms and marketing practices meet the rules? Run a free scan to check your website for common compliance issues, including missing unsubscribe links, pre-checked boxes and consent problems.

If you're setting up email marketing from scratch, start with our guide on GDPR-compliant newsletter signups and the full country-by-country consent rules. And make sure your privacy policy lists email marketing as one of the ways you use personal data.