EU Soft Opt-in: Email Customers Without Consent
Steven | TrustYourWebsite · April 5, 2026 · Last updated: May 2026
Most people assume you always need explicit consent to send marketing emails. Sign up, tick a box, confirm your address. That's the rule, right?
Not always. The soft opt-in is a narrow exception in Article 13(2) of the ePrivacy Directive (2002/58/EC) that lets you email existing customers about similar products without asking for fresh consent first. It exists for a good reason. If someone just bought shoes from your webshop, it should not be illegal to email them about matching laces next week.
But the soft opt-in has strict boundaries. Get one detail wrong and you are sending spam in the eyes of the law. Run a free scan to check whether your signup forms and unsubscribe handling already meet the rules.
What the soft opt-in actually is
Article 13(2) of the ePrivacy Directive (2002/58/EC) creates an exception to the general rule that marketing emails require prior consent. Each EU member state was required to write this exception into national law.
The logic is simple. If someone already bought from you, forcing them through a full opt-in flow for related marketing makes little sense. They know who you are. A follow-up email about a related product is not the same as cold outreach from a stranger.
This only works when there is an existing customer relationship. Bought lists and scraped addresses do not qualify.
The four conditions: a checklist
All four boxes must be ticked at the same time. Missing even one means the exception does not apply and you are back to needing explicit consent.
| # | Condition | What counts | What does not count |
|---|---|---|---|
| 1 | Existing customer | Completed purchase, abandoned checkout where the customer entered their email, quote or booking enquiry | A visitor who only browsed the homepage. Addresses bought from a list |
| 2 | Similar product or service | Same category as the original sale (running shoes → new shoes, insoles, socks) | Unrelated categories under the same brand (running shoes → garden furniture) |
| 3 | Free and clear option to refuse at collection | Unticked checkbox + plain-language notice, shown at the moment of capture | Pre-ticked boxes (invalid since Planet49 C-673/17). Buried T&C clauses |
| 4 | Working opt-out in every email | One-click unsubscribe processed immediately, opt-out present in every message | "Reply to unsubscribe", links that 404, opt-outs that take effect "after this campaign" |
If you cannot tick all four boxes for a given contact, you need fresh GDPR-grade consent before mailing them. The European Data Protection Board's Guidelines 05/2020 on consent set the EU-wide standard for what valid consent looks like.
What "similar" really means
The key word is "similar." You cannot sell running shoes and then email about car insurance even if you happen to sell both. Regulators look at customer expectation. Would a reasonable buyer expect the new promotion to come from the same shop based on what they originally bought?
What "opted out" really means
If someone unsubscribes, you stop. Immediately. Not "after the current campaign finishes." Your mailing system needs to process opt-outs without delay. The unsubscribe link must also work on the first click.
Practical examples
A Dutch webshop sells kitchen equipment. A customer buys a chef's knife and enters their email at checkout. The order form includes a clear notice about marketing with an opt-out checkbox. The shop can now email about cutting boards, knife sharpeners and other kitchen tools. Not about garden furniture.
A Belgian restaurant collects email addresses during online reservations. Guests see a note about occasional menu updates with an option to refuse. Those who don't opt out can receive emails about seasonal menus and dining events. Not about the owner's side business selling real estate.
An Irish SaaS company sells project management software. A business signs up for a free trial and provides their email. The company can email about premium features and add-ons. Not about an unrelated analytics tool they also happen to sell.
What the soft opt-in does NOT cover
These common scenarios are not covered:
- Third-party marketing. You can only promote your own products. Sending promotions for a partner company or sponsor requires separate consent.
- Unrelated products. "Similar" means products in the same category or closely related to the original purchase. A bookshop that also sells electronics can't email book buyers about laptops.
- Purchased email lists. Buying a list of "customers in your industry" and claiming soft opt-in is flat-out wrong. You didn't collect those emails during a sale. There's no existing relationship. This is unsolicited marketing and it's illegal in every EU country.
- Newsletter signups without a purchase. If someone subscribes to your blog but never buys anything, there was no sale or negotiation. The soft opt-in does not apply. You need proper consent, which means a GDPR-compliant signup form.
Where the soft opt-in works: country-by-country
Each member state implemented the ePrivacy Directive into its own law. Some accept the exception clearly. Others read it so narrowly that you should not rely on it. The table below summarises the seven biggest markets at a glance.
| Country | Regulator | Statute | Soft opt-in available | Key restriction |
|---|---|---|---|---|
| Netherlands | ACM | Telecommunicatiewet Art. 11.7a | Yes | Existing customer, similar product, opt-out at collection and in every email |
| United Kingdom | ICO | PECR reg. 22(3) | Yes | Same four conditions, ICO enforces opt-out wording strictly |
| Ireland | DPC | SI 336/2011 reg. 13(11) | Yes | 12-month limit since last sale or refusal |
| Belgium | APD/GBA | Boek XII Wetboek Economisch Recht | Yes | B2C only, B2B needs prior consent in practice |
| Germany | BfDI + civil courts | §7 Abs. 3 UWG | Yes on paper, no in practice | Read narrowly, Abmahnungen risk, double opt-in expected |
| France | CNIL | Article L34-5 CPCE | Limited | B2C explicit consent default, soft opt-in only for similar products to existing customers |
| Spain | AEPD | Art. 21 LSSI | Limited | Prior consent default, narrow similar-product carve-out for existing customers |
A few short notes on the country pattern:
- Works well in the Netherlands, the UK, Ireland, Belgium and the Nordic countries. Apply the four conditions and you are on safe ground.
- Does not work in practice in Germany. German civil courts read §7 Abs. 3 UWG very narrowly. Abmahnungen from competitors are also common. Use double opt-in for German subscribers instead.
- Limited in France and Spain. Both regulators treat the exception cautiously. If you are targeting French or Spanish customers, collect explicit consent rather than rely on the soft opt-in.
For a fuller country breakdown including the Nordics and Italy, see the email marketing consent guide.
Common mistakes that get businesses fined
Emailing about a completely different product line
A fitness studio collects emails for gym memberships, then emails those members about a new beauty salon they opened next door. Different product line, different service category. The soft opt-in doesn't cover this. You need separate consent for the salon marketing.
No opt-out option on the original form
Your checkout form collects emails but never mentions marketing and provides no checkbox to refuse it. Even if you're emailing about similar products, you skipped condition three. Without a clear opt-out option at the point of collection, the exception doesn't apply.
Treating old databases as soft opt-in eligible
You have a customer database from five years ago. You never mentioned marketing emails and never gave anyone a way to refuse. Starting now isn't soft opt-in. It's cold email with extra steps. Go back and get proper consent.
Buying lists and calling it soft opt-in
If you didn't collect the email yourself during a transaction with that specific customer, the soft opt-in exception cannot apply. Bought lists, scraped addresses and emails shared between group companies all need explicit consent.
FAQ
Can I use soft opt-in for B2B email marketing?
In most countries, yes. B2B emails are treated more leniently than B2C. In the Netherlands, UK, Ireland, Belgium and the Nordics, B2B cold email is legal with certain conditions even without soft opt-in. The exception is Germany, where rules are strict for both B2B and B2C.
How long does the soft opt-in last?
There's no specific time limit in the directive. But if a customer bought from you three years ago and you've never emailed them since, starting now feels like cold outreach. A good rule: if you haven't emailed someone within 12 months of their last purchase, get fresh consent.
Does an abandoned cart count as a "sale or negotiation"?
It depends on how far the customer got. If someone added items to their cart and entered their email during checkout but didn't complete the purchase, most regulators would consider that a negotiation. Someone who just browsed without entering details has not started one.
Can I email customers who bought through a marketplace?
Usually no. If a customer bought your product through Amazon or Bol.com, that marketplace collected the email. Not you. The customer's relationship is with the marketplace. You'd need to collect the email yourself through a direct interaction.
What happens if I get this wrong?
Regulators can fine you. The Dutch ACM has issued fines of tens of thousands of euros for unsolicited marketing. In Germany, competitors can hit you with Abmahnungen costing €1,000+ each. Beyond fines, high spam complaint rates damage your email deliverability for months.
Check your setup
Not sure if your email signup forms and marketing practices meet the rules? Run a free scan to check your website for common compliance issues, including missing unsubscribe links, pre-checked boxes and consent problems.
If you're setting up email marketing from scratch, start with our guide on GDPR-compliant newsletter signups and the full country-by-country consent rules. And make sure your privacy policy lists email marketing as one of the ways you use personal data.