The Soft Opt-in Exception: When You Can Email Without Consent

Most people assume you always need explicit consent to send marketing emails. Sign up, tick a box, confirm your address. That's the rule, right?

Not always. The ePrivacy Directive includes an exception that lets you email existing customers without asking for fresh consent first. It's called the soft opt-in, and it exists for a good reason: if someone just bought shoes from your webshop, it shouldn't be illegal to email them about matching laces next week.

But the soft opt-in has strict boundaries. Get one detail wrong and you're sending spam in the eyes of the law.

What the soft opt-in actually is

Article 13(2) of the ePrivacy Directive (2002/58/EC) creates an exception to the general rule that marketing emails require prior consent. Each EU member state was required to write this exception into national law.

The logic is simple. If someone already bought from you, forcing them through a full opt-in flow for related marketing makes little sense. They know who you are. A follow-up email about a related product isn't the same as cold outreach from a stranger.

This only works when there's an existing customer relationship. Bought lists and scraped addresses don't qualify.

The four conditions you must meet

All four conditions must be true at the same time. Missing even one means the exception doesn't apply and you're back to needing explicit consent.

1. The email was collected during a sale or negotiation

You got the customer's email address in the context of selling them something. This covers completed purchases but also abandoned carts, quote requests and booking enquiries where the person provided their email.

A visitor who landed on your homepage and left doesn't count. Someone who filled in a contact form asking about pricing does.

2. You're marketing your own similar products or services

The products you're promoting must be similar to what the customer originally bought or showed interest in. A running shoe shop can email past buyers about new running shoes, socks or insoles. A restaurant that collected emails during reservations can email about seasonal menu changes or special dining events.

The key word is "similar." You can't sell running shoes and then email about car insurance. Even if you happen to sell both.

3. You gave the customer a clear way to opt out at collection time

When you first collected the email, the customer needed a clear option to say no. This typically means an unchecked checkbox saying something like "We'd like to send you offers about similar products. Untick this box if you'd rather not hear from us."

You also need a visible, working unsubscribe link in every email after that.

4. The customer hasn't opted out

If someone unsubscribes, you stop. Immediately. Not "after the current campaign finishes." You stop. Your mailing system needs to process opt-outs without delay.

Practical examples

A Dutch webshop sells kitchen equipment. A customer buys a chef's knife and enters their email at checkout. The order form includes a clear notice about marketing with an opt-out checkbox. The shop can now email about cutting boards, knife sharpeners and other kitchen tools. Not about garden furniture.

A Belgian restaurant collects email addresses during online reservations. Guests see a note about occasional menu updates with an option to refuse. Those who don't opt out can receive emails about seasonal menus and dining events. Not about the owner's side business selling real estate.

An Irish SaaS company sells project management software. A business signs up for a free trial and provides their email. The company can email about premium features and add-ons. Not about an unrelated analytics tool they also happen to sell.

What the soft opt-in does NOT cover

These common scenarios are not covered:

Third-party marketing. You can only promote your own products. Sending promotions for a partner company or sponsor requires separate consent.

Unrelated products. "Similar" means products in the same category or closely related to the original purchase. A bookshop that also sells electronics can't email book buyers about laptops.

Purchased email lists. Buying a list of "customers in your industry" and claiming soft opt-in is flat-out wrong. You didn't collect those emails during a sale. There's no existing relationship. This is unsolicited marketing and it's illegal in every EU country.

Newsletter signups without a purchase. If someone subscribes to your blog but never buys anything, there was no sale or negotiation. The soft opt-in doesn't apply. You need proper consent, which means a GDPR-compliant signup form.

Where soft opt-in works (and where it doesn't)

Each country implemented the ePrivacy Directive differently. Some embrace the soft opt-in, others barely recognize it.

Works well in: the Netherlands (Telecommunicatiewet Art. 11.7a), the UK (PECR), Belgium, Ireland and the Nordic countries.

Does not work in Germany. German courts interpret the exception under §7 Abs. 3 UWG so narrowly that it's almost useless. Combined with the risk of Abmahnungen (cease-and-desist letters from competitors), you should use double opt-in for German subscribers. Don't rely on soft opt-in for the German market.

Limited in France and Spain. Stricter interpretations make the soft opt-in risky. If you're targeting French or Spanish customers, get explicit consent instead.

For a full country breakdown, see our email marketing consent guide.

Common mistakes that get businesses fined

Emailing about a completely different product line

A fitness studio collects emails for gym memberships, then emails those members about a new beauty salon they opened next door. Different product line, different service category. The soft opt-in doesn't cover this. You need separate consent for the salon marketing.

No opt-out option on the original form

Your checkout form collects emails but never mentions marketing and provides no checkbox to refuse it. Even if you're emailing about similar products, you skipped condition three. Without a clear opt-out option at the point of collection, the exception doesn't apply.

Treating old databases as soft opt-in eligible

You have a customer database from five years ago. You never mentioned marketing emails and never gave anyone a way to refuse. Starting now isn't soft opt-in. It's cold email with extra steps. Go back and get proper consent.

Buying lists and calling it soft opt-in

If you didn't collect the email yourself during a transaction with that specific customer, the soft opt-in exception cannot apply. Bought lists, scraped addresses and emails shared between group companies all need explicit consent.

FAQ

Can I use soft opt-in for B2B email marketing?

In most countries, yes. B2B emails are treated more leniently than B2C. In the Netherlands, UK, Ireland, Belgium and the Nordics, B2B cold email is legal with certain conditions even without soft opt-in. The exception is Germany, where rules are strict for both B2B and B2C.

How long does the soft opt-in last?

There's no specific time limit in the directive. But if a customer bought from you three years ago and you've never emailed them since, starting now feels like cold outreach. A good rule: if you haven't emailed someone within 12 months of their last purchase, get fresh consent.

Does an abandoned cart count as a "sale or negotiation"?

It depends on how far the customer got. If someone added items to their cart and entered their email during checkout but didn't complete the purchase, most regulators would consider that a negotiation. Someone who just browsed without entering details has not started one.

Can I email customers who bought through a marketplace?

Usually no. If a customer bought your product through Amazon or Bol.com, that marketplace collected the email. Not you. The customer's relationship is with the marketplace. You'd need to collect the email yourself through a direct interaction.

What happens if I get this wrong?

Regulators can fine you. The Dutch ACM has issued fines of tens of thousands of euros for unsolicited marketing. In Germany, competitors can hit you with Abmahnungen costing €1,000+ each. Beyond fines, high spam complaint rates damage your email deliverability for months.

Check your setup

Not sure if your email signup forms and marketing practices meet the rules? Run a free scan to check your website for common compliance issues, including missing unsubscribe links, pre-checked boxes and consent problems.

If you're setting up email marketing from scratch, start with our guide on GDPR-compliant newsletter signups and the full country-by-country consent rules. And make sure your privacy policy lists email marketing as one of the ways you use personal data.