Email Marketing Consent: Country-by-Country Rules

You'd think email marketing rules would be the same across Europe. The GDPR applies everywhere, after all. But consent requirements for marketing emails vary wildly from one country to the next. What's perfectly legal in Ireland could land you a cease-and-desist letter in Germany.

That's because the GDPR only sets a baseline. Each country has its own ePrivacy or telecom law that adds extra rules on top. These national laws cover the specifics: when you need opt-in, whether soft opt-in counts and how strictly regulators enforce the rules.

If you're sending marketing emails to people in more than one European country, you need to know these differences. Getting it wrong doesn't just mean fines. It means wasted effort, damaged sender reputation and emails that never reach anyone's inbox.

The GDPR baseline

The GDPR requires consent for processing personal data. For marketing emails specifically, Article 6 and Recital 47 lay the groundwork. But the actual rules about sending electronic marketing messages come from the ePrivacy Directive (2002/58/EC), which each EU member state has implemented differently through national law.

The ePrivacy Directive says you need prior consent before sending marketing emails. But it also includes a "soft opt-in" exception: if someone bought something from you or showed clear interest in your products, you can email them about similar offerings without fresh consent. How broadly or narrowly each country interprets this exception is where things get interesting.

Country-by-country breakdown

Netherlands

Law: Telecommunicatiewet, Article 11.7a Regulator: ACM (Autoriteit Consument & Markt) Consent required: Yes, opt-in for marketing email

The Netherlands requires opt-in consent before you can send marketing emails. Your signup forms need clear consent language and a working privacy policy link.

The soft opt-in exception applies for existing customers. If someone bought from you and you collected their email during that transaction, you can email them about similar products or services. But you must give them a clear way to opt out at the point of collection and in every email after that.

The ACM takes enforcement seriously. They've fined companies for sending unsolicited marketing emails, with penalties reaching tens of thousands of euros for repeat offenders.

Germany

Law: UWG §7 (Unfair Competition Act) + DSGVO (German GDPR implementation) Regulator: State data protection authorities + competitors via Abmahnungen Consent required: Double opt-in is the de facto standard

Germany is the strictest country in Europe for email marketing. While no single law says "you must use double opt-in," German courts have made it clear that you need solid proof of consent for every subscriber. Double opt-in is the only method courts consistently accept as sufficient proof.

The real danger in Germany isn't fines from regulators. It's Abmahnungen. These are formal cease-and-desist letters that competitors or consumer protection groups can send under the UWG. Each one comes with legal fees starting around €1,000. Some businesses have faced multiple Abmahnungen for the same mailing list.

The soft opt-in exception exists in German law (§7 Abs. 3 UWG) but courts interpret it very narrowly. You need to meet all four conditions perfectly: the email was collected during a sale, you're marketing similar products, the customer could opt out when you collected the address and they can opt out in every email. Miss one condition and it doesn't apply.

If you have German subscribers, use double opt-in. No exceptions.

United Kingdom

Law: PECR (Privacy and Electronic Communications Regulations) + UK GDPR Regulator: ICO (Information Commissioner's Office) Consent required: Yes, with a generous soft opt-in exception

The UK has some of the more practical email marketing rules in Europe. PECR allows soft opt-in for existing customers without additional consent. If someone bought from you or actively enquired about your products, you can send them marketing emails about similar items.

The conditions: you collected the email during a sale or negotiation, you're promoting your own similar products, you gave them a chance to opt out when you first collected the address and you include an unsubscribe link in every email.

For contacts who haven't bought from you, you need proper opt-in consent. A clear, unchecked checkbox with specific language works. Pre-checked boxes don't count.

The maximum fine under PECR is currently £500,000. New legislation is expected to raise this to £17.5 million or 4% of global turnover, matching the UK GDPR maximum.

Belgium

Law: National GDPR implementation + ePrivacy transposition Regulator: GBA (Gegevensbeschermingsautoriteit) Consent required: Yes, with soft opt-in available

Belgium follows the GDPR baseline closely without adding many extra restrictions. Opt-in consent is required for marketing emails, but the soft opt-in exception is available for existing customers under similar conditions as other EU countries.

The GBA hasn't pushed for double opt-in. Single opt-in with clear consent language, an unchecked checkbox and a privacy policy link meets the standard. Belgian enforcement on email marketing has been moderate compared to Germany or France.

Ireland

Law: SI 336/2011 (European Communities Electronic Communications Regulations) Regulator: DPC (Data Protection Commission) Consent required: Yes for B2C, lighter rules for B2B

Ireland is one of the more business-friendly countries for email marketing in Europe. B2B marketing email is generally allowed as long as you include an opt-out mechanism. You can email business contacts at their work addresses without prior opt-in consent, provided you give them a clear way to unsubscribe.

For B2C marketing, the standard rules apply. You need consent before sending, and the soft opt-in exception is available for existing customers.

The DPC has been more focused on big tech enforcement than small business email marketing, but that doesn't mean you should ignore the rules.

France

Law: Loi Informatique et Libertés + transposition of ePrivacy Directive Regulator: CNIL Consent required: Strict opt-in, limited soft opt-in

France takes a strict approach to email marketing consent. The CNIL requires clear, affirmative opt-in before you can send marketing emails. They've been particularly active in enforcement and have fined companies for inadequate consent mechanisms.

The soft opt-in exception exists but the CNIL interprets it narrowly. You need a genuine prior commercial relationship and the marketing must be about closely similar products. "Similar" in the French interpretation is tighter than in the UK or Netherlands.

Spain

Law: LSSI (Ley de Servicios de la Sociedad de la Informacion) Regulator: AEPD (Agencia Espanola de Proteccion de Datos) Consent required: Strict opt-in only

Spain has some of the tightest email marketing rules in Europe alongside Germany. The LSSI requires explicit prior consent for all commercial electronic communications. The soft opt-in exception is very limited in practice.

The AEPD enforces actively and has issued fines for unsolicited commercial emails. If you're marketing to Spanish recipients, get proper consent first. There's very little room for grey areas.

Nordics (Sweden, Norway, Denmark, Finland)

Law: National telecom acts implementing the ePrivacy Directive Regulators: National data protection authorities Consent required: GDPR baseline with standard ePrivacy rules

The Nordic countries generally follow the GDPR baseline without adding heavy extra restrictions. Opt-in is required for marketing emails. The soft opt-in exception is available under standard conditions. These regulators tend to focus enforcement on larger violations rather than individual marketing emails from small businesses.

Double opt-in isn't required in any Nordic country, though many businesses use it voluntarily for list quality.

The soft opt-in exception explained

The soft opt-in (sometimes called "existing customer exemption") lets you send marketing emails to people who've already bought from you, without asking for separate consent. It exists in most European countries, but the conditions are the same everywhere it applies.

All four of these must be true:

1. You collected the email during a sale or active negotiation. Someone browsing your site doesn't count. They need to have bought something or taken a concrete step toward buying.
2. You're marketing similar products or services. If someone bought shoes from you, you can email them about new shoe arrivals. You probably can't email them about your new insurance product.
3. You offered an opt-out at the point of collection. When you first got their email, they had a visible and easy way to say "don't email me marketing."
4. Every email includes an unsubscribe option. This applies to all marketing emails, not just soft opt-in ones.

The key word is "similar." What counts as similar varies by country. The UK and Netherlands interpret it broadly. Germany and France interpret it narrowly. When in doubt, ask for proper consent instead of relying on the exception.

For a deeper look at how soft opt-in works in practice, read our guide on the soft opt-in exception.

B2B vs B2C: the rules aren't always the same

Some countries treat business-to-business email differently from business-to-consumer email. This matters if you're marketing to other companies rather than individual consumers.

Ireland is the clearest example. B2B marketing email to corporate email addresses (like info@company.ie or name@company.ie) is allowed without prior consent, as long as you include an opt-out. This is because corporate email addresses in Ireland aren't treated the same as personal ones under SI 336/2011.

The UK makes a similar distinction. PECR's consent rules apply to "individual subscribers." Emails to companies (Ltd, PLC) at generic addresses don't always need prior consent. But emails to sole traders, partnerships and individuals at their work address do.

The Netherlands and Belgium allow B2B cold email under certain conditions, with clear opt-out mechanisms.

Germany makes no meaningful distinction. B2B email marketing still needs consent and is still subject to Abmahnungen. Don't assume that because you're emailing a business address in Germany, the rules are softer.

France and Spain apply consent requirements to B2B email marketing just as strictly as B2C.

The safest approach for B2B: always include an opt-out link, keep your emails relevant to the recipient's business and stop immediately when someone unsubscribes.

What this means for your website

If your signup forms collect email addresses for marketing, the consent mechanism needs to match the strictest country you're marketing to. For most European businesses, that means:

• Use a clear, unchecked consent checkbox with specific language about what you'll send
• Link to your privacy policy next to the form
• Consider double opt-in for everyone (required if you have any German subscribers)
• Store consent records with timestamps and IP addresses
• Include a working unsubscribe link in every email

Your newsletter signup form is the foundation. Get that right and most countries' rules are satisfied.

Check your email compliance

Our free website scan checks your newsletter signup forms for missing consent language, pre-checked boxes and privacy policy links. It flags the specific issues and tells you what to fix.

If you're sending marketing emails across Europe, knowing which country's rules apply to which subscribers is the first step. The second step is making sure your website collects consent properly in the first place.

FAQ

Do I need consent to send marketing emails in Europe?

Yes, with few exceptions. The ePrivacy Directive and GDPR require prior consent for marketing emails across the EU and UK. The main exception is the soft opt-in for existing customers who bought from you. Even then, you still need to offer an easy opt-out in every message.

Which European country has the strictest email marketing rules?

Germany. The combination of the UWG (Unfair Competition Act) and strict court interpretations means double opt-in is the de facto requirement. Competitors can send Abmahnungen (cease-and-desist letters) with legal fees of €1,000 or more. Spain is also very strict, requiring explicit opt-in with almost no soft opt-in exception in practice.

Can I send B2B cold emails in Europe?

It depends on the country. Ireland and the UK allow B2B email to corporate addresses with an opt-out mechanism. The Netherlands and Belgium are generally permissive for B2B. Germany, France and Spain apply the same strict consent rules to B2B as to B2C. Always check the specific rules for each country you're targeting.

What happens if I send marketing emails without proper consent?

Consequences range from fines to legal action. In Germany, the biggest risk is Abmahnungen from competitors costing €1,000+ each. The UK ICO can fine up to £500,000 under current PECR rules. National data protection authorities across Europe can issue GDPR fines of up to €20 million or 4% of global turnover. Beyond fines, your sender reputation suffers when people mark unwanted emails as spam.

Is the soft opt-in exception the same in every country?

No. The basic conditions are similar everywhere: existing customer relationship, similar products, opt-out offered at collection, unsubscribe in every email. But how broadly "similar products" is interpreted varies significantly. The UK and Netherlands read it broadly. Germany and France interpret it narrowly. Some countries like Spain barely apply it at all.