Email Marketing Consent Rules in Europe.

Email Compliance Guide

What Are the Email Marketing Consent Rules in Europe?

In Europe, you generally need prior opt-in consent before sending marketing emails, and legitimate interest on its own is rarely enough to press send. Two laws apply to every campaign at once: the GDPR governs how you hold and process the email address, while national ePrivacy rules govern whether you may actually email it. Those national rules differ meaningfully from country to country - Germany effectively demands double opt-in, Ireland caps its existing-customer exception at 12 months, and in 2026 France and Italy tightened the rules on email tracking too. This guide walks through what consent actually means, when the soft opt-in applies, and how the rules shift across the main European markets. 

 

What Are the Email Marketing Consent Rules in Europe? | warbble·digital

A note before we start. This article is general information, not legal advice. Email consent rules depend on where your recipients are, what you sell, and how you collected each address - and they change often. Always seek qualified legal advice for your specific location, audience and services before building or changing your email programme.

2
Legal frameworks apply to every marketing email you send
€26.5M
Fined by Italy's regulator for unsolicited marketing in a single case
12
Months Ireland's existing-customer exception lasts before it expires

Two Laws, One Send Button.

Most of the confusion around email consent comes from treating "GDPR compliance" as one question. It is two. The GDPR is an EU-wide regulation that governs the processing of personal data - collecting, storing, segmenting and enriching an email address all count. Separately, the ePrivacy Directive governs electronic communications themselves, and every member state has implemented it through its own national law: Germany through the UWG, Ireland through SI 336/2011, France through the French Data Protection Act, and so on. The UK kept its own version, PECR, after leaving the EU. You must satisfy both regimes for every send, and getting one right does not excuse getting the other wrong.

The data law
GDPR

Governs the personal data itself. You need a lawful basis under Article 6 to hold and process an email address - and legitimate interest can be that basis for direct marketing purposes.

  • Applies EU-wide, one uniform text
  • Recital 47 recognises direct marketing as a potential legitimate interest
  • Gives recipients an absolute right to object to marketing at any time
The sending law
ePrivacy Rules

Govern the act of sending the email. Each country's national implementation decides when you need opt-in consent, whether a soft opt-in exists, and how strictly it is all enforced.

  • 27+ national rulebooks, all slightly different
  • Default position: prior consent before marketing email
  • Where these rules demand consent, legitimate interest cannot override them

This split matters because a plan to replace the ePrivacy Directive with a single harmonised EU regulation was formally abandoned - the European Commission withdrew the proposal in February 2026 after years of stalemate. That means the country-by-country differences below are not a temporary quirk waiting to be smoothed out. They are the operating environment for the foreseeable future, and if anything, national regulators are diverging further rather than converging.

Can You Rely on Legitimate Interest for Email Marketing?

"We're using legitimate interest" is probably the most misused sentence in European marketing. It is true that the GDPR names direct marketing as a possible legitimate interest, and plenty of vendors quote that line in isolation. What it actually covers is much narrower than most teams assume.

01

Legitimate interest covers the processing, not the sending

Recital 47 of the GDPR says processing personal data for direct marketing purposes may be regarded as a legitimate interest. That can justify holding, segmenting and enriching contact data. It says nothing about your right to land a marketing email in someone's inbox - that question belongs to the ePrivacy rules, and in most of Europe the answer there is prior consent.

02

Where national law requires consent, legitimate interest loses

The ePrivacy rules act as the specialist law for electronic marketing, so where a country's implementation demands consent for the send, you cannot substitute a legitimate interest assessment. Germany is the sharpest example: you can lawfully process a prospect's business contact data under legitimate interest and still break the law the moment you email them without consent, because the UWG treats unsolicited email advertising as unreasonable harassment - even B2B.

03

The right to object always wins

Under Article 21 of the GDPR, recipients have an absolute right to object to processing for direct marketing. There is no balancing test - if someone objects or unsubscribes, marketing to them stops, full stop, regardless of which legal basis you were relying on. Every message needs a free, simple opt-out, and suppression lists need to actually work.

How the Soft Opt-In Actually Works.

The main exception to prior consent is the soft opt-in, sometimes called the existing-customer exception. It lets you email people who have bought from you (or, in some countries, negotiated a sale with you) without a separate marketing consent - but only if every condition is met, and this is where most lists quietly fall out of compliance. The conditions are broadly consistent wherever the exception exists:

01
You collected the details yourself, in the context of a sale

The contact details must have been obtained directly by your legal entity during a sale or, in some countries, genuine negotiations for one. Bought lists, scraped addresses and contacts inherited from a sister company do not qualify. Some countries interpret "context of a sale" strictly - in Germany a completed contract is generally required, and a product enquiry or abandoned basket is not enough.

02
You are marketing your own similar products or services

The exception only covers your own offering, and only things similar to what the person originally bought or enquired about. It never covers third-party promotions. German courts read "similar" very narrowly - sometimes requiring the products to be effectively interchangeable - so a customer who bought one thing cannot simply be enrolled in everything you sell.

03
You offered an opt-out at collection, and in every message since

The person must have been given a clear, free and simple chance to refuse marketing at the moment their details were collected, and again in every single email. Miss the opt-out at the point of collection and the soft opt-in never attaches to that contact - you cannot repair it retrospectively.

04
Local extras may apply

Some countries bolt on their own conditions. Ireland is the clearest example: soft opt-in emails may only be sent for 12 months from the sale (or from the last compliant marketing message the customer did not opt out of), after which the exception simply expires. Spain applies its version so narrowly that in practice many businesses treat it as unavailable.

How the Rules Differ Across Europe.

The GDPR sets the floor; national ePrivacy implementations build very different houses on top of it. Here is how the major markets compare - and remember, what matters is where your recipient is, not where your business is registered.

DE
Germany - the strictest in Europe

Germany implements the ePrivacy rules through Section 7 of its Unfair Competition Act (UWG), which treats email advertising without prior express consent as unreasonable harassment - and applies the same standard to B2B as to B2C. Because the sender carries the burden of proving consent, and the Federal Court of Justice ruled that single opt-in is insufficient evidence, double opt-in is the de facto standard: the subscriber signs up, then confirms via a link in a confirmation email.

The distinctive German risk is not just regulator fines (up to €300,000 per offence under the UWG, with GDPR penalties potentially on top). It is the Abmahnung - a formal cease-and-desist letter that competitors and consumer bodies can send over a single unlawful email, typically arriving with legal fees of €1,000 or more attached. The existing-customer exception exists but is interpreted narrowly: a completed purchase is required, and only genuinely similar products may be promoted.

IT
Italy - strict opt-in, aggressive enforcement

Italy's regulator, the Garante, is one of Europe's most active on marketing. Opt-in consent is the rule, the soft opt-in is applied narrowly, and enforcement has teeth - the Garante fined Enel Energia €26.5 million in 2022 over unsolicited marketing practices, one of the largest marketing-related penalties in Europe.

In April 2026 the Garante went further with Provision No. 284, a binding measure on email tracking pixels. It treats the pixel that powers your open rate like a cookie: individual open tracking for marketing analytics needs consent, with compliance required by 28 October 2026. Italy does allow that consent to be bundled with general marketing consent if the wording is neutral, and exempts fully anonymised aggregate open counts - but it demands granular withdrawal, meaning a recipient must be able to switch off tracking while continuing to receive your emails. A single combined unsubscribe does not pass.

FR
France - strict B2C, pragmatic B2B, new tracking rules

France's CNIL requires opt-in consent for consumer marketing and takes a hard line on consent quality - it regularly sanctions organisations over invalid sign-up mechanisms and the reuse of data collected for other purposes. B2B is treated more pragmatically: emailing professionals at their work address is generally accepted on an opt-out basis where the message is relevant to their role, which makes France notably more workable for business outreach than Germany.

France also moved on tracking pixels in 2026. The CNIL's recommendation, published on 14 April, takes the position that measuring individual email opens generally requires prior consent - and is explicit that consent to receive a newsletter is not consent to be tracked inside it. Existing contacts could keep being tracked only if sent a clear notice and opt-out before 14 July 2026; new sign-ups need tracking consent captured at the point of collection, where silence counts as refusal.

ES
Spain - explicit opt-in, little room to manoeuvre

Spain regulates commercial email through the LSSI alongside the GDPR, enforced by the AEPD. Explicit opt-in is required, the soft opt-in exception is applied so narrowly that it is rarely a safe foundation in practice, and B2B contacts get essentially the same protection as consumers. If Spain is a meaningful market for you, build your list on clear, documented consent and nothing else.

IE
Ireland - business-friendly, with a 12-month clock

Ireland implements the ePrivacy Directive through Regulation 13 of SI 336/2011, enforced by the Data Protection Commission, and is one of the more workable regimes in Europe. Consumers need opt-in consent, but the soft opt-in is available with a distinctive twist: marketing under it may only be sent for 12 months from the sale, or from the most recent compliant message the customer received and did not opt out of. Let a customer go quiet for a year and the exception lapses.

B2B is genuinely lighter: marketing email to a corporate address is permitted on an opt-out basis, provided the message relates to the recipient's commercial activity, you identify yourself honestly, and you honour objections. Do not mistake light-touch for no-touch, though - breaching the Irish rules is a criminal offence, with fines that can reach €250,000 per message on indictment.

UK
United Kingdom - PECR and the corporate subscriber quirk

The UK's rules live in PECR alongside the UK GDPR, enforced by the ICO. For individual subscribers - anyone on a personal email address, plus sole traders and ordinary partnerships even at work addresses - you need consent or a valid soft opt-in. The UK's soft opt-in is one of Europe's more generous, covering details collected during a sale or negotiations for one, and from February 2026 a PECR amendment extended a version of it to charities marketing in furtherance of their charitable purposes.

The distinctive UK feature is the corporate subscriber exemption: PECR's email marketing rules simply do not apply to corporate bodies, so you can email a limited company without PECR consent, provided you identify yourself and offer an unsubscribe. Two cautions - a named contact's work email is still personal data under the UK GDPR, so you still need a lawful basis and must honour objections; and the ICO's guidance is to treat any address you cannot classify as an individual subscriber.

EU
The Netherlands, Belgium and the Nordics - closer to the baseline

Several markets stay close to the ePrivacy baseline without piling on extra restrictions. The Netherlands and Belgium require opt-in for consumers but are comparatively permissive for B2B outreach with a clear opt-out. Belgium accepts single opt-in with clear consent language and an unticked checkbox, and its enforcement on email has been moderate compared with Germany or France. The Nordic countries follow a similar pattern: opt-in as the rule, the soft opt-in available under the standard conditions, and enforcement focused on larger-scale violations. Double opt-in is not legally required in any of them, though many businesses use it voluntarily for list quality and proof.

Consent Requirements by Country.

Country B2C Consent B2B Lighter Rules Soft Opt-In Notable Quirk
GermanyOpt-in (double opt-in de facto)Very narrowAbmahnungen from competitors
ItalyOpt-inNarrowPixel consent binding from Oct 2026
FranceOpt-inPixel consent guidance from Jul 2026
SpainOpt-inRarely usableLSSI applies alongside GDPR
IrelandOpt-in12-month soft opt-in limit
United KingdomOpt-inCorporate subscriber exemption
Netherlands / BelgiumOpt-inSingle opt-in accepted

Simplified summary for orientation only - each cell hides conditions and exceptions, national rules change, and this table is no substitute for legal advice on your specific situation.

How to Manage Consent Properly in HubSpot.

Knowing the rules is half the job; being able to prove you followed them is the other half. Every framework above puts the burden of proof on the sender, so your CRM needs to answer three questions for any contact at any time: what did they consent to, when, and how. HubSpot gives you the machinery - set up during onboarding and maintained afterwards, it does the heavy lifting.

01

Use subscription types, not one giant list

Define separate subscription types for your newsletter, product updates and promotional sends, so consent is specific rather than blanket - a core GDPR requirement. Recipients can then manage preferences granularly instead of facing an all-or-nothing unsubscribe, which also protects your list from unnecessary attrition.

Settings → Marketing → Email → Subscriptions

02

Switch on double opt-in where it matters

HubSpot supports confirmed opt-in natively, sending a confirmation email that the subscriber must click before they become mailable. For German recipients treat this as mandatory; for everyone else it is the strongest consent evidence you can hold, and it keeps low-quality addresses off your list.

03

Record the lawful basis and keep the receipts

HubSpot's GDPR features let you store the legal basis for processing and communicating with each contact, timestamped against the form or import that created it. Pair that with honest form language - unticked checkboxes, plain descriptions of what people are signing up for - and segment by country so German contacts are never caught by a campaign built on an Irish-style soft opt-in.

Would Your List Survive a Complaint?

One unhappy recipient is all it takes to trigger a regulator enquiry - or, in Germany, a competitor's cease-and-desist letter. Here is how to tell whether your email programme is built on solid ground.

Signs You're in Good Shape

Every contact has a recorded consent source, timestamp and the exact wording they agreed to
Subscription types are specific, and forms use unticked checkboxes with plain language
Soft opt-in contacts are flagged separately and only receive similar-product marketing
Unsubscribes suppress immediately across every send, and lists are segmented by recipient country
You have reviewed how open tracking is used for French and Italian recipients

Warning Signs

"Legitimate interest" is your answer to every consent question
The list contains purchased, scraped or inherited contacts with no consent trail
One blanket subscription covers everything you send, to every country, identically
Nobody can say when a given contact opted in, or what the form said at the time
Old customers from years ago still receive promotions under an assumed soft opt-in
The warbble take. The strictness is not going away - with the harmonised ePrivacy Regulation withdrawn, national regulators are diverging, and the 2026 tracking rulings show they are now looking inside your emails, not just at your list. But we would gently push back on the idea that compliance is the enemy of performance: a properly consented list opens more, converts better and protects your sender reputation, and the mechanics of doing it well are a solved problem inside HubSpot. What is not optional is the legal layer - the rules genuinely differ by country and by what you sell, so treat this article as a map, not a route, and get qualified legal advice for your specific markets. If you want to know whether your portal's subscription setup, consent records and data quality would hold up, that is exactly the kind of thing a Thrive Score audit surfaces in 30 minutes.

Frequently Asked Questions.

Can I use legitimate interest to send marketing emails in the EU?
Usually not on its own. Legitimate interest under the GDPR can justify processing contact data for marketing purposes, but the separate ePrivacy rules govern the sending of the email itself, and in most European countries those rules require prior consent. Where national law demands consent, a legitimate interest assessment cannot replace it. The main areas where legitimate interest does more work are B2B outreach in the more permissive countries, such as Ireland, the UK, France and the Netherlands - always with an opt-out and always subject to local conditions.
What is the soft opt-in and when can I use it?
The soft opt-in lets you email existing customers without separate marketing consent, provided you collected their details yourself in the context of a sale, you are marketing your own similar products or services, and you offered a free, simple opt-out both at collection and in every message. Conditions vary by country: Ireland limits it to 12 months from the sale, Germany requires a completed purchase and reads "similar" very narrowly, and Spain applies it so tightly that it is rarely a safe foundation.
Do I need double opt-in to comply with GDPR?
No law in Europe names double opt-in as a requirement, including the GDPR. What the law does require is provable consent - and because the burden of proof sits with the sender, German courts have treated single opt-in as insufficient evidence, making double opt-in the de facto standard there. If you have German subscribers, use it. Elsewhere it is best practice rather than obligation, and it has the side benefit of keeping fake and mistyped addresses off your list.
Are the rules different for B2B email marketing?
It depends entirely on the country. Ireland and the UK allow marketing email to corporate addresses on an opt-out basis, and the Netherlands and Belgium are comparatively permissive too. Germany, Spain and (for consumers' standards of consent) Italy apply broadly the same strict rules to B2B as to B2C - in Germany, a cold B2B email without consent is unlawful even though processing the contact's data may have been fine. Never assume a business address softens the rules without checking the recipient's country.
What changed with email tracking pixels in 2026?
France's CNIL and Italy's Garante both ruled that the tracking pixel behind your open rate is functionally a cookie, so tracking individual opens for marketing analytics generally requires prior consent. France set a 14 July 2026 deadline for notifying existing contacts and offering an opt-out; Italy's binding measure requires compliance by 28 October 2026 and insists recipients can switch off tracking without unsubscribing. Neither regulator considers this new law - their position is that the obligation already existed and was being ignored. Other countries have not issued equivalent guidance yet, but the underlying EU principles are the same everywhere.
Do these rules apply if my company is based outside the EU?
Yes. What matters is where your recipients are, not where you are incorporated. A South African, American or UK company emailing people in Germany must meet German standards for those recipients, and the GDPR applies whenever you process the personal data of people in the EU. The practical approach is to segment your database by country and apply each market's rules to its own segment - and to take legal advice covering every market you actually send into.
"
★★★★★ CRM Implementation & Migration

The training was very detailed, and any questions we had were answered thoroughly and with great patience. I would definitely recommend warbble as an onboarding partner.

- Kennedy, S.  ·  Jul 2025  ·  CRM Implementation & Migration

Free Thrive Score

Not sure your consent records would hold up?

Get a free Thrive Score in 30 minutes. We benchmark your portal across Feature Adoption, Data Quality, Automation Maturity, and Revenue Readiness - including how your subscription types, consent properties and suppression lists are actually set up.

Book Your Free Thrive Score →

 

Share

Book some time with our Marketing Expert.