Email Compliance Guide
In Europe, you generally need prior opt-in consent before sending marketing emails, and legitimate interest on its own is rarely enough to press send. Two laws apply to every campaign at once: the GDPR governs how you hold and process the email address, while national ePrivacy rules govern whether you may actually email it. Those national rules differ meaningfully from country to country - Germany effectively demands double opt-in, Ireland caps its existing-customer exception at 12 months, and in 2026 France and Italy tightened the rules on email tracking too. This guide walks through what consent actually means, when the soft opt-in applies, and how the rules shift across the main European markets.
A note before we start. This article is general information, not legal advice. Email consent rules depend on where your recipients are, what you sell, and how you collected each address - and they change often. Always seek qualified legal advice for your specific location, audience and services before building or changing your email programme.
Most of the confusion around email consent comes from treating "GDPR compliance" as one question. It is two. The GDPR is an EU-wide regulation that governs the processing of personal data - collecting, storing, segmenting and enriching an email address all count. Separately, the ePrivacy Directive governs electronic communications themselves, and every member state has implemented it through its own national law: Germany through the UWG, Ireland through SI 336/2011, France through the French Data Protection Act, and so on. The UK kept its own version, PECR, after leaving the EU. You must satisfy both regimes for every send, and getting one right does not excuse getting the other wrong.
Governs the personal data itself. You need a lawful basis under Article 6 to hold and process an email address - and legitimate interest can be that basis for direct marketing purposes.
Govern the act of sending the email. Each country's national implementation decides when you need opt-in consent, whether a soft opt-in exists, and how strictly it is all enforced.
This split matters because a plan to replace the ePrivacy Directive with a single harmonised EU regulation was formally abandoned - the European Commission withdrew the proposal in February 2026 after years of stalemate. That means the country-by-country differences below are not a temporary quirk waiting to be smoothed out. They are the operating environment for the foreseeable future, and if anything, national regulators are diverging further rather than converging.
"We're using legitimate interest" is probably the most misused sentence in European marketing. It is true that the GDPR names direct marketing as a possible legitimate interest, and plenty of vendors quote that line in isolation. What it actually covers is much narrower than most teams assume.
Recital 47 of the GDPR says processing personal data for direct marketing purposes may be regarded as a legitimate interest. That can justify holding, segmenting and enriching contact data. It says nothing about your right to land a marketing email in someone's inbox - that question belongs to the ePrivacy rules, and in most of Europe the answer there is prior consent.
The ePrivacy rules act as the specialist law for electronic marketing, so where a country's implementation demands consent for the send, you cannot substitute a legitimate interest assessment. Germany is the sharpest example: you can lawfully process a prospect's business contact data under legitimate interest and still break the law the moment you email them without consent, because the UWG treats unsolicited email advertising as unreasonable harassment - even B2B.
Under Article 21 of the GDPR, recipients have an absolute right to object to processing for direct marketing. There is no balancing test - if someone objects or unsubscribes, marketing to them stops, full stop, regardless of which legal basis you were relying on. Every message needs a free, simple opt-out, and suppression lists need to actually work.
The main exception to prior consent is the soft opt-in, sometimes called the existing-customer exception. It lets you email people who have bought from you (or, in some countries, negotiated a sale with you) without a separate marketing consent - but only if every condition is met, and this is where most lists quietly fall out of compliance. The conditions are broadly consistent wherever the exception exists:
The contact details must have been obtained directly by your legal entity during a sale or, in some countries, genuine negotiations for one. Bought lists, scraped addresses and contacts inherited from a sister company do not qualify. Some countries interpret "context of a sale" strictly - in Germany a completed contract is generally required, and a product enquiry or abandoned basket is not enough.
The exception only covers your own offering, and only things similar to what the person originally bought or enquired about. It never covers third-party promotions. German courts read "similar" very narrowly - sometimes requiring the products to be effectively interchangeable - so a customer who bought one thing cannot simply be enrolled in everything you sell.
The person must have been given a clear, free and simple chance to refuse marketing at the moment their details were collected, and again in every single email. Miss the opt-out at the point of collection and the soft opt-in never attaches to that contact - you cannot repair it retrospectively.
Some countries bolt on their own conditions. Ireland is the clearest example: soft opt-in emails may only be sent for 12 months from the sale (or from the last compliant marketing message the customer did not opt out of), after which the exception simply expires. Spain applies its version so narrowly that in practice many businesses treat it as unavailable.
The GDPR sets the floor; national ePrivacy implementations build very different houses on top of it. Here is how the major markets compare - and remember, what matters is where your recipient is, not where your business is registered.
Germany implements the ePrivacy rules through Section 7 of its Unfair Competition Act (UWG), which treats email advertising without prior express consent as unreasonable harassment - and applies the same standard to B2B as to B2C. Because the sender carries the burden of proving consent, and the Federal Court of Justice ruled that single opt-in is insufficient evidence, double opt-in is the de facto standard: the subscriber signs up, then confirms via a link in a confirmation email.
The distinctive German risk is not just regulator fines (up to €300,000 per offence under the UWG, with GDPR penalties potentially on top). It is the Abmahnung - a formal cease-and-desist letter that competitors and consumer bodies can send over a single unlawful email, typically arriving with legal fees of €1,000 or more attached. The existing-customer exception exists but is interpreted narrowly: a completed purchase is required, and only genuinely similar products may be promoted.
Italy's regulator, the Garante, is one of Europe's most active on marketing. Opt-in consent is the rule, the soft opt-in is applied narrowly, and enforcement has teeth - the Garante fined Enel Energia €26.5 million in 2022 over unsolicited marketing practices, one of the largest marketing-related penalties in Europe.
In April 2026 the Garante went further with Provision No. 284, a binding measure on email tracking pixels. It treats the pixel that powers your open rate like a cookie: individual open tracking for marketing analytics needs consent, with compliance required by 28 October 2026. Italy does allow that consent to be bundled with general marketing consent if the wording is neutral, and exempts fully anonymised aggregate open counts - but it demands granular withdrawal, meaning a recipient must be able to switch off tracking while continuing to receive your emails. A single combined unsubscribe does not pass.
France's CNIL requires opt-in consent for consumer marketing and takes a hard line on consent quality - it regularly sanctions organisations over invalid sign-up mechanisms and the reuse of data collected for other purposes. B2B is treated more pragmatically: emailing professionals at their work address is generally accepted on an opt-out basis where the message is relevant to their role, which makes France notably more workable for business outreach than Germany.
France also moved on tracking pixels in 2026. The CNIL's recommendation, published on 14 April, takes the position that measuring individual email opens generally requires prior consent - and is explicit that consent to receive a newsletter is not consent to be tracked inside it. Existing contacts could keep being tracked only if sent a clear notice and opt-out before 14 July 2026; new sign-ups need tracking consent captured at the point of collection, where silence counts as refusal.
Spain regulates commercial email through the LSSI alongside the GDPR, enforced by the AEPD. Explicit opt-in is required, the soft opt-in exception is applied so narrowly that it is rarely a safe foundation in practice, and B2B contacts get essentially the same protection as consumers. If Spain is a meaningful market for you, build your list on clear, documented consent and nothing else.
Ireland implements the ePrivacy Directive through Regulation 13 of SI 336/2011, enforced by the Data Protection Commission, and is one of the more workable regimes in Europe. Consumers need opt-in consent, but the soft opt-in is available with a distinctive twist: marketing under it may only be sent for 12 months from the sale, or from the most recent compliant message the customer received and did not opt out of. Let a customer go quiet for a year and the exception lapses.
B2B is genuinely lighter: marketing email to a corporate address is permitted on an opt-out basis, provided the message relates to the recipient's commercial activity, you identify yourself honestly, and you honour objections. Do not mistake light-touch for no-touch, though - breaching the Irish rules is a criminal offence, with fines that can reach €250,000 per message on indictment.
The UK's rules live in PECR alongside the UK GDPR, enforced by the ICO. For individual subscribers - anyone on a personal email address, plus sole traders and ordinary partnerships even at work addresses - you need consent or a valid soft opt-in. The UK's soft opt-in is one of Europe's more generous, covering details collected during a sale or negotiations for one, and from February 2026 a PECR amendment extended a version of it to charities marketing in furtherance of their charitable purposes.
The distinctive UK feature is the corporate subscriber exemption: PECR's email marketing rules simply do not apply to corporate bodies, so you can email a limited company without PECR consent, provided you identify yourself and offer an unsubscribe. Two cautions - a named contact's work email is still personal data under the UK GDPR, so you still need a lawful basis and must honour objections; and the ICO's guidance is to treat any address you cannot classify as an individual subscriber.
Several markets stay close to the ePrivacy baseline without piling on extra restrictions. The Netherlands and Belgium require opt-in for consumers but are comparatively permissive for B2B outreach with a clear opt-out. Belgium accepts single opt-in with clear consent language and an unticked checkbox, and its enforcement on email has been moderate compared with Germany or France. The Nordic countries follow a similar pattern: opt-in as the rule, the soft opt-in available under the standard conditions, and enforcement focused on larger-scale violations. Double opt-in is not legally required in any of them, though many businesses use it voluntarily for list quality and proof.
| Country | B2C Consent | B2B Lighter Rules | Soft Opt-In | Notable Quirk |
|---|---|---|---|---|
| Germany | Opt-in (double opt-in de facto) | ✗ | Very narrow | Abmahnungen from competitors |
| Italy | Opt-in | ✗ | Narrow | Pixel consent binding from Oct 2026 |
| France | Opt-in | ✓ | ✓ | Pixel consent guidance from Jul 2026 |
| Spain | Opt-in | ✗ | Rarely usable | LSSI applies alongside GDPR |
| Ireland | Opt-in | ✓ | ✓ | 12-month soft opt-in limit |
| United Kingdom | Opt-in | ✓ | ✓ | Corporate subscriber exemption |
| Netherlands / Belgium | Opt-in | ✓ | ✓ | Single opt-in accepted |
Simplified summary for orientation only - each cell hides conditions and exceptions, national rules change, and this table is no substitute for legal advice on your specific situation.
Knowing the rules is half the job; being able to prove you followed them is the other half. Every framework above puts the burden of proof on the sender, so your CRM needs to answer three questions for any contact at any time: what did they consent to, when, and how. HubSpot gives you the machinery - set up during onboarding and maintained afterwards, it does the heavy lifting.
Define separate subscription types for your newsletter, product updates and promotional sends, so consent is specific rather than blanket - a core GDPR requirement. Recipients can then manage preferences granularly instead of facing an all-or-nothing unsubscribe, which also protects your list from unnecessary attrition.
Settings → Marketing → Email → Subscriptions
HubSpot supports confirmed opt-in natively, sending a confirmation email that the subscriber must click before they become mailable. For German recipients treat this as mandatory; for everyone else it is the strongest consent evidence you can hold, and it keeps low-quality addresses off your list.
HubSpot's GDPR features let you store the legal basis for processing and communicating with each contact, timestamped against the form or import that created it. Pair that with honest form language - unticked checkboxes, plain descriptions of what people are signing up for - and segment by country so German contacts are never caught by a campaign built on an Irish-style soft opt-in.
One unhappy recipient is all it takes to trigger a regulator enquiry - or, in Germany, a competitor's cease-and-desist letter. Here is how to tell whether your email programme is built on solid ground.
The training was very detailed, and any questions we had were answered thoroughly and with great patience. I would definitely recommend warbble as an onboarding partner.
- Kennedy, S. · Jul 2025 · CRM Implementation & Migration
Get a free Thrive Score in 30 minutes. We benchmark your portal across Feature Adoption, Data Quality, Automation Maturity, and Revenue Readiness - including how your subscription types, consent properties and suppression lists are actually set up.