EU email marketing: GDPR and ePrivacy
In the EU, marketing email is governed by the ePrivacy Directive (the consent rule) layered over the GDPR (the data rule). ePrivacy Article 13 generally requires prior opt-in for individuals; GDPR supplies the lawful basis, the right to object, and the accountability that turns consent into something you must be able to prove. Because the directive is transposed by each member state, the specifics vary by country.
Last checked: June 21, 2026
EU marketing email sits at the intersection of two instruments. The ePrivacy Directive (2002/58/EC) governs the act of sending an electronic marketing message - the consent rule lives in Article 13. The GDPR (Regulation (EU) 2016/679) governs the personal data underneath - the lawful basis, the right to object, and the accountability that means you must be able to prove what you relied on. A directive is transposed by each member state, so the EU gives you the framework and the country gives you the exact text.
This is general information, not legal advice. Consult counsel in the relevant member state. The points below come from the European Commission’s guidance and the primary legislative texts; member-state transpositions differ.
The 60-second version
- ePrivacy Article 13 generally requires prior opt-in consent to send electronic marketing to individual subscribers.
- The directive contains a limited existing-customer exception (the basis for what the UK transposes as “soft opt-in”); how it is implemented varies by member state.
- GDPR consent is freely given, specific, informed, and unambiguous - an affirmative act.
- A list obtained from a third party can only be used if that party can show it was collected GDPR-compliantly and may be used for marketing.
- Such third-party lists are typically processed on legitimate interests (GDPR Art. 6(1)(f)), which automatically triggers the right to object (Art. 21).
- You must inform a new contact, at the latest at first contact, that you hold and will use their data for marketing.
- National DPAs enforce; the EDPB coordinates. We describe GDPR fines qualitatively - see the penalties note.
The two layers, kept separate
| Layer | Instrument | What it controls |
|---|---|---|
| Sending | ePrivacy Directive (2002/58/EC), Art. 13 | Whether you may send a marketing email at all - the consent rule for electronic mail |
| Data | GDPR (2016/679) | The lawful basis for processing the address, the right to object, transparency, and accountability |
Satisfying GDPR’s data rules does not by itself make a send lawful under ePrivacy, and vice versa. Both have to hold.
Consent under ePrivacy and GDPR
ePrivacy Article 13 generally requires prior opt-in consent for electronic marketing to individual subscribers. The meaning of “consent” is borrowed from the GDPR: it must be freely given, specific, informed, and unambiguous, signalled by a clear affirmative action. Pre-ticked boxes, inactivity, or bundled “accept everything” flows do not meet it.
The existing-customer exception (the “soft opt-in”)
The directive includes a narrow exception allowing a business to market similar products or services to its own existing customers, provided the customer was given the chance to object when their details were collected and in every later message. This is the EU-level root of what the UK transposes as the soft opt-in. Because ePrivacy is a directive, the exact conditions and B2B treatment are set by each member state’s transposition - treat the existing-customer exception as country-specific, not a single EU-wide rule.
Lawful basis and third-party data
The GDPR requires a lawful basis for processing the personal data behind a campaign. Two are common for marketing:
- Consent (GDPR Art. 6(1)(a)) - the most common basis where ePrivacy also demands opt-in.
- Legitimate interests (GDPR Art. 6(1)(f)) - the basis on which lists acquired from third parties are typically processed.
For third-party / acquired lists, the European Commission’s guidance is concrete:
- Before acquiring a list, the other organisation must be able to demonstrate the data was obtained in compliance with the GDPR and that it may be used for advertising.
- If the original data was collected on consent, that consent must have explicitly included the possibility of transmitting the data to other recipients for their own direct marketing.
- Processing such a list on legitimate interests automatically creates a right for individuals to object (Art. 21) - and you must not send to anyone who has objected.
- You must still comply with the ePrivacy Directive for the use of email as a marketing channel.
Transparency: telling people at first contact
When you obtain personal data from a source other than the individual, GDPR’s information duties apply. The Commission’s guidance states that, at the latest at the time of the first communication with a new contact, the controller must inform them that their data was collected and will be used for marketing.
The right to object
Individuals have an absolute right to object to processing for direct marketing under GDPR Article 21. Unlike some other objection rights, there is no balancing test for direct marketing: once someone objects, you must stop. This functions as the EU’s always-available “unsubscribe” at the data-protection layer, on top of any ePrivacy opt-out.
Who enforces, and the roles
| Body | Role |
|---|---|
| National supervisory authorities (DPAs) | Enforce the GDPR (and, with national regulators, ePrivacy transpositions) in each member state - e.g., CNIL (France), BfDI (Germany) |
| European Data Protection Board (EDPB) | Coordinates DPAs and issues guidance to keep enforcement consistent across the EU |
Penalties (described, not numbered)
The GDPR provides for administrative fines under Article 83, structured in two tiers by the type of infringement, and ePrivacy penalties are set by each member state’s own legislation.
We do not print a specific GDPR fine figure on this page. The headline maximum is well known, but it was not stated on the primary source we verified, and ePrivacy fines vary by country. Rather than restate an unverified number, we point you to GDPR Article 83 and the relevant member-state law for the applicable maxima.
Common confusion
- “GDPR consent and ePrivacy consent are different bars.” ePrivacy uses the GDPR definition of consent - the affirmative-action standard.
- “Legitimate interests lets me skip consent for email.” It can be the lawful basis for the data, but ePrivacy still governs the send, and it triggers an immediate right to object.
- “There is one EU answer for B2B.” No - ePrivacy is transposed per member state; B2B treatment differs by country.
- “A bought list is fine if I delete objectors.” Only if the seller can show GDPR-compliant collection and a consent (where relied on) that explicitly covered onward marketing - and you inform contacts at first contact.
What Egressif does, and what stays with you
Egressif provides the mechanics: authenticated, identifiable sending (SPF/DKIM/DMARC), a working opt-out, suppression applied on receipt so an Article 21 objection or an ePrivacy opt-out is honored immediately, and durable consent and suppression records that feed the GDPR accountability principle. What stays with you - and your member-state counsel - is the legal substance: choosing and documenting a lawful basis, securing valid consent or a valid existing-customer exception, vetting any acquired list, and meeting the first-contact transparency duty. We make your handling provable; we do not supply the lawful basis.
Related references
- Email marketing laws by country (2026) Anti-spam laws look alike until you sort them by consent. The US (and, for B2B, Turkey) let you mail first and honor opt-outs; Canada, the UK, the EU, and Australia want permission before the first message. This page lines all six up on consent, sender identity, unsubscribe timeframe, who enforces, and the penalties we could verify.
- CAN-SPAM Act: what US email law requires CAN-SPAM is an opt-out law: you may email someone who never asked, as long as the message is honest, names you, carries a physical address, and offers an unsubscribe you honor within 10 business days. There is no B2B exemption, and each non-compliant email is a separate violation.
- CASL: Canada's anti-spam law for senders CASL is an express opt-in law with a narrow, time-limited implied-consent exception. Every commercial electronic message must identify you and carry a working unsubscribe honored within 10 business days, and the burden of proving consent is on the sender. Penalties reach CAD $1M for individuals and CAD $10M for businesses per violation.
- UK PECR and UK GDPR for email marketing UK email marketing runs on two laws at once - PECR for the consent rules and UK GDPR for the data underneath. Marketing to individuals is opt-in (with a narrow soft opt-in for existing customers), while corporate bodies can be emailed without prior consent. We describe the ICO's enforcement powers qualitatively because the specific PECR penalty ceiling is not confirmed from a primary source.
- Australia's Spam Act 2003 for senders Australia's Spam Act 2003 is an opt-in law built on three rules - consent, identify, unsubscribe. Consent is express or (narrowly) inferred, the burden of proving it sits on the sender, and an unsubscribe must work and be honored within 5 working days. ACMA enforces; we describe its role without a penalty figure because the current amounts were not confirmed from a primary source.
- Turkey's ETK, KVKK and IYS for email Turkey requires prior consent (onay) to send commercial electronic messages to consumers, allows B2B sends to merchants and traders without consent, and routes consent and opt-outs through a central government registry, the IYS. Unsubscribe must be honored within 3 business days. The ETK obligations below come from the official law text; the KVKK data-protection layer is flagged where we could not verify it.