COMPLIANCE GUIDE — EUROPEAN UNION

EU Email Marketing Regulations: ePrivacy, GDPR & What Changed in 2025

The ePrivacy Regulation was withdrawn. A landmark CJEU ruling expanded the soft opt-in. France's CNIL may require consent for open tracking. Here is what EU email marketing law actually requires in 2025–2026.

Two Overlapping Frameworks: ePrivacy and GDPR

EU email marketing is governed by two separate legal frameworks that interact with — and sometimes override — each other. Understanding both is essential before designing your email programme for European audiences.

The ePrivacy Directive (2002/58/EC) governs the act of sending marketing communications. It determines whether you need consent before sending an email, and what the "soft opt-in" exception allows. As a directive (not a regulation), it is not directly applicable EU-wide — each member state has enacted its own national law implementing it, and these national laws vary in important ways.

The GDPR governs the processing of personal data — including collecting, storing, and using email addresses. It determines what constitutes valid consent when consent is required by ePrivacy, and it applies data subject rights (access, erasure, portability) to subscriber data.

The November 2025 CJEU ruling clarified their relationship:

In its judgment of 13 November 2025 (C-654/23), the Court of Justice of the EU confirmed the principle of lex specialis — where the ePrivacy Directive's soft opt-in provision is satisfied, a separate legal basis under GDPR Article 6 (consent or legitimate interest) is not additionally required. This resolves years of uncertainty where some data protection authorities demanded compliance with both simultaneously.

The ePrivacy Regulation Is Not Coming — February 2025 Withdrawal

For years, email marketers anticipated the proposed ePrivacy Regulation as a replacement for the 2002 Directive — a single, directly applicable EU-wide rule that would supersede the patchwork of national implementations. On 11 February 2025, the European Commission formally withdrew the proposal from its 2025 Work Programme.

The Commission's stated reason: "No foreseeable agreement — no agreement is expected from the colegislators. Furthermore, the proposal is outdated in view of some recent legislation in both the technological and the legislative landscape."

The practical consequence: the current ePrivacy Directive from 2002 and all national implementations remain the applicable law indefinitely. There is no EU-wide harmonisation on the horizon. Senders must continue complying with each member state's national ePrivacy law for recipients in that country.

The Soft Opt-In — What It Is and Who It Covers

Article 13(2) of the ePrivacy Directive provides the most commercially important exception to the consent requirement. The soft opt-in permits sending marketing emails without prior explicit consent when four conditions are all met:

1
Contact obtained "in the context of a sale" — the recipient's email was collected during a transaction, whether a purchase or a service signup. The November 2025 CJEU ruling confirmed that free accounts qualify if the free access is part of a freemium model leading to a paid service.
2
Marketing is for similar products or services — you cannot use soft opt-in to market completely unrelated offerings. A SaaS company can use it for upsell campaigns to free-tier users; it cannot use it to market partner products.
3
Clear opt-out opportunity at collection — when the email address was collected, the recipient must have been given a clear, easy opportunity to object to marketing. A pre-ticked "uncheck to opt out" box at checkout satisfies this; a buried notice in terms and conditions does not.
4
Unsubscribe in every message — every marketing email sent under the soft opt-in must contain a clear, functioning unsubscribe mechanism, and opt-out requests must be honoured promptly.
Important: national variation on soft opt-in

Germany does not implement the soft opt-in exception. German law (UWG §7) requires prior explicit consent for all commercial email, B2C and B2B. Austria and Switzerland are similarly strict. The soft opt-in rules below apply only to countries whose national ePrivacy implementation includes the Article 13(2) exception.

Consent Rules by Country — Key Markets

The ePrivacy Directive is implemented differently in each member state. The following covers the largest EU email marketing markets:

CountryB2C emailB2B emailSoft opt-in available?
GermanyOpt-in required (UWG)Opt-in required (UWG)No — strictest in EU
FranceOpt-in required (LCEN)Legitimate interest OKYes — existing customers
NetherlandsOpt-in requiredLegitimate interest OKYes — existing customers
SpainOpt-in required (LSSI)Legitimate interest OKYes — existing customers
ItalyOpt-in requiredOpt-in generally requiredYes — limited
PolandOpt-in requiredLegitimate interest (debated)Yes — existing customers
SwedenOpt-in requiredLegitimate interest OKYes
UK (post-Brexit)Opt-in required (PECR)Corporate subscribers exemptYes — existing customers

Note: This table is a general overview only — national implementations change and enforcement interpretations vary. Always verify current requirements with legal counsel for any specific country. Data correct as of April 2026.

Watch: France CNIL Tracking Pixel Consultation (2025)

In June 2025, France's data protection authority (CNIL) launched a public consultation on a draft recommendation that would classify email tracking pixels as equivalent to cookies — requiring explicit prior consent for their use. If adopted, this would create a double-consent framework for email marketing in France:

  • Consent to receive marketing emails (existing requirement)
  • Separate, explicit consent specifically for email open tracking via pixels

This proposal is not yet adopted or in force as of April 2026. However, the consultation signals the regulatory direction in France, which has been one of the most active enforcers of digital marketing privacy. The September 2025 €325 million fine against Google Ireland, which included ePrivacy consent violations related to advertising in Gmail, demonstrates that the CNIL takes these obligations seriously.

Senders with significant French recipient volumes should monitor the CNIL's finalisation of this recommendation and consider whether their email analytics practices would require modification if the draft is adopted as guidance or regulation.

Infrastructure Requirements for EU Compliance

Legal compliance and technical infrastructure compliance are separate layers — both required for a functioning EU email programme. The ePrivacy and GDPR requirements translate into specific technical demands:

Consent management and logging

Every EU subscriber's consent event must be logged with: timestamp, IP address, consent text version shown, and acquisition source. Double opt-in creates the confirmation click as a natural consent record. Single opt-in requires separate logging. Records must be retained for 3 years and retrievable on demand.

One-click unsubscribe in every message

Required by both ePrivacy (unsubscribe must be present and easy) and Gmail/Yahoo's 2024 bulk sender requirements. The List-Unsubscribe and List-Unsubscribe-Post headers enable native one-click unsubscribe in email clients. Our infrastructure configures these headers on all outbound mail by default.

EU data residency

Subscriber personal data — including email addresses, bounce records, and FBL complaint data — must be processed under GDPR. Hosting on EU-based infrastructure (Article 28 DPA required with hosting provider) avoids the complexity of US data transfer mechanisms (SCCs, adequacy decisions). Our infrastructure operates from our datacenter at Tornimae 5, Tallinn, Estonia (EU).

Suppression list integrity across all systems

Opt-outs must be honoured globally — a subscriber who unsubscribes from one campaign must be suppressed across all campaigns from the same controller. Technical suppression lists must be synchronised across all sending systems within your infrastructure.

EU-Based Infrastructure — GDPR Compliant by Default

Our infrastructure runs from our datacenter at Tornimae 5, Tallinn, Estonia. Every plan includes a signed GDPR Data Processing Agreement. Bounce data, FBL complaints, and subscriber data never leave EU infrastructure. Authentication is configured for full DMARC alignment — the technical minimum for compliant EU bulk sending in 2026.

2025–2026 Updates

Feb 2025

ePrivacy Regulation proposal officially withdrawn. Current 2002 Directive remains in force indefinitely.

Nov 2025

CJEU ruling (C-654/23): free accounts qualify as "sale of service" for soft opt-in. ePrivacy lex specialis confirmed over GDPR.

Sep 2025

CNIL fines Google €325M for ePrivacy consent violations on Gmail advertising.

Jun 2025

CNIL launches consultation on tracking pixels in emails — potential double-consent requirement in France.

Disclaimer: This guide provides general information on EU email marketing regulations as of April 2026. It does not constitute legal advice. Requirements vary by country and change as national authorities update their interpretations. Consult qualified legal counsel for advice specific to your jurisdiction and programme.