Email Infrastructure and Regulatory Compliance in Europe

← Operational Notes

Email Infrastructure and Regulatory Compliance in Europe

September 29, 2026·11 min read·Marek Novák

Why European compliance is a two-law problem

A sender marketing into Europe faces a regulatory environment that is strict, actively enforced, and structured in a way that catches out senders who think of it simply. The fines are not theoretical, GDPR penalties reach into the tens of millions of euros or a percentage of global turnover, and regulators have shown they will impose them. But the more common failure is not a dramatic violation; it is a sender who believed they were compliant because they addressed one law and did not realize a second law also applied.

This operational note is about getting that structure right. The structure of this note: why European compliance is a two-law problem, the two-layer framework of GDPR and the ePrivacy Directive, why ePrivacy governs the act of sending, the consent standard GDPR sets, the soft opt-in for existing customers, why double opt-in matters in practice, the consent records and data subject rights an operation must handle, and data residency and how compliance interacts with the email infrastructure itself.

This note is operational guidance, not legal advice; an operation marketing into Europe should get its specific situation reviewed by a qualified data protection professional. The aim here is to give an operator the structural understanding that lets them ask the right questions and build their infrastructure and processes on the correct foundation.

The two-layer framework: GDPR and ePrivacy

The single most important thing to understand about European email compliance is that it is governed by two laws operating together, and a sender must satisfy both.

LawGoverns
GDPR (General Data Protection Regulation)The processing of personal data, including the email addresses and recipient data
The ePrivacy DirectiveElectronic communications, including the act of sending marketing email

The GDPR is the comprehensive framework for processing personal data across Europe. An email address is personal data, so GDPR governs the collection, storage, and use of the email addresses and the data about recipients, and it sets the standard for the consent and the lawful basis.

The ePrivacy Directive is a more specific law covering electronic communications. EU member states implement it through their own national legislation, so its details vary by country, but it governs, among other things, the act of sending marketing communications.

The two address different aspects of the same activity: GDPR sets the standard for the personal data and the consent, and ePrivacy governs the actual sending of the marketing email. When the two overlap, the ePrivacy Directive, as the more specific rule, the lex specialis, takes precedence for the matter it specifically governs.

The practical consequence is direct: a sender must comply with both layers, and satisfying one does not satisfy the other. The most common European compliance mistake is thinking of GDPR alone, addressing the personal-data layer and missing the ePrivacy layer that governs the send itself.

Why ePrivacy governs the act of sending

The two-layer structure has a specific, consequential implication that deserves its own treatment: the ePrivacy layer governs the act of sending, and that is why a GDPR lawful basis alone is not enough to send.

Under GDPR, processing personal data requires a lawful basis, and one of the available bases is legitimate interest, which allows certain processing without consent. A sender might reason: we have a legitimate interest in marketing our products, legitimate interest is a valid GDPR basis, therefore we can send marketing email.

A GDPR legitimate-interest basis does not permit the send

That reasoning stops at the GDPR layer and ignores the ePrivacy layer, and it is one of the most consequential mistakes in European email compliance. The ePrivacy Directive specifically governs sending marketing communications by electronic means, and it requires either prior consent or a valid soft opt-in for the send. Legitimate interest under GDPR can cover internal data processing activities, but it does not satisfy the ePrivacy requirement and does not give permission to send the promotional email itself. A sender relying on legitimate interest as their justification for sending marketing email in Europe has addressed the GDPR layer and not the ePrivacy layer, and is, in the typical case, not compliant. The compliant bases for the send are consent or the soft opt-in, not legitimate interest.

So the correct mental model is: GDPR governs whether the operation may hold and process the personal data, and ePrivacy governs whether the operation may send the marketing message to it. Both questions must be answered yes, on their own terms. An operation marketing into Europe builds its sending on consent or the soft opt-in, the ePrivacy-valid bases for the send, not on a GDPR processing basis alone.

For most marketing email in Europe, the basis is consent, and GDPR sets a specific, demanding standard for what counts as valid consent.

Valid consent under GDPR is, in essence:

  • Explicit and affirmative. The recipient must take a clear, positive action to consent, ticking an unchecked box, for example. Consent cannot be assumed from silence or inaction, and a pre-ticked box is not valid consent.
  • Specific. Consent must be for the specific purpose, marketing email. Marketing consent must be separate from other consents; consenting to a privacy policy, or to account terms, is not consent to marketing.
  • Informed. The recipient must know what they are consenting to, who will send the marketing, what it will be about.
  • Freely given. Consent must be a genuine choice, not bundled into something the recipient needs, not a condition of a service that does not require it.

A practical implication that catches many senders: marketing consent must not be buried. A signup form that says "by creating an account you agree to our privacy policy", with the marketing consent hidden in the privacy policy, does not produce valid marketing consent. The marketing opt-in must be a separate, specific, unchecked, affirmative choice.

This standard also rules out a common bad practice: a purchased or rented list, or a list acquired from a partner, does not come with valid consent for the new sender, because the recipients consented (if at all) to someone else, not to this sender's marketing. Adding such a list and mailing it violates the consent requirement before a single message is sent. Consent is specific to the sender and the purpose, and it cannot be transferred or assumed.

The soft opt-in for existing customers

There is one significant exception to the requirement for prior explicit consent: the soft opt-in, which applies to marketing to existing customers.

The soft opt-in allows a business to send marketing email to its existing customers about similar products or services without fresh explicit consent, when certain conditions are met. In essence, the soft opt-in applies when:

  • The recipient is an existing customer whose contact details were obtained in the course of a sale.
  • The marketing is for the business's own similar products or services.
  • The recipient was given a clear and simple opportunity to opt out when their details were collected.
  • Every subsequent message also gives an easy way to opt out.

When those conditions hold, the business can market to that existing customer without the recipient having explicitly opted in, on the basis that a customer relationship and a non-objection are present.

The soft opt-in is genuinely useful, it lets a business stay in touch with its own customers about relevant offerings, but its boundaries matter and must be respected:

  • It applies to existing customers, not to prospects, leads, or purchased lists.
  • It covers similar products and services, not unrelated offerings.
  • It depends on the opt-out having been offered at collection and in every message.

A business relying on the soft opt-in must genuinely meet all the conditions. The soft opt-in stretched beyond its boundaries, applied to non-customers or to unrelated marketing, is not a valid basis, and the sending is non-compliant. For marketing to anyone who is not an existing customer in the similar-products sense, explicit consent is required. The soft opt-in is a real and helpful provision, but it is narrow, and an operation should be clear about exactly which of its recipients it actually covers.

Why double opt-in matters in practice

Double opt-in, the practice of confirming a new subscriber by sending them a confirmation email they must click before they are added to the list, deserves specific attention, because its status is a useful illustration of how European compliance works in practice.

Double opt-in is, strictly, not legally required by GDPR or ePrivacy in most member states; the law requires valid consent, not specifically a confirmation step. But two things make double opt-in important in practice.

It is effectively mandatory in some member states. The ePrivacy Directive is implemented through national law, and the requirements vary by country. In some member states, notably Germany and Italy, the practical and regulatory expectation is strong enough that double opt-in is effectively mandatory. An operation marketing across the EU, into those countries among others, therefore has good reason to use double opt-in everywhere.

It is the strongest proof of consent. Even where double opt-in is not mandatory, it is the best evidence a sender can have that consent was genuinely given. GDPR requires not just that consent was obtained but that the sender can demonstrate it. A double opt-in produces a clear, datable record that the specific recipient confirmed their subscription from their own mailbox, which is far stronger proof than a single-opt-in form submission alone.

So the practical guidance is that, although double opt-in is not universally legally mandated, an operation marketing into Europe has strong reasons to use it: it satisfies the effective requirement in the member states that expect it, and it gives the operation the robust consent proof that GDPR's demonstrability requirement makes valuable. Double opt-in also tends to improve list quality and engagement, which helps deliverability, so it serves the compliance and the deliverability goals together.

Consent records and data subject rights

Two ongoing obligations shape how an operation must handle the data and the recipients: keeping consent records, and honouring data subject rights.

Consent records. GDPR requires a sender not just to obtain consent but to be able to demonstrate it. So the operation must keep records of consent, and the record for each consent should capture, in essence, who consented, when, what they were shown and agreed to, and how the consent was given, along with the current status, whether the consent is still active or has been withdrawn. These records must be kept securely and retained for as long as the data is in use. An operation that mails a recipient and, challenged, cannot produce a record showing valid consent has a compliance problem regardless of whether the consent was in fact obtained, because demonstrability is itself a requirement.

The right to withdraw consent. A recipient must be able to withdraw consent, to unsubscribe, and withdrawing must be as easy as giving consent was. The operation must provide a simple unsubscribe mechanism, and a withdrawal must be honoured promptly, the recipient suppressed so they are not mailed again. An operation can offer a preference centre, but a straightforward unsubscribe-from-all must be available; the recipient cannot be forced through a complicated process to stop receiving mail.

Other data subject rights. GDPR gives individuals further rights over their personal data, including the right to access the data an operation holds about them, the right to have it corrected, and the right to have it erased. An operation must be able to respond to these requests, and within the time limit GDPR sets, generally one month. The operation's systems must therefore make it possible to find, export, correct, and delete a specific individual's data on request.

These obligations have a direct implication for how the operation's systems and data are organized: the consent records, the suppression handling, and the ability to act on data subject requests all need to be built into the operation's data architecture, not bolted on. An operation that cannot readily produce a consent record or action an erasure request has a structural compliance gap.

Data residency and the infrastructure interaction

Finally, European compliance interacts with the email infrastructure itself, in particular through data residency and the transfer of personal data.

Data residency and transfers. GDPR regulates the transfer of personal data outside the European Economic Area. Personal data, the recipient lists, the data about recipients, can be transferred outside the EEA only under specific conditions, an adequacy decision for the destination, or appropriate safeguards. For an email operation, this means the question of where the personal data is stored and processed matters: the sending platform, the database holding the lists, the servers, their location and the location of any third parties involved all bear on whether personal data is being transferred outside the EEA and whether that transfer is on a valid footing. An operation serving European recipients should know where its recipient data resides and ensure any transfer outside the EEA is properly handled, which is one reason some operations serving European senders choose EEA-based infrastructure, to keep the personal data within the EEA and simplify this question.

The infrastructure as part of compliance. More broadly, the email infrastructure is part of the compliance picture, not separate from it. GDPR's security obligations mean the personal data, the recipient lists, must be held securely, which bears on the security of the servers and the systems. The ability to honour data subject rights depends on the systems being able to find and act on an individual's data. The consent records have to live somewhere and be retrievable. The suppression of withdrawn consents has to be reliably applied by the sending system. So an operation's email infrastructure, the platform, the databases, the servers, the processes, is itself a compliance instrument: it has to be built and operated so that the compliance obligations can actually be met. An operation that treats compliance as a purely legal or marketing matter, separate from the infrastructure, will find that the infrastructure cannot support the obligations when they are tested.

The campaign that was GDPR-compliant and still not allowed

An operation we worked with was expanding its marketing into Europe and believed they had done their compliance homework. They had focused on GDPR, the law everyone knows, and had a GDPR story they were confident in: they had identified a lawful basis for processing the personal data, legitimate interest, reasoning that they had a legitimate business interest in marketing their products, and that legitimate interest is a recognized GDPR basis. They had documented it, they had a privacy policy, they had what they considered a defensible position. On that footing, they prepared to send marketing email to a set of European recipients who were not existing customers, prospects whose details they had gathered. We reviewed the plan before they sent, and the problem was structural. Their GDPR analysis was not the whole picture, because European email marketing is governed by two laws, and they had addressed only one. The ePrivacy Directive governs the act of sending marketing communications, and for recipients who are not existing customers it requires prior explicit consent. Legitimate interest is a GDPR processing basis; it does not satisfy the ePrivacy requirement for the send. So even with a documented legitimate-interest basis, they were not permitted to send the marketing email to those prospects, because the ePrivacy layer required consent they did not have. Their compliance work had been real but incomplete: they had a defensible answer to "may we process this data" and no answer to "may we send this marketing email", the question ePrivacy asks. The recommendation was to rebuild the program for that audience around a consent-gathering opt-in step rather than an immediate send. For recipients who were genuinely existing customers being marketed similar products, the soft opt-in could apply, but that was a smaller group. The lesson is the central one of this note: European email compliance is a two-law problem, and the common mistake is a sender who does a careful job on GDPR and does not realize ePrivacy is a separate law governing the send itself. A GDPR basis for processing the data is necessary but not sufficient; the send needs its own ePrivacy-valid basis, and legitimate interest does not provide it.

Email regulatory compliance in Europe is, at its core, a two-law problem: the GDPR governs the processing of the personal data, and the ePrivacy Directive governs the act of sending the marketing communication, and a sender must satisfy both, because satisfying one does not satisfy the other. The most consequential implication is that a GDPR lawful basis alone, in particular legitimate interest, does not permit the send; the ePrivacy layer requires prior explicit consent or a valid soft opt-in. GDPR's consent standard is demanding, explicit, specific, informed, freely given, and not buried, and it rules out mailing purchased lists. The soft opt-in is a real but narrow exception for marketing similar products to existing customers. Double opt-in, though not universally mandated, is effectively required in some member states and is the strongest consent proof everywhere. The operation must keep demonstrable consent records, honour the right to withdraw and the other data subject rights within GDPR's time limits, and handle data residency so personal data is not improperly transferred outside the EEA, which means the email infrastructure itself, the platform, the databases, the processes, is part of the compliance picture. Operations that build their European sending on both layers, with consent or the soft opt-in as the basis for the send, market into Europe on a sound footing; operations that address GDPR alone, as the case shows, can find a campaign they believed compliant was never permitted at all. This note is operational guidance and not legal advice, and an operation should have its specific situation reviewed by a qualified data protection professional.

M
Marek Novák

Email Compliance and Security Specialist at Cloud Server for Email. Advises on email compliance and sending practice for operations marketing into Europe. Related: Lessons Building Infrastructure for European Senders, How to Evaluate Email Infrastructure Providers, Building a Deliverability Runbook.