May I email existing customers about a new product?

It depends. If the new product is similar to what the customer previously bought, you can use the soft opt-in. If it's a completely different product category, you need new consent. A working unsubscribe link must always be present.

Do I need consent for every email to customers?

No. Transactional emails such as order confirmations, invoices, and service notifications do not require marketing consent. They fall under the legal basis of 'performance of a contract'. Only promotional and commercial messages require consent or a soft opt-in.

Does a newsletter always require consent?

Yes. A newsletter is by definition direct marketing. You need prior, freely given, and unambiguous consent. A pre-ticked checkbox does not count. And the recipient must be able to easily unsubscribe in every newsletter.

What is the difference between the GDPR and the ePrivacy Directive for email marketing?

The GDPR governs the processing of personal data. The ePrivacy Directive specifically regulates electronic communications, including email marketing. Both apply and you must comply with both.

Direct Marketing and GDPR - Rules for Email, Newsletters, and Advertising

Can you simply email your customers? The GDPR sets clear rules for direct marketing: when you need consent, when the soft opt-in suffices, and how to respect the right to object.

Not all emails are equal

The GDPR makes an important distinction that many business owners overlook: not every email you send is marketing. And not every marketing email requires consent. But if you get it wrong, you risk a complaint to the supervisory authority or, worse, a fine.

Let’s keep it clear. There are three types of emails you send as a business, and different rules apply to each.

Transactional emails: just send them

Order confirmations, invoices, shipping notifications, password resets, appointment reminders - these are transactional emails. They are necessary for performing a contract or delivering a service.

You do not need marketing consent for these. The legal basis is “performance of a contract” (Article 6(1)(b) GDPR). Your customer expects these messages because they are part of the service you provide.

Note: the moment you add a promotional block to a transactional email (“Check out our new collection!”), it becomes a hybrid message. The supervisory authority may treat it as marketing.

Want to send a newsletter? A promotional email? An event invitation? Then you need prior consent. No exceptions.

That consent must meet the GDPR requirements:

Freely given - no pre-ticked checkboxes, no mandatory sign-up as a condition for a service
Specific - the person knows what they are consenting to
Unambiguous - an active action, such as ticking a checkbox or clicking a confirmation link (double opt-in)
Documented - you must be able to demonstrate when and how someone gave consent

And every newsletter must contain a working unsubscribe link. Not hidden at the bottom in grey type, but clearly visible.

The soft opt-in: exception for existing customers

This is the rule many business owners don’t know but are happy to learn about. If someone is already your customer, you may email them about similar products or services without asking for new consent. This is called the soft opt-in.

The conditions are:

You obtained the email address in the context of a sale - the customer bought something or used a service
You promote similar products or services - an accountant may email clients about a new tax service, but not about an unrelated side project
The customer could object when the email address was collected - you offered an opt-out at the point of purchase
Every email includes an unsubscribe option - the customer can say “stop” with every message

Example: an online shop selling sportswear may email existing customers about new sportswear. But not about a completely different product line, such as furniture.

The right to object: absolute for direct marketing

This is where the GDPR is particularly strict. Article 21(2) gives data subjects an absolute right to object to processing for direct marketing. No balancing test, no exceptions.

When someone says “stop sending me marketing”, you stop. Immediately. Not after the next campaign, not at the end of the month. Right away.

This also applies if you email based on legitimate interest or the soft opt-in. It does not matter which legal basis you use: once someone objects to direct marketing, it’s over.

Practical rules of thumb

Situation	Consent needed?
Sending an order confirmation	No
Emailing an invoice	No
Service notification about an active contract	No
Newsletter to new contacts	Yes
Promotional email to existing customer (similar product)	No (soft opt-in)
Promotional email to existing customer (different product)	Yes
Cold email to prospects	Yes
Webinar invitation to your mailing list	Yes

Common mistakes

No unsubscribe link in commercial emails
Pre-ticked checkboxes on sign-up forms
No record of when and how consent was given
Interpreting the soft opt-in too broadly by emailing about completely different products
Ignoring or delaying objection requests

Document your marketing activities

Direct marketing belongs in your records of processing activities. Record which marketing channels you use, which legal basis you apply per channel, how you collect and register consent, and how you handle unsubscriptions. This way you can immediately demonstrate compliance during an audit or complaint.

auto_awesome Are your marketing activities in your processing register?

GDPRWise helps you document all your processing activities, including marketing, legal bases, and consent records. Automated and compliant.

Start your free scan

Direct Marketing and GDPR: What Is and Isn't Allowed?