Under GDPR, an email address counts as personal data, so sending marketing email to anyone in the EU requires a lawful basis under Article 6, most often the recipient’s freely given, specific consent, or for existing customers, the narrower soft opt-in exception. Consent has to be an unambiguous opt-in: pre-ticked boxes, bundled agreements, and silence do not count, and withdrawal has to be as easy as consent itself. Transactional email, receipts, password resets, shipping updates, rests on a different lawful basis and does not need marketing consent, though it is still personal data processing subject to GDPR’s general principles.
This guide covers valid consent, the soft opt-in, how transactional email diverges from marketing email under GDPR (see our full breakdown of transactional vs. marketing email for the deliverability side of that same distinction), and a practical compliance checklist.
Consent or Legitimate Interest: The Two Lawful Bases for Marketing Email
GDPR’s Article 6 lists six lawful bases for processing personal data, but only two apply realistically to marketing email. The first is consent: Article 6(1)(a) permits processing where “the data subject has given consent to the processing of his or her personal data for one or more specific purposes.” This is the basis most SaaS companies should default to, since it creates the clearest paper trail and the least regulatory risk.
The second is legitimate interest, under Article 6(1)(f): processing “necessary for the purposes of the legitimate interests pursued by the controller… except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.” Regulators treat this narrowly for direct marketing: fine for inviting a webinar attendee to a related event, weak ground for cold outreach to a purchased list, and it still requires a documented assessment plus an easy way to object.
For most SaaS teams: use consent for new subscribers and cold segments, the soft opt-in (below) for existing customers where it applies, and reserve legitimate interest for narrow, justified cases.
What GDPR-Valid Consent Actually Requires
GDPR defines consent in Article 4(11) as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” Four words carry the legal weight:
- Freely given: no penalty for refusing, and consent cannot be bundled with unrelated terms of service.
- Specific: one checkbox cannot cover email marketing, SMS marketing, and data sharing with partners at once; each purpose needs its own opt-in.
- Informed: the person needs to know who is processing their data and why, before they consent, not buried in a privacy policy they never open.
- Unambiguous: only an active, affirmative step counts. Pre-ticked boxes, inactivity, and silence do not qualify.
Article 7(1) puts the burden of proof on you: “the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.” In practice, keep the timestamp, wording shown, form version, and collection method on file for every subscriber, not just a boolean “subscribed” flag. A confirmed double opt-in flow strengthens this evidence, since the confirmation click becomes a second, unambiguous record of intent. Mailchimp’s GDPR-enabled forms, for instance, “record the field information in a plain-text version of your form,” a ready-made snapshot of what a subscriber saw and agreed to.
Article 7(3) also requires that “it shall be as easy to withdraw as to give consent,” which is the legal basis behind the one-click unsubscribe requirements most major mailbox providers now enforce.
The Soft Opt-In: Emailing Existing Customers Without Fresh Consent
The soft opt-in is an exception, not a loophole: it lets you send marketing email to someone without a separate consent step, but only if every condition holds. Per the ICO’s guidance on electronic mail marketing, the products and services soft opt-in applies only where all of the following are true:
- You obtained the contact details yourself, directly from the recipient, not from a third-party list or partner database.
- You did so while selling or negotiating to sell a product or service, including a free trial signup or a quote request.
- You are marketing only your own similar products or services, not an unrelated line of business.
- You gave the recipient a clear chance to opt out when you collected their details.
- You give that same chance to opt out in every message since.
This is the UK’s implementation under the Privacy and Electronic Communications Regulations (PECR); other EU states apply the same rule from the ePrivacy Directive with their own wording, so check local implementation if you operate across jurisdictions. A common failure mode: treating a purchased or scraped list as soft-opt-in eligible. It is not, no matter how it was marketed to you.
Transactional vs. Marketing Email: Different Rules, Different Risk
GDPR does not define “transactional” or “marketing” as legal terms, but the distinction determines which lawful basis applies. A transactional message, an order confirmation, a password reset, a shipping update, is sent because the recipient already took an action that requires it. It typically rests on Article 6(1)(b) (contract necessity) or 6(1)(f) (legitimate interest), not consent. A marketing message needs its own lawful basis: almost always consent, or the soft opt-in above.
| Transactional email | Marketing email | |
|---|---|---|
| Triggered by | A specific action the recipient took | A campaign, list, or automation |
| Typical lawful basis | Contract necessity or legitimate interest | Consent or soft opt-in |
| Needs opt-in consent | No | Yes, in most cases |
| Needs an unsubscribe mechanism | Not legally required, but recommended | Yes, required |
The line blurs once promotional content gets added, a “20% off your next order” banner inside a receipt, for example. GDPR and the ePrivacy rules look at substance over label: a receipt that reads mostly as an ad can get reclassified as marketing, pulling opt-in requirements back into play.
Unsubscribe Requests, Objection, and the Right to Erasure
Three separate rights come into play once someone wants out of your marketing, and they are not interchangeable.
Article 21(2) gives every data subject an absolute right to object to direct marketing: “the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.” Article 21(3) is unusually strict: once someone objects, “the personal data shall no longer be processed for such purposes,” with no balancing test and no override. This is why marketing consent has to be genuinely easy to withdraw: a working unsubscribe link plus a List-Unsubscribe header covers both the legal requirement and the deliverability expectation Gmail and Yahoo enforce.
Unsubscribing is not erasure. Objecting to marketing stops that processing purpose; it does not delete the person’s record. The right to erasure under Article 17 is a separate request, and it only applies where a specific ground is met, most commonly that the data is no longer necessary for its original purpose, or consent has been withdrawn with no other lawful basis remaining. In practice: suppress the contact from future sends immediately on objection, and handle erasure as its own workflow.
A GDPR Email Compliance Checklist for SaaS Teams
- Identify the lawful basis for every list or segment (consent, contract, legitimate interest, or soft opt-in) and document it.
- Use an unambiguous opt-in for marketing signups: no pre-ticked boxes, no consent bundled into your terms of service.
- Record how, when, and what someone consented to, not just a “subscribed” boolean.
- Keep transactional and marketing sends on separate lawful bases, and never staple a promotional pitch onto a receipt.
- Only use the soft opt-in for contacts you collected directly, for your own similar products, with an opt-out you keep offering.
- Process unsubscribe and objection requests immediately, and handle erasure requests as a separate workflow.
- Keep a signed Data Processing Agreement with your ESP; they process data on your behalf, but you remain the controller.
This explains how GDPR generally applies to email marketing. It is not legal advice; if you handle sensitive data, operate in a regulated industry, or are unsure which lawful basis applies, talk to a qualified privacy lawyer or your Data Protection Officer.
Frequently Asked Questions
Does GDPR require consent for every marketing email?
Not in theory, but in practice it is the default you should use. Article 6(1)(a) permits processing based on consent, while Article 6(1)(f) allows processing necessary for a controller’s legitimate interests where those interests do not override the individual’s rights. Regulators treat legitimate interest narrowly for direct marketing, since a less intrusive alternative, asking for consent, is usually available. Most SaaS teams should rely on consent or the soft opt-in instead.
What is the GDPR soft opt-in, and when can I use it?
It lets you email an existing customer about your own similar products or services without a fresh consent step, provided you collected their details directly during a sale or its negotiation and gave a clear opt-out both at collection and in every message since. It does not apply to purchased lists, scraped contacts, or unrelated products.
Does GDPR apply if my company is not based in the EU?
Yes, if you offer goods or services to people in the EU or monitor their behavior there. Article 3(2) extends the regulation to controllers offering goods or services “to such data subjects in the Union,” or monitoring “their behaviour as far as their behaviour takes place within the Union.” A US-based SaaS company with EU signups or site visitors is generally in scope, regardless of incorporation.
What happens when someone withdraws consent?
You must stop processing their data for that purpose going forward. Article 7(3) confirms withdrawal “shall not affect the lawfulness of processing based on consent before its withdrawal,” so past sends remain lawful, but you cannot keep emailing them under that consent. Withdrawal also has to be as easy as giving consent, which is the legal basis behind one-click unsubscribe requirements.
Do I need to delete a contact’s data after they unsubscribe?
Not automatically. Unsubscribing exercises the right to object under Article 21, which stops marketing processing immediately, but erasure under Article 17 is a separate right the person has to invoke, and it only applies where a specific ground is met. In practice, suppress the contact from future sends right away, and treat any explicit erasure request as its own workflow.
Is GDPR the same as CAN-SPAM?
No. CAN-SPAM, the US law, is opt-out: you can email someone without prior consent as long as you honor opt-outs and follow its labeling and header rules. GDPR is opt-in for most marketing use cases and applies based on where the recipient is located, not where your company is registered, so a US company with EU subscribers generally has to satisfy both regimes for the same list.
I’ve spent my career building software at scale with a soft spot for email: deliverability, lifecycle campaigns, and getting messages to actually land. I started Coldletter to fix what bugged me about transactional and marketing email tools. I’m based in Vancouver.
