In November 2025, the Court of Justice of the European Union (CJEU) delivered a landmark judgment, providing crucial guidance on the interpretation of the ePrivacy Directive regarding the distribution of marketing emails and its interplay with the EU GDPR.
The ePrivacy Directive requires organisations to obtain consent before sending marketing emails to third parties. However, Article 13(2) of the ePrivacy Directive provides for an exception to the consent requirement (often discussed as “soft opt-in”) with high practical relevance if the contact data (1) was obtained “in the context of a sale”, (2) is used for direct marketing of “similar products or services”, and (3) if the recipients can object to the use of their electronic contact data when they are collected and in every subsequent marketing message.
The recent judgment of the CJEU clarifies several (previously) unresolved questions regarding the interpretation of these requirements and the relationship between the ePrivacy Directive and the EU GDPR, providing much‑needed legal certainty for organisations engaging in email marketing.
Background of the case
A Romanian online news journal allowed users to view a maximum number of six articles per month free of charge. Further, the news journal offered a “Premium Service” based on the following terms:
- Users could create a free account to access a limited number of additional articles per month.
- Upon registration, users would also receive a daily email newsletter containing summaries of legislative news and hyperlinks to the full articles on the website.
- The news journal also offered a paid subscription for full access to all articles and a more comprehensive newsletter.
Users could object to receiving the newsletter, either by ticking a box during the account creation process or by using an unsubscribe button included in every email.
The Romanian data protection authority (ANSPDCP) imposed a fine on the news journal, arguing that sending the newsletter would constitute further processing of personal data (the user’s email address) for a purpose that was incompatible with the initial collection and, crucially, without the user’s explicit consent as required under Article 6(1)(a) of the EU GDPR.
Newsletters as direct marketing
In its judgment, the CJEU confirmed that distributing a free newsletter falls under the definition of “direct marketing” within the meaning of the ePrivacy Directive. It argued that by sending newsletters encouraging users to consume free content, the news journal was implicitly advertising its paid subscription. This pursuit of a commercial purpose is sufficient to qualify the activity as direct marketing (Article 13(1) of the ePrivacy Directive), regardless of the newsletter’s informational content.
Thereby, the decision strengthens the soft opt-in and thus facilitates email marketing: organisations are permitted to send newsletters with mixed content (both informative and promotional elements) without having to obtain separate consent, provided they comply with the conditions of Article 13(2) of the ePrivacy Directive.
A “sale” does not require direct payment from the user
Further, the CJEU assessed whether providing contact details for a free service could be considered “in the context of the sale of a service”. In particular, the CJEU held that where a free service is provided to advertise paid products, the cost of the free service is considered indirect remuneration. This cost is considered as being effectively incorporated into the overall price of the paid goods or services the company offers. In this instance, the free newsletter and limited article access served to promote the journal’s paid subscription, thereby satisfying the requirement of (being collected) “in the context of a sale”.
Therefore, the ruling allows organisations to more confidently leverage the soft opt-in exception to convert users of their free services into paying customers through direct marketing.
No separate legal basis under the EU GDPR required
Finally, the CJEU confirmed the principle of lex specialis, ruling that where the conditions of the ePrivacy Directive’s soft opt-in provision are met (or more specifically, the Member State law implementing Article 13(2) of the ePrivacy Directive), a separate legal basis under Article 6 of the EU GDPR (e.g., consent or legitimate interest) is not required. In these cases, the national provision implementing the ePrivacy Directive can be understood as the legal basis for the processing.
This ruling has three significant implications:
- The judgment explicitly rejects the approach pursued by some data protection authorities, which demanded a justification under both the national ePrivacy implementation laws and the GDPR. This provides welcome relief for organisations, as the burdensome requirements for EU GDPR consent do not apply when the soft opt-in criteria are met.
- The decision confirms that data protection authorities cannot impose a GDPR fine based on the absence of consent under Article 6(1)(a) of the EU GDPR for email marketing that complies with the soft opt-in rules. It effectively constrains the ability of data protection authorities to use the EU GDPR’s general clauses to enforce stricter requirements than those laid down in more specific EU legislation, such as the ePrivacy Directive.
- Moreover, the decision raises a follow-up question: if an organisation fails to meet the soft opt-in conditions, do data protection authorities have the authority to take measures (such as imposing fines) for that specific violation of law? There is an argument that they may lack the competence to do so, unless the respective Member State law explicitly grants them such powers.
Key takeaways
The CJEU’s decision is a welcome clarification in the realm of direct marketing. It results in a few key takeaways generally in favour of organisations aiming to promote their services by email marketing:
- Newsletters qualify as direct marketing: Free newsletters can be considered direct marketing if they pursue a commercial purpose. Businesses offering newsletters with mixed content to attract paying customers can now more confidently rely on the soft opt-in exception under the ePrivacy Directive regime for their email marketing.
- Broad understanding of “sale”: The concept of a “sale” is not limited to transactions involving direct payment. Organisations that collect email addresses in connection with a free service and sending newsletters to users may rely on the exception where that service is used to promote paid offerings and is financed through revenue from those offerings (indirect remuneration).
- ePrivacy Directive as a sufficient legal basis: The ruling confirms that compliance with the soft opt-in requirements under Article 13(2) of the ePrivacy Directive (as implemented in Member State law) is a distinct and viable legal basis for electronic direct marketing. Where these conditions are fulfilled, organisations are not required to rely on an additional legal basis under Article 6 of the EU GDPR for the same email communications. This provides significant relief for companies by removing the burden of establishing and documenting a separate legal basis under the GDPR, such as consent.
