Email Marketing Consent Rules in the Netherlands

If you run a Dutch webshop and email customers in Germany, Belgium or France, the rules change at every border. The AVG (Algemene Verordening Gegevensbescherming, the Dutch term for the GDPR) applies across the EU, so you might expect one set of consent rules. In practice, requirements for marketing emails vary sharply from country to country. What is perfectly legal for a Dutch sender reaching Irish inboxes can trigger a cease-and-desist letter the moment the same campaign lands in Germany.

The AVG only sets a baseline. Each country has its own ePrivacy or telecom law that adds extra rules on top. In the Netherlands that layer is Telecommunicatiewet Article 11.7, which transposes Article 13 of the ePrivacy Directive into Dutch law. These national laws cover the specifics: when you need opt-in, whether soft opt-in counts and how strictly regulators enforce the rules.

Before you map the country rules, our free website scan checks whether your own signup form collects consent the way each of these countries expects. It flags pre-checked boxes and missing privacy-policy links in about a minute.

How Dutch law works: ACM, AP and the Telecommunicatiewet

The Netherlands has two regulators who can both act on the same marketing campaign, and understanding the split matters.

The ACM (Autoriteit Consument & Markt) enforces Telecommunicatiewet Article 11.7. This article requires prior consent before you send unsolicited electronic marketing messages. When someone has not bought from you or explicitly opted in, sending that first marketing email is a violation of Article 11.7, and the ACM is the body with enforcement authority over that rule.

The AP (Autoriteit Persoonsgegevens) enforces the AVG consent basis. Processing someone's email address for marketing purposes requires a valid AVG Article 6(1)(a) consent basis. A campaign that violates Article 11.7 can simultaneously lack a valid AVG processing ground, giving the AP independent authority to act.

Both can act on the same campaign. This dual-track is unique to the Netherlands and makes the consent rules here more consequential than a single-regulator country might suggest.

Country-by-country breakdown

The Netherlands is placed first because this guide is written for Dutch senders. The detail per country follows below the table.

Netherlands

Law: Telecommunicatiewet, Article 11.7 Regulators: ACM enforces Article 11.7. AP enforces the AVG consent basis Consent required: Yes, opt-in for marketing email

The Netherlands requires prior opt-in consent before you can send marketing emails to consumers. Your signup forms need clear consent language and a working privacy policy link. Single opt-in with an unchecked checkbox and specific consent wording meets the standard. The AP has not pushed for double opt-in for Dutch-only lists, though it remains best practice if you have German subscribers.

The soft opt-in exception is available. If someone bought from you and you collected their email during that transaction, you can email them about similar products or services. You must offer a clear opt-out at the point of collection and include an unsubscribe link in every email. "Similar" is read broadly in Dutch practice, but do not stretch it to unrelated product lines.

For B2B, the rules are more permissive. Cold email to corporate addresses is permitted provided every message includes a clear opt-out mechanism and you stop sending immediately when someone exercises that right.

Germany

Law: UWG §7 (Unfair Competition Act) + DSGVO Regulators: State data protection authorities + competitors via Abmahnungen Consent required: Double opt-in is the de facto standard

Germany is the strictest country in Europe for email marketing. While no single statute requires double opt-in, German courts have consistently held that you need verifiable proof of consent for every subscriber. Double opt-in is the only method courts reliably accept as sufficient proof.

The real danger in Germany is not regulator fines. It is Abmahnungen. These are formal cease-and-desist letters that competitors or consumer protection groups can send under the UWG. Each one carries legal fees starting around EUR 1,000. Some businesses have received multiple Abmahnungen for the same mailing list.

The soft opt-in exception exists in German law (§7 Abs. 3 UWG) but courts interpret it very narrowly. All four conditions must be met precisely: the email was collected during a sale, you are marketing similar products, the customer could opt out at collection and they can opt out in every subsequent email. Miss one condition and the exception does not apply.

If you have German subscribers, use double opt-in. No exceptions.

United Kingdom

Law: PECR Reg. 22 + UK GDPR Regulator: ICO (Information Commissioner's Office) Consent required: Opt-in, with a generous soft opt-in exception

The UK has among the more practical email marketing rules in Europe. PECR allows soft opt-in for existing customers. If someone bought from you or actively enquired about your products, you can send marketing emails about similar items without separate consent.

For new contacts, you need proper opt-in. A clear unchecked checkbox with specific consent language works. Pre-checked boxes do not count.

The Data (Use and Access) Act 2025 aligned PECR penalty maxima with UK GDPR. The ICO can now fine up to GBP 17.5 million or 4% of global annual turnover under PECR, whichever is higher.

Belgium

Law: WER Art. XII.13 Regulator: GBA (Gegevensbeschermingsautoriteit), FOD Economie Consent required: Opt-in, with soft opt-in available

Belgium requires opt-in consent before you send commercial email. The soft opt-in exception is available for existing customers under the same conditions as the Netherlands. Single opt-in with clear consent language meets the standard. Belgian enforcement on email marketing has been moderate relative to Germany or France, but both the GBA and the FOD Economie can pursue violations.

Ireland

Law: SI 336/2011 Regulator: DPC (Data Protection Commission) Consent required: Yes for B2C, lighter rules for B2B

Ireland is one of the more business-friendly markets for email marketing in Europe. B2B marketing email to corporate addresses is generally allowed without prior consent, provided you include a clear opt-out. For B2C, standard opt-in rules apply and the soft opt-in exception is available for existing customers.

France

Law: Loi Informatique et Libertés + ePrivacy transposition Regulator: CNIL Consent required: Strict opt-in, limited soft opt-in

The CNIL requires clear affirmative opt-in before marketing emails are sent. The soft opt-in exception exists but is interpreted narrowly. You need a genuine prior commercial relationship and the marketing must be about closely similar products. "Similar" in the French reading is tighter than in the Netherlands or UK. The CNIL has been active in enforcement and has issued public decisions against companies for inadequate consent mechanisms.

Spain

Law: LSSI Art. 21 Regulator: AEPD Consent required: Strict opt-in only

Spain requires explicit prior consent for all commercial electronic communications. The AEPD enforces actively. The soft opt-in exception is very limited in Spanish practice. If you are marketing to Spanish recipients, obtain proper consent first.

Nordics (Sweden, Norway, Denmark, Finland)

Law: National telecom acts implementing the ePrivacy Directive Regulators: National data protection authorities Consent required: GDPR baseline, standard ePrivacy rules

The Nordic countries follow the AVG/GDPR baseline without adding heavy extra restrictions. Opt-in is required for marketing emails and the soft opt-in exception is available under standard conditions. Double opt-in is not required in any Nordic country, though many businesses use it voluntarily for list hygiene.

The soft opt-in exception explained

The soft opt-in (also called the "existing customer exemption") lets you send marketing emails to people who have already bought from you, without asking for separate consent. It applies in most European countries, including the Netherlands, but all four conditions must hold.

1. You collected the email during a sale or active negotiation. Someone browsing your site does not qualify. They need to have bought something or taken a concrete step toward buying.
2. You are marketing similar products or services. If someone bought a bike from you, you can email them about new bike models. You cannot email them about an unrelated product line.
3. You offered an opt-out at the point of collection. When you first collected their email, they had a visible and easy way to decline marketing.
4. Every email includes an unsubscribe option. This applies to all marketing emails, not only soft opt-in ones.

What counts as "similar" varies by country. The Netherlands and the UK read it broadly. Germany and France interpret it narrowly. When in doubt, ask for proper consent rather than relying on the exception.

For more detail on how this exception works in practice, read our guide on the soft opt-in exception.

B2B vs B2C: the rules differ

Some countries treat business-to-business email differently from business-to-consumer email.

For Dutch senders doing B2B outreach, the key requirement is a clear opt-out mechanism in every message. Stop sending immediately when someone exercises that right. Keep your emails relevant to the recipient's business.

Germany is the outlier. Do not assume that emailing a German business address softens the rules. Abmahnungen apply regardless of whether the recipient is a company or a consumer.

What this means for your Dutch website

If your signup forms collect email addresses for marketing, the consent mechanism needs to match the strictest country you are marketing to. For Dutch businesses sending across Europe:

• Use a clear, unchecked consent checkbox with specific language about what you will send
• Link to your privacy policy next to the form
• Consider double opt-in for all subscribers (required if you have any German recipients)
• Store consent records with timestamps and IP addresses
• Include a working unsubscribe link in every marketing email

Your newsletter signup form is the foundation. Get that right and most countries' rules are satisfied.

Check your email compliance

Our free website scan checks your newsletter signup forms for missing consent language, pre-checked boxes and privacy policy links. It identifies the specific issues and explains what to fix.

Knowing which country's rules apply to which subscribers is the first step. Making sure your website collects consent correctly is the second.

FAQ

Do I need consent to send marketing emails from the Netherlands?

Yes. Telecommunicatiewet Article 11.7 requires prior opt-in consent before you send marketing emails to consumers. The soft opt-in exception applies when someone has bought from you and you offered a clear opt-out at the time of collection.

Which regulator enforces email marketing rules in the Netherlands?

Two regulators can act. The ACM enforces Telecommunicatiewet Article 11.7 on electronic marketing consent. The AP enforces the AVG consent basis. A single non-compliant campaign can draw action from both.

Can I send B2B cold emails in the Netherlands?

Yes, under conditions. B2B cold email to corporate addresses is permitted when you include a clear opt-out in every message and stop immediately when someone unsubscribes. This permissiveness does not extend to B2C marketing without prior consent.

What happens if I send marketing emails without proper consent in the Netherlands?

The ACM can impose fines for violations of Telecommunicatiewet Article 11.7. The AP can act independently under the AVG. Across Europe, GDPR fines can reach EUR 20 million or 4% of global annual turnover. In Germany, the additional risk is Abmahnungen from competitors costing EUR 1,000 or more per letter. In the UK, the Data (Use and Access) Act 2025 aligned PECR penalties with UK GDPR, so the ICO can now fine up to GBP 17.5 million or 4% of global annual turnover. Beyond fines, your sender reputation suffers when people mark unwanted emails as spam.

Is the soft opt-in exception the same in every country?

No. The basic conditions are similar everywhere: existing customer relationship, similar products, opt-out offered at collection, unsubscribe in every email. How broadly "similar products" is read varies. The Netherlands and UK read it broadly. Germany and France interpret it narrowly. Spain barely applies it at all. When uncertain, ask for proper consent rather than relying on the exception.

Sources

• Telecommunicatiewet, Article 11.7 — Dutch electronic marketing rule (wetten.overheid.nl)
• Regulation (EU) 2016/679 — General Data Protection Regulation (eur-lex.europa.eu)
• Directive 2002/58/EC — ePrivacy Directive (eur-lex.europa.eu)
• Autoriteit Consument & Markt — Article 11.7 enforcement (acm.nl)
• Autoriteit Persoonsgegevens — AVG consent enforcement (autoriteitpersoonsgegevens.nl)