On 13 November 2025, the Court of Justice of the European Union (“CJEU”) issued an important judgment in Inteligo Media SA v ANSPDCP (c-654/23), which clarifies the rules on direct marketing to customers.
The default rule under the ePrivacy Directive (Directive 2002/58/EC) is that an organisation needs to obtain an individual’s consent before they can send them direct marketing emails. An exception (i.e. a ‘soft opt-in’) applies under Article 13(2) of the ePrivacy Directive (2002/58/EC), in circumstances where:
- an organisation obtains an individual’s email address “in the context of the sale of a product or a service”;
- the direct marketing is used to market the organisation’s similar products or services; and
- the customer is given the opportunity to object, easily and free of charge, to such direct marketing, both at the time of collection of their data and with each message.
However, there has been some ambiguity to date as to whether an offer to access services for “free” meets the ”in the context of the sale of a product or service” requirement and benefits from this exception. The CJEU’s decision helpfully confirms that the term “sale” does not necessarily require direct remuneration for a good or a service, and that indirect remuneration may suffice. Accordingly, in certain circumstances, such as those arising in this case, “free” services may benefit from the exception in Article 13(2).
The CJEU also confirmed that a separate legal basis under Article 6 GDPR is not required when personal data is processed under the ePrivacy Directive. This is due to the fact that Article 95 GDPR provides that the GDPR does not impose additional obligations where the ePrivacy Directive already contains specific rules for the same activity.
Background
Inteligo Media is the publisher of a Romanian online legal news publication avocatnet.ro. Users could read up to six articles per month, free of charge. To read more, users had to create a free account on the online platform, which meant that the user accepted the contractual terms and conditions for the provision of the Premium Service (i.e. the paid subscription service). By registering for an online account, the user obtained the right to access, free of charge, two additional articles per month, and to receive, free of charge, via email, a daily newsletter. The newsletter contains editorial-style legal summaries, and links to free articles, but also includes links to paid content, and is designed to encourage users to pay to access the full version of the newsletter. Users are given the choice to opt-out of receiving the newsletter when creating an account, by ticking an opt-out box. Similarly, users can unsubscribe any time they receive the newsletter, by clicking an ‘unsubscribe’ option included in each email.
The Romanian Data Protection Authority imposed a €9,000 fine on Inteligo for sending the free newsletters without valid consent under the GDPR. Inteligo challenged this fine, arguing that it was relying on the soft opt-in exception under the ePrivacy Directive, and therefore did not need a separate legal basis for sending direct marketing communications under the GDPR.
The Romanian Court asked the CJEU to clarify whether Inteligo’s practice of sending the free newsletters to subscribers fell within the soft opt-in exception and, if so, whether an additional legal basis under Article 6(1) GDPR was also required.
CJEU’s Findings
Free Newsletter Qualifies as “Direct Marketing”
The CJEU noted that there is no indication in the ePrivacy Directive as to when a communication constitutes “direct marketing”. The CJEU held, however, that it is clear from EU case-law that direct marketing communications are those which pursue a commercial purpose and are addressed directly and individually to a consumer (following case C-102/20).
The CJEU therefore found that although the communication at issue in the proceedings, namely the newsletter, is informative in nature, its underlying purpose is commercial (i.e. to encourage users to reach their monthly quota for free articles, and to subscribe to the paid service). Accordingly, the electronic mail containing the newsletter qualifies as “direct marketing”, in circumstances where it was sent directly to individual subscribers.
Creation of a Free Account may constitute a “Sale”
The CJEU interpreted the wording “in the context of the sale of a product or a service” broadly. It held that the creation of a free account that grants limited content and a free newsletter may constitute a “sale” within the meaning of Article 13(2) of the ePrivacy Directive. The Court accepted that a “sale’” does not require direct monetary payment by a user, and that indirect remuneration will suffice. In this case, the sale consisted of providing a service (i.e. free access to articles) in exchange for indirect remuneration (the promotion of paid content).
The crucial point is that the free account is part of a broader commercial strategy, in particular that users receive a free service that is designed to guide them towards a paid offering. In this context, the email address collected at the point of account creation was obtained “in the context of the sale of a product or a service” for the purposes of the soft opt-in.
No Separate GDPR Legal Basis Required Where ePrivacy Rules Apply
The CJEU considered the interplay between the ePrivacy Directive and the GDPR. It confirmed that the ePrivacy Directive is a special law (lex specialis) in the area of electronic communications, and that Article 13(2) of the Directive is a specific rule that deals with when marketing emails may be sent without prior consent.
Relying on Article 95 of the GDPR, the CJEU held that where the conditions for the ‘soft opt-in’ in Article 13(2) are met, Article 6(1) GDPR does not apply. In other words, the soft opt-in under the ePrivacy Directive is a stand-alone legal basis for sending electronic marketing communications. Companies are not required to identify an additional legal basis under the GDPR (such as consent or legitimate interests) for that specific practice. However, the general GDPR obligations still apply in respect of the surrounding processing, such as the transparency, data minimisation, security and accountability obligations.
The finding contradicts the position taken by several national Data Protection Authorities, who had previously recommended that a separate GDPR legal basis is necessary, in addition to compliance with the ePrivacy rules.
Broader Legal Context
The Inteligo judgment provides legal certainty for operators of free and tiered subscription models. It confirms that separate GDPR consent is not required for the sending of direct electronic marketing communications to customers, provided all conditions for the ‘soft opt-in’ exception are met.
What is less certain is how far the ruling extends. In its reasoning, the CJEU clearly linked the concept of a “sale” to the existence of some sort of economic gain. It remains to be seen whether the exception in Article 13(2) of the ePrivacy Directive would apply where a company offers a truly free service, without any paid tier, upselling, or economic advantage. The CJEU also reiterated that the soft opt-in must be interpreted strictly, meaning that not every free service will benefit.
Comment
Companies can take comfort in the fact that where a free service forms part of a commercial offering and indirect remuneration to the company, a free user may be treated as a customer for the purposes of the ‘soft opt-in’. That being said, the decision does not give a blanket exemption for all free accounts.
Furthermore, companies whose free services are linked to paid offerings and who wish to rely on this CJEU decision must ensure that their marketing practices are in strict compliance with the Article 13(2) ‘soft opt-in’ exception. In practice, the following checklist may assist:
- Is a “sale” of a product or service taking place (including a free service intended to promote paid content)?
- Can the user properly be described as a “customer” of that product or service?
- Was the user’s email address collected “in the context” of that sale?
- Are the marketing emails only being used to promote the company’s own “similar products or services”?
- Was the user given a clear opportunity to object, both when their electronic contact details were collected and in every marketing email?
Contact Us
For more information, please contact any member of our Technology and Innovation Group or your usual Matheson contact.
Thanks to Lucy Mockler for her contribution to this article