What’s the difference between “soft opt-in” and “legitimate interest”?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

These two terms get mixed up constantly, and the confusion is understandable. They both let you send email without explicit consent. But they're different legal instruments, and using the wrong one is a compliance problem.

Soft opt-in is a rule from PECR (the UK's electronic communications law) and the EU's ePrivacy Directive. It allows businesses to send marketing emails to existing customers without getting fresh consent, as long as:

  • The person is an existing customer who bought or inquired about similar products or services
  • The marketing relates to those similar products or services
  • They were given a clear chance to opt out when their contact details were first collected
  • They can opt out in every subsequent message

Soft opt-in is product-category specific. You can't use it to add a customer to an unrelated mailing list. Someone who bought your accounting software can receive emails about your new accounting features. But not about your new HR product unless they've also engaged with that.

Legitimate interest is a lawful basis under GDPR for processing personal data. It's broader. It doesn't just apply to marketing, it applies to any data processing where your interest in using the data outweighs the individual's interest in having it protected. For marketing email, it's often used in B2B contexts (prospecting, cold outreach to business contacts).

Using legitimate interest requires a documented Legitimate Interest Assessment (LIA). A balancing test where you weigh your purpose against the individual's privacy rights. "We have legitimate interest" without the supporting documentation doesn't satisfy GDPR.

The key difference: soft opt-in is a consent exception for existing customers in electronic marketing law. Legitimate interest is a data processing lawful basis under data protection law. They operate in different legal frameworks and can apply simultaneously to the same email send. If you're not sure which applies to your situation, our SOS line can walk through it with you.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get personalized compliance advice.

I'm trying to figure out which legal basis to use for emailing [describe your contacts: existing customers, B2B prospects, event attendees]. My setup: [describe your business location, audience location, and applicable laws]. Can I use soft opt-in or legitimate interest for this contact segment, or do I need explicit consent? What documentation do I need for the approach I choose?

Edit the yellow boxes, then send to the AI of your choice.