Compliance · 6 min read

Emailing into France and Italy? The consent rules just got stricter

By The Selllution Team · Data & compliance 7 July 2026
France & Italy · Email consent

If your sales team emails prospects in France or Italy, the rules you are working under are among the strictest in Europe — and the two regulators enforcing them, France's CNIL and Italy's Garante, are also two of the most active on the continent. A UK "we bought a list and started emailing" approach is not just risky in these markets. It is a fine waiting to happen.

Opt-inthe default legal standard for B2C email prospecting in both France and Italy
CNIL + Garantetwo of Europe's most active enforcers of marketing-consent rules
€ millionsin fines issued across the EU for marketing without valid consent

Why France and Italy are different

Every EU country works from the same two rulebooks — the GDPR and the ePrivacy Directive — but they do not enforce them with the same energy. France and Italy stand out. France's data authority, the CNIL, and Italy's Garante per la protezione dei dati personali have both built long records of pursuing companies that send marketing emails without a proper legal basis, and both have shown they will fine firms that treat consent as a formality rather than a genuine, documented choice by the recipient.

For a UK firm, the trap is assuming that the relatively relaxed "soft opt-in" culture around B2B email in Britain travels across the Channel. It does not. Emailing individuals in France or Italy without their prior consent — or without fitting a narrow, specific exception — exposes your firm to complaints, investigations and financial penalties from a regulator that has every incentive to make an example of a foreign company ignoring local law.

Same GDPR, very different enforcement. France and Italy are where "we'll sort the consent later" turns from a bad habit into a regulatory liability. The safest assumption for both markets: no prior consent, no marketing email.

What "consent" actually has to look like

Under both regimes, valid consent for marketing email is not a pre-ticked box, a buried line in your terms, or an assumption drawn from someone downloading a brochure. It has to be a clear, affirmative action by the recipient, freely given, specific to marketing, and — critically — something you can later prove you obtained. If a regulator asks when and how a given recipient consented and you cannot show it, you do not have consent as far as the law is concerned.

RequirementFrance (CNIL)Italy (Garante)
B2C marketing emailPrior opt-in requiredPrior opt-in required
Existing-customer exceptionAllowed, similar products onlyAllowed, narrowly applied
Proof of consentMust be demonstrableMust be demonstrable
Opt-out in every messageRequired, honoured promptlyRequired, honoured promptly

There is one narrow escape hatch in both countries: the "soft opt-in" for existing customers. If someone has already bought from you, you may email them about your own similar products or services, provided you gave them a clear chance to decline at the point of sale and in every message since. It does not cover cold prospects, purchased lists, or anyone who merely enquired without buying — and it is interpreted narrowly by both regulators.

The record is the whole point

The recurring theme in both CNIL and Garante enforcement is not that firms had no consent policy — it is that they could not evidence consent when asked. A marketing operation that cannot answer "show me exactly when this person opted in, and to what" is, in practical terms, operating without consent, no matter what its privacy policy says.

That makes the systems behind your sales team as important as the policy. You need, per recipient: a time-stamped record of when and how they consented, what they consented to, and a complete history of the unsubscribe requests you have honoured. Screenshots of a form and a vague "they signed up somewhere" are not that. An auditable, per-contact consent trail is — and it is the difference between a defensible position and an indefensible one when a complaint lands.

What a compliant setup looks like in practice

You do not need a legal department to email France and Italy safely. You need a CRM and marketing system that make the right thing the default and make the wrong thing hard. Concretely, that means:

  • Consent captured and stamped at source — every contact carries a record of when, how and to what they opted in, held against their profile automatically.
  • Country-aware sending rules so contacts in strict jurisdictions can't be swept into a bulk send without a valid legal basis.
  • One-click unsubscribe that is instantly and permanently honoured, with the opt-out logged as evidence you acted promptly.
  • A demonstrable audit trail you can export on request — the single thing CNIL and the Garante ask for most and firms most often cannot produce.
  • Sales-team guardrails so an individual rep can't quietly import a bought list and start emailing prospects who never consented.

Selllution is built with this reality in mind. Its CRM captures and time-stamps consent against every contact, its marketing tools respect per-contact and per-jurisdiction sending rules, unsubscribes are honoured and logged automatically, and the whole thing sits on an immutable audit trail you can produce for a regulator. For a UK sales team expanding into France, Italy or the wider EU, that is the difference between growth and a fine — and it is designed in, not bolted on.

Email the EU without the compliance headache

See how Selllution captures consent, respects per-jurisdiction sending rules and keeps an immutable audit trail — so your team can prospect into France, Italy and beyond with confidence.

Sources: EU GDPR (Regulation 2016/679); ePrivacy Directive 2002/58/EC; CNIL guidance on commercial prospecting (France); Garante per la protezione dei dati personali enforcement on marketing consent (Italy). This article is general information, not legal advice.