If your sales team emails prospects in France or Italy, the rules you are working under are among the strictest in Europe — and the two regulators enforcing them, France's CNIL and Italy's Garante, are also two of the most active on the continent. A UK "we bought a list and started emailing" approach is not just risky in these markets. It is a fine waiting to happen.
Why France and Italy are different
Every EU country works from the same two rulebooks — the GDPR and the ePrivacy Directive — but they do not enforce them with the same energy. France and Italy stand out. France's data authority, the CNIL, and Italy's Garante per la protezione dei dati personali have both built long records of pursuing companies that send marketing emails without a proper legal basis, and both have shown they will fine firms that treat consent as a formality rather than a genuine, documented choice by the recipient.
For a UK firm, the trap is assuming that the relatively relaxed "soft opt-in" culture around B2B email in Britain travels across the Channel. It does not. Emailing individuals in France or Italy without their prior consent — or without fitting a narrow, specific exception — exposes your firm to complaints, investigations and financial penalties from a regulator that has every incentive to make an example of a foreign company ignoring local law.
What "consent" actually has to look like
Under both regimes, valid consent for marketing email is not a pre-ticked box, a buried line in your terms, or an assumption drawn from someone downloading a brochure. It has to be a clear, affirmative action by the recipient, freely given, specific to marketing, and — critically — something you can later prove you obtained. If a regulator asks when and how a given recipient consented and you cannot show it, you do not have consent as far as the law is concerned.
| Requirement | France (CNIL) | Italy (Garante) |
|---|---|---|
| B2C marketing email | Prior opt-in required | Prior opt-in required |
| Existing-customer exception | Allowed, similar products only | Allowed, narrowly applied |
| Proof of consent | Must be demonstrable | Must be demonstrable |
| Opt-out in every message | Required, honoured promptly | Required, honoured promptly |
There is one narrow escape hatch in both countries: the "soft opt-in" for existing customers. If someone has already bought from you, you may email them about your own similar products or services, provided you gave them a clear chance to decline at the point of sale and in every message since. It does not cover cold prospects, purchased lists, or anyone who merely enquired without buying — and it is interpreted narrowly by both regulators.
The record is the whole point
The recurring theme in both CNIL and Garante enforcement is not that firms had no consent policy — it is that they could not evidence consent when asked. A marketing operation that cannot answer "show me exactly when this person opted in, and to what" is, in practical terms, operating without consent, no matter what its privacy policy says.
That makes the systems behind your sales team as important as the policy. You need, per recipient: a time-stamped record of when and how they consented, what they consented to, and a complete history of the unsubscribe requests you have honoured. Screenshots of a form and a vague "they signed up somewhere" are not that. An auditable, per-contact consent trail is — and it is the difference between a defensible position and an indefensible one when a complaint lands.
What a compliant setup looks like in practice
You do not need a legal department to email France and Italy safely. You need a CRM and marketing system that make the right thing the default and make the wrong thing hard. Concretely, that means:
- Consent captured and stamped at source — every contact carries a record of when, how and to what they opted in, held against their profile automatically.
- Country-aware sending rules so contacts in strict jurisdictions can't be swept into a bulk send without a valid legal basis.
- One-click unsubscribe that is instantly and permanently honoured, with the opt-out logged as evidence you acted promptly.
- A demonstrable audit trail you can export on request — the single thing CNIL and the Garante ask for most and firms most often cannot produce.
- Sales-team guardrails so an individual rep can't quietly import a bought list and start emailing prospects who never consented.
Selllution is built with this reality in mind. Its CRM captures and time-stamps consent against every contact, its marketing tools respect per-contact and per-jurisdiction sending rules, unsubscribes are honoured and logged automatically, and the whole thing sits on an immutable audit trail you can produce for a regulator. For a UK sales team expanding into France, Italy or the wider EU, that is the difference between growth and a fine — and it is designed in, not bolted on.
Email the EU without the compliance headache
See how Selllution captures consent, respects per-jurisdiction sending rules and keeps an immutable audit trail — so your team can prospect into France, Italy and beyond with confidence.
Keep reading
Sources: EU GDPR (Regulation 2016/679); ePrivacy Directive 2002/58/EC; CNIL guidance on commercial prospecting (France); Garante per la protezione dei dati personali enforcement on marketing consent (Italy). This article is general information, not legal advice.