Email Soft Opt-In for Ecommerce

Why You Can’t Easily Use the Consent Route UK Law Allows

There’s a genuine oddity at the heart of UK ecommerce email marketing. The law gives you a legitimate way to email your existing customers without them ticking a consent box – the “soft opt-in” – yet the email platforms most stores use, Klaviyo and Shopify chief among them, are built in a way that quietly makes it very difficult to actually use that right.

The result is that a lot of UK ecommerce businesses are either unknowingly breaking the rules, or leaving legitimate marketing on the table because their tools funnel them towards a stricter consent model than the law requires. This guide explains the soft opt-in, why your platform fights against it, and the five ways UK ecommerce stores actually handle consent at checkout – from the non-compliant approaches to avoid, through to the sophisticated setup used by some of the UK’s biggest retailers. Email is one of the highest-return channels in ecommerce, so getting this right matters, and it connects directly to the wider ecommerce marketing picture.

An important note before we start: this article explains how the rules and the platforms work, based on our practical experience. It is not legal advice. Data protection law is fact-specific and the penalties for getting it wrong are significant, so for your own situation you should check with a relevantly qualified lawyer.

What is the Soft Opt-In?

What does soft opt-in mean in UK email marketing?

The soft opt-in is a rule under the UK’s Privacy and Electronic Communications Regulations (PECR) that lets you send marketing emails to existing customers without their explicit prior consent – provided a specific set of conditions is met. It’s the reason a shop you bought from can email you about similar products even if you don’t remember ticking a box to allow it.

The Information Commissioner’s Office (ICO) sets out the soft opt-in clearly. To rely on it, all three of these conditions must be satisfied:

  1. You obtained the contact details in the course of a sale or negotiations for a sale. The person must have actually bought from you, or genuinely negotiated to buy – for example, by requesting a quote. Someone who merely browsed your site, or signed up to a newsletter without purchasing, does not qualify. Nor does an abandoned cart where no purchase was made.
  2. You are marketing your own similar products or services only. You can’t use the soft opt-in to promote unrelated products, and you certainly can’t use it for third-party offers or a bought-in list. The test the ICO applies is essentially what a reasonable customer would expect to hear from you about, given what they bought.
  3. You gave a simple opt-out at collection, and give one in every message. The customer must have been offered an easy, free way to refuse marketing at the point their details were collected, and must be given that option in every subsequent email.

Get all three right and you have a lawful basis to email that customer. Miss any one of them and you don’t – and the ICO has enforced this, making clear the soft opt-in is not, in their words, an easy way to sidestep consent.

Does the soft opt-in still apply in 2026?

Yes. The Data (Use and Access) Act 2025 – the most significant update to UK data law in years – left the commercial soft opt-in intact, and actually extended a version of it to registered charities. It also sharply increased the penalties for getting electronic marketing wrong: the maximum fine under PECR rose from £500,000 to £17.5 million, or 4% of global annual turnover, bringing it into line with UK GDPR. In other words, the soft opt-in is still available – and the cost of misusing it, or of ignoring consent rules altogether, is now far higher.

What about B2B ecommerce?

There’s a useful nuance for businesses selling to other businesses. Marketing emails to corporate subscribers – limited companies, PLCs, and LLPs – don’t require consent or the soft opt-in in the same way, though you must still identify yourself and offer an opt-out. However, sole traders and most partnerships are treated as individuals under PECR, so they get the full consumer-level protections. And emailing a named individual at a company address can still bring individual-subscriber rules into play. If you’re unsure which applies, the safer course is to treat the contact as an individual.

Why Your Email Platform Won’t Let You Use It Easily

Why do Klaviyo and Shopify make the soft opt-in difficult?

Here’s the frustrating part. Having established that you have a legal right to email customers under the soft opt-in, you’ll find that the systems most UK stores use are built around a stricter model – explicit opt-in – and quietly steer you away from the soft opt-in at every turn.

Klaviyo is the clearest example. It distinguishes between a profile simply existing in your account and a profile being subscribed to marketing. A customer who buys from your Shopify store but doesn’t tick a marketing checkbox at checkout lands in Klaviyo as “Never Subscribed” – and while Klaviyo’s own documentation acknowledges that, depending on your local regulations, you may be permitted to email these profiles where you believe there’s implied consent, its entire interface and guidance nudge you towards only ever emailing people who explicitly opted in. The connection between Shopify and Klaviyo, by default, only syncs customers as subscribers when they actively consent at checkout.

This isn’t a bug, and it isn’t specific to Klaviyo. It’s a deliberate design choice across the major platforms, for three understandable reasons. First, these platforms serve customers globally, and building everything around explicit opt-in is the simplest way to satisfy the strictest rules in every country at once – including the US, which has different requirements. Second, deliverability: mailbox providers like Gmail judge senders on engagement and complaints, so platforms discourage emailing anyone who didn’t clearly ask for it, because it risks spam complaints that damage your sender reputation. Third, the platforms’ own anti-spam policies often contractually require permission-based lists, regardless of what UK law happens to allow.

The upshot is that UK ecommerce stores are caught between a law that grants them the soft opt-in and a set of tools designed around a stricter standard. Understanding that tension is the key to making an informed choice about how you handle consent – which brings us to the five approaches we see in practice.

How the Major Platforms Handle Consent: A Quick Reference

How do Klaviyo, Mailchimp, Shopify and WooCommerce handle email consent?

Before the practical approaches, it’s worth understanding how each of the main platforms treats consent, because their defaults shape what’s easy and what’s hard. The common thread: all of them are built around explicit opt-in, and none offers a simple “switch on soft opt-in” setting.

  • Klaviyo separates a profile existing from a profile being subscribed. Customers who buy without ticking a marketing box are recorded as “Never Subscribed”. Klaviyo’s documentation acknowledges you may be permitted to email these profiles where local regulations allow implied consent, but recommends emailing only those with express consent to protect deliverability. Its Shopify sync only adds customers as subscribers when they actively consent, and its WooCommerce plugin adds a checkout consent checkbox that can’t be pre-ticked by default.
  • Mailchimp is the strictest on paper. Its Acceptable Use Policy prohibits emailing purchased, rented or non-consented lists, and it defaults EU-based accounts towards double opt-in. Mailchimp frames explicit permission as mandatory and offers no soft opt-in setting. Its Shopify integration syncs subscription status and recommends turning off any pre-selected sign-up option at checkout.
  • Omnisend, being ecommerce-focused, is explicit about the split: only customers who tick the marketing opt-in at checkout or submit a signup form become subscribers. Those who buy without opting in are synced as “non-subscribed” and can only receive transactional or automated messages, not campaigns.
  • HubSpot manages sending through “subscription types” and, with its GDPR features enabled, generally requires a contact to opt in to a subscription type before receiving marketing. Consent checkboxes on its forms can’t be pre-selected. It supports “legitimate interest” as a basis in its tooling, but that’s a UK GDPR concept rather than the PECR soft opt-in.
  • Brevo (formerly Sendinblue) requires consent that is active, explicit and unbundled under its anti-spam policy, with no pre-checked boxes. Like the others, it assumes recorded explicit consent and provides no dedicated soft opt-in route. However, we found it easy to set up the Brevo app in WooCommerce and automatically add profiles to mailing lists without active consent.
  • Shopify itself has a proper checkout marketing opt-in setting. You can leave it unticked everywhere, or preselect it for regions Shopify recommends. Importantly, Shopify treats the checkout state as the customer’s latest preference – so a customer who leaves the box unticked is recorded as not consented, and a previously subscribed customer who later leaves it unticked can even be unsubscribed. That’s a real hazard worth watching if you’re relying on the soft opt-in.
  • WooCommerce doesn’t include a marketing consent checkbox natively – the checkbox is added by whichever email plugin you install (Klaviyo, Omnisend, Mailchimp, MailPoet and others), and the behaviour varies by plugin. This actually gives WooCommerce stores more flexibility to configure consent the way they want, but it also means the responsibility for getting it right sits with you and your chosen plugin’s settings.

The pattern across all of them is the same: the tools are designed for explicit opt-in, and using the soft opt-in means working deliberately against their defaults. That’s the backdrop to the five approaches below.

The Five Ways UK Ecommerce Stores Handle Consent at Checkout

How should an ecommerce store collect email consent at checkout?

Across the UK ecommerce stores we work with and observe, consent at checkout is handled in one of five ways. They range from the outright non-compliant to the genuinely sophisticated. Here they are, from worst to best:

Approach 1: Ignore consent rules entirely

Some stores simply email everyone who ever bought from them, with no consideration of consent at all. This is not advised, and with the maximum PECR fine now at £17.5 million, it’s a growing risk as well as being unfair to customers. We mention it only because it’s more common than it should be. Don’t do this.

Approach 2: A pre-ticked consent box at checkout

Some stores present a marketing consent box at checkout that’s already ticked, so the customer has to actively untick it to avoid being signed up. This feels compliant, but it isn’t. Under UK data protection rules, a pre-ticked box does not constitute valid consent – consent has to be a positive, active choice. Relying on pre-ticked boxes leaves you exposed, so this isn’t an approach we’d recommend either.

Approach 3: An unticked consent box at checkout

This is the straightforward, fully compliant approach: a marketing consent box at checkout that starts unticked, which the customer actively ticks if they want to hear from you. It’s clean, it’s unambiguous, and it satisfies the explicit-consent standard that both the law and your email platform are happy with.

The trade-off is that it can significantly reduce your subscriber numbers, because many customers simply won’t tick the box. If that happens, it’s worth thinking about how to counteract it – most effectively by offering an incentive to subscribe, such as 10% off in exchange for signing up. You can even build this into the checkout process itself, making it easy and appealing for a customer to consent and claim the discount in one step. The UK retailer heatandplumb.com does exactly this.

Whether an incentive is worth it comes down to the numbers. If you’d lose more in margin by offering everyone a discount than you’d make back from marketing to them by email, it isn’t worth it. So this decision should be grounded in how much revenue email marketing genuinely generates for your store – which is precisely why measuring the value of your email channel matters before making the call.

Approach 4: Become soft opt-in compliant

If you want to use the soft opt-in that UK law allows – emailing your existing customers about similar products without requiring them to tick a box – you can, but it takes deliberate setup and ongoing management. In practice it involves three things working together:

  1. Change the checkout box to opt-out rather than opt-in. Instead of asking customers to tick to consent, you give them a clear, simple option to tick if they don’t want marketing – satisfying the soft opt-in’s requirement to offer a means of refusal at the point of collection.
  2. Manually sync subscription status between your systems. Because platforms like Klaviyo and Shopify default to only treating explicit opt-ins as subscribers, relying on the soft opt-in means managing the subscription status between your ecommerce platform and your email platform yourself, rather than letting the default integration decide who you can and can’t email. This is the fiddly part, and it needs care to get right and to keep right.
  3. Segment customers by what they bought. The soft opt-in only permits marketing about similar products. So you need to add customers to segments based on what they actually purchased, and split your email marketing so that each segment only receives messages about genuinely similar products. This isn’t just a compliance requirement – it’s good practice anyway, because relevant emails perform better.

This approach genuinely opens up the soft opt-in, but it’s more involved than simply switching on a checkbox, and the integration work between systems needs proper investigation for your specific setup. It’s an area we’re actively working through, because the platforms don’t make it simple.

Approach 5: Offer both options at checkout (the complete approach)

The most thorough approach – used by some of the UK’s largest retailers – is to offer both consent routes at checkout and make it mandatory for the customer to choose one. lookfantastic.com, part of The Hut Group, does this. At checkout the customer must actively select one of two options:

  • Opt in – for example, “Opt in to our newsletter to be the first to know about exclusive offers and the latest arrivals” (standard explicit-consent compliance), or
  • Opt out – for example, “I do not consent to receiving marketing updates” (which, combined with the fact of purchase, supports the soft opt-in route)

This covers all bases: customers who actively opt in give you the strongest, most portable consent, while those who don’t are handled compliantly on a soft opt-in basis, because they’ve been given a clear means of refusal at the point of sale. It’s the most complete solution, but also the most complex to implement – it needs careful investigation of how to make the two options work across your particular ecommerce and email systems, and it inherits the same manual-sync and segmentation requirements as approach 4.
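An added example, not code from the original article or from any platform: one way to express the eligibility decision that approaches 4 and 5 rely on before subscription status is synced to the email platform. The field names, the treatment of "similar" as "same product category", and the customer records are all assumptions constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Customer:
    email: str
    explicit_opt_in: bool = False   # actively ticked an unticked box or signup form
    purchased: set = field(default_factory=set)  # categories from completed orders only
    opt_out_offered: bool = False   # a means of refusal was shown when details were collected
    opted_out: bool = False         # latest recorded preference is a refusal

def marketing_basis(customer, campaign_category):
    """Return 'explicit', 'soft_opt_in' or None for one customer and one campaign."""
    if customer.opted_out:
        return None                 # a refusal overrides every other signal
    if customer.explicit_opt_in:
        return "explicit"
    # Soft opt-in: details obtained through a sale, opt-out offered at collection,
    # and the campaign covers similar products (assumed here: same category).
    if (customer.purchased and customer.opt_out_offered
            and campaign_category in customer.purchased):
        return "soft_opt_in"
    return None

def build_send_list(customers, campaign_category):
    """Map each eligible email address to the basis relied on, for audit and sync."""
    send_list = {}
    for customer in customers:
        basis = marketing_basis(customer, campaign_category)
        if basis is not None:
            send_list[customer.email] = basis
    return send_list

# Constructed sample records covering the cases the article walks through.
CUSTOMERS = [
    Customer("a@example.test", explicit_opt_in=True),            # newsletter signup, no purchase
    Customer("b@example.test", purchased={"radiators"}, opt_out_offered=True),
    Customer("c@example.test", purchased={"radiators"}, opt_out_offered=True,
             opted_out=True),                                    # ticked the opt-out
    Customer("d@example.test"),                                  # abandoned cart, no sale
    Customer("e@example.test", purchased={"taps"}, opt_out_offered=True),
    Customer("f@example.test", purchased={"radiators"}),         # opt-out never offered
]

if __name__ == "__main__":
    for category in ("radiators", "taps"):
        print(category, build_send_list(CUSTOMERS, category))
```

Recording the basis per recipient keeps explicit-consent and soft opt-in contacts distinguishable when statuses are pushed to the email platform.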

Which Approach is Right for Your Store?

How do I decide how to handle email consent?

There’s no single right answer – it depends on your store, your customers, and how much email marketing is worth to you. But a few principles help:

Rule out approaches 1 and 2 immediately – ignoring consent and pre-ticked boxes are not compliant and expose you to real risk. That leaves the genuine choices: the simple compliant route (approach 3), the soft opt-in route (approach 4), or the complete dual-option route (approach 5).

If email marketing is a modest part of your revenue and you want simplicity, the unticked box with a well-judged subscription incentive (approach 3) is clean, compliant, and easy to run. If email is a significant revenue driver and you want to reach the customers who don’t actively opt in, the soft opt-in approaches (4 and 5) let you do that lawfully – at the cost of more setup and ongoing management.

The starting point for the decision is knowing what your email channel is actually worth. If you’re not measuring the revenue email generates for your store, that’s the first thing to fix, because it’s what tells you how much effort the more complex approaches justify.

The Greyturtle View

The honest position is this: UK ecommerce businesses have a legitimate legal right – the soft opt-in – that their own tools make surprisingly hard to use. There’s nothing wrong with choosing the simple, fully compliant explicit-opt-in route, and for many stores that’s the sensible choice. But businesses that rely heavily on email marketing shouldn’t assume the explicit-opt-in model their platform pushes is their only option, because it isn’t. The soft opt-in is available if you’re willing to set it up properly.

What matters most is making an informed, compliant choice rather than drifting into whatever your platform defaults to – or worse, ignoring consent altogether. Get the foundations right, measure what email is worth to you, and choose the approach that fits.

This is an area we’re continuing to work through, particularly the integration detail between systems like Klaviyo and Shopify. If you’d like help thinking it through for your store, we’re happy to talk it over honestly.

Ready to Get Your Ecommerce Email Marketing Right?

Email is one of the most profitable channels in ecommerce, but only if your consent foundations are sound and you’re actually reaching the customers you’re entitled to reach. Getting the setup right – compliantly – is often the difference between an email channel that quietly underperforms and one that drives real repeat revenue.

Tell us about your store and we’ll help you work out the right, compliant approach for your situation – no jargon, no pushy sales call.