Direct marketing and data protection: key developments in 2025

One of the most significant Belgian developments in 2025 was the publication of Draft Recommendation 01/2025 on direct marketing by the Belgian Data Protection Authority (BDPA). This draft recommendation is intended to replace the 2020 guidance and reflects five (5) years of GDPR practice, enforcement decisions, case law and EDPB guidance, resulting in a much more detailed and operational framework for direct marketing activities. [1]

The draft recommendation also provides extensive clarification on legal bases. In particular, it addresses:

• the stricter conditions for relying on legitimate interest, especially for prospecting activities;
• reinforced requirements regarding consent, including proof of consent, consent duration, withdrawal mechanisms and “consent-or-pay” models; and
• clearer guidance on the interaction between the GDPR and e-Privacy rules, including the soft opt-in exception.

Finally, the BDPA places strong emphasis on accountability, transparency and the effective exercise of data subject rights, in particular the right to object.

In short, the BDPA’s draft recommendation 01/2025 significantly raises the compliance bar and positions direct marketing as a front-line GDPR risk area for Belgian businesses.

In its decision of 13 November 2025, the Court of Justice of the European Union (CJEU) clarified when newsletters and “informational” emails fall under direct marketing rules.

The case concerned a legal news platform offering users a free account providing access to limited content and a daily email newsletter containing links to paid articles. The Court held that such newsletters may qualify as direct marketing, even where their content is largely editorial, if they promote paid services or encourage subscription.

Importantly, the Court confirmed that:

• emails with an indirect commercial purpose may constitute direct marketing;
• email addresses collected in the context of a free service may still be considered as obtained “in the context of the sale of a service” where the free offering forms part of a broader commercial model; and
• where the soft opt-in [2] applies, the Court made clear that Article 13(2) of the e-Privacy Directive constitutes a complete legal framework, and there is no need to identify a separate legal basis under Article 6 of the GDPR.

The Inteligo Media ruling serves as a clear reminder that newsletters and content-driven emails constitute a high-risk area for compliance.

In December 2025, the European Data Protection Board (EDPB) adopted draft recommendations 2/2025 on the legal basis for requiring the creation of user accounts on e-commerce websites. This text is subject to public consultation until 12 February 2026.

The EDPB takes a restrictive approach: mandatory account creation is lawful only in limited scenarios, such as genuine subscription services or access to exclusive offers. In most cases, including one-off purchases, controllers should offer a guest checkout option, in line with the principles of data protection by design and by default.

While the draft recommendations focus on account creation, they are highly relevant for direct marketing. The EDPB explicitly warns against using mandatory accounts as a means to:

• retain customer data longer than necessary;
• build customer profiles; or
• facilitate marketing or loyalty initiatives in the absence of a valid legal basis.

In particular, the EDPB stresses that customer loyalty programmes, personalised offers and direct marketing purposes generally require consent and cannot serve to justify mandatory account creation on the basis of contractual necessity or legitimate interest.

These recommendations confirm that account creation is not a neutral technical choice, but rather a key compliance consideration in direct marketing strategies.

In November 2025, the European Commission published the Digital Omnibus proposal, introducing targeted amendments to the e-Privacy Directive aimed at simplifying the digital regulatory framework, particularly with respect to cookies and online tracking.

The proposal aims to reduce consent fatigue and clarify the interaction between the e-Privacy Directive and the GDPR by consolidating most rules on access to terminal equipment under the GDPR, while maintaining consent as a core safeguard. It also opens the door to automated, machine-readable consent signals (e.g., browser or device settings) that websites may be required to respect in the future.

These changes are directly relevant to online direct marketing, as they affect the tracking technologies used for targeted advertising, retargeting and performance measurement.

In October 2025, a draft law was introduced to amend the Belgian Code of Economic Law with the aim of combating unsolicited telemarketing calls more effectively.

The proposal responds to persistent consumer complaints, despite the existence of the “Do Not Call Me” opt-out list. According to the legislator, the high number of complaints demonstrates that the current system does not offer sufficient protection in practice.

Drawing on recent French legislation, the draft law introduces a general prohibition on unsolicited telemarketing calls to private individuals, unless the individual concerned has given prior explicit consent. Such consent must be freely given, specific, informed and unambiguous, and the calling party must be able to demonstrate that it was validly obtained.

The prohibition would apply across all sectors, covering both direct calls by companies and calls made through intermediaries. A transitional period until August 2026 is foreseen to allow businesses to adapt their practices and implement appropriate consent collection mechanisms.

The Belgian Institute for Postal Services and Telecommunications and the BDPA were consulted on the draft law and have both recently issued an opinion. Both authorities welcomed the proposal but invited the Belgian legislator to make certain modifications to the text. The text may therefore still evolve.

Preparation is essential: businesses should review their telemarketing strategies, consent collection mechanisms and record-keeping practices ahead of the August 2026 deadline.

This draft law marks a fundamental shift for telephone-based direct marketing in Belgium, transitioning from an opt-out regime to a strict opt-in model.

The 2025 developments confirm that direct marketing has become a core data protection risk area. Regulators and courts have tightened the regulatory framework, placing clear emphasis on consent, accountability and user choice.
 

For businesses, this means that direct marketing strategies must be reviewed, documented and designed with data protection in mind. Getting it right is no longer just about compliance — it is key to maintaining trust and sustainable customer relationships.

Our Lydian Information & Communication Technology (ICT) and Information Governance and Data Protection (Privacy) teams are available to assist you with any questions regarding these developments. Please do not hesitate to contact us for further assistance.