What’s the difference between “soft opt-in” and “legitimate interest”?
Soft opt-in is a specific provision under UK and EU electronic marketing rules (PECR/ePrivacy) that allows businesses to send marketing emails to existing customers without explicit opt-in consent, provided certain conditions are met. The customer's details must have been obtained in the context of a sale or negotiation for sale, the marketing must be about similar products or services to those originally purchased, and the customer must have been given a clear opportunity to opt out both when their details were collected and in every subsequent message. Soft opt-in is essentially a carve-out from the general consent requirement specifically for customer marketing.
Legitimate interest is one of six lawful bases for processing personal data under GDPR, separate from consent. To rely on legitimate interest, you must identify a legitimate interest (such as marketing your products), demonstrate that processing is necessary to achieve that interest, and balance your interest against the individual's rights and expectations. Legitimate interest requires a documented Legitimate Interest Assessment (LIA) and gives individuals the right to object to processing. Unlike soft opt-in, legitimate interest is a general GDPR concept applicable to many types of processing, not specifically designed for electronic marketing.
The key distinction is that soft opt-in operates under ePrivacy/PECR rules governing electronic communications, while legitimate interest is a GDPR concept governing data processing. For email marketing, you typically need a lawful basis under both frameworks: GDPR for processing the personal data and ePrivacy/PECR for sending the electronic communication. Soft opt-in satisfies the ePrivacy requirement for customer marketing, while legitimate interest (or consent) satisfies the GDPR requirement. They work together but address different legal questions. Soft opt-in lets you send the email; legitimate interest lets you process the data. You may need both to be fully compliant.