A question we hear from marketers: if a visitor rejects our cookie banner, do we lose them from the email list? No. You don't. The confusion is understandable, because both involve the word consent, but they're two separate legal regimes with different rules, different standards, and different triggers. Mixing them up leads to real mistakes, like gating your newsletter behind the cookie banner or assuming a cookie rejection kills a subscriber you're perfectly allowed to email.
Two different laws, two different acts
Cookie consent governs storing or reading information on someone's device. In the EU that's the ePrivacy Directive; in the UK it's PECR regulation 6. The regulated act is the technical one: dropping a cookie, reading local storage, firing a pixel. That's what your banner is for.
Email marketing consent governs sending a marketing message to a person. In the UK the rule is PECR regulation 22. In the EU it's ePrivacy plus a lawful basis under the GDPR, because an email address is personal data. The regulated act here is the outreach, not the device storage. Different act, different rule, different consent record.
So a visitor can reject every cookie and still be a valid, emailable subscriber, because they consented to the email at signup and that consent lives in your ESP, untouched by the banner. The reverse is also true: consenting to cookies is not consenting to marketing email.
The soft opt-in: an email rule with no cookie equivalent
PECR regulation 22 carries an exception that has no parallel in cookie law, the soft opt-in. You can send marketing email to your own existing customers without fresh consent when all of these hold:
- You obtained the contact details in the course of a sale or negotiation for a sale of a product or service.
- You're marketing your own similar products or services.
- You gave a simple way to opt out when you collected the details, and in every message since.
The soft opt-in doesn't stretch to prospects, bought-in lists, or unrelated products, and it's a UK and EU concept, not a US one. The point for this discussion: nothing like it exists for cookies. You can't soft-opt-in someone to analytics tracking. The two regimes really are built differently.
The standard of consent, where it applies
When email marketing does need consent rather than the soft opt-in, PECR borrows the GDPR definition: freely given, specific, informed, and an unambiguous affirmative action. That's the same high bar as valid cookie consent, so a pre-ticked newsletter box fails for the same reason a pre-ticked cookie category does. Often a single consent event can satisfy both PECR and the GDPR at once, because one clear opt-in covers both the act of sending marketing and the processing of the personal data behind it. You don't need two checkboxes. You do need the language to cover both.
The US works on opt-out
Cross the Atlantic and the model flips. CAN-SPAM, the US email law, doesn't require prior consent to send commercial email. It requires honest headers and subject lines, a physical postal address, and a working unsubscribe that you honor promptly. It's an opt-out regime. Text messages are stricter: the TCPA requires prior express written consent before marketing SMS, closer to the EU opt-in bar. So a US marketer's cookie banner and email practice sit under entirely different frameworks than a UK marketer's, and neither one is downstream of the other.
Where the two regimes actually touch
They're separate, but they meet in one place worth flagging. When you use a cookie or a pixel to identify a known contact and track their on-site behavior, say, to trigger an abandoned-cart email or personalize a campaign, that tracking is a device-storage act. It needs cookie consent even though the email itself is fine. So the email send is governed by PECR regulation 22 or CAN-SPAM, while the behavioral tracking that feeds it is governed by cookie law. You can legally email the customer and still be blocked from tracking their session without consent. For the e-commerce version of this, with abandoned-cart flows and onsite tracking, see our guide to Klaviyo, onsite tracking, and cart emails.
Keep two records, never one
The practical rule is simple. Maintain two independent consent records:
- Cookie consent in your consent management platform, timestamped and versioned, as proof for the device-storage side.
- Email consent in your ESP or CRM, capturing when and how each subscriber opted in or qualified for the soft opt-in.
For the email record, double opt-in is the strongest evidence you can hold. A confirmation click captured in your ESP proves the address was real and the person actively agreed, which is precisely the freely-given, unambiguous standard the GDPR asks for. It's not legally mandatory in most cases, but if a regulator or a complaint ever tests your list, a logged confirmation is far easier to defend than an unticked box you can't reconstruct. B2B marketers get a little more room here: in some EU states and under UK guidance, legitimate interest can support email to corporate contacts, though the rules are fiddly and the safe default is still consent.
Don't let one gate the other. A visitor who rejects cookies stays on your list. A subscriber who unsubscribes from email keeps whatever cookie preferences they set. CookieBeam handles the cookie side, logging each consent choice with a timestamp and the banner version shown, so you have defensible proof of the device-storage consent, while your email platform owns the marketing-consent record. Keeping them separate isn't just tidy. It's what the two laws actually require.
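A minimal sketch of the two-record model, as an added example rather than CookieBeam's or any ESP's own code: each decision reads only its own record, and a cookie-fed flow such as an abandoned-cart email needs both checks to pass. All class, field and function names are hypothetical, the sample records are constructed, and treating a missing cookie record as no consent is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass(frozen=True)
class CookieConsent:
    """Device-storage record, as held in the CMP (hypothetical shape)."""
    analytics: bool
    decided_at: datetime
    banner_version: str

@dataclass(frozen=True)
class EmailConsent:
    """Marketing-email record, as held in the ESP or CRM (hypothetical shape)."""
    opted_in_at: Optional[datetime] = None       # express opt-in, e.g. double opt-in click
    unsubscribed_at: Optional[datetime] = None
    obtained_in_sale: bool = False               # soft opt-in: details came from a sale
    opt_out_offered_at_collection: bool = False  # soft opt-in: opt-out given at collection

def may_send_marketing(rec: EmailConsent, similar_own_product: bool,
                       message_has_opt_out: bool = True) -> bool:
    """Decided from the email record alone; no cookie state is consulted."""
    if rec.unsubscribed_at and (rec.opted_in_at is None
                                or rec.unsubscribed_at >= rec.opted_in_at):
        return False                             # latest signal is an unsubscribe
    if rec.opted_in_at is not None:
        return True                              # express consent on file
    # Otherwise every soft opt-in condition must hold.
    return (rec.obtained_in_sale and similar_own_product
            and rec.opt_out_offered_at_collection and message_has_opt_out)

def may_track_session(cookie: Optional[CookieConsent]) -> bool:
    """Decided from the cookie record alone; no recorded choice means no tracking."""
    return cookie is not None and cookie.analytics

def may_run_tracked_flow(rec: EmailConsent, cookie: Optional[CookieConsent],
                         similar_own_product: bool) -> bool:
    """A cookie-fed flow (abandoned cart) needs both, each checked separately."""
    return may_send_marketing(rec, similar_own_product) and may_track_session(cookie)

# Constructed sample records
T0 = datetime(2024, 1, 10)
REJECTED = CookieConsent(analytics=False, decided_at=T0, banner_version="v3")
ACCEPTED = CookieConsent(analytics=True, decided_at=T0, banner_version="v3")
SUBSCRIBER = EmailConsent(opted_in_at=T0)
CUSTOMER = EmailConsent(obtained_in_sale=True, opt_out_offered_at_collection=True)
PROSPECT = EmailConsent()
UNSUBSCRIBED = EmailConsent(opted_in_at=T0, unsubscribed_at=datetime(2024, 3, 1))
```

With these records, `SUBSCRIBER` paired with `REJECTED` can still receive the newsletter but cannot be enrolled in the tracked flow, which is the one point where the two regimes meet.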
To go deeper on the legal bases behind consent, read GDPR legal bases and consent explained. For the UK cookie rules specifically, see PECR and UK cookie law after Brexit. And for building an audit-ready consent trail, see proof of consent documentation.