Electronic marketing rules (PECR)
How to comply with the Privacy and Electronic Communications Regulations 2003 when sending marketing emails, texts, and making marketing calls. Covers consent requirements, the soft opt-in exception for existing customers, telephone preference screening, and ICO enforcement powers.
The Privacy and Electronic Communications Regulations 2003 (PECR) set the rules for electronic marketing in the UK. They work alongside UK GDPR and the Data Protection Act 2018.
PECR covers:
- Marketing emails and text messages
- Live and automated marketing calls
- Fax marketing
- Cookies and similar technologies
The Information Commissioner's Office (ICO) enforces these rules. Fines can reach up to 17.5 million pounds or 4% of annual worldwide turnover (whichever is higher) following the Data Use and Access Act 2025.
Email and text message marketing
PECR Regulation 22 covers all 'electronic mail' - this includes:
- Emails
- Text messages (SMS)
- Picture and video messages (MMS)
- Voicemails left by automated systems
- In-app messages
- Direct messages on social media platforms
The basic rule is simple: you need consent before sending marketing messages to individuals. There is one key exception - the 'soft opt-in' for existing customers.
Who counts as an individual
PECR's consent rules apply to messages sent to:
- Named individuals (even at their work email)
- Sole traders
- Ordinary partnerships (2-20 partners)
- Unincorporated bodies
Corporate subscribers are not covered by the consent requirement. These include limited companies, LLPs, Scottish partnerships, and government bodies. However, best practice is to still honour opt-out requests from any business.
Getting valid consent
Consent for marketing must meet the UK GDPR standard. It must be:
- Freely given: The person must have a genuine choice. Do not bundle marketing consent with other terms or make it a condition of service.
- Specific: Be clear about what you are asking permission for. General consent to 'contact you' is not enough.
- Informed: Tell people who will be sending messages and what type of marketing to expect.
- Unambiguous: Use a clear affirmative action. Pre-ticked boxes do not count as consent.

- Use unticked opt-in boxes: Require people to actively tick a box to consent. Pre-ticked boxes or silence do not count as valid consent.
- Keep consent records: Record when consent was given, how it was given, what the person was told, and what they consented to.
- Make it easy to withdraw: Allow people to withdraw consent at any time. The process for withdrawing should be as easy as the process for giving consent.
- Refresh consent if stale: If you have not contacted someone for a long time, consider whether their consent is still valid and specific enough.
The soft opt-in exception
You can send marketing messages to existing customers without fresh consent if you meet all four conditions of the 'soft opt-in' (Regulation 22(3)).
All four conditions must be met. If any condition is missing, you need proper consent.
- Condition 1 (Sale or negotiation): You collected their contact details during a sale or in the course of negotiations for a sale of your products or services.
- Condition 2 (Your similar products): The marketing is only for YOUR similar products or services. Ask yourself - would the recipient reasonably expect this marketing from you?
- Condition 3 (Opt-out at collection): You gave them a simple, free way to opt out when you first collected their details.
- Condition 4 (Opt-out in every message): Every subsequent marketing message includes an easy way to opt out.
When soft opt-in does NOT apply
- Third-party lists: You cannot use soft opt-in for contacts you bought or obtained from another business. It must be YOUR sale.
- Newsletter sign-ups alone: Signing up for a free newsletter is not a 'sale or negotiation' unless it leads to an actual sale discussion.
- Competition entries: Entering a competition is not a sale context.
- Unrelated products: An insurance company cannot use soft opt-in to market completely different financial products.
- Third-party marketing: You cannot use soft opt-in to market other companies' products.
Charity soft opt-in (from 2026)
The Data Use and Access Act 2025 extends soft opt-in to charities. From January 2026, charities can use soft opt-in for marketing about their charitable purposes to people who have previously shown interest or support.
This does not apply retrospectively to contacts collected before the new rules take effect.
What every marketing message must include
PECR Regulations 23 and 24 require specific information in all marketing messages:
- Sender identity: You must not conceal or disguise your identity. The recipient must be able to tell who sent the message.
- Contact address: You must provide a valid address where the recipient can contact you.
- Unsubscribe mechanism: Every message must include a simple, free way to opt out of future messages. Honour opt-outs promptly.

- Include clear sender name: Use your business name, not a generic 'noreply' address. The recipient should instantly recognise who is contacting them.
- Provide working unsubscribe link: Test your unsubscribe mechanism regularly. Broken or complicated opt-out processes breach PECR.
- Honour opt-outs immediately: Remove people from your marketing list as soon as they opt out. Best practice is same day; maximum 28 days.
- Maintain a suppression list: Keep a permanent list of everyone who has opted out. Screen all campaigns against this list before sending.
Live telephone marketing
PECR Regulation 21 allows live marketing calls without consent, but with important restrictions. You must screen your call lists against preference services and respect individual objections.
- TPS screening required: You must not call numbers registered with the Telephone Preference Service (TPS) unless the person has specifically consented to receive calls from you.
- CTPS screening required: For business numbers, screen against the Corporate Telephone Preference Service (CTPS) as well.
- Screening frequency: Screen your call lists at least every 28 days. TPS registrations take effect 28 days after registration.
- Display caller ID: You must display your telephone number or an alternative contact number. Withholding your number is a breach.
- Provide contact details: If asked, you must provide your name, address, and telephone number.

- Subscribe to TPS and CTPS: Register at tpsonline.org.uk and ctps.org.uk to access the suppression files you need for screening.
- Screen before every campaign: Run your call lists against both TPS and CTPS registers, plus your own internal do-not-call list.
- Respect individual objections: If someone asks you not to call again, add them to your internal suppression list immediately - even if they are not on TPS.
- Never withhold your number: Always display a valid caller ID. Using number spoofing or withholding your number breaches PECR.
Automated calling systems
PECR Regulation 19 imposes strict rules on automated calls (robocalls) - recorded messages or systems that play pre-recorded content.
- Prior consent required: You must have specific consent for automated calls. General marketing consent or consent for live calls is NOT enough.
- Consent must be specific: The person must have agreed specifically to receive automated calls, not just marketing in general.
- Identity and contact required: All automated calls must identify the caller and provide a Freephone number or valid contact address.
- Display caller ID: You must display your telephone number on automated calls.
Cold calling bans
Some types of cold calling are banned entirely unless you have specific consent:
- Claims management services: Cold calls about compensation claims, PPI, personal injury, or financial mis-selling are prohibited without prior GDPR-compliant consent (since September 2018).
- Pensions: Cold calls about pensions are banned except for FCA-authorised firms or pension trustees with an existing relationship and consent (since January 2019).
ICO enforcement powers
The Information Commissioner's Office actively enforces PECR. Between 2019 and September 2025, the ICO issued 119 monetary penalty notices for PECR breaches, totalling approximately 10.5 million pounds.
- Enforcement notices: The ICO can order you to stop unlawful marketing activities immediately.
- Assessment notices: The ICO can conduct compulsory audits of your marketing practices.
- Director liability: Directors may be personally liable for penalties in serious cases.
The ICO regularly publishes enforcement action on its website. Common triggers for investigation include:
- High volumes of complaints about nuisance calls or texts
- Marketing without valid consent or soft opt-in
- Failing to screen against TPS/CTPS
- No or broken unsubscribe mechanisms
- Using third-party marketing lists without proper consent
Compliance checklist
Use this checklist to ensure your electronic marketing complies with PECR:
- Audit your marketing lists: For each list, document how contacts were obtained, what consent was given, and whether soft opt-in applies.
- Check consent is valid: Ensure consent is freely given, specific, informed, and unambiguous. Pre-ticked boxes and bundled consent do not count.
- Verify soft opt-in conditions: If relying on soft opt-in, confirm all four conditions are met. Document your reasoning.
- Include required information: Every marketing message must identify the sender and include a simple unsubscribe mechanism.
- Screen telephone lists: For live calls, screen against TPS, CTPS, and your internal suppression list at least every 28 days.
- Maintain suppression lists: Keep permanent records of everyone who has opted out. Screen all campaigns against this list.
- Train your staff: Ensure everyone involved in marketing understands PECR requirements and consent rules.
- Review third-party lists carefully: If you buy or rent marketing lists, verify how consent was obtained. You are responsible if consent was invalid.