Marketing compliance

Electronic marketing rules (PECR)

How to comply with the Privacy and Electronic Communications Regulations 2003 when sending marketing emails, texts, and making marketing calls. Covers consent requirements, the soft opt-in exception for existing customers, telephone preference screening, and ICO enforcement powers.

UK-wide
Guide summary

Get consent before sending marketing emails, texts, or calls. Use the 'soft opt-in' rule for existing customers only if all conditions are met. Screen calls against TPS and provide an easy opt-out in every message.

  • Get consent before sending marketing messages
  • Use soft opt-in only if all 4 conditions are met
  • Screen calls against TPS and CTPS lists
  • Include clear sender identity and contact details
  • Provide an easy opt-out in every message
  • Honour opt-outs immediately (same day best)
  • Keep records of consent and opt-outs
  • ICO can fine up to £17.5 million for breaches
On this page
UK-wide

Related guides in Growth & Strategy

The Privacy and Electronic Communications Regulations 2003 (PECR) set the rules for electronic marketing in the UK. They work alongside UK GDPR and the Data Protection Act 2018.

PECR covers:

  • Marketing emails and text messages
  • Live and automated marketing calls
  • Fax marketing
  • Cookies and similar technologies

The Information Commissioner's Office (ICO) enforces these rules. Fines can reach up to 17.5 million pounds or 4% of annual worldwide turnover (whichever is higher) following the Data Use and Access Act 2025.

Email and text message marketing

PECR Regulation 22 covers all 'electronic mail' - this includes:

  • Emails
  • Text messages (SMS)
  • Picture and video messages (MMS)
  • Voicemails left by automated systems
  • In-app messages
  • Direct messages on social media platforms

The basic rule is simple: you need consent before sending marketing messages to individuals. There is one key exception - the 'soft opt-in' for existing customers.

Who counts as an individual

PECR's consent rules apply to messages sent to:

  • Named individuals (even at their work email)
  • Sole traders
  • Ordinary partnerships (2-20 partners)
  • Unincorporated bodies

Corporate subscribers are not covered by the consent requirement. These include limited companies, LLPs, Scottish partnerships, and government bodies. However, best practice is to still honour opt-out requests from any business.

Getting valid consent

Consent for marketing must meet the UK GDPR standard. It must be:

Freely given
The person must have a genuine choice. Do not bundle marketing consent with other terms or make it a condition of service.
Specific
Be clear about what you are asking permission for. General consent to 'contact you' is not enough.
Informed
Tell people who will be sending messages and what type of marketing to expect.
Unambiguous
Use a clear affirmative action. Pre-ticked boxes do not count as consent.
  1. 1

    Use unticked opt-in boxes

    Require people to actively tick a box to consent. Pre-ticked boxes or silence do not count as valid consent.

  2. 2

    Keep consent records

    Record when consent was given, how it was given, what the person was told, and what they consented to.

  3. 3

    Make it easy to withdraw

    Allow people to withdraw consent at any time. The process for withdrawing should be as easy as the process for giving consent.

  4. 4

    Refresh consent if stale

    If you have not contacted someone for a long time, consider whether their consent is still valid and specific enough.

The soft opt-in exception

You can send marketing messages to existing customers without fresh consent if you meet all four conditions of the 'soft opt-in' (Regulation 22(3)).

All four conditions must be met. If any condition is missing, you need proper consent.

Condition 1: Sale or negotiation
You collected their contact details during a sale or in the course of negotiations for a sale of your products or services.
Condition 2: Your similar products
The marketing is only for YOUR similar products or services. Ask yourself - would the recipient reasonably expect this marketing from you?
Condition 3: Opt-out at collection
You gave them a simple, free way to opt out when you first collected their details.
Condition 4: Opt-out in every message
Every subsequent marketing message includes an easy way to opt out.

When soft opt-in does NOT apply

  • Third-party lists: You cannot use soft opt-in for contacts you bought or obtained from another business. It must be YOUR sale.
  • Newsletter sign-ups alone: Signing up for a free newsletter is not a 'sale or negotiation' unless it leads to an actual sale discussion.
  • Competition entries: Entering a competition is not a sale context.
  • Unrelated products: An insurance company cannot use soft opt-in to market completely different financial products.
  • Third-party marketing: You cannot use soft opt-in to market other companies' products.

Charity soft opt-in (from 2026)

The Data Use and Access Act 2025 extends soft opt-in to charities. From January 2026, charities can use soft opt-in for marketing about their charitable purposes to people who have previously shown interest or support.

This does not apply retrospectively to contacts collected before the new rules take effect.

What every marketing message must include

PECR Regulations 23 and 24 require specific information in all marketing messages:

Sender identity
You must not conceal or disguise your identity. The recipient must be able to tell who sent the message.
Contact address
You must provide a valid address where the recipient can contact you.
Unsubscribe mechanism
Every message must include a simple, free way to opt out of future messages. Honour opt-outs promptly.
  1. 1

    Include clear sender name

    Use your business name, not a generic 'noreply' address. The recipient should instantly recognise who is contacting them.

  2. 2

    Provide working unsubscribe link

    Test your unsubscribe mechanism regularly. Broken or complicated opt-out processes breach PECR.

  3. 3

    Honour opt-outs immediately

    Remove people from your marketing list as soon as they opt out. Best practice is same day; maximum 28 days.

  4. 4

    Maintain a suppression list

    Keep a permanent list of everyone who has opted out. Screen all campaigns against this list before sending.

Live telephone marketing

PECR Regulation 21 allows live marketing calls without consent, but with important restrictions. You must screen your call lists against preference services and respect individual objections.

TPS screening required
You must not call numbers registered with the Telephone Preference Service (TPS) unless the person has specifically consented to receive calls from you.
CTPS screening required
For business numbers, screen against the Corporate Telephone Preference Service (CTPS) as well.
Screening frequency
Screen your call lists at least every 28 days. TPS registrations take effect 28 days after registration.
Display caller ID
You must display your telephone number or an alternative contact number. Withholding your number is a breach.
Provide contact details
If asked, you must provide your name, address, and telephone number.
  1. 1

    Subscribe to TPS and CTPS

    Register at tpsonline.org.uk and ctps.org.uk to access the suppression files you need for screening.

  2. 2

    Screen before every campaign

    Run your call lists against both TPS and CTPS registers, plus your own internal do-not-call list.

  3. 3

    Respect individual objections

    If someone asks you not to call again, add them to your internal suppression list immediately - even if they are not on TPS.

  4. 4

    Never withhold your number

    Always display a valid caller ID. Using number spoofing or withholding your number breaches PECR.

Automated calling systems

PECR Regulation 19 imposes strict rules on automated calls (robocalls) - recorded messages or systems that play pre-recorded content.

Prior consent required
You must have specific consent for automated calls. General marketing consent or consent for live calls is NOT enough.
Consent must be specific
The person must have agreed specifically to receive automated calls, not just marketing in general.
Identity and contact required
All automated calls must identify the caller and provide a Freephone number or valid contact address.
Display caller ID
You must display your telephone number on automated calls.

Cold calling bans

Some types of cold calling are banned entirely unless you have specific consent:

Claims management services
Cold calls about compensation claims, PPI, personal injury, or financial mis-selling are prohibited without prior GDPR-compliant consent (since September 2018).
Pensions
Cold calls about pensions are banned except for FCA-authorised firms or pension trustees with an existing relationship and consent (since January 2019).

ICO enforcement powers

The Information Commissioner's Office actively enforces PECR. Between 2019 and September 2025, the ICO issued 119 monetary penalty notices for PECR breaches, totalling approximately 10.5 million pounds.

Enforcement notices
The ICO can order you to stop unlawful marketing activities immediately.
Assessment notices
The ICO can conduct compulsory audits of your marketing practices.
Director liability
Directors may be personally liable for penalties in serious cases.

The ICO regularly publishes enforcement action on its website. Common triggers for investigation include:

  • High volumes of complaints about nuisance calls or texts
  • Marketing without valid consent or soft opt-in
  • Failing to screen against TPS/CTPS
  • No or broken unsubscribe mechanisms
  • Using third-party marketing lists without proper consent

Compliance checklist

Use this checklist to ensure your electronic marketing complies with PECR:

  1. 1

    Audit your marketing lists

    For each list, document how contacts were obtained, what consent was given, and whether soft opt-in applies.

  2. 2

    Check consent is valid

    Ensure consent is freely given, specific, informed, and unambiguous. Pre-ticked boxes and bundled consent do not count.

  3. 3

    Verify soft opt-in conditions

    If relying on soft opt-in, confirm all four conditions are met. Document your reasoning.

  4. 4

    Include required information

    Every marketing message must identify the sender and include a simple unsubscribe mechanism.

  5. 5

    Screen telephone lists

    For live calls, screen against TPS, CTPS, and your internal suppression list at least every 28 days.

  6. 6

    Maintain suppression lists

    Keep permanent records of everyone who has opted out. Screen all campaigns against this list.

  7. 7

    Train your staff

    Ensure everyone involved in marketing understands PECR requirements and consent rules.

  8. 8

    Review third-party lists carefully

    If you buy or rent marketing lists, verify how consent was obtained. You are responsible if consent was invalid.