
Email marketing in the UK is regulated by two overlapping laws: the Privacy and Electronic Communications Regulations 2003 (PECR) and UK GDPR. Getting either wrong can result in substantial fines from the Information Commissioner's Office (ICO).

This guide explains what marketing teams need to know to send compliant email campaigns, including when you need consent, when you can rely on soft opt-in, how to handle B2B marketing, and what every email must include.

How PECR and UK GDPR work together

PECR (Regulation 22): controls WHEN you can send marketing emails - consent or soft opt-in is required for individuals.
UK GDPR: controls HOW you handle personal data - lawful basis, privacy notices, data subject rights.
Which takes priority: PECR's consent requirements apply first; UK GDPR applies to all underlying data processing.
Enforcer for both: the Information Commissioner's Office (ICO).

What this means in practice: You need both PECR compliance (consent or soft opt-in) AND UK GDPR compliance (lawful basis, privacy notice, right to object). Having one without the other is not sufficient.

Consent requirements

Under PECR, you must have consent before sending marketing emails to individual subscribers. This includes personal email addresses (work or home), sole traders, ordinary partnerships (2-20 partners), and unincorporated organisations. The only exception is the soft opt-in (see next section).

What counts as valid consent

Consent for marketing must meet the UK GDPR standard:

Freely given
The person must have a genuine choice. Do not bundle marketing consent with other terms or make it a condition of service.
Specific
Be clear about what you are asking permission for. Separate consent for email, SMS, and third-party marketing.
Informed
Tell people who will be sending messages and what type of marketing to expect.
Unambiguous
Use a clear affirmative action. Pre-ticked boxes, silence, or inactivity do not count.

How to capture and record consent

  1. Use unticked opt-in boxes

    Require people to actively tick a box to consent. Pre-ticked boxes are unlawful. Silence or inactivity does not constitute consent.

  2. Separate marketing consent from terms

    Do not bundle marketing consent with acceptance of terms and conditions. Marketing consent must be a separate, active choice.

  3. Be specific about who and what

    Tell people exactly who will send emails and what type of content to expect. Vague phrases like "we may contact you" are not specific enough.

  4. Keep consent records

    Record when consent was given, how it was given, what the person was told, and exactly what they consented to. You need this evidence if challenged.
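The four steps above describe what a consent record has to prove. The following is an added example, not code from the guide or from any vendor, of a small append-only consent ledger that stores exactly the evidence step 4 calls for (when, how, what was shown, what was agreed) and applies the four consent tests when deciding whether an address can be marketed to. The field names, the method labels such as "unticked_checkbox", and the sample sign-ups are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class ConsentRecord:
    """One sign-up event. Field names are this example's own, not the guide's."""
    email: str
    captured_at: datetime       # when consent was given
    method: str                 # how it was given: "unticked_checkbox" or "pre_ticked_checkbox"
    wording_shown: str          # what the person was told, stored verbatim
    channels: FrozenSet[str]    # exactly what they consented to, e.g. {"email"}
    sender_named: bool          # did the wording say who will send the messages?
    bundled_with_terms: bool    # was the tick combined with accepting T&Cs?


def consent_defects(rec: ConsentRecord) -> List[str]:
    """Reasons the record fails the guide's four consent tests; an empty list means valid."""
    problems: List[str] = []
    if rec.method != "unticked_checkbox":          # unambiguous: affirmative action only
        problems.append("not an affirmative action")
    if rec.bundled_with_terms:                     # freely given: not tied to terms of service
        problems.append("bundled with terms")
    if not rec.sender_named or not rec.wording_shown.strip():   # informed: who and what
        problems.append("sender or purpose not stated")
    if not rec.channels:                           # specific: which channel was agreed
        problems.append("no channel specified")
    return problems


class ConsentLedger:
    """Append-only evidence store. Records are never edited or deleted; a withdrawal
    is stored as a separate dated fact so the original evidence survives."""

    def __init__(self) -> None:
        self._records: Dict[str, List[ConsentRecord]] = {}
        self._withdrawn: Dict[str, datetime] = {}

    @staticmethod
    def _key(email: str) -> str:
        return email.strip().lower()

    def record(self, rec: ConsentRecord) -> None:
        self._records.setdefault(self._key(rec.email), []).append(rec)

    def withdraw(self, email: str, when: datetime) -> None:
        # Right to object: recorded once and honoured immediately, no balancing test.
        self._withdrawn.setdefault(self._key(email), when)

    def can_market(self, email: str, channel: str) -> bool:
        key = self._key(email)
        if key in self._withdrawn:
            return False
        return any(channel in r.channels and not consent_defects(r)
                   for r in self._records.get(key, []))

    def evidence(self, email: str) -> List[ConsentRecord]:
        """What you would produce if asked how consent was obtained."""
        return list(self._records.get(self._key(email), []))


def demo() -> Dict[str, dict]:
    """Four constructed sign-ups showing how the checks behave."""
    now = datetime(2025, 1, 15, 9, 30, tzinfo=timezone.utc)
    wording = "Tick to receive email offers from Example Ltd"
    ledger = ConsentLedger()
    ledger.record(ConsentRecord("alice@example.com", now, "unticked_checkbox",
                                wording, frozenset({"email"}), True, False))
    ledger.record(ConsentRecord("bob@example.com", now, "pre_ticked_checkbox",
                                wording, frozenset({"email"}), True, False))
    ledger.record(ConsentRecord("carol@example.com", now, "unticked_checkbox",
                                "I accept the terms and agree to marketing",
                                frozenset({"email", "sms"}), True, True))
    ledger.record(ConsentRecord("dave@example.com", now, "unticked_checkbox",
                                wording, frozenset({"email"}), True, False))
    ledger.withdraw("Dave@Example.com", now)   # later objection, matched case-insensitively
    emails = ("alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com")
    return {e: {"can_market": ledger.can_market(e, "email"),
                "defects": [consent_defects(r) for r in ledger.evidence(e)]} for e in emails}
```

Only Alice can be emailed: Bob's consent came from a pre-ticked box, Carol's was bundled with the terms, and Dave objected after a valid sign-up. Keeping the wording shown and the capture method on every record is what lets you answer a complaint with evidence rather than assertion.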

UK GDPR lawful basis for marketing

If you rely on PECR consent, this also serves as your UK GDPR lawful basis. If you use soft opt-in or market to corporate subscribers, legitimate interests is typically your lawful basis - you must conduct a Legitimate Interest Assessment (LIA) to document the balancing test.

Right to object: Under UK GDPR Article 21, individuals have an absolute right to object to direct marketing. When someone objects, you must stop processing their data for marketing immediately - there is no balancing test.

The soft opt-in exception

You can send marketing emails to existing customers without fresh consent if you meet all four conditions of the soft opt-in. This is PECR's most useful provision for marketing teams, but all conditions must be met - if any fails, you need consent.

When soft opt-in does NOT apply

Common mistakes that invalidate soft opt-in:

  • Purchased or rented lists: Soft opt-in only works with YOUR customers. Third-party lists always require consent.
  • Newsletter-only sign-ups: Signing up for a free newsletter is not a "sale or negotiation" unless it leads to an actual purchase discussion.
  • Competition entries: Entering a prize draw is not a sale context.
  • Different product categories: Marketing unrelated products fails the "similar" test.
  • No opt-out at collection: If you did not offer an opt-out when you first collected their details, soft opt-in cannot apply.

B2B email marketing

PECR's consent rules do not apply to emails sent to corporate subscribers:

Corporate subscribers exempt from PECR consent: limited companies, LLPs, Scottish partnerships, government bodies.
Generic business emails: addresses like info@company.co.uk or sales@company.co.uk are corporate.
Named individuals at companies: john.smith@company.co.uk is an individual subscriber - consent rules apply.
Sole traders: NOT corporate subscribers - consent rules apply.

Important caveats for B2B marketing

While PECR consent is not required for corporate subscribers, UK GDPR still applies - you are processing personal data (the recipient's name) and need a lawful basis (usually legitimate interests). You must respect objections: if someone asks you to stop emailing them, add them to your suppression list. Best practice is to include an unsubscribe mechanism in all marketing emails, even B2B.

Practical tip: Many B2B email lists contain a mix of corporate and individual addresses. Unless you can reliably distinguish them, treat all addresses as requiring consent or soft opt-in.

Required email content and unsubscribe

PECR Regulations 23 and 24 require specific information in all marketing emails:

Sender identity: you must not conceal or disguise your identity. The recipient must be able to tell who sent the email.
Valid contact address: include a working postal or email address where the recipient can contact you.
Unsubscribe mechanism: every marketing email must include a simple, free way to opt out. It must work immediately and must not require a login or multiple steps.

  1. Use a clear "from" name

    Use your business name, not a generic "noreply" address. The recipient should instantly recognise who is contacting them.

  2. Include visible unsubscribe link

    Place the unsubscribe link where recipients can easily find it - typically in the footer. Do not hide it in tiny text.

  3. Make unsubscribe simple

    One click to unsubscribe is best practice. Do not require login, multiple confirmations, or reason selection. Complex processes breach PECR.

  4. Maintain a suppression list

    Keep a permanent list of everyone who has opted out. Screen every campaign against this list before sending. Never delete suppression records.
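Step 4 above (screen every campaign against a permanent suppression list) and the B2B section's distinction between generic business mailboxes and named individuals can be combined into a single pre-send gate. The code below is an added example, not from the guide or any email platform, of such a gate: it normalises addresses so a capitalised opt-out is not missed, refuses anything on the suppression list, and treats every address that is not a known generic role mailbox as an individual subscriber needing consent or soft opt-in, which is the guide's recommended default when lists cannot be reliably separated. The GENERIC_LOCAL_PARTS set holds only the two examples the guide gives and is an assumption to extend; the recipients and consent records are constructed.

```python
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Local parts the guide names as generic business addresses. This set is a starting
# assumption to extend from your own data: anything not in it is handled as a named
# individual, following the guide's "unless you can reliably distinguish them" advice.
GENERIC_LOCAL_PARTS: Set[str] = {"info", "sales"}


def normalise(address: str) -> str:
    """Canonical form for matching. Local parts are case-sensitive in theory, but
    matching case-insensitively avoids missing an opt-out because of a capital letter."""
    return address.strip().lower()


def classify(address: str) -> str:
    """'corporate' for a generic role mailbox, otherwise 'individual'.
    The address alone cannot show that a domain belongs to a sole trader or an ordinary
    partnership (both individual subscribers), so this is one input to the decision,
    not proof that PECR consent is unnecessary."""
    local_part = normalise(address).split("@", 1)[0]
    return "corporate" if local_part in GENERIC_LOCAL_PARTS else "individual"


class SuppressionList:
    """Permanent opt-out register: entries are only ever added, never removed."""

    def __init__(self, seed: Iterable[str] = ()) -> None:
        self._entries: Set[str] = {normalise(a) for a in seed}

    def add(self, address: str) -> None:
        self._entries.add(normalise(address))

    def contains(self, address: str) -> bool:
        return normalise(address) in self._entries


def screen_campaign(
    recipients: Iterable[str],
    suppression: SuppressionList,
    has_basis: Callable[[str], bool],
) -> Tuple[List[str], Dict[str, str]]:
    """Gate a send list. Returns (send_to, excluded), where excluded maps each dropped
    address to the reason. `has_basis(address)` is the caller's lookup of a valid
    consent or soft opt-in record for an individual subscriber. Corporate subscribers
    pass the PECR check here but still need a UK GDPR lawful basis (normally
    legitimate interests) and an unsubscribe link in the email itself."""
    send_to: List[str] = []
    excluded: Dict[str, str] = {}
    seen: Set[str] = set()
    for addr in recipients:
        key = normalise(addr)
        if key in seen:
            excluded[addr] = "duplicate"
        elif suppression.contains(key):
            excluded[addr] = "on suppression list"   # an objection overrides everything
        elif classify(key) == "individual" and not has_basis(key):
            excluded[addr] = "individual subscriber without consent or soft opt-in"
        else:
            send_to.append(key)
        seen.add(key)
    return send_to, excluded


def demo() -> Tuple[List[str], Dict[str, str]]:
    """Constructed recipients and records showing each outcome once."""
    suppression = SuppressionList(seed=["Opted.Out@example.com"])
    consented = {"j.bloggs@example.co.uk"}      # constructed consent / soft opt-in records
    recipients = [
        "info@example.co.uk",        # generic role address: corporate subscriber
        "Sales@Example.co.uk",       # corporate, differs only in case
        "j.bloggs@example.co.uk",    # named individual with a consent record
        "a.nother@example.co.uk",    # named individual without one
        "opted.out@example.com",     # unsubscribed earlier
        "INFO@example.co.uk",        # duplicate of the first after normalisation
    ]
    return screen_campaign(recipients, suppression, lambda a: a in consented)
```

The suppression check runs before the consent check on purpose: an opt-out must win even where a consent record exists, because the right to object has no balancing test. Logging the exclusion reasons gives you the audit trail the compliance checklist asks for.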

Penalties and compliance checklist

From June 2025, PECR penalties have been significantly increased under the Data Use and Access Act 2025.

Common enforcement triggers

The ICO prioritises cases involving high volumes of complaints, marketing without valid consent, missing or broken unsubscribe mechanisms, ignored opt-outs, and concealed sender identity. Directors may be personally liable for serious breaches.

Compliance checklist

  1. Audit your email lists

    For each list segment, document how addresses were obtained, what consent or soft opt-in basis applies, and when it was captured. Remove any addresses without clear legal basis.

  2. Check consent quality

    Review how consent is captured. Ensure opt-in boxes are unticked by default, marketing consent is separate from terms, and wording is specific about who and what.

  3. Verify soft opt-in conditions

    If relying on soft opt-in, confirm all four conditions are met for each contact. Document your reasoning for audit purposes.

  4. Include required information

    Every marketing email must identify the sender clearly and include a simple, working unsubscribe mechanism.

  5. Maintain suppression list

    Keep a permanent list of everyone who has opted out. Screen every campaign against this list before sending.

  6. Document legitimate interests

    If marketing to corporate subscribers or using soft opt-in, complete a Legitimate Interest Assessment to document your balancing test.

  7. Review third-party data carefully

    If you buy or rent email lists, verify how consent was obtained. You are responsible if consent was invalid.