Email marketing in the UK is regulated by two overlapping laws: the Privacy and Electronic Communications Regulations 2003 (PECR) and UK GDPR. Getting either wrong can result in substantial fines from the Information Commissioner's Office (ICO).

This guide explains what marketing teams need to know to send compliant email campaigns, including when you need consent, when you can rely on soft opt-in, how to handle B2B marketing, and what every email must include.

How PECR and UK GDPR work together

PECR (Regulation 22)

Controls WHEN you can send marketing emails - consent or soft opt-in required for individuals

UK GDPR

Controls HOW you handle personal data - lawful basis, privacy notices, data subject rights

Which takes priority

PECR's consent requirements apply first; UK GDPR applies to all underlying data processing

Enforcer for both

Information Commissioner's Office (ICO)

Consent requirements

Under PECR, you must have consent before sending marketing emails to individual subscribers. This includes personal email addresses (work or home), sole traders, ordinary partnerships (2-20 partners), and unincorporated organisations. The only exception is the soft opt-in (see next section).

What counts as valid consent

Consent for marketing must meet the UK GDPR standard:

Freely given

The person must have a genuine choice. Do not bundle marketing consent with other terms or make it a condition of service.

Specific

Be clear about what you are asking permission for. Separate consent for email, SMS, and third-party marketing.

Informed

Tell people who will be sending messages and what type of marketing to expect.

Unambiguous

Use a clear affirmative action. Pre-ticked boxes, silence, or inactivity do not count.

How to capture and record consent

1

Use unticked opt-in boxes

Require people to actively tick a box to consent. Pre-ticked boxes are unlawful. Silence or inactivity does not constitute consent.
2

Separate marketing consent from terms

Do not bundle marketing consent with acceptance of terms and conditions. Marketing consent must be a separate, active choice.
3

Be specific about who and what

Tell people exactly who will send emails and what type of content to expect. Vague phrases like "we may contact you" are not specific enough.
4

Keep consent records

Record when consent was given, how it was given, what the person was told, and exactly what they consented to. You need this evidence if challenged.

UK GDPR lawful basis for marketing

If you rely on PECR consent, this also serves as your UK GDPR lawful basis. If you use soft opt-in or market to corporate subscribers, legitimate interests is typically your lawful basis - you must conduct a Legitimate Interest Assessment (LIA) to document the balancing test.

UK GDPR lawful bases for processing personal data

The 6 (now 7) lawful bases under UK GDPR Article 6 for processing personal data.

Under UK GDPR Article 6, you must have a valid lawful basis to process personal data. You cannot process personal data without identifying at least one lawful basis that applies to each processing activity.

1. Consent (Article 6(1)(a)): The individual has given clear, specific, informed consent for you to process their personal data for a specific purpose
2. Contract (Article 6(1)(b)): Processing is necessary to fulfil a contract with the individual, or to take steps at their request before entering a contract
3. Legal obligation (Article 6(1)(c)): Processing is necessary to comply with a common law or statutory obligation under UK law
4. Vital interests (Article 6(1)(d)): Processing is necessary to protect someone's life
5. Public task (Article 6(1)(e)): Processing is necessary for performing a task in the public interest or for official functions that have a clear basis in law
6. Legitimate interests (Article 6(1)(f)): Processing is necessary for your legitimate interests or those of a third party, unless overridden by the individual's interests, rights, or freedoms

Consent requirements: Must be freely given, specific, informed, and unambiguous. Must be as easy to withdraw as to give.

Legitimate interests: Requires a documented Legitimate Interest Assessment (LIA) balancing test. Not available to public authorities for their core tasks.

7. Recognised legitimate interests (NEW - from February 2026): Processing necessary for certain pre-approved purposes without requiring a balancing test (Data (Use and Access) Act 2025)
Recognised purposes include: National/public security, defence, emergencies, crime prevention/detection, safeguarding vulnerable individuals
Effective date: 5 February 2026

Note: Direct marketing and intra-group data sharing still require a Legitimate Interest Assessment even under recognised legitimate interests.

ICO guide to lawful basis

The soft opt-in exception

You can send marketing emails to existing customers without fresh consent if you meet all four conditions of the soft opt-in. This is PECR's most useful provision for marketing teams, but all conditions must be met - if any fails, you need consent.

PECR electronic marketing rules

Core rules for email, SMS, and telephone marketing under the Privacy and Electronic Communications Regulations 2003. Common cause of ICO enforcement actions.

The Privacy and Electronic Communications Regulations 2003 (PECR) set specific rules for electronic marketing. Non-compliance is a common cause of ICO enforcement action, with fines now aligned with UK GDPR levels following the Data (Use and Access) Act 2025.

Email marketing (B2C): Consent required unless soft opt-in applies
SMS/text marketing: Same rules as email - consent required unless soft opt-in applies
Email to corporate subscribers: Consent not required for companies, LLPs, or government bodies
Live telephone calls: Must screen against TPS/CTPS; cannot call if person has objected
Automated calls (robocalls): Prior consent always required - no exceptions
TPS screening frequency: At least every 28 days
Legislation: Privacy and Electronic Communications Regulations 2003

Soft opt-in exception (4 conditions)

You can email existing customers without consent if ALL four conditions are met:

Contact details obtained during a sale or negotiations for a sale
Marketing is for YOUR similar products or services only
Opt-out opportunity given when details were collected
Easy opt-out provided in every subsequent message

Soft opt-in does NOT apply to: third-party marketing lists, details obtained outside sale context, or dissimilar products/services.

Electronic mail definition: Email, SMS, video messages, picture messages, voicemails, in-app messages, and direct messages over social media
Individual subscribers: Includes sole traders and ordinary partnerships (2-20 partners)
Corporate subscribers: Limited companies, LLPs, Scottish partnerships, government bodies
B2B email marketing: Consent rules do not apply to corporate subscribers - but respect objections

Telephone marketing requirements

Live calls: You can make live marketing calls without consent if the number is not on TPS/CTPS and the person has not objected to your calls. You must display caller ID and provide contact details if asked.

TPS/CTPS screening: Before making any marketing calls, screen your call list against both the Telephone Preference Service (TPS) and Corporate TPS (CTPS) registers. Screening must be done at least every 28 days.

Automated calls: Always require prior consent. General marketing consent is not sufficient - you need specific consent for automated calls.

Claims management cold calls: Banned without prior consent (since September 2018)
Pension cold calls: Banned except for FCA-authorised firms with existing relationship (since January 2019)
Fax marketing to individuals: Consent required; must screen against FPS
Fax marketing to businesses: No consent required but must screen against FPS and respect objections

Required information in marketing communications

Sender identity must not be disguised or concealed
Valid contact address for opt-out requests must be provided
Simple and effective unsubscribe mechanism in every message

When soft opt-in does NOT apply

Common mistakes that invalidate soft opt-in:

Purchased or rented lists: Soft opt-in only works with YOUR customers. Third-party lists always require consent.
Newsletter-only sign-ups: Signing up for a free newsletter is not a "sale or negotiation" unless it leads to an actual purchase discussion.
Competition entries: Entering a prize draw is not a sale context.
Different product categories: Marketing unrelated products fails the "similar" test.
No opt-out at collection: If you did not offer an opt-out when you first collected their details, soft opt-in cannot apply.

B2B email marketing

PECR's consent rules do not apply to emails sent to corporate subscribers:

Corporate subscribers exempt from PECR consent

Limited companies, LLPs, Scottish partnerships, government bodies

Generic business emails

Addresses like info@company.co.uk, sales@company.co.uk are corporate

Named individuals at companies

john.smith@company.co.uk is an individual subscriber - consent rules apply

Sole traders

NOT corporate subscribers - consent rules apply

Important caveats for B2B marketing

While PECR consent is not required for corporate subscribers, UK GDPR still applies - you are processing personal data (the recipient's name) and need a lawful basis (usually legitimate interests). You must respect objections: if someone asks you to stop emailing them, add them to your suppression list. Best practice is to include an unsubscribe mechanism in all marketing emails, even B2B.

Practical tip: Many B2B email lists contain a mix of corporate and individual addresses. Unless you can reliably distinguish them, treat all addresses as requiring consent or soft opt-in.

Required email content and unsubscribe

PECR Regulations 23 and 24 require specific information in all marketing emails:

Sender identity

You must not conceal or disguise your identity. The recipient must be able to tell who sent the email.

Valid contact address

Include a working postal or email address where the recipient can contact you.

Unsubscribe mechanism

Every marketing email must include a simple, free way to opt out. Must work immediately, not require login or multiple steps.

1

Use a clear "from" name

Use your business name, not a generic "noreply" address. The recipient should instantly recognise who is contacting them.
2

Include visible unsubscribe link

Place the unsubscribe link where recipients can easily find it - typically in the footer. Do not hide it in tiny text.
3

Make unsubscribe simple

One click to unsubscribe is best practice. Do not require login, multiple confirmations, or reason selection. Complex processes breach PECR.
4

Maintain a suppression list

Keep a permanent list of everyone who has opted out. Screen every campaign against this list before sending. Never delete suppression records.

Penalties and compliance checklist

From June 2025, PECR penalties have been significantly increased under the Data Use and Access Act 2025:

PECR maximum penalties 2025

Increased maximum fines for PECR breaches following Data (Use and Access) Act 2025.

From 19 June 2025, maximum penalties for PECR breaches have been aligned with UK GDPR levels under the Data (Use and Access) Act 2025.

Previous maximum fine: £500,000
New maximum fine (from June 2025): £17.5 million or 4% of global annual turnover, whichever is higher
Effective date: 19 June 2025
Legal basis: Data (Use and Access) Act 2025
Applies to: Unlawful email/SMS marketing, telemarketing, cookies/tracking breaches
Regulator: Information Commissioner's Office (ICO)

Common PECR breaches: Unsolicited marketing, ignoring opt-outs, manipulative cookie consent
ICO enforcement (2022-2025): 49 PECR fines totalling £4.63 million
Average fine (pre-2025): £94,490
Expected focus areas: Mass unsolicited communications, TPS/CTPS violations, deceptive consent flows

ICO PECR enforcement guidance

Common enforcement triggers

The ICO prioritises cases involving high volume complaints, marketing without valid consent, missing or broken unsubscribe mechanisms, ignoring opt-outs, and concealed sender identity. Directors may be personally liable for serious breaches.

Compliance checklist

1

Audit your email lists

For each list segment, document how addresses were obtained, what consent or soft opt-in basis applies, and when it was captured. Remove any addresses without clear legal basis.
2

Check consent quality

Review how consent is captured. Ensure opt-in boxes are unticked by default, marketing consent is separate from terms, and wording is specific about who and what.
3

Verify soft opt-in conditions

If relying on soft opt-in, confirm all four conditions are met for each contact. Document your reasoning for audit purposes.
4

Include required information

Every marketing email must identify the sender clearly and include a simple, working unsubscribe mechanism.
5

Maintain suppression list

Keep a permanent list of everyone who has opted out. Screen every campaign against this list before sending.
6

Document legitimate interests

If marketing to corporate subscribers or using soft opt-in, complete a Legitimate Interest Assessment to document your balancing test.
7

Review third-party data carefully

If you buy or rent email lists, verify how consent was obtained. You are responsible if consent was invalid.

Official guidance

Direct marketing guidance (ICO) (opens in a new tab) ico
Marketing and advertising law (GOV.UK) (opens in a new tab) gov.uk
Privacy and Electronic Communications Regulations 2003 (opens in a new tab) legislation.gov.uk

Email marketing: PECR and UK GDPR requirements

Electronic marketing rules (PECR)

Cookie consent: comply with PECR requirements

Data protection for businesses

Write a privacy notice that meets UK GDPR requirements

Write a GDPR-compliant privacy notice

How PECR and UK GDPR work together

Consent requirements

What counts as valid consent

How to capture and record consent

Use unticked opt-in boxes

Separate marketing consent from terms

Be specific about who and what

Keep consent records

UK GDPR lawful basis for marketing

The soft opt-in exception

When soft opt-in does NOT apply

B2B email marketing

Important caveats for B2B marketing

Required email content and unsubscribe

Use a clear "from" name

Include visible unsubscribe link

Make unsubscribe simple

Maintain a suppression list

Penalties and compliance checklist

Common enforcement triggers

Compliance checklist

Audit your email lists

Check consent quality

Verify soft opt-in conditions

Include required information

Maintain suppression list

Document legitimate interests

Review third-party data carefully

Official guidance

Related guides in Growth & Strategy

How PECR and UK GDPR work together

Consent requirements

What counts as valid consent

How to capture and record consent

Use unticked opt-in boxes

Separate marketing consent from terms

Be specific about who and what

Keep consent records

UK GDPR lawful basis for marketing

The soft opt-in exception

When soft opt-in does NOT apply

B2B email marketing

Important caveats for B2B marketing

Required email content and unsubscribe

Use a clear "from" name

Include visible unsubscribe link

Make unsubscribe simple

Maintain a suppression list

Penalties and compliance checklist

Common enforcement triggers

Compliance checklist

Audit your email lists

Check consent quality

Verify soft opt-in conditions

Include required information

Maintain suppression list

Document legitimate interests

Review third-party data carefully

Official guidance