Email marketing remains one of the most effective digital marketing channels, but in the UK it is tightly regulated. Sending promotional emails without understanding the law exposes businesses to legal risk, fines, and reputational damage. To stay compliant and protect your brand, it’s essential to understand UK email marketing laws, how consent must be collected, and when you can legally send marketing messages to individuals and businesses.
The key rules come from the Privacy and Electronic Communications Regulations (PECR), which sit alongside the UK GDPR. Email marketing compliance involves satisfying both sets of rules. In practical terms, most direct marketing emails to individuals require explicit consent, with a narrow exception for existing customers under what is commonly called the “soft opt-in” rule.
For more information, see the ICO's official guidance on electronic mail marketing.
What Law Applies to Email Marketing in the UK?
Privacy and Electronic Communications Regulations (PECR)
PECR is the primary law governing email marketing in the UK. It applies to “electronic mail” marketing and sets out strict rules on sending marketing messages by email, text, or similar technologies.
UK GDPR
UK GDPR sets out broader data protection principles, including lawful bases for processing personal data (such as email addresses) and rights for data subjects. Although UK GDPR does not directly control email marketing, it defines the consent standard that PECR references. (ICO)
Together, these laws protect recipients from spam and ensure that marketers respect privacy and data rights.
When You Need Consent to Email Individuals
Under PECR, you must NOT send marketing emails to an individual person unless one of the following applies:
- Explicit consent has been obtained from them; or
- A soft opt-in applies for existing customers.
What Counts as Consent?
Consent must be:
- Freely given — it must not be a condition of a purchase or anything else;
- Specific and informed — individuals must know they are agreeing to receive marketing by email;
- Unambiguous and affirmative — they must indicate consent through a positive action (e.g., ticking a box). (ICO)
Pre-ticked boxes, silence, or inactivity do not count as consent.
You should also record consent (who, when, how) so you can demonstrate compliance if challenged.
What Is the “Soft Opt-In”?
The “soft opt-in” is a limited exception recognised under PECR. It allows a business to send emails to its own existing customers without fresh consent, provided:
- The individual’s details were obtained during the course of a sale or contract negotiation;
- The emails are about similar products or services; and
- They were given a clear opportunity to opt out both when their details were first collected and in every marketing message sent. (ICO)
This does not apply to:
- Prospective customers who have never bought from you
- Contacts obtained from third-party lists
- Non-commercial or political campaigning messages
The soft opt-in helps reduce friction for ongoing customer marketing, but it is not a loophole to bypass consent for new subscribers.
Consent vs Legitimate Interest
Under UK GDPR you can process personal data on several lawful bases, including legitimate interest. However, PECR still generally requires prior consent for direct marketing emails to individuals under UK law. Legitimate interest alone is not enough to send direct marketing by email to consumers unless the soft opt-in conditions also apply. (ICO)
This is a frequent area of confusion, and mixing the two legal regimes incorrectly can lead to non-compliance.
Email Marketing to Businesses (B2B)
PECR makes a distinction between individuals and corporate subscribers:
- Corporate bodies (e.g., limited companies) can be emailed without consent under PECR;
- Sole traders, freelancers, and some partnerships are treated as individuals and require consent or soft opt-in. (ICO)
When emailing business contacts using personal email addresses, remember that UK GDPR treats these as personal data and that PECR consent rules still usually apply unless a soft opt-in exists.
What Must Each Email Include?
Compliant marketing emails must always include the following:
- The identity of the sender clearly stated;
- A valid contact address (physical or electronic);
- A simple and free opt-out mechanism in every message.
Providing an unsubscribe link that is difficult to find, or failing to honour opt-outs promptly, breaches PECR and harms trust.
Using Purchased or Third-Party Lists
Sending marketing emails to purchased or rented lists is risky. Under PECR:
- The “soft opt-in” does not apply to contacts obtained from third parties;
- Consent must have been obtained explicitly for your organisation and the specific use you intend;
- You are responsible for checking the validity of any third-party consent claims.
If in doubt, avoid using purchased lists — developing your own opt-in list is safer and more compliant.
Handling Opt-Outs and Withdrawals
Individuals can opt out of email marketing at any time, and you must stop sending them emails once they request it. PECR guidance emphasises that opt-outs must be respected immediately, and unsubscribed contacts must be added to a suppression list so they are not contacted again in future campaigns. (ICO)
If someone unsubscribes, you cannot treat that as only a temporary change — the law views opt-outs as enduring until the person consents again.
Misunderstandings and Common Mistakes
Thinking that publicly available emails are okay
Just because an email address is publicly visible does not mean you can email it for marketing without consent. PECR explicitly requires consent or soft opt-in for individuals even if the address was obtained publicly.
Bundling consent in terms and conditions
Consent for marketing must be separate from other conditions, clear, and specific. Bundling it with checkout terms is not compliant.
Assuming silent opt-in is valid
Silence, inactivity, or pre-ticked boxes are not valid indications of consent.
Consequences of Non-Compliance
Failing to comply with PECR and UK GDPR can lead to:
- Enforcement action by the ICO;
- Fines (historically under PECR up to £500,000 and potentially higher as legislation evolves);
- Reputational damage and loss of customer trust.
Even a single breach — such as sending marketing to someone who has withdrawn consent — can trigger regulatory scrutiny.
Conclusion
Understanding UK email marketing laws is essential for any organisation using email to communicate with customers or prospects. The key principles are:
- Obtain explicit consent from individual subscribers;
- Use the soft opt-in carefully for existing customers;
- Respect opt-outs promptly;
- Never rely on silence or pre-ticked boxes;
- Separate GDPR requirements from PECR rules, even though they work together.
By aligning your email strategies with the ICO’s guidance and legal requirements, you not only avoid fines but also build trust and improve engagement.
FAQs
1. Do I need consent to send marketing emails in the UK?
Yes, under PECR you generally need explicit consent from individuals unless the soft opt-in applies.
2. Can I email business addresses without consent?
You can email corporate subscribers (e.g., limited companies) without consent under PECR, but any personal data is still governed by GDPR if the individual is identifiable.
3. What happens if someone unsubscribes?
You must stop sending email marketing immediately and ensure they are not contacted again unless they opt in later.

