Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Contents
Email is one of the quickest ways to reach your customers. It’s affordable, measurable and can deliver an impressive return when done well.
But when it comes to advertising by email in the UK, the legal rules are strict. Get them wrong and you risk complaints, fines and damaged trust with your audience.
The good news? With a clear plan and the right legal foundations, you can run effective, compliant email campaigns from day one. In this guide, we break down the essentials in plain English so you can market confidently and stay on the right side of the law.
What Counts As Advertising By Email?
“Advertising by email” (often called email marketing) covers any email that promotes your goods, services or brand. This includes obvious sales emails (discounts, product launches) and softer promotional messages (newsletters that link to your latest products or upsell content).
It also captures:
- Direct offers, promotions or discounts sent to prospects or customers
- Newsletters with promotional content or links to your shop
- Refer-a-friend and loyalty emails if they encourage purchases
- Automated sequences (welcome, abandoned cart, win-back)
Transactional emails (e.g. order confirmations, shipping updates, service outages) are not “marketing” if they only provide information necessary for a purchase or service. However, if you add promotional content to a transactional email, PECR’s marketing rules can apply.
The UK Laws That Govern Email Marketing
Three core frameworks regulate advertising by email in the UK:
- Privacy and Electronic Communications Regulations 2003 (PECR)
- UK GDPR
- Data Protection Act 2018 (which sits alongside UK GDPR)
PECR sets the specific rules for sending “electronic mail” marketing, including when you need consent and what must be in each message. UK GDPR and the Data Protection Act set broader rules for any personal data you collect or use (for example, building your mailing list, profiling, analytics, and honouring data subject rights).
At a high level, you must be able to show a lawful basis for sending marketing emails and you need to follow strict consent and opt-out requirements for individuals. You also need to be transparent about what you’re doing and keep good records.
If you’re new to this area, it can help to get across the core email marketing laws before you set up your campaigns.
Consent, Soft Opt-In And B2B vs B2C Explained
This is where most businesses get tripped up, so let’s unpack the rules you’ll rely on most.
When Do You Need Consent?
For individual subscribers (for example, a consumer’s personal email, or a sole trader’s address), PECR generally requires prior consent before you can send marketing emails. Consent must be:
- Freely given, specific, informed and unambiguous
- Given by a clear affirmative action (no pre-ticked boxes)
- Recorded so you can show who consented, when and how
What Is The Soft Opt-In?
PECR allows a limited exception called the “soft opt-in”. You can market by email without fresh consent if all of the following are true:
- You obtained the person’s details during a sale (or negotiations for a sale) of a product or service
- You are marketing your own similar products or services
- You gave a clear, free opt-out at the time you collected the details
- You include a clear, free opt-out in every subsequent email
Used properly, the Soft Opt-In can power post-purchase and newsletter growth without friction. However, it’s easy to misapply (for example, using it with third-party lists, or for unrelated products), so document how you meet each requirement.
What About B2B Emails?
For “corporate subscribers” (e.g. limited companies and most LLPs), PECR’s consent rules are more flexible. You can generally send marketing emails to corporate addresses without consent, provided you:
- Identify yourself clearly
- Include a simple way to opt out in every message
- Respect opt-outs promptly
Two important caveats: UK GDPR still applies (for example, if an email address includes a person’s name, it’s personal data), and PECR consent rules do apply to sole traders and some partnerships because they’re treated like individuals. When in doubt, treat “named” business contacts with the same respect as consumers: be transparent, give easy opt-outs and avoid unsolicited messages without a clear lawful basis.
What Your Emails Must Include (And How To Capture Consent Properly)
Every marketing email should contain the basics required by law and best practice. This isn’t just a legal box-tick - it builds trust with your audience.
The Mandatory Elements
- Clear sender identity: Your trading name and a valid contact address
- Unsubscribe mechanism: A simple, free way to opt out (ideally a one-click link)
- Truthful subject lines and content: Avoid misleading claims or “clickbait”
- Privacy transparency: Link to your up-to-date Privacy Policy explaining how you use data for marketing
Collecting Consent The Right Way
- Use unticked checkboxes with clear wording (what they’ll receive, frequency, channel)
- Separate consent from terms acceptance or checkout (no “bundling”)
- Record consent logs (who, when, method, wording shown)
- Offer granular choices (email, SMS, profiling) and a preference centre
- Consider “double opt-in” to reduce risk of mistyped or fake sign-ups
If you collect consent via your website, ensure your Cookie Policy and consent tools are aligned with what you say about analytics and tracking. If you use tracking pixels in emails, treat them like “similar technologies” to cookies - get clear permission where required and be transparent about how they work. If you’re updating your interface, practical guidance on compliant cookie banners can help you get it right.
A Practical Compliance Checklist For Small Businesses
Use this checklist before you hit send on an email campaign. It’s not exhaustive, but it covers the most common compliance gaps we see.
1) Map Your Audience And Lawful Basis
- Split lists by audience type: consumers, sole traders, corporate contacts
- Confirm your lawful basis per segment: consent or soft opt-in for individuals; legitimate interests with opt-out for most corporates
- Keep suppression lists to ensure you do not email anyone who has opted out
2) Tidy Up Your Notices And Records
- Make sure your sign-up forms match your messaging (what and how often you’ll send)
- Link to your Privacy Policy wherever you collect details
- Keep audit-friendly logs of consent and opt-outs
- Set sensible retention rules for inactive contacts to avoid holding data longer than needed, in line with data retention principles
3) Build Compliant Templates
- Add your business identity and physical contact details
- Insert a clear unsubscribe link in a prominent place
- Avoid misleading subject lines or “from” names
- Consider an email footer that links to your privacy information and preferences
4) Manage Vendors And Data Flows
- Put in place a Data Processing Agreement with your email service provider (ESP)
- Check where data is stored/processed and ensure appropriate transfer safeguards if outside the UK
- Set clear instructions for your ESP to limit use of your list to your purposes only
5) Respect Data Subject Rights
- Offer easy opt-outs and act on them quickly (ideally immediately)
- Prepare a simple playbook to respond to Subject Access Requests, deletion requests and objections to marketing
- If you share data with partners for joint campaigns, put a proper Data Sharing Agreement in place and explain this to your subscribers
6) Avoid These Common Pitfalls
- Buying or renting lists: These rarely come with valid consent you can rely on - high risk for spam complaints and ICO action
- Pre-ticked boxes: They are not valid consent
- Hiding unsubscribe links: Make it obvious, simple and free
- Mixing transactional and promotional content: Keep receipts and updates free from marketing unless you have consent
- Unclear tracking: Be upfront about pixels and link tracking, and provide choices
7) Document, Review, Improve
- Write down your basis for each list segment (including soft opt-in logic)
- Run periodic list hygiene and suppression checks
- Audit templates, automations and sign-up flows at least annually
- Train your team so everyone knows the do’s and don’ts
Key Takeaways
- PECR sets the rules for advertising by email; UK GDPR governs how you collect, use and store the personal data behind your lists.
- For individuals, you’ll usually need consent - the soft opt-in is a narrow exception when you’ve collected details during a sale and you’re promoting similar products or services with clear opt-outs.
- B2B marketing to corporate addresses is more flexible, but you must always identify yourself, include an easy opt-out and respect data protection rules.
- Every email should include clear sender identity, a simple unsubscribe link, truthful content and a link to your current Privacy Policy.
- Put contracts and processes around your tools and partners - a robust Data Processing Agreement, aligned consent wording, compliant forms and transparent Cookie Policy will protect you as you scale.
- Avoid high-risk tactics like buying lists, pre-ticked boxes or hidden tracking; handle opt-outs and data rights requests quickly and consistently.
If you’d like tailored help setting up compliant email advertising - from consent wording and templates to vendor contracts and risk reviews - our team can help. You can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.
