Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Contents
- What Laws Regulate Email Marketing In The UK?
- Why Does PECR Exist And Why Should You Care?
- Are There Rules For Marketing To Businesses?
- What Does The UK GDPR Say About Email Marketing?
- What Must You Include In Every Marketing Email?
- Risks Of Non-Compliance: What If You Break Email Marketing Laws?
- Key Steps To Stay Compliant With UK Email Marketing Laws
- What Else Should You Watch Out For?
- Key Takeaways: Your Email Marketing Compliance Checklist
For many small businesses and startups across the United Kingdom, email marketing is one of the most powerful (and cost-effective) ways to reach customers. Whether you’re sending out a monthly newsletter, a one-off promotion, or a regular stream of email advertisements, digital marketing can be a game-changer for your growth. But before you start tapping ‘send all’ on your next campaign, there’s something essential you need to know – UK law has strict rules around how you use emails for marketing.
The good news? With the right understanding of these requirements, you can harness email advertising while protecting your business and your reputation. In this guide, we break down the email marketing laws UK businesses must follow, so you can stay compliant, avoid fines, and build real trust with your audience.
What Laws Regulate Email Marketing In The UK?
If you’re planning to use email marketing (or emails for marketing of any kind) in the UK, there are two key pieces of legislation you need to keep front of mind:
- Privacy and Electronic Communications Regulations (PECR): These rules govern the use of electronic communications (including email, text, and certain other messaging channels) for direct marketing.
- UK General Data Protection Regulation (UK GDPR): This sets wider rules about how you collect, store, use and manage any kind of personal data – including email addresses and other contact details linked to individuals.
Both sets of regulations apply to businesses and organisations of all sizes, not just the big brands. So if you’re sending emails for marketing, whether B2B or B2C, you’ll need to make sure you understand and comply with both PECR and GDPR requirements.
Why Does PECR Exist And Why Should You Care?
At its core, the PECR is all about protecting people (both individuals and businesses) from unwanted and intrusive electronic marketing. It was designed to build trust in digital communications by ensuring companies:
- Don’t bombard people with marketing emails they don’t want to receive
- Are upfront about who they are and the purpose of the communication
- Respect privacy rights and give recipients real control
If you ignore these rules, you risk more than just annoying your contacts – you could face formal complaints, enforcement action, substantial fines from the Information Commissioner’s Office (ICO), and damage to your brand. That’s why it’s so important to get your legal foundations right from day one.
Who Can You Send Email Marketing To?
One of the most common questions we get from business owners is: “Can I just email my mailing list about my new offer or product launch?” The answer depends on who you’re emailing and whether you have the right legal permissions in place. The PECR draws a clear line between two types of recipients:
1. Individual Subscribers
These include:
- Consumers (private individuals)
- Sole traders
- Traditional partnerships (but not limited liability partnerships or companies)
Marketing emails sent to these groups are subject to tougher PECR rules – mainly because individuals are seen as more vulnerable to intrusion or spam. Most of the restrictions and consent requirements in PECR focus on this category.
2. Corporate Subscribers
This refers to:
- Limited companies
- Limited Liability Partnerships (LLPs)
- Incorporated partnerships and trusts
If you’re targeting corporate email addresses (like info@business.co.uk), the PECR rules are much more relaxed. In general, you do not need prior consent to send marketing emails to these addresses. However, your emails still need to clearly identify your business and give a way to opt out (unsubscribe).
What Do The Rules Say About Emailing Individuals?
If your emails are aimed at individual subscribers, you’ll need to tread carefully and have a legitimate legal basis for emailing them. Under PECR, there are two main approaches: obtaining explicit consent or using the ‘soft opt-in’ exemption (if you qualify).
Explicit Consent: What Counts As Proper Permission?
The PECR (and GDPR) require that you have clear, unambiguous consent before sending marketing emails to individuals. In other words, the person must have knowingly and actively agreed to receive your marketing. This means:
- Freely given: The customer must choose to sign up (no pre-ticked boxes or bundled consent allowed).
- Specific: The consent must relate to a particular type of marketing. “Tick to receive relevant emails from us” is clearer than just “I agree to terms.”
- Informed: You must explain what they’re signing up for, who you are, and how you’ll use their data.
- Unambiguous: There is no doubt the individual intended to give permission (active opt-in, not silence or inactivity).
Examples of valid consent mechanisms (as recommended by the ICO) include:
- A tick box (unticked by default) on your website or sign-up form
- Requesting an email confirmation (double opt-in)
- Explicit wording beside the consent box (e.g. “Yes, sign me up for marketing emails about your offers and updates”)
Remember: Pre-ticked boxes, implied consent, or including consent hidden in your terms and conditions are not acceptable under the current law. If challenged, you will need to prove how and when you obtained consent, so always keep proper records (such as logs of user sign-ups or consents).
If you're unsure about how to draft clear, compliant consent wording, our Privacy Consent Wording Review service can help ensure your forms and policies are up to standard.
What About The ‘Soft Opt-In’ Exemption?
There’s one important exception to the consent rule: the soft opt-in exemption. This allows you to send email marketing to existing or recent customers without having gathered explicit tick-box consent, as long as:
- You obtained their email address in the course of a sale (or negotiations for a sale) of a product or service
- You are marketing your own similar products or services
- You gave the person a chance to refuse (opt out) at the time you collected their details and in every subsequent message
- The person has not opted out of receiving such emails
In other words, if someone recently bought from you and didn’t say no to marketing, you can email them about similar products – but you must give them an easy way to unsubscribe each time. If your relationship with a contact is old or uncertain, you should err on the side of caution and seek fresh consent.
This soft opt-in only works for existing customers – not new leads, competition entrants, or people who have simply enquired about your business. The scope is fairly narrow and should not be relied on as a catch-all solution for email marketing compliance.
Are There Rules For Marketing To Businesses?
If you’re emailing corporate subscribers (like limited companies and LLPs), the law is much less restrictive. Here’s what you need to remember:
- No consent required: You can email generic business contacts for marketing, unless they ask you to stop.
- Opt out still applies: Every email must include a clear and free option to unsubscribe from future emails (such as an unsubscribe link or a reply instruction).
- Transparency is essential: Identify who you are in your email and provide contact details.
- Personal contacts: If you’re sending marketing to employees at their personal email addresses (e.g. {name}@gmail.com), that falls back under the stricter individual subscriber rules.
Even with B2B marketing, respect recipients’ wishes; pestering people who have opted out can still lead to reputational issues or complaints to the ICO.
What Does The UK GDPR Say About Email Marketing?
The PECR works hand-in-hand with the UK GDPR, which governs how any personal data (including emails, names, or any identifiers) must be handled. Whether you’re collecting addresses for an email newsletter, tracking who opens your email advertisements, or storing customer details, you’re subject to GDPR obligations as well as PECR. These include:
- Collecting and processing data lawfully, fairly, and transparently
- Only collecting what you need for legitimate marketing purposes
- Providing a clear Privacy Policy explaining what data you’re collecting and how you’ll use it
- Respecting people’s rights to access, correct, or erase their information
- Keeping data safe from unauthorised access or breaches
Every marketing list, CRM, or database you use should meet GDPR standards. This also applies to email platforms and marketing automation tools – make sure they’re secure and compliant.
If you need tailored GDPR documents, Sprintlaw can help with GDPR compliance packages including Privacy Policies and Data Processing Agreements.
What Must You Include In Every Marketing Email?
Whether you’re sending an email advertisement to individuals or businesses, every marketing email must:
- Clearly identify who you are as the sender (not just a generic or hidden address)
- Include a valid company address or registered office
- Tell recipients how they can opt out of future marketing (such as an easy-to-use unsubscribe link)
Emails that disguise your identity or make it hard to unsubscribe not only annoy recipients but are also in breach of the law. Repeat offenders can face escalating penalties and even a ban on sending marketing communications.
Want to be certain your templates and disclaimers tick all legal boxes? We offer a Disclaimer review service for peace of mind.
Risks Of Non-Compliance: What If You Break Email Marketing Laws?
Failing to follow email marketing laws can have serious consequences for your business, including:
- Fines: The ICO can issue fines up to £500,000 for serious PECR breaches, and GDPR penalties can be even higher depending on the data involved.
- Investigations: Recipients can complain to the ICO, triggering an investigation into your business practices.
- Reputational damage: Angry customers or partners may go public with complaints or negative reviews, hurting your credibility.
- Enforcement action: Persistent non-compliance can lead to legal orders banning you from sending further marketing emails.
It’s always best to get your processes right – trying to fix things after a complaint or breach can be a lot more costly (and stressful) than setting up correctly.
For more on the risks and practical steps to mitigate them, you can read our guide on managing compliance risk in small business.
Key Steps To Stay Compliant With UK Email Marketing Laws
Here’s a handy checklist for staying on the right side of both PECR and GDPR for your email marketing campaigns:
- Distinguish between individual and corporate recipients before sending any emails.
- Ensure you have explicit, recorded consent for individual subscribers – or that you meet the precise conditions of the soft opt-in exemption.
- Always offer an unsubscribe option and action opt-out requests promptly. No exceptions.
- Clearly identify your business and include a registered address in every marketing email.
- Only send emails for marketing that are relevant (and expected) by your recipients – avoid spammy tactics.
- Regularly review your procedures, policies, and templates to ensure they remain compliant as laws evolve.
- Keep a record of how and when you obtained each contact's consent (or evidence the soft opt-in applies).
- Have an up-to-date Privacy Policy that explains who you are and how you use personal data for marketing.
Unsure if your marketing setup is compliant? Our team can carry out a review or help set up the documents you need. Learn more about essential legal documents for your business on our site.
What Else Should You Watch Out For?
Email marketing continues to evolve as new platforms, technologies, and tools emerge. Some extra pitfalls to stay aware of include:
- Using tracking pixels: These can fall under GDPR as personal data if they monitor recipient behaviour. Be transparent about their use in your Privacy Policy.
- Emailing purchased lists: Buying lists from third parties is very risky and almost always non-compliant unless every contact on the list has given explicit (provable) consent to receive your emails.
- Using marketing automation: Automated tools must still follow all the legal requirements above – technology does not override your obligations.
- Sensitive content: If your marketing contains health, financial, or special category data, extra rules (and care) will apply.
To stay protected, keep up-to-date with legal changes in online marketing and make sure to review your setup regularly. Laws can and do change!
Key Takeaways: Your Email Marketing Compliance Checklist
- The UK’s PECR and UK GDPR set strict rules for email marketing and email advertisement to both individuals and companies.
- You usually need explicit consent to market to individuals, but may rely on the soft opt-in for recent customers (subject to specific conditions).
- Corporate recipients can be emailed without prior consent, but must have an easy way to opt out and know who you are.
- Every marketing email should include sender identification, an unsubscribe method, and a clear company address.
- Breaching email marketing laws can lead to significant fines, regulatory action, and reputational harm.
- Aligning your practices with both PECR and GDPR is essential for risk management and credible growth.
- Professional help can ensure your forms, processes, and templates are genuinely compliant as your business scales.
Taking the time to get your email marketing right isn’t just about avoiding legal issues – it’s also the foundation of building loyal customer relationships and a trustworthy brand.
If you’d like tailored advice or help reviewing your email marketing compliance, reach out to Sprintlaw at team@sprintlaw.co.uk or call us on 08081347754 for a free, no-obligations chat.
