PECR Compliance: Navigating E‑Marketing Rules with Ease

If you're running a business in the UK, the opportunities for reaching potential customers through emails, texts and calls have never been greater. From new online shops and consulting firms to tech startups and traditional service businesses, e-marketing is often a crucial growth driver. But before you hit 'send' on your next marketing campaign, it’s vital to know that UK law closely regulates how you contact people electronically. The Privacy and Electronic Communications Regulations (PECR) set down specific rules you can’t afford to ignore. Non-compliance can lead to complaints, legal risks and hefty fines – not to mention harm to your brand’s reputation.

Luckily, with the right knowledge, following the rules isn’t as hard as it might seem. In this guide, we’ll break down what PECR really means, how it works alongside the UK GDPR, which rules apply to different types of recipients, and what practical steps you can take to confidently run compliant e-marketing campaigns. Let’s get your marketing set up for success – and peace of mind – from day one.

What Are The Privacy and Electronic Communications Regulations (PECR)?

The Privacy and Electronic Communications Regulations (PECR) are a set of UK laws that govern how businesses carry out direct marketing using electronic means – such as emails, texts, phone calls and certain cookies or device tracking. They work alongside the UK GDPR and Data Protection Act 2018, but focus specifically on the methods and rules for marketing communications. PECR aims to protect individuals’ privacy by restricting how businesses can promote their products or services directly to people through digital channels. This applies to any business – big or small – that sends promotional emails or texts, or makes live or automated marketing calls.

How Does PECR Relate To The UK GDPR?

It’s easy to get PECR and GDPR mixed up, but they do different jobs:
  • PECR sets out the rules on how you can contact people for marketing via electronic means.
  • GDPR governs what you can do with people’s personal data in general, including collection, storage and processing.
In practice, when you send a marketing email, you must comply with both:
  • Follow PECR’s rules (for example, have consent where required).
  • Ensure you have a lawful basis for using their data (GDPR) and are transparent about how you’ll use it (usually via a clear Privacy Policy).
This double requirement is why it’s easy to feel overwhelmed – but don’t worry, we’ll break it down step by step in the following sections.

Who Needs To Comply With PECR?

If any part of your business involves direct marketing outreach via:
  • Emails (including newsletters, offers or promotions to a mailing list)
  • Text messages (SMS)
  • Phone calls (either live or automated recordings)
  • Certain website cookies or tracking technologies
then PECR applies to you. It covers limited companies, sole traders, partnerships and even charities or clubs. Compliance is not optional; the rules are universal for UK-based electronic marketers. It also applies whether you handle marketing yourself, use a digital agency or buy lead lists from another source. In short: if your business is hitting send, ringing phones, or tracking users for promotional purposes, PECR is squarely in play.

What Counts As “Direct Marketing” Under PECR?

Under PECR, direct marketing means any advertising or promotional material directed at particular people. This includes:
  • Informing existing customers of new products, offers or services
  • Promoting special events, discount codes or competitions
  • Requesting customer feedback if linked to buying more products or services
What doesn’t count as direct marketing? Transactional messages like service notices, order confirmations or essential service updates usually don’t fall under PECR’s marketing restrictions – as long as they’re strictly necessary for delivering your contracted services.

The Key PECR E-Marketing Rules For Most Businesses

The main rules focus on how (and to whom) you can send marketing messages electronically. If you’re sending marketing emails or texts to individuals, sole traders or non-incorporated partnerships, you’ll generally need:
  • Their explicit, advance consent (opt-in permission), except where the “soft opt-in” applies.
  • Clear information on who you are and a straightforward means to opt out (unsubscribe) in every message.

What Is The “Soft Opt-In”?

The soft opt-in is a helpful exception for many small businesses. You don’t need fresh consent to send marketing emails or texts to former or existing customers, but only if:
  • You obtained their contact details during a previous sale (or negotiations for a sale) of a product or service.
  • You’re marketing similar products or services to what they bought from you before.
  • You provided a clear opportunity to opt out both at the time you collected their details and in every subsequent marketing message.
  • The person hasn’t unsubscribed or objected.
For example, if someone buys a pair of trainers from your online shop and you collected their email as part of the purchase, you can email them about upcoming shoe sales – unless they opt out. But you can’t use this method to market unrelated services or sell their details to a third party.

Marketing To Businesses (B2B): Different Rules Apply

If you’re marketing to companies or LLPs (limited liability partnerships), the rules are less strict:
  • You don’t need prior consent to send marketing emails or texts to generic business addresses such as info@company.com or joe.bloggs@bigfirm.co.uk.
  • However, you must include the business’s contact details and – crucially – a clear option to unsubscribe in every message.
Be careful when using list databases: named individuals at companies may still be covered by GDPR if you’re using identifiable personal information. So always combine good PECR practice with robust data protection practices.

Marketing Calls: Live And Automated

Phone marketing has its own set of rules:
  • Live marketing calls to businesses and individuals are generally fine, unless the recipient has objected or is on the Telephone Preference Service (TPS).
  • Automated/pre-recorded calls always require prior consent from the recipient.
  • You must always identify yourself and offer an opt-out.
It’s wise to check the TPS register before making calls and ensure your scripts are compliant.

Website Cookies And Tracking

Cookies that track user behaviour for marketing, analytics or profiling purposes also fall under PECR. You must:
  • Inform users that your site uses cookies (ideally via a clear banner or popup).
  • Obtain consent before placing most non-essential cookies (except for cookies strictly necessary for website operation).
A tailored Cookie Policy and opt-in controls are an important part of your compliance.

Consent under PECR must be a positive, informed choice. That means:
  • No pre-ticked consent boxes
  • No default “opted-in” settings
  • Separate agreement for marketing communications, not hidden in T&Cs
You need to clearly state who you are and what types of messages you’ll send, and let people choose – “Would you like to receive exclusive offers by email? Yes / No”. Keep proper records of all consents, as you may be required to prove them.

Unsubscribing: Your Ongoing Obligation

Every marketing message must include a simple way to unsubscribe – whether a clickable link in an email or a “STOP” reply for SMS. If someone asks you to stop, you must act immediately. No more emails, no delays, no loopholes. Failure to respect opt-outs can land you in serious hot water with regulators and damage your reputation fast.

Before you process someone’s personal data for marketing, you need a lawful basis under the UK GDPR. For most direct marketing, consent is the preferred option. But sometimes another basis might apply (like “legitimate interests”), provided you can show you’ve balanced your interests with the individual’s rights. The takeaway here is consistency: make sure your GDPR basis matches your PECR compliance. For example, don’t rely on “legitimate interests” for B2C emails if you haven’t also got valid PECR consent (unless the soft opt-in applies). And always set out your marketing practices clearly in your Privacy Policy.

Common Pitfalls And How To Avoid Them

  • Sending marketing to people without consent (except where the soft opt-in applies)
  • Burying consent in terms & conditions instead of a clear, separate choice
  • Not including an unsubscribe option in every marketing message
  • Collecting emails via competitions or downloads but failing to get explicit marketing consent
  • Assuming B2B lists are always exempt – be careful when contacting sole traders and partnerships!
  • Overlooking GDPR obligations, such as documenting your legal basis or updating your Privacy Policy to explain your marketing
  • Ignoring opt-out requests (even one complaint can lead to enforcement action)
The best way to avoid these pitfalls? Consult a legal professional who can consider your specific marketing setup and help you put the right policies, consent records, and compliance procedures in place. And remember, cookie-cutter templates often fail to protect your business properly – get tailored legal documents whenever possible.

Practical Tips For PECR And GDPR Compliance

  • Keep a clear consent log for all individuals you contact for marketing
  • Offer a soft opt-in only to genuine existing customers, for products/services closely related to prior purchases
  • Ensure unsubscribe links are in every email and process unsubscribe requests promptly
  • Use a robust set of terms and conditions on your website or app
  • Maintain an up-to-date Privacy Policy explaining your marketing and data use
  • Review the ICO’s PECR guidance whenever your business or marketing approach changes
  • Seek advice before buying or using third-party marketing lists
  • Provide regular staff training on recognising and recording customer consent and handling opt-outs

How Can Sprintlaw Help?

At Sprintlaw, we specialise in helping UK startups and small businesses navigate the legalities of e-marketing. Our services include:
  • Drafting and reviewing Privacy Policies, Cookie Policies, and Website Terms and Conditions
  • Advising on compliant consent mechanisms and unsubscribe processes
  • Helping integrate PECR and GDPR requirements in your marketing workflows
  • Delivering compliance checklists and staff training tailored to your business
With our team of approachable, business-minded lawyers, you can be confident you’re protected from day one.

Key Takeaways

  • PECR compliance is mandatory for any business carrying out electronic direct marketing in the UK.
  • Get proper consent for marketing to individuals – with limited exceptions (like “soft opt-in” for existing customers).
  • B2B marketing is less restricted, but always offer a clear unsubscribe option and follow GDPR when processing contact data.
  • Make sure your marketing emails, texts and calls or cookies meet all PECR (and relevant GDPR) requirements.
  • Keep your Privacy Policy, consent records and staff training up to date – and act quickly on all unsubscribe requests.
  • When in doubt, seek expert advice to ensure full legal protection and avoid costly mistakes.
If you’d like support navigating PECR, GDPR or any area of e-marketing compliance, get in touch for a free, no-obligations chat at team@sprintlaw.co.uk or call us on 08081347754. We’re here to help you build a business that’s not just successful – but confidently compliant from day one.
Alex Solo

Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
