Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, email marketing can feel like the obvious way to grow. It’s fast, cost-effective, and (when done well) genuinely helpful for customers.
But there’s a big catch: the rules on unsolicited emails in the UK are tightly regulated. If you email the wrong people, in the wrong way, or without the right consents, you can end up with complaints to the ICO, damaged customer trust, and serious compliance headaches.
The good news is you don’t need to avoid email marketing altogether. You just need to understand what counts as “unsolicited”, what the law requires, and how to build your list and campaigns in a compliant way from day one.
Why Unsolicited Emails Matter For Your Business
“Unsolicited” basically means the recipient didn’t ask for your email and hasn’t clearly agreed to receive that kind of marketing from you.
From a small business perspective, the risks aren’t just theoretical. Unlawful marketing emails can lead to:
- ICO complaints (and an investigation if there’s a pattern of issues)
- Fines under the UK’s marketing and data protection laws (serious cases can be expensive)
- Lower deliverability (your emails start landing in spam, even to people who want them)
- Brand harm (people remember spammy behaviour)
- Wasted marketing spend on lists and campaigns you can’t lawfully use
On the flip side, compliant email marketing is a competitive advantage. When you collect consent properly and communicate clearly, you can build a list that’s genuinely engaged (and far more likely to buy).
What UK Laws Apply To Unsolicited Emails?
When we talk about the UK rules on unsolicited marketing emails, two main legal frameworks matter:
1) PECR (Privacy And Electronic Communications Regulations)
PECR is the key set of rules covering electronic marketing (including email and SMS). PECR sets out when you need consent to send marketing, what information must be included, and how opt-outs must work.
Most of the “can I email them?” questions come back to PECR.
2) UK GDPR And The Data Protection Act 2018
Even if an email is allowed under PECR, you still need to comply with data protection law when you collect, store, and use personal data like:
- names
- email addresses
- job titles
- information about a person’s preferences and behaviour (e.g. tracking opens/clicks)
That means you need a lawful basis for processing, transparency about what you’re doing, appropriate security, and clear retention practices.
In practice, most small businesses will need to get their privacy foundations right early (including a clear Privacy Policy), because email marketing touches personal data from the first sign-up form.
3) The “Practical Reality”: ICO Expectations
The ICO (Information Commissioner’s Office) regulates and enforces these rules. Even if you think you’ve found a workaround, the ICO typically focuses on whether your approach is fair, transparent, and what people would reasonably expect.
If your marketing feels sneaky, unclear, or difficult to opt out of, you’re taking on risk.
When Can You Email Someone Without Prior Consent?
This is the question most business owners are really asking. The answer depends on:
- whether your email is marketing or not
- whether you’re emailing an individual consumer or a business
- whether you can rely on the soft opt-in
Marketing Vs Service Emails (Not Everything Is “Marketing”)
PECR’s strictest rules apply to direct marketing. That includes emails promoting your products/services, special offers, upsells, and even some “brand awareness” messages.
By contrast, you can usually send service emails that are necessary to deliver what someone asked for, for example:
- order confirmations and invoices
- delivery updates
- password resets
- security notices
- important changes to a service someone is already using
Be careful though: if you add promotional content into a service email, it may be treated as marketing (or at least partly marketing). If you want to promote in those emails, it’s safer to do it only where you’ve got valid marketing permission.
B2C Emails: Consent Is Usually Required
For emails sent to individuals (for example: name@gmail.com, name@icloud.com), the default position is:
- you need consent to send marketing emails
There is a major exception: the soft opt-in (covered below).
B2B Emails: You May Not Need Consent, But You Still Need To Be Careful
Many small businesses market to other businesses. Under PECR, there’s an important distinction between:
- corporate subscribers (e.g. limited companies, LLPs, some public bodies)
- individual subscribers (including sole traders and many partnerships)
In practice, that means:
- If you email a corporate subscriber (for example, an employee at a limited company using a work address like j.smith@company.co.uk, or a generic address like sales@company.co.uk), you generally don’t need prior consent under PECR - but you must still identify yourself and provide an easy opt-out.
- If you email a sole trader or partnership (who may be treated as an “individual subscriber”), you’ll usually need consent unless you can rely on the soft opt-in.
So yes, some B2B outbound emailing can be lawful without explicit opt-in consent. But it’s not a free-for-all. You still need to handle the personal data lawfully under UK GDPR and keep your messaging reasonable and relevant.
The Soft Opt-In: The Key Exception Many Small Businesses Can Use
The soft opt-in is often the most practical lawful route for small businesses doing email marketing.
Broadly, you may be able to email someone marketing messages without an explicit opt-in where:
- you got their email address during a sale or negotiations for a sale (e.g. checkout process, enquiry that’s genuinely about buying)
- you’re marketing your own similar products or services
- you gave them a clear chance to opt out at the point you collected the email address (and in every marketing email after that)
This is where many businesses trip up - they rely on the soft opt-in but forget that the opt-out has to be offered properly at the time of collection, not buried later.
If you want a more detailed view of how to use it in a compliant way, see the soft opt-in email marketing requirements, which set out the same conditions in more depth.
How To Get Consent The Right Way (So It Actually Counts)
If you do need consent (and in many cases you will), it’s worth doing it properly. Bad consent isn’t just “a bit risky” - it’s often treated as no consent at all.
What “Valid Consent” Usually Looks Like
As a general rule, marketing consent should be:
- active (e.g. the person ticks an unticked box, or signs up through a clear form)
- informed (they know what they’re signing up to receive)
- specific (not a vague “we may contact you”)
- separate from other terms where possible (not bundled into acceptance of general terms)
- recorded (you can show what they agreed to and when)
Practical examples of good consent language include:
- “Tick this box to receive email offers and updates from [Your Business Name]. You can unsubscribe at any time.”
- “Yes, send me marketing emails about [category/product line].”
What To Avoid (Common Consent Mistakes)
These are the patterns that commonly cause problems:
- Pre-ticked boxes for marketing sign-up
- Consent buried in terms that people have to accept to buy (especially if it’s not clearly optional)
- “Consent” obtained by a third party but unclear whether it covered your business specifically
- Inconsistent messaging (sign-up form says “newsletters” but you send discounts every day)
- No proof (you can’t show when/how the email address was collected and what the person saw)
From a risk perspective, one of the most important things you can do is build a simple compliance trail: a record of the wording used, the date/time of sign-up, and the source of consent.
Do You Need Double Opt-In In The UK?
Double opt-in (where the subscriber confirms via a link sent to their inbox) isn’t always legally required in the UK, but it’s often a smart business practice because it:
- helps prove the email address belongs to the person who signed up
- reduces spam complaints
- improves list quality and engagement
If you operate in higher-risk sectors, run frequent campaigns, or plan to scale quickly, double opt-in can be a strong “from day one” compliance habit.
Buying Lists, Scraping Emails, And “Introductions”: Where Businesses Get Caught Out
When small businesses are trying to grow quickly, it’s tempting to:
- buy a list
- use a directory
- scrape emails from websites
- get “leads” from a partner
This is also where compliance risks spike.
Can You Buy An Email List And Use It?
Sometimes businesses are sold lists with promises like “GDPR compliant” or “permission-based”. Even if the seller has done something to collect those addresses, that doesn’t automatically mean you can email those people.
Key issues include:
- Was consent actually obtained for marketing by your specific business?
- Was the consent properly informed and recorded?
- Was the person told their data would be shared with third parties?
- Can you demonstrate compliance if someone complains?
In many cases, bought lists create more problems than they solve. It can be safer (and more effective long-term) to invest in building your own list using proper sign-up forms, lead magnets, and customer onboarding.
Is Web Scraping Email Addresses Allowed?
Scraping email addresses from websites and then sending marketing emails is high-risk in the UK. Even where an email address is publicly visible, that doesn’t automatically mean the person has consented to marketing.
There can also be broader legal issues around how data is accessed and used. If you’re considering this approach, it’s worth getting advice first - especially if you’re using automated tools or scraping at scale.
What If A Partner “Introduces” You To Leads?
Introducer and referral arrangements can work well, but the data protection and marketing permissions need to be structured properly.
If another business collects leads and passes them to you, you may need a clear written arrangement covering responsibilities and compliance, especially if personal data is being shared. Depending on the setup, a Data Processing Agreement (or another data-sharing contract) may be appropriate.
It’s also wise to set the commercial relationship out clearly so expectations and liability are managed, often through a Referral Agreement.
Practical Compliance Checklist (And Common Mistakes)
If you want your email marketing to be effective and compliant, it helps to treat compliance like part of your growth engine - not an afterthought.
A Simple Checklist For Unsolicited Emails In The UK
- Decide whether the email is marketing (if it promotes, it probably is).
- Identify who you’re emailing (consumer vs corporate; generic address vs named individual).
- Choose the lawful route: explicit consent or the soft opt-in (if available).
- Use clear sign-up wording and keep records of consent.
- Include proper sender details in every marketing email (your business name and contact info).
- Make unsubscribing easy and actually action opt-outs quickly.
- Keep your privacy messaging consistent (your forms, emails, and Privacy Policy should align).
- Train your team (especially sales and marketing) so they don’t go “off-script”.
- Review your templates and processes as you scale (what worked at 100 subscribers may not work at 10,000).
Common Mistakes Small Businesses Make
Here are the issues we most often see when a business is trying to do the right thing, but misses key details:
- No opt-out at the point of collection (which can break the soft opt-in).
- “Similar products” stretched too far (e.g. someone bought a yoga class and you start emailing them about unrelated third-party supplements).
- Unsubscribe links that don’t work (or force the customer to log in).
- Using personal data longer than necessary (no retention plan).
- Not documenting consent (you can’t prove it later).
What About Cold Outreach To Business Emails?
Cold outreach is a common growth tactic, especially for service businesses and B2B providers. The key is to do it in a controlled, compliant way:
- keep outreach relevant to the recipient’s role/business
- avoid blanket “spray and pray” campaigns
- include a clear opt-out in every message
- don’t keep emailing someone who has opted out
And remember: even if PECR consent rules are more flexible for corporate subscribers, UK GDPR principles like fairness and transparency still apply. You should be able to justify why you’re contacting that person and why they’d reasonably expect it.
If your team uses work systems to prospect, it can help to set internal rules about acceptable marketing conduct and data handling through a clear Acceptable Use Policy.
Key Takeaways
- Unsolicited emails in the UK are mainly regulated by PECR (marketing rules) and UK GDPR/Data Protection Act 2018 (personal data rules).
- If you’re emailing individuals with marketing, you’ll usually need clear consent, unless you can rely on the soft opt-in.
- B2B emails can be more flexible in some cases, but you still need to comply with transparency, fairness, and opt-out requirements.
- Consent should be active, informed, and recorded - and it’s worth avoiding “DIY” consent collection that you can’t prove later.
- Buying lists and scraping emails are high-risk strategies and often create compliance issues (and spam complaints) that can damage your brand.
- Set strong legal foundations early (including a clear Privacy Policy and appropriate data sharing contracts) so you can scale marketing confidently.
If you’d like help setting up compliant marketing practices, reviewing consent wording, or putting the right privacy documents in place, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.