UK PECR and UK GDPR for email marketing
UK email marketing runs on two laws at once - PECR for the consent rules and UK GDPR for the data underneath. Marketing to individuals is opt-in (with a narrow soft opt-in for existing customers), while corporate bodies can be emailed without prior consent. We describe the ICO's enforcement powers qualitatively because the specific PECR penalty ceiling is not confirmed from a primary source.
Last checked: June 21, 2026
The UK governs marketing email with two laws working together. The Privacy and Electronic Communications Regulations 2003 (PECR, SI 2003/2426) set the rules for sending the message; UK GDPR (with the Data Protection Act 2018) governs the personal data the message depends on. The Information Commissioner’s Office (ICO) enforces both. You cannot satisfy one and ignore the other.
This is general information, not legal advice. Consult UK counsel for your situation. The obligations below come from the ICO’s PECR guidance and the regulations themselves.
The 60-second version
- Marketing to individuals is opt-in. You need specific consent before sending electronic-mail marketing to an individual.
- A narrow soft opt-in lets you email your own existing customers without fresh consent, on three conditions.
- Corporate bodies (companies, LLPs, Scottish partnerships, government bodies) may be emailed without prior consent - the sharpest B2B/B2C split of any regime here.
- You must not conceal your identity and must give a valid contact/opt-out address.
- Act on opt-outs promptly (PECR sets no specific number of days) and maintain a do-not-contact list.
- UK GDPR’s accountability principle means you must be able to demonstrate valid consent.
- We do not print a PECR penalty figure here - see the enforcement note.
Consent for individuals
PECR requires specific consent before you send electronic-mail marketing to an individual subscriber. Consent under UK GDPR is a high bar: a freely given, specific, informed, and unambiguous indication - which in practice means an affirmative opt-in, not a pre-ticked box or silence.
The soft opt-in
You may email an existing customer without separate consent if all three hold:
- They bought, or negotiated to buy, a similar product or service from you.
- You gave them a clear chance to opt out when you collected their details.
- You offer an opt-out in every subsequent message.
The soft opt-in is deliberately narrow. It applies only to your own previous customers. It does not cover prospective customers, bought-in lists, or non-commercial promotions such as charity or political messages.
The B2B / B2C distinction
| Audience | Rule |
|---|---|
| Individuals (including sole traders and some partnerships) | Consent or soft opt-in required |
| Corporate bodies (companies, LLPs, Scottish partnerships, government bodies) | May be emailed without prior consent; good practice to keep and screen against a “do not email” list |
| Employees at corporate addresses | Consider data-protection implications for the individual behind the address |
This is the practical headline of UK law: the consent rule that stops you cold for consumers often does not apply to a registered company - but the UK GDPR data obligations still sit underneath.
Sender identification
- You must not disguise or conceal your identity as the sender.
- You must provide a valid contact address so recipients can opt out or unsubscribe.
Unsubscribe and do-not-contact
| Requirement | Detail |
|---|---|
| Opt-out mechanism | Offer an opt-out (a reply path or unsubscribe link). |
| Timing | Act on opt-out requests promptly. PECR specifies no fixed number of days - contrast CAN-SPAM’s 10 business days. |
| Suppression list | Maintain and screen against a “do not contact” list of everyone who opts out. |
A trap: viral and forwarded marketing
If you encourage recipients to forward a marketing message to others, the ICO treats you as “instigating” that send - which means you must comply with PECR for the forwarded message. “Tell a friend” mechanics do not move the obligation onto the friend.
Records under UK GDPR
PECR itself sets no specific record-keeping period, but UK GDPR’s accountability principle means you must be able to demonstrate valid consent where consent is your basis. In practice that means retaining evidence of who consented, when, how, and to what.
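As an added example (not code from this page or from Egressif), the following Python models the send-eligibility decision the sections above describe: a consent record that carries the who, when, how and to-what evidence the accountability principle asks for, the three soft opt-in conditions, the corporate-body exemption, the sender-identification and opt-out-address requirements, and screening against a do-not-contact list on every send. The class and function names and the sample addresses are constructed for illustration and are not from the page.

```python
"""Send-eligibility check modelling the PECR / UK GDPR rules on this page.
Hypothetical example code: names and sample data are constructed, not Egressif's."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Optional, Set, Tuple


class RecipientType(Enum):
    INDIVIDUAL = "individual"          # includes sole traders and some partnerships
    CORPORATE_BODY = "corporate_body"  # companies, LLPs, Scottish partnerships, government bodies


@dataclass(frozen=True)
class ConsentRecord:
    """Evidence of consent: who (email), when, how, and to what."""
    email: str
    collected_at: datetime   # when
    method: str              # how, e.g. "unticked checkbox on signup form"
    scope: str               # to what, e.g. "newsletter"
    affirmative: bool        # False for a pre-ticked box or silence: not valid consent


def make_consent(email: str, method: str, scope: str, affirmative: bool,
                 collected_at: Optional[datetime] = None) -> ConsentRecord:
    """Build a consent record, timestamping it now (UTC) unless a time is supplied."""
    when = collected_at or datetime.now(timezone.utc)
    return ConsentRecord(email, when, method, scope, affirmative)


@dataclass(frozen=True)
class CustomerRelationship:
    """Facts needed to test the three soft opt-in conditions."""
    email: str
    purchased_or_negotiated: bool        # bought, or negotiated to buy ...
    similar_product: bool                # ... a similar product or service from you
    opt_out_offered_at_collection: bool  # clear chance to opt out when details were collected


@dataclass
class Recipient:
    email: str
    kind: RecipientType
    consent: Optional[ConsentRecord] = None
    relationship: Optional[CustomerRelationship] = None


@dataclass(frozen=True)
class Campaign:
    scope: str                      # what the message promotes; matched against consent.scope
    sender_identified: bool         # sender identity not disguised or concealed
    opt_out_address: Optional[str]  # valid contact / unsubscribe address in the message
    commercial: bool = True         # soft opt-in does not cover charity or political promotions


def normalise(email: str) -> str:
    return email.strip().lower()


def record_opt_out(suppression: Set[str], email: str) -> None:
    """Add to the do-not-contact list at once; every later send is screened against it."""
    suppression.add(normalise(email))


def has_valid_consent(recipient: Recipient, campaign: Campaign) -> bool:
    """Consent counts only if it was an affirmative act and covers this campaign's scope."""
    c = recipient.consent
    return c is not None and c.affirmative and c.scope == campaign.scope


def soft_opt_in_applies(recipient: Recipient, campaign: Campaign) -> bool:
    """All three soft opt-in conditions, for a commercial message that carries an opt-out."""
    r = recipient.relationship
    return (
        campaign.commercial
        and r is not None
        and r.purchased_or_negotiated
        and r.similar_product
        and r.opt_out_offered_at_collection
        and campaign.opt_out_address is not None  # opt-out in every subsequent message
    )


def may_send(recipient: Recipient, campaign: Campaign,
             suppression: Set[str]) -> Tuple[bool, str]:
    """Return (allowed, reason). Rules that apply to every recipient are checked first."""
    if not campaign.sender_identified or not campaign.opt_out_address:
        return False, "message must identify the sender and carry a valid opt-out address"
    if normalise(recipient.email) in suppression:
        return False, "recipient is on the do-not-contact list"
    if recipient.kind is RecipientType.CORPORATE_BODY:
        return True, "corporate body: no prior consent required under PECR (UK GDPR still applies)"
    if has_valid_consent(recipient, campaign):
        return True, "individual: affirmative consent on record for this scope"
    if soft_opt_in_applies(recipient, campaign):
        return True, "individual: soft opt-in conditions all met"
    return False, "individual: no valid consent and soft opt-in does not apply"


if __name__ == "__main__":
    # Constructed sample data.
    newsletter = Campaign("newsletter", sender_identified=True, opt_out_address="unsub@example.com")
    suppression: Set[str] = set()
    customer = Recipient("c@example.net", RecipientType.INDIVIDUAL,
                         relationship=CustomerRelationship("c@example.net", True, True, True))
    print(may_send(customer, newsletter, suppression))
    record_opt_out(suppression, " C@Example.net ")
    print(may_send(customer, newsletter, suppression))
```

The ordering in `may_send` matters: the sender-identification and opt-out checks and the suppression screen apply regardless of audience, so they run before the individual/corporate split, and a suppressed address blocks a send even when valid consent or a soft opt-in exists.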
Enforcement: the ICO’s powers (no figure printed)
The ICO is the UK regulator for PECR and UK GDPR. It can investigate, issue enforcement notices requiring a sender to stop or change a practice, and impose monetary penalties for serious contraventions, alongside other regulatory action.
We do not print a specific PECR penalty ceiling on this page. The maximum figure in wide circulation was not confirmed against an ICO primary source at the time of writing, and serious data-protection failures connected to marketing can additionally be pursued under UK GDPR on a separate footing. Rather than state a number we could not verify, we describe the powers qualitatively and recommend checking the ICO’s current enforcement guidance for the applicable maxima.
Watch item: the Data (Use and Access) Act 2026 received Royal Assent on 19 June 2026, with provisions coming into force. It may amend PECR’s marketing rules. Senders should verify whether the amendments have taken effect for their use case.
Common confusion
- “PECR has a 10-day rule like the US.” No - it requires acting promptly, with no statutory day count.
- “Soft opt-in covers any existing contact.” Only your own customers who bought or negotiated a similar product, with opt-out offered at collection and in every message.
- “B2B is always fine in the UK.” Corporate bodies can be emailed without consent, but UK GDPR data duties still apply, and individuals/sole traders are not “corporate bodies.”
- “PECR is all I need to worry about.” PECR and UK GDPR apply together.
What Egressif does, and what stays with you
Egressif supplies the enforcement plumbing PECR cares about: authenticated, non-concealed sender identity (SPF/DKIM/DMARC), a valid opt-out path, a suppression list applied on receipt so a “do not contact” request is honored promptly rather than on a vague timeline, and durable consent and unsubscribe records that feed the UK GDPR accountability principle. What stays with you is the lawful basis itself - holding genuine opt-in consent or a valid soft opt-in, deciding whether a recipient is an individual or a corporate body, and confirming any post-2026 PECR amendments with counsel. We make your handling provable; we do not decide your legal basis for you.