UK Email Marketing Law: PECR, UK GDPR, and What They Mean for You
There are two separate laws governing commercial email in the UK, and most businesses only think about one of them. Here's how they work together - and where things go wrong.

Two laws, not one
GDPR gets all the attention. But for the actual mechanics of sending commercial email, the Privacy and Electronic Communications Regulations 2003 - PECR - is the one that matters most. Get it wrong on either and the ICO can come for you. Get it wrong on PECR specifically and fines can hit £500,000.
Most UK businesses focus on their privacy policy and consent banners, then assume they're covered. They're often not. PECR has specific rules about commercial electronic communications that go beyond what UK GDPR requires on its own.
What PECR actually says
PECR covers direct marketing by electronic means. The core rule for email: you need prior consent before sending marketing messages to individuals, including sole traders. Prior consent means a genuine opt-in - specific, informed, not pre-ticked, not buried in the terms of service.
There's one important exception called the soft opt-in. If you collected someone's email address during a transaction, you can keep emailing them about similar things without asking for fresh consent - as long as you gave them an obvious opt-out at the time and in every message since. This only applies to existing customers though. It doesn't stretch to bought lists or cold prospecting.
Where UK GDPR comes in
UK GDPR sits on top of PECR. Even where PECR says you can send, UK GDPR governs how you collected the data, how long you keep it, and what rights people have over it.
You need a documented lawful basis - and not just on paper. You need to be able to show what that basis was, when consent was given, and how. Switching basis after someone complains isn't allowed. The ICO views that as retroactive justification and it doesn't help you.
For B2C marketing the lawful basis under UK GDPR is almost always consent, which has to match the PECR standard anyway. For transactional email it's contract. For B2B it's typically legitimate interests - but again, you have to document it.
What valid consent actually looks like
The ICO has been pretty explicit about this. A compliant opt-in needs:
- An unticked checkbox - pre-ticked doesn't count as consent under either law
- Separation from your terms of service acceptance - bundling is not allowed
- A specific statement naming who'll be sending emails
- Granularity - separate consent for different types of marketing if you send both
And you need records. Timestamp, source, what was consented to. If someone complains and you can't demonstrate consent was properly obtained, you're already in a weak position even if you believe you did everything right.
Unsubscribes are non-negotiable
Every marketing email needs a working opt-out. Not hidden, not complicated - just there and functional. When someone uses it, you stop sending. Continuing to email after an unsubscribe is a PECR breach and it's one of the most common reasons the ICO gets complaints. Process unsubscribes same-day where possible.
This sounds obvious but the failure mode is usually technical - an unsubscribe link that works on the platform but doesn't sync back to the CRM, or a suppression list that isn't checked before a manual send. Test it. Actually go through the process yourself.
List hygiene as a legal matter, not just deliverability
The UK GDPR accuracy principle says you're supposed to keep personal data accurate and up to date. For email lists, repeatedly sending to addresses that hard-bounce is an indication you're holding inaccurate data. The ICO can take the view that you're failing that principle.
Verifying addresses at sign-up stops bad data getting in. Running hygiene checks before big sends cleans up what's already there. It's useful protection if your practices are ever looked at - you can show you were actively maintaining data quality.
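As an added example (not from the original page or from any particular product), here is a Python send gate that encodes the checks described above: the suppression list wins over everything, hard-bouncing addresses are treated as an accuracy problem, pre-ticked boxes are not consent, and the soft opt-in only applies to existing customers who were offered an opt-out at collection. The field names, scope labels and sample records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed model of a consent record with the fields the ICO expects:
# timestamp, source, and exactly what was consented to (granular scopes).
@dataclass
class ConsentRecord:
    email: str
    consented_at: datetime
    source: str                    # e.g. "signup-form", "checkout" (constructed labels)
    scopes: frozenset              # marketing types the person actually opted in to
    pre_ticked: bool = False       # pre-ticked boxes are not consent under either law
    existing_customer: bool = False  # soft opt-in only covers existing customers
    opt_out_offered: bool = False  # soft opt-in also requires an opt-out at collection

def can_send(rec, scope, suppressed, hard_bounces, bounce_limit=3):
    """Return (allowed, reason). Unsubscribes are checked first so they always win."""
    addr = rec.email.lower()
    if addr in suppressed:
        return False, "unsubscribed"
    if hard_bounces.get(addr, 0) >= bounce_limit:
        return False, "hard-bounced: inaccurate data, remove from list"
    if rec.pre_ticked:
        return False, "pre-ticked box is not consent"
    if scope in rec.scopes:
        return True, f"consent {rec.consented_at.isoformat()} via {rec.source}"
    if rec.existing_customer and rec.opt_out_offered and scope == "similar-products":
        return True, "soft opt-in (existing customer, similar products)"
    return False, f"no consent for scope '{scope}'"

def filter_send_list(records, scope, suppressed, hard_bounces):
    """Split a list into (allowed, rejected) pairs of (email, reason) for audit logging."""
    allowed, rejected = [], []
    for rec in records:
        ok, reason = can_send(rec, scope, suppressed, hard_bounces)
        (allowed if ok else rejected).append((rec.email, reason))
    return allowed, rejected

# Constructed sample data: a suppression list, a hard-bounce counter and five records.
SUPPRESSED = {"d@example.com"}
HARD_BOUNCES = {"e@example.com": 3}
T = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    ConsentRecord("a@example.com", T, "signup-form", frozenset({"newsletter"})),
    ConsentRecord("b@example.com", T, "signup-form", frozenset({"newsletter"}), pre_ticked=True),
    ConsentRecord("c@example.com", T, "checkout", frozenset(), existing_customer=True, opt_out_offered=True),
    ConsentRecord("d@example.com", T, "signup-form", frozenset({"newsletter"})),
    ConsentRecord("e@example.com", T, "signup-form", frozenset({"newsletter"})),
]
```

Running `filter_send_list(SAMPLE_RECORDS, "newsletter", SUPPRESSED, HARD_BOUNCES)` allows only a@example.com and records a distinct rejection reason for each of the others, which is the audit trail you want if a complaint ever arrives.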
The fines side of things
ICO PECR fines currently max at £500,000. There's ongoing talk of aligning them with UK GDPR levels - which would put them up to £17.5 million or 4% of global turnover - though as of 2026 that reform hasn't happened yet.
Recent enforcement has targeted businesses that were sending without valid consent, ignoring opt-outs, and using purchased lists without proper due diligence. It's not only large organisations that get hit - the ICO has fined companies of all sizes.
Quick summary
- PECR governs the mechanics of sending - UK GDPR governs the data - both apply at the same time
- B2C marketing requires genuine opt-in consent; soft opt-in only covers existing customers
- B2B to corporate addresses needs a documented lawful basis under UK GDPR, usually legitimate interests
- Consent records need timestamps, source, and specifics - vague records don't protect you
- Unsubscribes have to work end-to-end - test the full flow, don't assume
- Hard-bouncing addresses on your list are a data accuracy problem, not just a deliverability one
- PECR fines can reach £500,000 today and may go higher