Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Email marketing can be one of the most cost-effective ways to grow your small business in the UK. But it’s also an area where privacy law gets very specific, very quickly.
If you’re collecting emails, sending newsletters, running lead magnets or using abandoned cart reminders, you’ll need to comply with UK GDPR, the Privacy and Electronic Communications Regulations (PECR), and the Data Protection Act 2018.
Don’t stress – once you understand the rules, GDPR email marketing is absolutely doable. This guide breaks down the main legal requirements in plain English and shows you the practical steps to stay compliant from day one.
What Counts As Email Marketing Under UK GDPR And PECR?
“Email marketing” isn’t just big promotional blasts. Under PECR, it covers any electronic message that promotes your products or services, or promotes your brand. That includes:
- Newsletters with offers or updates that encourage sales
- Welcome series, onboarding or nurture sequences for prospects
- Abandoned cart reminders and win-back campaigns
- Cross-sell/upsell messages to existing customers
- Refer-a-friend campaigns and affiliate promotions
Transactional emails (for example, order confirmations, password resets, service notifications you must send to deliver what the customer bought) are usually outside PECR’s “marketing” rules, but they still involve personal data – so GDPR applies. If you include promotional content inside a transactional message, PECR rules can bite.
As a UK business, you must comply with:
- UK GDPR and the Data Protection Act 2018 – sets the general data protection framework (lawful basis, transparency, rights, security, accountability).
- PECR – adds specific rules for direct marketing by email, SMS and cookies/online tracking.
- ICO guidance – the regulator’s interpretation of GDPR/PECR that informs enforcement.
Lawful Bases For GDPR Email Marketing: Consent, Legitimate Interests And Soft Opt-In
Every email you send must have a lawful basis under GDPR, and if it’s marketing, you also need to satisfy PECR. For most small businesses, that typically means one of the following routes.
1) Consent (The Gold Standard For Cold Prospects)
Consent must be freely given, specific, informed and unambiguous – usually captured through a clear opt-in checkbox (not pre-ticked) with concise wording explaining what the subscriber will receive. If you rely on consent:
- Keep records (who consented, when, how, and what they were told).
- Make withdrawing consent as easy as giving it (one-click unsubscribe).
- Don’t bundle consent with other terms or make it a condition of buying unless necessary.
2) Legitimate Interests (Limited, Fact-Specific Use)
In some cases, marketing to existing contacts may be justified under legitimate interests – but because PECR imposes stricter rules for email marketing, legitimate interests alone won’t allow you to email individuals for promotional purposes unless the PECR “soft opt-in” applies (see below). If you consider legitimate interests, carry out and document a Legitimate Interests Assessment (LIA) to balance your interests against the individual’s privacy rights.
3) The PECR Soft Opt-In (Existing Customer Exception)
PECR allows you to send email marketing to existing customers without fresh consent if all of the following are true:
- You obtained the recipient’s email during a sale (or negotiations to sell) a product or service to them.
- You’re marketing similar products or services to your own (not a partner’s).
- You gave the person a clear opportunity to opt out at the point of data collection and in every subsequent email.
Handled properly, the soft opt-in is very useful for SMEs. But it’s easy to misapply – for instance, it won’t cover cold prospecting or emailing people who downloaded a free eBook unless you clearly negotiated a sale.
For cold leads or when in doubt, stick to consent. If you’re still deciding which route fits, it can help to review your approach against the broader email marketing laws that sit alongside GDPR and PECR.
Practical Requirements For Sign-Ups, Emails And Unsubscribes
Once you’ve picked a lawful basis, the next step is getting the execution right – from your sign-up forms to the footer of every message.
Sign-Up Forms And Transparency
- Explain what people are signing up for (e.g. “Weekly emails with tips, offers and product updates”).
- Link to your Privacy Policy and keep it consistent with how you use data for marketing (sources, purposes, lawful bases, retention, rights, and contact details).
- Use unticked checkboxes for consent and separate marketing consent from other consents (e.g. terms acceptance).
- Avoid making consent a condition for buying unless strictly necessary for the service.
Email Content Requirements
- Identify your business clearly (trading name, contact details).
- Include a clear, functioning unsubscribe link in every marketing email.
- Respect opt-outs without delay (you should action them as soon as possible).
- Don’t disguise or mislead in subject lines or From fields.
Unsubscribes And Preference Centres
Make opting out easy. A single-click unsubscribe meets expectations; forcing login or multiple steps does not. If you use a preference centre, ensure that total opt-out is obvious – and if someone opts out, you can keep a minimal “suppression list” to avoid future sends.
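To show how the lawful-basis routes above (consent and the PECR soft opt-in) and the unsubscribe/suppression rules translate into a single send-time check, here is an added example in Python. It is not code from this guide or from Sprintlaw; the class and function names, and the sample contacts at the bottom, are assumptions constructed for illustration. It encodes only the conditions stated on this page: a consent record holding who, when, how and what they were told; the three soft opt-in conditions; a suppression list consulted before anything else; and the identity and unsubscribe requirements for every marketing email.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    """Who consented, when, how, and what they were told (hypothetical structure)."""
    given_at: datetime
    method: str          # e.g. "website form, unticked checkbox"
    wording: str         # the text shown next to the checkbox
    withdrawn_at: Optional[datetime] = None

    def is_valid(self) -> bool:
        # Consent that has been withdrawn is no longer a basis for sending
        return self.withdrawn_at is None


@dataclass
class SoftOptInRecord:
    """Facts supporting the PECR soft opt-in for an existing customer (hypothetical)."""
    obtained_during_sale: bool           # email collected during a sale or sale negotiation
    opt_out_offered_at_collection: bool  # clear chance to opt out when the email was collected


@dataclass
class Contact:
    email: str
    consent: Optional[ConsentRecord] = None
    soft_opt_in: Optional[SoftOptInRecord] = None


@dataclass
class Campaign:
    sender_identity: str                 # trading name and contact details shown in the email
    unsubscribe_link: Optional[str]      # one-click unsubscribe; must be present
    promotes_own_similar_products: bool  # soft opt-in covers only your own similar products


def normalise(email: str) -> str:
    return email.strip().lower()


def campaign_problems(campaign: Campaign) -> list:
    """Content checks that apply to every marketing email, whatever the lawful basis."""
    problems = []
    if not campaign.sender_identity.strip():
        problems.append("sender identity missing")
    if not campaign.unsubscribe_link:
        problems.append("unsubscribe link missing")
    return problems


def lawful_basis(contact: Contact, campaign: Campaign, suppression: set) -> Optional[str]:
    """Return 'consent', 'soft opt-in', or None when neither route on this page holds."""
    if normalise(contact.email) in suppression:
        return None  # opted out: never send, regardless of any earlier basis
    if contact.consent is not None and contact.consent.is_valid():
        return "consent"
    s = contact.soft_opt_in
    if (s is not None and s.obtained_during_sale and s.opt_out_offered_at_collection
            and campaign.promotes_own_similar_products):
        return "soft opt-in"
    return None


def decide_send(contact: Contact, campaign: Campaign, suppression: set):
    """Return (allowed, reason); the reason is what you log alongside the send."""
    problems = campaign_problems(campaign)
    if problems:
        return False, "campaign not compliant: " + "; ".join(problems)
    basis = lawful_basis(contact, campaign, suppression)
    if basis is None:
        return False, "no lawful basis for marketing email; do not send"
    return True, basis


def record_opt_out(email: str, suppression: set) -> None:
    """Add an address to the suppression list the moment an unsubscribe arrives."""
    suppression.add(normalise(email))


if __name__ == "__main__":
    # Constructed sample data, not real subscribers
    suppression = set()
    newsletter = Campaign("Example Ltd, 1 High St, example@example.com",
                          "https://example.com/unsubscribe?id=123", True)
    subscriber = Contact("Jane@example.com", consent=ConsentRecord(
        datetime(2024, 5, 1, tzinfo=timezone.utc), "website form, unticked checkbox",
        "Weekly emails with tips, offers and product updates"))
    customer = Contact("bob@example.com", soft_opt_in=SoftOptInRecord(True, True))
    for c in (subscriber, customer):
        print(c.email, decide_send(c, newsletter, suppression))
    record_opt_out("Jane@example.com", suppression)
    print(subscriber.email, decide_send(subscriber, newsletter, suppression))
```

The suppression check comes first on purpose: an opt-out overrides any consent or soft opt-in that was valid earlier, which is the "respect opt-outs without delay" rule in code. Partner promotions fail the soft opt-in branch because `promotes_own_similar_products` is false, so such a contact falls through to "do not send" unless they gave explicit consent.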
B2B vs B2C, Purchased Lists And Common Pitfalls
B2B email marketing has slightly different PECR rules, but GDPR still applies. The safe approach is to assume the same standards of transparency and respect for rights.
B2B Emails (Corporate Subscribers)
PECR distinguishes between “corporate subscribers” (e.g., info@company.com or named employees at corporate entities) and “individual subscribers” (consumers/sole traders/partnerships). You can generally send marketing to corporate subscribers without prior consent, provided you identify yourself and offer an opt-out in every message. However:
- GDPR still applies if a message identifies a living person (most B2B emails do), so you need a lawful basis and a clear privacy notice.
- Cold B2B outreach requires careful legitimate interests balancing and tight targeting aligned to the recipient’s role and expectations.
Purchased Or “Rented” Lists
Buying email lists is very high risk. You’re unlikely to have valid consent for your specific marketing, and you can’t rely on third-party assurances if the original notice didn’t clearly cover your use. Avoid purchased lists – build your own with compliant opt-ins.
Lead Magnets And Competitions
If you run a downloadable guide or giveaway, make sure entry is not conditional on unrelated marketing unless you clearly obtain consent for marketing. Keep the messaging honest: entering a prize draw isn’t the same as agreeing to ongoing promotional emails.
Affiliate And Refer-A-Friend Campaigns
If you encourage customers to refer friends by entering their emails, don’t email those friends unless you can lawfully do so (e.g., consent or applicable soft opt-in). Consider structuring campaigns so the friend signs up themselves through your compliant form.
Managing Data, Vendors And Tracking: Retention, Rights, Cookies And Transfers
GDPR compliance isn’t just about opt-ins. You also need to manage personal data responsibly across your tools and processes.
Data Retention And Minimisation
Keep personal data only for as long as you need it. Set a retention schedule for marketing lists (for example, remove inactive subscribers after a defined period) and document your approach. If you’re reviewing your policy, this guide to data retention can help you shape practical timelines.
Data Subject Rights (Access, Erasure, Objection)
People have rights to access their data, ask for corrections, object to direct marketing and request deletion. You must respond within one month. Train your team on spotting requests (even if they arrive via social or a simple email) and keep a clear process – including how you’ll meet subject access request deadlines.
Third-Party Email Platforms And Processors
If you use an email service provider or CRM, they are your data “processors”. You must have a compliant Data Processing Agreement in place that sets out instructions, security, sub-processing, audits and breach assistance. Review your vendor’s locations – if data is transferred outside the UK, you may need safeguards such as the UK IDTA or Addendum to the EU SCCs and assess the transfer risks.
Tracking Pixels, Analytics And Cookies
PECR requires consent for non-essential cookies and similar technologies – which commonly includes marketing pixels, tracking for open rates, click-throughs and website analytics. In practice, that means:
- Deploy a compliant banner and consent mechanism before setting non-essential cookies.
- Offer a clear choice to accept or reject non-essential cookies.
- Explain your use in a transparent Cookie Policy and keep it aligned with your banner.
If you’re updating your website controls, a step-by-step on cookie banners that comply is a helpful place to start.
Security And Accountability
Apply appropriate technical and organisational measures: role-based access, two-factor authentication for your email platform, suppression lists for opt-outs, and periodic list hygiene. Keep records of consent and legitimate interests assessments. If you suffer a breach that risks people’s rights, you may need to notify the ICO and affected individuals.
Essential Documents To Put In Place
Getting your paperwork right isn’t about red tape – it’s how you prove compliance if the ICO asks questions and how you earn trust with your audience.
Privacy Policy
Your Privacy Policy should clearly cover your marketing activity: what you collect, how you use it, your lawful bases (consent, legitimate interests, soft opt-in conditions), retention, rights, vendors, and international transfers. Make it accessible from every sign-up form and in your email footer. If you need a robust, tailored version, we can prepare a GDPR-compliant Privacy Policy for your business.
Cookie Policy And Consent Controls
Explain the cookies and tracking technologies you use (including email pixels and analytics) and provide a way to change preferences at any time through your Cookie Policy and consent tools.
Data Processing Agreement (DPA)
Put a strong Data Processing Agreement in place with your email service provider, CRM and any other marketing vendors handling personal data on your behalf.
Internal Playbook For Marketing Compliance
Document how you collect consent, handle unsubscribes, perform LIAs, respond to rights requests, and manage suppression lists. This can sit alongside your privacy notice and cookie documentation to show accountability in practice.
Optional: Data Sharing Agreement
If you lawfully share marketing data with a partner (for example, co-branded webinars where you both contact sign-ups), clarify roles, purposes and responsibilities in a Data Sharing Agreement. Make sure your sign-up notice clearly tells people who will contact them and gives separate consent options if needed.
Training And Audits
Train your team on opt-ins, PECR rules, unsubscribes and spotting rights requests. Schedule periodic audits to check templates, banners and automations still match your notices and lawful bases.
Key Takeaways
- PECR and UK GDPR apply together: PECR sets stricter rules for email marketing, while GDPR covers the broader data protection framework.
- For cold prospects, use valid consent. For existing customers, the PECR soft opt-in may apply if you meet all conditions and always offer an opt-out.
- Make your sign-up forms crystal clear, link to a GDPR-compliant Privacy Policy, and keep records of consent and legitimate interests assessments.
- Include your identity and a one-click unsubscribe in every marketing email, and act on opt-outs promptly.
- Be cautious with B2B outreach: PECR is more permissive for corporate subscribers, but GDPR still applies and you must honour opt-outs.
- Avoid purchased lists. Build your own compliant database through transparent sign-ups and honest value exchanges.
- Manage the full lifecycle: set sensible data retention periods, respond to rights requests within the one-month deadline, and have a DPA with your email/CRM vendor.
- Don’t forget cookies and pixels: use a compliant banner, get consent for non-essential tracking, and keep your Cookie Policy up to date.
If this all feels like a lot to juggle, that’s completely normal – and it’s exactly where we can help. Our team can draft or update your Privacy Policy, set up DPAs, and review your sign-up flows and email templates so your GDPR email marketing is both compliant and effective.
If you’d like help with your email marketing compliance, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.


