Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, marketing is how you grow. But if you’re collecting email addresses, sending newsletters, running SMS campaigns, or using cookies to retarget visitors, you’re also handling personal data.
That’s where GDPR marketing consent becomes a practical, day-to-day compliance issue - not just a legal buzzword. If you get it wrong, you risk complaints, reputational damage, and regulator attention. If you get it right, you can market confidently and build trust with customers.
This guide breaks down what marketing consent means under the UK GDPR and related rules, when you actually need consent (and when you don’t), and what steps you can take to keep your marketing compliant as your business scales.
What Is “Marketing Consent” (And Why Does It Matter For Small Businesses)?
When people talk about “marketing consent”, they’re usually talking about permission to send someone promotional messages - and in the UK, that permission sits across two key areas:
- Data protection rules (UK GDPR and the Data Protection Act 2018), which govern how you collect and use personal data.
- Electronic marketing rules (Privacy and Electronic Communications Regulations 2003, commonly called “PECR”), which govern marketing by email, text, and certain types of phone calls, plus cookies and similar tracking.
For small businesses, the common trap is assuming it’s enough to have a box on a form that says “I agree to marketing”. In reality, consent has to meet a standard. And depending on the channel (email vs SMS vs phone) you might need consent under PECR even if you think you have a lawful basis under GDPR.
Getting marketing consent right matters because it helps you:
- Reduce legal risk (complaints to the ICO, enforcement action, and the cost of fixing things later).
- Improve engagement (people who genuinely opt in are more likely to open and click).
- Protect your brand (spam complaints can hurt reputation and deliverability).
- Build customer trust, which is a competitive advantage for smaller businesses.
Which UK Laws Govern GDPR Marketing Consent?
In the UK, marketing consent is usually a “two-layer” question. You need to think about:
1) UK GDPR (And The Data Protection Act 2018)
The UK GDPR governs how you process personal data. This includes things like:
- email addresses
- phone numbers
- names and contact details
- customer profiles and purchase history
- online identifiers (like cookie IDs)
Under the UK GDPR, you must have a lawful basis for processing personal data for marketing. Consent is one lawful basis, but it’s not the only one (more on this below).
You also need to comply with broader principles like transparency, data minimisation, and storage limitation - typically handled through clear privacy information and internal processes. Many businesses cover the basics through a properly drafted Privacy Policy.
2) PECR (Privacy And Electronic Communications Regulations)
PECR sits alongside the UK GDPR and is especially important for small businesses doing direct marketing.
PECR includes rules about:
- email marketing (including most newsletters)
- SMS/text marketing
- certain phone marketing (including live calls and automated recorded messages)
- cookies and similar technologies used for analytics and advertising
In many cases, you can’t just pick “legitimate interests” under GDPR and assume you’re covered. PECR may still require opt-in consent for electronic marketing to individuals.
So, when you’re thinking about marketing consent under GDPR, you’re really thinking about aligning GDPR and PECR.
When Do You Need Consent For Marketing (And When Can You Use Legitimate Interests)?
This is the part most business owners want clarity on: do we actually need consent every time we send marketing?
The honest answer is: it depends on (1) who you’re messaging and (2) the channel you’re using.
Email And SMS Marketing To Individuals (Consumers, Sole Traders, Some Partnerships)
As a general rule, if you’re sending marketing emails or texts to individuals, you’ll need opt-in consent under PECR, unless an exception applies.
That exception is commonly called the soft opt-in, which can allow you to email existing customers in limited circumstances (covered below).
Even where PECR requires consent, you still need a lawful basis under GDPR for the processing. In practice, where you’re relying on PECR consent, your GDPR lawful basis is often also consent (because it keeps things consistent and clearer).
Marketing To Corporate Subscribers (Most Limited Companies)
For emails to a corporate subscriber (for example, a limited company), PECR is generally less restrictive than marketing to individuals - and opt-in consent is not always required.
But be careful: lots of B2B marketing still involves personal data, for example firstname.lastname@company.co.uk. That’s personal data under the UK GDPR because it identifies an individual.
So even if PECR is less strict for corporate subscribers, GDPR still applies. You may be able to rely on legitimate interests for B2B marketing in many cases, but you must:
- show the marketing is proportionate and expected
- give a clear opt-out (and honour it)
- avoid using misleading or overly intrusive tactics
- document your reasoning (often via a legitimate interests assessment)
Phone Marketing
Phone marketing has its own set of rules, including preference services (like TPS/CTPS), how you handle objections, and separate rules for live calls vs automated recorded messages. If phone outreach is part of your sales process, it’s worth tightening your scripts and processes so your team doesn’t accidentally cross the line.
Many businesses start by aligning their practices with guidance on business calls, especially where staff are collecting details live on the phone.
The Soft Opt-In: A Useful Exception (If You Meet The Conditions)
The soft opt-in is a practical way for small businesses to market to existing customers without needing fresh opt-in consent every time - but only if you tick the right boxes.
In broad terms, the soft opt-in may apply if:
- you got the customer’s contact details during a sale (or negotiations for a sale)
- you’re marketing your own similar products or services
- you gave a clear chance to opt out when you collected the details
- you include an opt-out in every message
If you’re stretching any of these (for example, marketing unrelated services, or emailing people whose details you bought in), it’s time to slow down and get advice - because soft opt-in is not a “free pass”.
How Do You Collect Valid GDPR Marketing Consent?
If you do need consent, the next question is: what does “valid consent” actually look like?
For GDPR marketing consent to be valid, it generally needs to be:
- Freely given (no pressure, no unfair “take it or leave it” where it’s not necessary)
- Specific (not vague or bundled into unrelated terms)
- Informed (people understand what they’re agreeing to)
- Unambiguous (a clear affirmative action - not silence or pre-ticked boxes)
- Easy to withdraw (and you must honour withdrawal promptly)
Practical Ways To Get Compliant Consent
Here are consent collection methods that are usually workable for small businesses:
- Unticked opt-in box on checkout forms and enquiry forms (with clear wording).
- Two-step confirmation for newsletter sign-ups (often called “double opt-in”). It’s not always legally required, but it’s strong evidence of consent.
- Preference centres where subscribers choose the type of marketing they want (promotions, product updates, events, etc.).
What Your Consent Wording Should Cover
Your wording should be simple and specific. You want the person to understand:
- who will be sending marketing (your trading name and/or company name)
- what they’ll receive (newsletter, offers, product updates)
- how you’ll contact them (email, SMS, phone - ideally separate options)
- that they can opt out anytime
For many businesses, the safest approach is to separate consent by channel, for example:
- one tick box for email
- one for SMS
- one for phone
This avoids a common issue where someone thought they were agreeing to emails, but you also start sending texts.
If you’re not sure your wording hits the right standard, getting it checked early can save you headaches later - especially if you’re collecting sign-ups at scale or running paid ad funnels. Many businesses choose to tighten their forms through a consent wording review.
Consent + Transparency: Don’t Forget The Privacy Information
Consent does not replace transparency. Even with a perfectly drafted opt-in box, you still need to tell people what you’re doing with their data, including:
- why you’re collecting it
- how long you’ll keep it
- who you’ll share it with (for example, email marketing platforms)
- their rights (including how to withdraw consent)
This is usually handled by linking to your privacy information at the point you collect data (for example, a link under your sign-up form).
Cookies, Tracking And Retargeting: Do You Need Consent For Marketing Cookies?
If your marketing involves tracking users on your website - for example, retargeting ads, conversion tracking, or behavioural analytics - you need to think about cookie consent too.
Under PECR, you generally need consent for non-essential cookies. “Non-essential” commonly includes:
- advertising and retargeting cookies
- many analytics cookies (depending on how they’re configured)
- personalisation cookies
Essential cookies (like those required to make checkout work or keep users logged in) can usually be used without consent, but you should still explain them.
A practical way to manage this is to implement:
- a cookie banner with genuine choices (accept / reject / manage)
- cookies blocked until consent is given (where required)
- clear website disclosures through a Cookie Policy
For small businesses, the risk isn’t just “having a banner” - it’s whether the banner actually works the way it claims to, and whether your marketing tags fire before consent.
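One way to make sure non-essential tags cannot fire before a decision is to register them against a consent category and only run them once that category is accepted. The snippet below is an added example, not code from Sprintlaw or from any consent platform; the category names, the queued "tags" and the self-check are constructed for illustration.

```javascript
// Added example (not from the article): gating non-essential tags behind
// consent. Categories, tag names and the run() callbacks are constructed.

const CATEGORIES = ["analytics", "advertising", "personalisation"];

// Tags queued by category; nothing here may run before a decision is made.
const pendingTags = { analytics: [], advertising: [], personalisation: [] };
const firedTags = [];   // audit trail of what actually ran, in order
let consent = null;     // null = no decision yet (banner still showing)

// Marketing code registers a tag here instead of calling it directly.
function registerTag(category, name, run) {
  if (!CATEGORIES.includes(category)) throw new Error("unknown category " + category);
  pendingTags[category].push({ name, run });
  // Fire straight away only if the user has already accepted this category.
  if (consent && consent[category]) flush(category);
}

function flush(category) {
  for (const tag of pendingTags[category].splice(0)) {
    tag.run();
    firedTags.push(tag.name);
  }
}

// Banner callback. choices is e.g. { analytics: true, advertising: false }.
// Anything not explicitly accepted stays off, so "reject" and "manage" work
// the same way: untouched categories are treated as refused.
function applyConsent(choices) {
  consent = {};
  for (const c of CATEGORIES) consent[c] = choices[c] === true;
  for (const c of CATEGORIES) {
    if (consent[c]) flush(c);
    else pendingTags[c].length = 0;   // drop queued tags; never run them
  }
  return { ...consent };
}

// Self-check for the risk the article describes: did any tag fire while the
// banner was still open? Should always be false.
function tagsFiredBeforeConsent() {
  return consent === null && firedTags.length > 0;
}

function firedTagNames() {
  return firedTags.slice();
}
```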
How Do You Manage Marketing Consent Over Time (Records, Opt-Outs, And Third Parties)?
Collecting consent is only step one. Staying compliant means you need systems that keep working after the first sign-up.
Keep Proper Consent Records
If someone complains, you’ll want to be able to show:
- when and how they consented
- what they were told at the time (the wording)
- what exactly they consented to (email/SMS/phone)
- whether and when they withdrew consent
This doesn’t have to be complicated. Many email marketing tools store basic consent logs, but you need to configure them properly and avoid overwriting records when you update contact lists.
Make Opt-Out Easy (And Actually Honour It)
Every marketing email should include a clear unsubscribe link, and the process should be quick and free.
For SMS marketing, provide a simple STOP mechanism.
And importantly: when someone opts out, don’t delete their details entirely if you need to maintain a suppression list (a list of people you must not contact). Keeping minimal details for suppression is often necessary to ensure you don’t re-add them later.
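The record-keeping and opt-out points above can be put together as a small consent ledger: per-channel consent events with the wording and time, withdrawals that add a suppression entry instead of deleting the contact, and list imports that merge rather than overwrite. This is an added example, not Sprintlaw's code or any particular email platform's API; the contact details, wording and timestamps are constructed samples.

```javascript
// Added example (not from the article): an in-memory consent ledger with
// per-channel records, withdrawal handling and a suppression list.
// Contacts, wording and timestamps are constructed for illustration.

const CHANNELS = ["email", "sms", "phone"];
const records = new Map();      // contact -> append-only list of consent events
const suppression = new Set();  // "contact|channel" pairs that must not be messaged

const norm = (contact) => contact.trim().toLowerCase();
const key = (contact, channel) => norm(contact) + "|" + channel;

function append(contact, event) {
  const events = records.get(norm(contact)) || [];
  events.push(event);
  records.set(norm(contact), events);
}

// Record what the person agreed to, when, from which form and with what wording.
// A fresh opt-in given directly (e.g. on your own form) lifts an earlier opt-out.
function recordConsent(contact, channel, source, wording, when) {
  if (!CHANNELS.includes(channel)) throw new Error("unknown channel " + channel);
  append(contact, { type: "granted", channel, source, wording, when });
  suppression.delete(key(contact, channel));
}

// Withdrawal keeps the history and adds a suppression entry rather than
// deleting the contact, so a later list upload cannot silently re-add them.
function withdrawConsent(contact, channel, when) {
  append(contact, { type: "withdrawn", channel, when });
  suppression.add(key(contact, channel));
}

// Bulk imports merge with existing history and never revive a suppressed
// contact; returns how many rows were skipped for that reason.
function importList(rows) {
  let skipped = 0;
  for (const r of rows) {
    if (suppression.has(key(r.contact, r.channel))) { skipped++; continue; }
    recordConsent(r.contact, r.channel, r.source, r.wording, r.when);
  }
  return skipped;
}

// Marketing on this channel is allowed only with a current grant and no suppression.
function canSend(contact, channel) {
  if (suppression.has(key(contact, channel))) return false;
  const forChannel = (records.get(norm(contact)) || []).filter((e) => e.channel === channel);
  const last = forChannel[forChannel.length - 1];
  return !!last && last.type === "granted";
}

// Evidence you can produce if someone complains: every event held for the contact.
function consentHistory(contact) {
  return (records.get(norm(contact)) || []).slice();
}
```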
If You Use Agencies Or Marketing Platforms, Get The Contracting Right
Many small businesses outsource marketing - which is completely normal. But if a third party processes personal data on your behalf (like an email marketing provider, CRM, lead capture tool, or marketing agency), you may need a GDPR-compliant contract in place.
In many situations, that contract is a Data Processing Agreement (sometimes handled as part of broader supplier terms).
This matters because if something goes wrong (for example, a data breach, unlawful list usage, or unclear responsibilities), you’ll want the paperwork to clearly set out:
- who does what with the data
- security obligations
- sub-processor rules
- assistance with data subject rights requests
- deletion/return of data at the end of the engagement
Be Careful With Bought Lists And Scraped Data
Buying a list can look like a shortcut when you’re trying to grow quickly - but it’s one of the fastest ways to create GDPR and PECR problems.
Common issues include:
- no valid opt-in consent for your business specifically
- people having no idea who you are (higher complaint rates)
- poor record-keeping, making it hard to prove consent
- inaccurate data (which is itself a GDPR issue)
If you want to scale lead generation, it’s usually safer to invest in compliant list-building strategies (lead magnets, events, referrals, partnerships) and make sure the consent journey is clear from day one.
Train Your Team (So Compliance Is Consistent)
Even with great policies, a lot of compliance comes down to what happens in day-to-day operations:
- what staff say on calls
- how enquiry forms are handled
- how spreadsheets get uploaded to email tools
- how opt-outs are recorded and respected
A short internal process document (and basic training for anyone handling sales/marketing) can prevent accidental breaches that often happen when you’re busy.
Key Takeaways
- GDPR marketing consent isn’t just about a tick box - it’s about meeting the UK GDPR standard for valid consent and following PECR rules for electronic marketing.
- For marketing emails and SMS to individuals, you’ll often need opt-in consent unless the soft opt-in applies (and you meet all its conditions).
- For B2B marketing, you may be able to rely on legitimate interests in some cases, but you still need transparency, a clear opt-out, and good records.
- Consent must be freely given, specific, informed, unambiguous, and easy to withdraw - and you should keep evidence of it.
- Cookies and retargeting are part of marketing compliance too, and non-essential cookies usually require consent under PECR.
- If you use marketing platforms or agencies, make sure the contracts and responsibilities are clear (often through a Data Processing Agreement).
- Getting your consent and privacy set-up right early helps you market confidently and protects your business as it grows.
If you’d like help reviewing your marketing consent flows, privacy wording, cookie compliance, or GDPR contracts, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.