Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you’re using email lists, SMS, social media pixels, or CRM tools to find and keep customers, GDPR marketing rules apply to you. The good news? With a clear plan around consent, transparency and record‑keeping, you can run effective campaigns while staying compliant.
In this guide, we break down what UK GDPR and the Privacy and Electronic Communications Regulations (PECR) mean for small businesses doing marketing in the UK. We’ll cover consent (including the soft opt‑in), legitimate interests, cookies and remarketing, working with agencies and SaaS tools, and a step‑by‑step compliance checklist you can action today.
What Is GDPR Marketing And Who Does It Apply To?
“GDPR marketing” is shorthand for applying UK data protection law to promotional activity that involves personal data. In the UK, the key legal pillars are the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and PECR for electronic marketing (emails, texts, calls and cookies).
These laws apply to most day‑to‑day small business marketing, including:
- Building email lists and sending newsletters or promotions
- Running referral programs and competitions that collect names and emails
- Using analytics, tracking pixels, and cookies for retargeting and measurement
- Uploading customer lists to platforms for custom audiences and lookalikes
- SMS campaigns and sales or marketing calls
Two questions help you decide which rules bite and how:
- Are you “processing personal data”? If you can identify a person (directly or indirectly), you are. That includes email addresses, phone numbers, cookie identifiers and device IDs.
- Is your channel electronic (email, SMS, cookies, calls)? If so, PECR sits alongside GDPR and adds extra consent rules and opt‑out rights.
From a compliance perspective, you’ll usually need to do three things well:
- Be transparent about what you’re doing and why (through clear notices and a robust Privacy Policy).
- Pick the correct lawful basis for each marketing activity (consent or legitimate interests are the common options).
- Make opt‑outs easy, honour preferences promptly, and keep records to prove what you did.
If you’re unsure whether a campaign is covered, assume the rules apply. Setting up good privacy and marketing practices from day one will protect your brand and build customer trust as you grow.
GDPR Marketing Consent: What Good Consent Looks Like
Consent is one of the core lawful bases for marketing, but it must meet a high bar under UK GDPR. “Good” consent is:
- Freely given – no bundling with terms or making a service conditional on marketing consent unless strictly necessary.
- Specific – separate consents for different channels (e.g. email vs SMS).
- Informed – short, plain‑English explanations of what people are consenting to.
- Unambiguous – an active opt‑in (e.g. the person ticks a box that starts unticked). No pre‑ticked boxes or silence.
- Easy to withdraw – simple unsubscribe links and opt‑out options that actually work.
In practical terms, that means:
- Use separate checkboxes for each marketing channel.
- Label consent clearly (e.g. “Send me occasional product updates and offers by email”).
- Link to your privacy notice at the point of collection.
- Record when, how and what someone consented to, so you can demonstrate compliance later.
How The Soft Opt‑In Works (B2C Email/SMS)
PECR allows a limited “soft opt‑in” for email and SMS marketing to existing customers, even without explicit consent. You can rely on the soft opt‑in if all of the following are true:
- You obtained the customer’s contact details during a sale or close negotiations for a sale.
- You’re marketing your own similar products or services.
- You gave a clear chance to opt out at the time you collected the details.
- You include a clear opt‑out in every message and honour it promptly.
If you want a deeper dive into the boundary lines and practical examples, it’s worth reading about the soft opt‑in and how it interacts with your GDPR obligations.
When Consent Is Required
There are many scenarios where consent is the safest (or only) option, for example:
- Sending B2C emails or SMS to people who aren’t customers and don’t meet the soft opt‑in conditions
- Setting non‑essential cookies, analytics and retargeting pixels
- Building custom audiences using customer lists on platforms like Facebook or Google
- Using sensitive or special category data for segmentation or personalised ads
If in doubt, collect consent in a way that’s easy to manage and audit across your systems. It can be tempting to “just add people to the list,” but the reputational and regulatory risks are not worth it.
Do Legitimate Interests Work For Marketing?
Yes, sometimes. Legitimate interests can be a lawful basis for certain marketing activities, but only after you do a balancing test to show your interests are not overridden by the individual’s rights and expectations. This is often called a Legitimate Interests Assessment (LIA).
As a rule of thumb, legitimate interests may be appropriate for:
- B2B marketing to corporate subscribers (work emails like jane@company.com), provided people can easily opt out
- Direct mail (postal marketing), where intrusion is lower and opt‑outs are honoured
- Minimal‑impact analytics that improve your service without tracking across sites
However, PECR still layers on top for electronic channels. For example, even if your LIA supports legitimate interests for B2B emails, you must still include opt‑outs and stop contacting anyone who unsubscribes. If you use cookies or pixels, you’ll also need consent for those non‑essential trackers regardless of your LIA.
If you’re exploring legitimate interests for email or SMS, read up on the channel‑specific email marketing laws so you don’t miss a PECR requirement.
PECR Rules For Email, SMS, Cookies And Calls
PECR is where most small businesses trip up. It sets rules for electronic marketing and cookies, with different requirements depending on the channel and who you’re contacting.
Email And SMS
- B2C: Consent or soft opt‑in, plus an unsubscribe in every message.
- B2B: You can generally contact corporate subscribers without consent, but you must include an opt‑out and stop if someone unsubscribes. Be careful with sole traders and partnerships as they’re treated more like consumers.
Telephone Marketing
- Screen numbers against the TPS/CTPS registers before calling.
- Don’t call anyone who has asked you not to call again.
- Be clear about who you are and display your number when possible.
For practicalities around recorded and live calls, it helps to understand the data protection implications of business calls, including when you need consent and how to handle recordings.
Cookies, Pixels And Analytics
- Consent is required for non‑essential cookies (ads, analytics, personalisation).
- Only strictly necessary cookies (to make the site work) can be set without consent.
- Provide clear information and equal‑weight choices (accept/reject). Don’t hide the reject option.
Your cookie banner and preference centre need to be transparent and easy to use. Dark patterns or “consent walls” risk non‑compliance. If you’re reviewing your approach, start with practical guidance on compliant cookie banners and whether your buttons make it easy to reject all cookies.
Working With Agencies, Tools And International Transfers
Most small businesses don’t do everything in‑house. You might use an email service provider, marketing automation platform, analytics tool, or a specialist agency. That’s all fine; just make sure you’ve covered the data protection basics.
Data Processor Contracts
If a vendor processes personal data on your behalf (a “processor”), you must have a written contract with specific GDPR clauses. This is commonly called a Data Processing Agreement. It sets out how data will be handled, security standards, sub‑processors, and what happens if there’s a breach.
Don’t rely on a quick sign‑up click‑through to cover your obligations. Put a proper Data Processing Agreement in place with agencies and SaaS tools that touch your customer data.
International Data Transfers
If your tools host data outside the UK (for example, in the US), check whether there’s an adequacy regulation, or whether you need the UK Addendum to the EU Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA). You should also assess the transfer risks and implement appropriate safeguards.
Transparency And Opt‑Outs Across Your Stack
Your transparency obligations don’t stop at your signup form. Make sure your Privacy Policy clearly explains what tools you use for marketing and analytics, what data you share, and how people can opt out (e.g. unsubscribe links, cookie settings, platform ad preferences). Keep your policy and cookie disclosures in sync with your actual setup.
Breach Response And Subject Rights
If something goes wrong (a list is sent to the wrong segment, an account is compromised, or a CSV is uploaded to the wrong audience), you’ll want a clear playbook. Preparing a data breach response plan and training your team will save time and stress.
And when individuals exercise their rights (access, deletion, objection to marketing), you must respond within statutory timeframes. It helps to have a simple workflow for handling a subject access request, objections and unsubscribe requests so nothing slips through the cracks.
A Practical GDPR Marketing Compliance Checklist
Prefer a straightforward action list? Here’s a practical checklist to get your marketing house in order. Tackle it step by step: each one reduces risk and boosts trust.
1) Map Your Marketing Data
- List each channel (email, SMS, ads, analytics, calls) and the tools you use.
- For each, log what personal data you collect, why, where it’s stored, and who can access it.
- Note your lawful basis for each activity (consent, legitimate interests, soft opt‑in).
2) Fix Your Notices And Consent Capture
- Refresh sign‑up forms with separate, unticked boxes per channel.
- Add short, clear consent wording and link to your Privacy Policy.
- Implement double opt‑in where appropriate (useful for proof and list quality).
- Ensure every message includes an easy unsubscribe and that it works reliably.
3) Review PECR For Your Channels
- Decide when you’ll rely on consent vs the soft opt‑in for email/SMS.
- Set up TPS/CTPS screening for calling lists and honour do‑not‑call requests.
- Audit cookie use, ensure non‑essential cookies only drop after consent, and provide a clear reject option in your banner.
4) Put The Right Contracts In Place
- Sign a Data Processing Agreement with agencies and SaaS providers that process data for you.
- Check international transfer mechanisms (IDTA/UK Addendum to SCCs) if data leaves the UK.
- Document your sub‑processor list and keep it updated.
5) Establish Rights And Retention Processes
- Set a policy for how long you keep marketing data (e.g. remove inactive subscribers after X months). For guidance, see practical tips on data retention.
- Create simple workflows for unsubscribe, objection, access and deletion requests.
- Maintain a suppression list so you don’t accidentally re‑add opted‑out contacts.
6) Train Your Team And Test Your Setup
- Run short training on consent, PECR rules and handling objections.
- Test your forms, consent logs, unsubscribe links and cookie banner regularly.
- Prepare and rehearse your data breach response plan so you know who does what.
7) Keep An Eye On Compliance Basics
- Pay your ICO fee unless exempt and keep your register details current. If you think you might qualify for an exemption, review the rules around ICO fee exemptions.
- Document your decisions: LIAs for legitimate interests, DPIAs for higher‑risk profiling or large‑scale tracking, and cookie audits.
- Re‑permission campaigns: if consent is old, unclear or you can’t evidence it, refresh it.
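The checklist steps above (consent capture with a record of when, how and what someone agreed to; the soft opt‑in conditions; the B2B corporate‑subscriber rule; a suppression list that always wins; and a retention window for inactive contacts) can be encoded as a single send‑time check. The following is an added example, not code from Sprintlaw or from any email platform: the data model, the sample contacts and the 24‑month retention window are constructed assumptions, and it assumes the opt‑out link required in every message is handled by the sending template rather than here.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple

# Constructed data model for this example (not any vendor's schema): enough
# fields to evidence consent (when, how, what) and the soft opt-in facts.


@dataclass
class ConsentRecord:
    channel: str                        # "email" or "sms" (one record per channel)
    granted_at: datetime                # when the person actively opted in
    source: str                         # where it was captured, e.g. a form URL
    wording: str                        # the exact consent text they ticked
    withdrawn_at: Optional[datetime] = None


@dataclass
class Contact:
    address: str
    audience: str                       # "b2c", or "b2b" for a corporate subscriber;
                                        # record sole traders/partnerships as "b2c"
    consents: List[ConsentRecord] = field(default_factory=list)
    collected_during_sale: bool = False          # details obtained in a sale/negotiation
    opt_out_offered_at_collection: bool = False  # clear chance to opt out at the time
    last_activity_at: Optional[datetime] = None  # drives the retention rule


@dataclass
class Campaign:
    channel: str                        # "email" or "sms"
    own_similar_products: bool          # marketing your own similar products/services


# Suppression list: anyone who unsubscribed or objected. Checked first, always wins.
SUPPRESSION_LIST: Set[str] = set()


def suppress(address: str) -> None:
    SUPPRESSION_LIST.add(address.strip().lower())


def has_valid_consent(contact: Contact, channel: str, now: datetime) -> bool:
    # Consent is channel-specific, must not be withdrawn, and must predate the send.
    return any(
        c.channel == channel and c.withdrawn_at is None and c.granted_at <= now
        for c in contact.consents
    )


def soft_opt_in_applies(contact: Contact, campaign: Campaign) -> bool:
    # All of the soft opt-in conditions must hold together; the "opt-out in every
    # message" condition is enforced by the message template, not by this check.
    return (
        contact.audience == "b2c"
        and campaign.channel in ("email", "sms")
        and contact.collected_during_sale
        and contact.opt_out_offered_at_collection
        and campaign.own_similar_products
    )


def can_send(contact: Contact, campaign: Campaign, now: datetime) -> Tuple[bool, str]:
    """Decide whether a marketing message may go to this contact, and on what basis."""
    if contact.address.strip().lower() in SUPPRESSION_LIST:
        return False, "suppressed: unsubscribed or objected"
    if campaign.channel not in ("email", "sms"):
        return False, "channel not covered by this check"
    if has_valid_consent(contact, campaign.channel, now):
        return True, "consent"
    if soft_opt_in_applies(contact, campaign):
        return True, "soft opt-in"
    if contact.audience == "b2b":
        # Corporate subscribers: permitted on legitimate interests (assumes an LIA
        # is on file) provided every message carries an opt-out.
        return True, "b2b corporate subscriber (legitimate interests, LIA on file)"
    return False, "no lawful basis for this channel"


def stale_contacts(contacts: List[Contact], now: datetime, max_inactive_months: int) -> List[str]:
    """Contacts past the retention window (the 'X months' in the checklist)."""
    cutoff = now - timedelta(days=30 * max_inactive_months)
    return [c.address for c in contacts
            if c.last_activity_at is None or c.last_activity_at < cutoff]


def demo() -> dict:
    """Constructed sample contacts; returns the decisions so they can be inspected."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    own_offers = Campaign("email", own_similar_products=True)
    partner_promo = Campaign("email", own_similar_products=False)
    alice = Contact("alice@example.com", "b2c", consents=[ConsentRecord(
        "email", datetime(2024, 1, 10, tzinfo=timezone.utc), "https://example.com/signup",
        "Send me occasional product updates and offers by email")],
        last_activity_at=datetime(2024, 5, 20, tzinfo=timezone.utc))
    bob = Contact("bob@example.com", "b2c", collected_during_sale=True,
                  opt_out_offered_at_collection=True,
                  last_activity_at=datetime(2021, 3, 1, tzinfo=timezone.utc))
    carol = Contact("carol@example.com", "b2c")       # no consent, not a customer
    dave = Contact("dave@corp.example", "b2b")
    suppress("Dave@corp.example")                    # Dave unsubscribed earlier
    return {
        "alice": can_send(alice, own_offers, now),
        "alice_sms": can_send(alice, Campaign("sms", True), now),  # email consent != SMS
        "bob_own": can_send(bob, own_offers, now),
        "bob_partner": can_send(bob, partner_promo, now),
        "carol": can_send(carol, own_offers, now),
        "dave": can_send(dave, own_offers, now),
        "stale": stale_contacts([alice, bob, carol, dave], now, 24),
    }
```

Two design points are worth noting. The suppression check runs before any lawful‑basis logic, so an opted‑out contact is blocked even if an old consent record or a re‑uploaded CSV would otherwise permit the send, which is exactly the failure the suppression list in step 5 exists to prevent. And because consent is matched per channel, Alice’s email consent does not let you text her, mirroring the “separate consents per channel” rule above.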
Key Takeaways
- UK GDPR and PECR both shape how you do marketing, so understand which applies to each channel and build compliance into your workflow.
- Consent must be freely given, specific, informed and recorded. Use opt‑in boxes per channel and make unsubscribing effortless.
- The soft opt‑in can help with B2C emails and texts to existing customers, but it has strict conditions and doesn’t cover cookies or third‑party advertising.
- Legitimate interests can work for some B2B and lower‑impact activities, but you must do and file an LIA and always honour opt‑outs.
- Cookies and pixels require clear information and consent for anything non‑essential; your banner must let users reject as easily as accept.
- Put proper contracts in place with agencies and SaaS vendors, manage international transfers, and align your Privacy Policy with what you actually do.
- Build simple processes for rights requests, retention and breach response, then train your team and test them regularly.
If you’d like help setting up GDPR‑compliant marketing foundations, from a tailored Privacy Policy to a Data Processing Agreement and channel‑specific advice, reach us on 08081347754 or team@sprintlaw.co.uk for a free, no‑obligations chat.