Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Email is still one of the most effective ways to reach customers. But in the UK, there are clear rules about when you can send marketing emails, what you must include, and how you handle customer data.
If you get it right, email marketing can drive growth while keeping you compliant and trusted. If you get it wrong, you risk fines, complaints and reputational damage.
In this guide, we’ll walk through the essentials of sending marketing emails legally in the UK, from the laws that apply to opt‑ins, opt‑outs, cookies, and the documents you need in place to be protected from day one.
What Counts As Marketing Emails?
“Marketing” covers a broad range of emails, not just discount codes and newsletters. Under UK law, any email that aims to promote your goods, services, image or ideals can be considered direct marketing. That includes:
- Sales announcements, product launches and discount offers
- Event invitations, referral incentives and loyalty programme updates
- “We thought you’d like this” recommendations and upsell emails
- Surveys that include promotional content or follow-ups designed to sell
Not every business email is marketing. Service or “transactional” messages (e.g. order confirmations, delivery notices, password resets) are typically not direct marketing, so different rules apply. However, if you add promotional content to a service email, regulators may treat the whole message as marketing.
It’s helpful to categorise your email types early on (transactional vs. marketing) and apply the correct rules and templates to each. This keeps you compliant and makes your processes easier to train and scale.
Which Laws Apply In The UK?
There are two core legal frameworks that apply when you send marketing emails in the UK:
- Privacy and Electronic Communications Regulations 2003 (PECR) – rules on unsolicited marketing by email, SMS and calls, including consent requirements and the “soft opt‑in”.
- UK GDPR and the Data Protection Act 2018 – rules on how you collect, use, share and secure personal data, plus individuals’ rights (access, deletion, objection to marketing, etc.).
PECR answers “can I send this email to this person?” UK GDPR answers “how do I process their data lawfully, fairly and transparently?” You need to comply with both.
Other important touchpoints include:
- Information Commissioner’s Office (ICO) registration and fees – most organisations processing personal data must pay the ICO fee unless exempt.
- Consumer law – ensure offers and claims in your emails are fair, accurate and not misleading (for example, pricing and promotions must be clear).
- E‑privacy and cookies – if your emails or links rely on tracking technologies (e.g. tracking pixels, cookies on your site), additional rules apply.
If you’re unsure whether your activities require paying the ICO fee, it’s worth checking the guidance and considering whether an exemption applies. If you do process personal data for marketing, you’ll usually need to pay the ICO fee.
Consent, Soft Opt-In And Legitimate Interests
Under PECR, sending marketing emails to individuals (including sole traders and some partnerships) generally requires consent, unless the “soft opt‑in” applies. For corporate subscribers (e.g. most limited companies), you usually can send marketing without prior consent, but you must still offer an easy opt‑out and comply with UK GDPR.
When Do You Need Consent?
Consent must be freely given, specific, informed and unambiguous, given by a clear affirmative action (no pre-ticked boxes). You should be able to demonstrate that consent was obtained and what the individual was told at the time.
Consent is typically required when you want to email new individual subscribers who have not bought from you or clearly opted in. Purchased email lists are risky (often unlawful under PECR) and rarely meet UK GDPR standards.
What Is The Soft Opt‑In?
The soft opt‑in allows you to send marketing emails to existing customers without express consent if all of the following are true:
- You obtained the recipient’s email during a sale (or negotiations for a sale) of a product or service to them.
- You’re marketing your own similar products or services.
- You gave them a clear chance to opt out at the time of data collection and in every subsequent message.
The soft opt‑in doesn’t apply to new prospects who haven’t enquired about or bought from you. It also doesn’t apply to third‑party products or unrelated services. For a deeper dive on using this pathway safely, many small businesses refer to a concise explainer on soft opt‑in.
Can You Rely On Legitimate Interests?
UK GDPR requires a lawful basis for processing personal data. For marketing, the most common are consent and legitimate interests. If PECR requires consent for the actual sending of the email, you must have consent; legitimate interests can’t replace it. However, you may rely on legitimate interests for related processing (e.g. segmentation or analytics), provided you complete a balancing test and honour opt‑outs.
In practice, many B2C campaigns rely on consent or the soft opt‑in under PECR, with legitimate interests used for certain ancillary processing. For B2B emails to corporate subscribers, legitimate interests may support the processing while PECR may not require consent, but you must still provide a simple opt‑out and respect it.
Opt-Outs, Transparency And Data Rights
Every marketing email must include a clear and easy way to opt out; one‑click unsubscribe links are best practice. You must action opt‑outs promptly. Continuing to email someone who has objected is a common source of complaints.
Be Transparent From The Start
Tell people clearly what they’re signing up to, how often you’ll email them, and what type of content to expect. Your Privacy Policy should explain what personal data you collect, how you use it for marketing, who you share it with (e.g. email service providers), and how individuals can exercise their rights.
Respect Data Rights
Individuals have rights under UK GDPR, including the right to access their data, to object to direct marketing, and to request deletion (in certain circumstances). You need processes to verify identity, log requests and respond within the relevant timeframes. If you’re building out your internal process, it helps to have a clear playbook on handling subject access requests and when data deletion is appropriate.
Tracking Pixels And Cookies
Many email tools use tracking pixels to see whether an email was opened or a link was clicked. When those links land on your website and set cookies for marketing/analytics, consent rules apply.
For non‑essential cookies (including most analytics and advertising cookies), you’ll generally need a compliant banner and user consent before dropping them, along with a robust Cookie Policy. Make sure your consent tool supports user-friendly cookie banners and, where required, a clear option to reject all cookies.
Essential Documents And Contracts
Getting your documentation right helps you demonstrate compliance and manage risk with suppliers, partners and customers. Core documents for email marketing include:
- Privacy Policy – explains your data practices, lawful bases, marketing activity, sharing with processors and international transfers. Keep it consistent with how you actually run campaigns and update it as your martech stack evolves.
- Cookie Policy – details your cookies, pixels and trackers and how users can control them. It should mirror your consent management platform settings.
- Data Processing Agreement (DPA) – if you use a third‑party email platform/CRM (Mailchimp, HubSpot, Klaviyo, etc.), you must have a compliant Data Processing Agreement in place that covers instructions, security and international transfers.
- Data Sharing Agreement – if you share personal data with other controllers (e.g. a co‑marketing partner running a joint webinar), consider a formal Data Sharing Agreement that clarifies who does what, including handling rights requests and opt‑outs.
- Opt‑in Records – keep robust records of sign‑ups (date/time, method, wording shown, source page) and soft opt‑in eligibility (purchase or enquiry details). These are essential if the ICO ever asks you to evidence your compliance.
- Internal Marketing Policy – short guidance for your team on consent capture, list hygiene, complaint handling, and role‑based access to marketing data. This keeps everyone on the same page and reduces accidental missteps.
Avoid generic templates or conflicting policies; your documentation should reflect your real processes and tools. Professional drafting tailored to your tech stack will protect you as you grow.
Step-By-Step: How To Send Marketing Emails Legally
1) Map Your Campaigns And Data Flows
List your campaign types (newsletters, promotions, win‑backs), the audiences you’ll use (prospects, customers, lapsed customers), and where the data comes from. Identify which ones rely on consent, soft opt‑in or B2B legitimate interests. Note any special categories of data (usually avoid collecting these for marketing).
2) Choose Your Legal Pathway For Each Audience
Decide whether you’ll use explicit consent or soft opt‑in for B2C lists. For B2B corporate subscribers, confirm whether PECR permits marketing without consent and document your UK GDPR lawful basis (typically legitimate interests with an internal balancing test). Don’t mix pathways casually; clarity helps you keep clean lists.
3) Fix Your Capture Points
Update web forms, checkout pages and lead magnets. Use unticked checkboxes and plain‑English language. If you rely on soft opt‑in, ensure you’re collecting addresses during a sale or negotiation and clearly offering an opt‑out at that point. Keep proof of consent or eligibility.
4) Refresh Your Policies And Consent Notices
Make sure your on‑page consent wording aligns with your Privacy Policy and references the types of communications you’ll send. Implement or update your Cookie Policy and consent banner if you’re using tracking pixels and analytics.
5) Put Contracts In Place With Your Providers
Sign a Data Processing Agreement with your email platform and any other processors (CRM, analytics, data enrichment tools). Confirm where data is stored, how it’s secured, and what happens if there’s a breach.
6) Build Unsubscribe And Rights Handling Into Your Workflow
Every marketing email should include a working unsubscribe link. Test it. Sync your unsubscribe list across tools. Create a simple playbook for handling access requests and deletion requests, including timelines and verification; your team will need it as you scale.
7) Keep Evidence And Review Regularly
Maintain a compliance log: ICO fee status, lawful basis per list, opt‑in records, DUAs/DPAs, cookie settings, and any DPIAs or legitimate interests assessments. Run quarterly spot checks on capture points and templates. Good housekeeping now prevents headaches later.
Special Cases To Watch
- Purchased lists: High risk. Consent is rarely valid; you usually can’t rely on PECR for individuals. B2B lists may still be non‑compliant under UK GDPR if the data was scraped unlawfully.
- Joint campaigns: Clarify controller vs. processor roles. Use a Data Sharing Agreement and align opt‑out handling.
- International transfers: If your email platform stores data abroad, ensure appropriate safeguards are in place and reflected in your contracts and privacy notices.
- Profiling/automated decisions: If you do heavy segmentation or automation, consider whether a DPIA is appropriate and be transparent about what you do.
- Blended emails: Avoid turning service emails into marketing; keep them strictly transactional to sidestep PECR issues.
What Must Each Marketing Email Contain?
As a practical checklist, your marketing emails should include:
- Your business name and a valid contact address (email or physical)
- Clear identification that the message is promotional (no disguising the purpose)
- A visible, easy unsubscribe link that works immediately or as soon as possible
- Accurate subject lines and claims (no misleading content)
Train your team to use approved templates and run periodic content reviews, for both compliance and brand consistency.
Penalties And Complaints
The ICO can take enforcement action for breaches of PECR and UK GDPR, including fines. More commonly, poor practices trigger customer complaints and email provider blocks that hurt your deliverability. The simple way to avoid this? Respect consent, enable quick opt‑outs, keep your data clean, and be transparent.
Key Takeaways
- When you send marketing emails in the UK, you must comply with both PECR (rules on sending) and UK GDPR (rules on processing). Treat them as a package.
- For B2C audiences, you’ll usually need consent unless the soft opt‑in applies. For B2B corporate subscribers, consent may not be required by PECR, but you must still provide an opt‑out and meet UK GDPR standards.
- Be transparent at sign‑up, keep robust opt‑in records, and include an easy unsubscribe link in every message. Action opt‑outs promptly.
- If you use tracking pixels and site analytics, implement a compliant consent mechanism and publish a clear Cookie Policy, alongside a comprehensive Privacy Policy.
- Put the right contracts in place with your providers (at minimum a strong Data Processing Agreement) and align roles for any joint campaigns with a Data Sharing Agreement.
- Build processes for handling subject access requests and deletion requests, and maintain a compliance log. Review capture points and templates regularly.
- Steer clear of purchased lists and misleading content; they’re frequent sources of complaints and regulatory scrutiny.
If you’d like tailored advice on your email marketing compliance, policies or contracts, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat. We’re here to help you set up your marketing legally and confidently.


