Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, email marketing can feel like the most cost-effective way to grow - until you start worrying about whether you’re allowed to email people at all.
A common Google search (and a very fair question) is whether it’s illegal to send marketing emails without permission in the UK.
The short version is: it can be illegal, and the rules depend on who you’re emailing, what you’re sending, and how you got their details. The good news is that once you understand the basics, compliance is very doable - and it’s one of those “legal foundations” that protects your business from day one.
This article is general information for UK businesses and isn’t legal advice. If you need advice on your specific marketing setup, get professional advice.
Is It Illegal To Send Emails Without Permission In The UK?
It can be illegal to send marketing emails without permission in the UK, because the UK has specific rules regulating electronic marketing.
The two key legal frameworks to be aware of are:
- PECR (the Privacy and Electronic Communications Regulations) - these sit alongside data protection law and set specific rules for marketing by email, SMS, phone, and cookies.
- UK GDPR and the Data Protection Act 2018 - these regulate how you collect, use, store, and share personal data (including email addresses).
In practice, PECR usually answers the most important question for email marketing: are you allowed to send that marketing email to that person?
UK GDPR then adds an extra layer: even if PECR allows the email, you still need to handle the person’s data lawfully (e.g. transparency, security, retention, rights to opt out, and so on).
So When Does It Become “Illegal”?
It’s most likely to be unlawful if you:
- email individuals (including many sole traders and some partnerships) marketing content without valid consent or a valid “soft opt-in” basis;
- hide your identity, use misleading subject lines, or don’t make it clear it’s marketing;
- don’t provide a simple unsubscribe method (or you ignore opt-outs);
- buy a marketing list and email it without properly checking whether valid permission exists;
- collect emails for one purpose (e.g. a quote) and start sending newsletters without telling people and giving them a clear choice.
None of this means you can’t use email marketing. It just means you need the right legal footing, and you need to show respect for people’s inboxes and personal data.
What Counts As A “Marketing Email” (And When The Rules Apply)
Many businesses assume “marketing email” means a glossy newsletter. In reality, it’s broader than that.
A message is likely “marketing” if it promotes:
- your products or services (including special offers, new launches, seasonal promos);
- your brand (e.g. “here’s why we’re the best in the industry”);
- an event or webinar you’re running (especially if it leads to sales);
- someone else’s products or services (e.g. affiliate promotions or partner offers).
Even a short email like “Just checking in - we’d love to work with you” can count as marketing if it’s encouraging a commercial relationship.
What About “Service Emails”?
Purely transactional or service emails (e.g. order confirmations, password resets, delivery updates, invoices) generally aren’t “marketing”.
But be careful: if you add marketing content into a service email (e.g. “Your receipt is attached - by the way, here’s 20% off our new range”), that email may become a marketing email, which changes the compliance requirements.
Does It Matter If It’s A Person Or A Company?
Yes. The rules apply differently depending on whether you’re emailing:
- individual subscribers (which includes most people, and can include sole traders and some partnerships); or
- corporate subscribers (companies and LLPs).
This distinction matters a lot for B2B marketing - we cover it in more detail below.
Consent Vs Soft Opt-In: When You Can Email Customers
For many small businesses, the safest (and most common) route is either:
- consent; or
- the “soft opt-in” (a limited exception that can apply to existing customers).
What Counts As Valid Consent?
Consent under UK GDPR needs to be real consent - not a pre-ticked box, not hidden in terms, and not assumed.
As a practical checklist, valid consent is usually:
- freely given (they had a real choice);
- specific and informed (they knew what they were signing up for);
- unambiguous (a clear affirmative action, like ticking a box); and
- recorded (you can prove it later if needed).
If you’re collecting emails through a website form, checkout page, lead magnet, or event sign-up, it’s worth making sure your wording is clear and your data handling is covered by a proper Privacy Policy.
What Is The Soft Opt-In (And Why Do Businesses Like It)?
The “soft opt-in” is a specific rule under PECR that may let you send marketing emails without express consent in limited circumstances.
Generally, you can rely on soft opt-in if:
- you obtained the person’s email address during the sale (or negotiations for the sale) of a product or service to them;
- you’re marketing your own similar products or services (not unrelated offers);
- you gave them a clear opportunity to opt out when you collected their email; and
- you include an easy opt-out in every subsequent marketing email.
This is why many ecommerce businesses can email existing customers about similar products - but it’s not a free-for-all. If you stretch “similar products” too far, or you didn’t offer a proper opt-out at collection, you can fall outside the exception.
If you want a deeper dive into how this works in practice, the soft opt-in rules are explained in more detail in soft opt-in email marketing guidance.
A Quick Example (To Make This Concrete)
- Likely OK under soft opt-in: A customer buys skincare from your online shop. At checkout, you clearly say “We’ll email you about similar products and offers - you can opt out anytime” with an unticked opt-out box. You later email them about a new moisturiser range.
- Likely not OK under soft opt-in: Someone requests a quote for plumbing work. You later add them to a newsletter promoting your partner’s finance services. That’s not “similar products/services”, and it may not even be your marketing.
When in doubt, it’s safer to get express consent - and make sure it’s properly documented.
B2B Marketing Emails: Do You Still Need Permission?
This is where a lot of small businesses get tripped up.
You might assume that because you’re emailing a “business address” (like info@company.co.uk) you can send marketing emails freely. Sometimes that’s true - but not always.
Emails To Companies (Corporate Subscribers)
PECR is generally less strict for emails sent to corporate subscribers (like limited companies and LLPs).
That said, you still need to comply with key requirements, including:
- clearly identifying your business (don’t disguise who you are);
- not using misleading subject lines or headers;
- including a valid contact address; and
- including an unsubscribe option (and respecting opt-outs).
Also, just because you can email a company doesn’t mean you should ignore good practice. Poor targeting and ignoring opt-outs are a fast way to damage your reputation (and deliverability), even if enforcement risk is lower.
Emails To Sole Traders And Partnerships (Often Treated Like Individuals)
Many B2B contacts are not companies - they’re sole traders or partnerships. Under PECR, sole traders are treated like individual subscribers, and some partnerships may be treated similarly (depending on the type of partnership and how the address relates to an identifiable individual). In those cases, you typically need consent or soft opt-in to send marketing emails.
Practically, that means a list you think is “B2B” might actually include people you can’t lawfully email without permission.
What About “Legitimate Interests” Under UK GDPR?
You may have heard that you can send marketing emails on the basis of “legitimate interests”. This is where it gets confusing.
Legitimate interests is a lawful basis under UK GDPR for processing personal data. However, PECR still sets specific rules for email marketing. If PECR requires consent (or soft opt-in), you generally can’t sidestep it by relying on legitimate interests alone.
This is why it’s important to look at both regimes together (PECR + UK GDPR), not just one in isolation.
Compliance Checklist: How To Send Marketing Emails Lawfully
If you want to keep email marketing as a growth channel (without the legal headaches), here’s a practical compliance checklist you can implement now.
1) Know Where Your List Came From (And Don’t “Hope” It’s Compliant)
You should be able to answer, for every contact:
- When and how did we collect this email address?
- What were they told at collection?
- Did they consent - or does soft opt-in apply?
- When did they last engage with us?
If you can’t answer those questions, your risk increases quickly - especially if someone complains.
2) Be Careful With Bought Lists And Scraped Emails
Buying email lists is high-risk in the UK. Even if a supplier says the list is “GDPR compliant”, you’re still the one pressing send - and you’re still responsible for compliance.
Similarly, scraping emails from websites or public directories can create both PECR and UK GDPR issues. “Publicly available” doesn’t automatically mean “free to market to”.
3) Make Your Opt-In Wording Clear (And Keep Records)
If you rely on consent, your opt-in wording should clearly explain:
- what type of emails you’ll send (newsletters, offers, product updates);
- how often you’ll send them (roughly);
- that they can unsubscribe at any time.
And you should keep evidence of consent (date/time, wording shown, method of sign-up). This is much easier to do upfront than to reconstruct later.
4) Always Include An Unsubscribe Link (And Make It Work)
This is non-negotiable. Marketing emails should include a simple way to opt out (usually an unsubscribe link).
Also:
- don’t make people log in to unsubscribe;
- don’t add extra steps;
- process opt-outs promptly; and
- make sure your systems don’t accidentally re-add unsubscribed people.
One of the easiest ways to trigger complaints is to ignore (or accidentally override) an opt-out request.
5) Keep Your Data Safe (Including Where You Store Your Mailing List)
Your email list is personal data. You need to protect it from unauthorised access, loss, or misuse.
This includes thinking about:
- who in your team can access the list;
- using strong passwords and multi-factor authentication;
- whether your cloud storage tools are appropriate for personal data; and
- having processes for dealing with data breaches.
Many businesses also benefit from having a documented approach to privacy compliance, like a GDPR package, especially as your list grows and more team members touch customer data.
6) Don’t Keep Email Addresses Forever “Just In Case”
UK GDPR includes the principle of storage limitation - you shouldn’t keep personal data longer than you need it.
In marketing terms, that means thinking about:
- how long you keep inactive subscribers;
- when you run re-permissioning campaigns (if appropriate);
- when you delete or suppress old contacts.
A simple retention policy can go a long way here. If you’re unsure what’s reasonable, data retention is explained in a practical way in this guide on data retention periods.
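The consent vs soft opt-in decision, the “never re-add an unsubscribed person” rule from checklist item 4, and the retention check from item 6 can be encoded in a mailing-list model. This is an added example, not Sprintlaw’s or any provider’s code; it assumes “similar products” is approximated by a product category, that sole traders are recorded as individual subscribers, and that a one-year inactivity cut-off is the chosen retention period.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

NOW = datetime(2024, 6, 1)  # constructed "current" date for the sample data

@dataclass
class ConsentRecord:  # the evidence the page says to keep: date/time, wording shown, method
    given_at: datetime
    wording_shown: str
    method: str

@dataclass
class Contact:
    email: str
    subscriber_type: str                         # "individual" (incl. sole traders) or "corporate"
    consent: Optional[ConsentRecord] = None
    collected_during_sale: bool = False          # soft opt-in: obtained during a sale/negotiation
    opt_out_offered_at_collection: bool = False  # soft opt-in: clear opt-out offered at collection
    purchased_categories: set = field(default_factory=set)  # assumed proxy for "similar products"
    last_engaged: Optional[datetime] = None

@dataclass
class MailingList:
    contacts: dict = field(default_factory=dict)
    suppressed: set = field(default_factory=set)  # opt-outs are kept so re-imports cannot revive them

    def add(self, c: Contact) -> bool:
        key = c.email.lower()
        if key in self.suppressed:  # checklist item 4: never accidentally re-add an unsubscribed person
            return False
        self.contacts[key] = c
        return True

    def unsubscribe(self, email: str) -> None:
        key = email.lower()
        self.suppressed.add(key)
        self.contacts.pop(key, None)

    def basis_to_send(self, email: str, campaign_category: str) -> Optional[str]:
        # Returns the basis for sending this marketing email, or None when there is none.
        key = email.lower()
        if key in self.suppressed or key not in self.contacts:
            return None
        c = self.contacts[key]
        if c.subscriber_type == "corporate":
            return "corporate"  # less strict under PECR; identity and unsubscribe still required
        if c.consent is not None:
            return "consent"
        if c.collected_during_sale and c.opt_out_offered_at_collection and campaign_category in c.purchased_categories:
            return "soft opt-in"
        return None

    def stale_contacts(self, now: datetime, max_inactive: timedelta = timedelta(days=365)) -> list:
        # checklist item 6: contacts past the retention cut-off, to delete or re-permission
        return [k for k, c in self.contacts.items() if c.last_engaged is None or now - c.last_engaged > max_inactive]
```

The plumbing-quote contact from the page’s example gets no basis because the address was not collected during a sale, while the skincare customer qualifies only for a skincare campaign.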
7) Get Your Internal Processes Right (Especially If Staff Send Marketing Emails)
If you have employees (or contractors) sending outbound emails, think about consistency and control:
- Are people using approved templates and wording?
- Is there a consistent unsubscribe process?
- Do you have rules about exporting lists or using personal devices?
This is where having a clear Acceptable Use Policy can help set expectations about how staff handle business systems and personal data.
What Happens If You Get It Wrong?
If you send marketing emails unlawfully, consequences can include:
- complaints to the Information Commissioner’s Office (ICO);
- enforcement action (including orders to stop processing or stop marketing);
- fines (particularly for serious or repeated breaches);
- deliverability issues (your domain gets flagged as spam, harming legitimate customer comms);
- brand damage (loss of trust is hard to undo).
For a small business, the commercial impact of being labelled “spammy” can hurt just as much as the legal risk - so it’s worth getting your approach right early.
Key Takeaways
- Yes, it can be illegal - the answer to “is it illegal to send emails without permission in the UK?” depends on PECR rules and whether you have valid consent or can rely on soft opt-in.
- PECR governs marketing emails, while UK GDPR governs how you handle the email address as personal data (collection, transparency, security, retention, and rights).
- Soft opt-in is limited - it usually only applies where you got the email during a sale/negotiation, you market similar products/services, and you offered opt-out at collection and in every email.
- B2B isn’t a free pass - emails to companies may be less restricted, but sole traders (and some partnerships) can be treated like individuals, meaning consent or soft opt-in may be required.
- Unsubscribe and opt-outs matter - always include a working opt-out and respect it promptly to reduce legal and reputational risk.
- Good data practices support marketing compliance - protect your mailing list, limit access internally, and don’t retain personal data longer than necessary.
If you’d like help setting up your email marketing compliance (including consent wording, privacy documentation, and practical processes), you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.