Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you’re growing a customer base in the UK, you’ll almost certainly be sending emails, running ads or picking up the phone. That means one thing: you need to get marketing consent right.
The rules aren’t there to make your life harder - they’re designed to build trust with your customers. When you collect and use personal data for marketing in a compliant way, you’ll see better engagement, fewer complaints and lower risk.
In this guide, we break down how UK GDPR and the Privacy and Electronic Communications Regulations (PECR) apply to small businesses, when you actually need marketing consent, and how to collect it properly across email, SMS, calls, and online tracking.
What Is Marketing Consent Under UK Law?
Marketing consent is the permission you obtain from an individual to send them direct marketing or to track them online for advertising. In the UK, two key regimes apply:
- UK GDPR and the Data Protection Act 2018: govern how you process personal data (lawful basis, transparency, security, rights).
- PECR (Privacy and Electronic Communications Regulations): add extra rules for electronic marketing (email, SMS, calls, cookies and tracking technologies).
Think of it this way: UK GDPR asks “Do you have a lawful reason to use this person’s data and have you told them clearly what you’re doing?” PECR then adds: “Are you allowed to send that email/SMS/call or set that cookie in the first place?”
Consent under UK GDPR must be:
- Freely given - no pressure or bundling with other terms.
- Specific - separate from other consents (e.g. different channels or purposes).
- Informed - clear, plain language about who you are and what you’ll send.
- Unambiguous - an opt-in action (no pre-ticked boxes).
- Easy to withdraw - one click or a simple reply should do it.
When you can’t rely on consent, you may be able to use another lawful basis (for example, legitimate interests). But for electronic marketing to individuals, PECR often requires consent regardless - so you need to consider both regimes together.
When Is Consent Required (And When Can You Rely On Another Lawful Basis)?
This is where many small businesses get tripped up. The rules change depending on the channel and the type of recipient (individual vs corporate).
Email And SMS
- To individuals (B2C): PECR generally requires prior consent for unsolicited marketing emails and texts. There is a narrow “soft opt-in” for your own similar products/services if the contact details were collected during a sale (or negotiation of a sale), you gave an opt-out at the time, and you include an opt-out in every message. Used correctly, the soft opt-in is very useful for small businesses.
- To corporate subscribers (B2B): PECR consent rules are more flexible for company addresses (e.g., info@company.com). You can often rely on legitimate interests under UK GDPR, provided your message is relevant, proportionate, and includes a clear unsubscribe.
If you’re unsure whether your campaign falls under soft opt-in or needs opt-in consent, err on the safe side. Getting this wrong can lead to complaints, ICO attention and brand damage. For the channel-specific requirements, it helps to review the basics of email marketing laws before you launch.
Telephone Marketing
- Live calls: You can make live marketing calls to individuals who haven’t opted out via the Telephone Preference Service (TPS) or told you not to call. You’ll still need a UK GDPR lawful basis and to identify yourself clearly. If you’re using customer data for calling, check our guidance on business calls.
- Automated calls: PECR generally requires prior consent for automated pre-recorded marketing calls to individuals.
Social Media, Custom Audiences And Lead Ads
When you upload a customer list to a platform (e.g. customer-matching audiences), you are processing personal data. You’ll need a lawful basis under UK GDPR, ensure appropriate transparency in your privacy information, and comply with the platform’s terms. If the original collection was for marketing, consent or soft opt-in rules may bite depending on how you captured the data.
Do You Ever Not Need Consent?
Yes - but with caution:
- Legitimate interests can cover some B2B email marketing to corporate addresses and some on-platform advertising where personal data is minimal and interests are balanced.
- Contract can apply where the communication is strictly necessary to perform a contract (e.g., “your order ships tomorrow”), not to upsell or cross-sell.
- Legal obligation covers mandatory notices, not marketing.
Always separate service messages from marketing. A shipping update is fine without consent; a message that promotes related products is marketing and triggers PECR/consent requirements.
How To Capture Valid Marketing Consent
You don’t need to make things complicated - you just need to be clear, granular and keep good records. Here’s a practical blueprint you can apply to most channels.
Design Consent At The Point Of Collection
- Use opt-in checkboxes, not pre-ticked boxes.
- Separate purposes/channels: email, SMS, phone, and third-party marketing consents should be distinct so customers can choose.
- Plain English consent statements that say what you’ll send, how often (roughly), and that they can opt out at any time.
- Link to your Privacy Policy next to the form, so people can see who you are, what you collect, and their rights. If you don’t have one, get a tailored Privacy Policy in place before you start collecting data.
Capture And Store Evidence
- Log the date, time, source and method of consent (e.g., website checkout, in-store tablet, event QR).
- Record the specific wording the person saw at the time of opt-in.
- Keep channel-level flags so email vs SMS preferences are tracked separately.
Use Double Opt-In Where Risk Is Higher
Double opt-in (confirmation email or SMS) isn’t mandatory, but it helps verify ownership of the address/number and reduces spam complaints. It’s especially helpful if you offer sign-up incentives or run competitions where people may enter others’ details.
In-Store Or Events
- On paper forms or tablets, make the consent wording visible and include a link or QR to your Privacy Policy.
- Don’t bundle consent with entry - if someone enters a competition, they shouldn’t be forced to receive ongoing marketing. Offer a separate opt-in.
For The Soft Opt-In
- Confirm that the contact was collected during a sale or negotiation of a sale (quote requests can be enough).
- Only market your own similar products or services.
- Give a clear opportunity to opt out at the time of collection and in every message.
- Keep records that show how the contact was obtained and that an opt-out was offered.
Managing Opt-Outs, Evidence And Individual Rights
Consent is not a one-off task. Staying compliant means handling withdrawals quickly, keeping your evidence up to date and respecting people’s rights.
Make Unsubscribing Effortless
- Include a one-click unsubscribe in every email and an easy STOP reply for SMS.
- Process opt-outs without delay (ideally immediately, and within 24–48 hours at most).
- Keep a suppression list to ensure people who opt out don’t receive marketing in the future.
Keep Proof Of Consent
Be prepared to demonstrate when, how and for what purposes consent was obtained. Your CRM should store consent logs alongside each contact and record any changes (opt-out, channel change, re-permissioning campaign).
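The record-keeping, soft opt-in and opt-out steps above can be turned into a small consent ledger. The following is an added example, not Sprintlaw's code or any CRM's API: the record shape, the `ledger` Map, and the function names (`recordConsent`, `recordSoftOptIn`, `withdraw`, `canSend`) are this example's own assumptions. It stores channel-level flags, the wording shown at opt-in, a suppression list per channel, and answers "may this marketing message go out, and on what basis?"

```javascript
// Added example, not Sprintlaw's code: an in-memory consent ledger and a
// "may we send this marketing message?" check built from the rules in the guide.
// Record shape, field names and the Map store are this example's own assumptions.
const ledger = new Map(); // contactId -> { channels, suppressed, history }

function getRecord(id) {
  if (!ledger.has(id)) ledger.set(id, { channels: {}, suppressed: new Set(), history: [] });
  return ledger.get(id);
}

// Opt-in consent: log when, how and where it was captured plus the exact wording shown.
// Consent is tracked per channel, so an email opt-in says nothing about SMS.
function recordConsent(contactId, { channel, wording, source, method, at }) {
  const rec = getRecord(contactId);
  rec.channels[channel] = { status: 'consent', wording, source, method, at };
  rec.suppressed.delete(channel); // a fresh opt-in lifts an earlier opt-out on this channel
  rec.history.push({ event: 'consent', channel, source, method, at });
  return rec;
}

// Soft opt-in: details obtained during a sale or negotiation, with an opt-out offered then.
function recordSoftOptIn(contactId, { channel, collectedDuringSale, optOutOffered, source, at }) {
  const rec = getRecord(contactId);
  rec.channels[channel] = { status: 'soft-opt-in', collectedDuringSale, optOutOffered, source, at };
  rec.history.push({ event: 'soft-opt-in', channel, source, at });
  return rec;
}

// Opt-out: put the channel on the suppression list and keep only what is needed to honour it.
function withdraw(contactId, channel, at) {
  const rec = getRecord(contactId);
  rec.suppressed.add(channel);
  delete rec.channels[channel];
  rec.history.push({ event: 'opt-out', channel, at });
  return rec;
}

// Decide whether one marketing message may go out on a channel, and on which basis.
// Relevance and proportionality of a B2B message are a judgement outside this check.
function canSend(contactId, { channel, recipientType, ownSimilarProducts, hasOptOut }) {
  const rec = ledger.get(contactId) || { channels: {}, suppressed: new Set() }; // no side effects
  if (rec.suppressed.has(channel)) return { allowed: false, reason: 'channel is on the suppression list' };
  if (!hasOptOut) return { allowed: false, reason: 'every marketing message must carry an opt-out' };
  if (recipientType === 'corporate') return { allowed: true, basis: 'legitimate interests (corporate subscriber)' };
  const c = rec.channels[channel];
  if (c && c.status === 'consent') return { allowed: true, basis: 'consent' };
  if (c && c.status === 'soft-opt-in' && c.collectedDuringSale && c.optOutOffered && ownSimilarProducts) {
    return { allowed: true, basis: 'soft opt-in' };
  }
  return { allowed: false, reason: 'no consent or soft opt-in for this individual on this channel' };
}
```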
Respond To Data Rights Requests
- Access (SARs): Provide a copy of the personal data you hold and related information within the statutory timeframe. If you receive subject access requests, have a repeatable process.
- Erasure: Delete data when requested unless an exception applies (e.g., legal obligations to retain certain records). If you rely on suppression lists, retain minimal data to respect the opt-out.
- Objection/Restriction: Stop marketing when someone objects; consider restricting processing while you review a complaint.
Documents And Contracts To Put In Place
- Privacy Policy that explains your marketing practices, lawful bases, cookies and rights, ideally drafted to UK GDPR standards. You can get a tailored Privacy Policy for your website and app.
- Cookie Policy and clear notices explaining what’s being set and why, supported by a consent mechanism. Make sure your notices align with your Cookie Policy and the technologies you actually use.
- Data Processing Agreement (DPA) with any agency or vendor processing data on your behalf (ESP, SMS gateway, CRM). Our team can prepare a robust Data Processing Agreement and help you review vendor terms.
Cookies, Tracking And Online Advertising
Cookies and similar technologies (pixels, SDKs, local storage) are regulated by PECR. In most cases, you must get prior consent before setting non-essential cookies (analytics, advertising, personalisation). “Legitimate interests” under UK GDPR doesn’t override PECR’s consent requirement.
Build A Compliant Cookie Experience
- Use a cookie banner that lets users accept or reject non-essential cookies and manage preferences - a simple “By using this site you agree” isn’t enough. If you’re designing this now, our practical guide to cookie banners is a good place to start.
- Include a “Reject All” option on the first layer (equal prominence to Accept), and don’t drop non-essential cookies until consent. For details on design pitfalls, see our explainer on “Reject All” buttons.
- Ensure your CMP (consent management platform) actually blocks scripts until consent, and respect user choices across pages.
- Keep your cookie list up to date - scan periodically and update your policy.
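The point in the list above that a CMP must actually block scripts until consent is easy to state and easy to get wrong. Below is an added example of the core gating logic, not the guide's code and not any CMP product: `createConsentGate`, `register`, `applyChoice` and the injected `storage` and `loadScript` interfaces are this example's assumptions. Non-essential categories start as refused, scripts registered against them are queued, and only a recorded choice releases them; "Reject All" and "Accept All" are both one call.

```javascript
// Added example (not the guide's or any CMP vendor's code): the core of a consent gate.
// Non-essential categories are refused until the visitor chooses; scripts registered for
// a refused category are queued and only loaded once that category is granted.
// `storage` and `loadScript` are injected so the logic can run outside a browser.
const CATEGORIES = ['necessary', 'analytics', 'advertising', 'personalisation'];

function createConsentGate({ storage, loadScript }) {
  const pending = [];            // scripts held back: { category, src }
  let choice = storage.get();    // null until the visitor has made a choice

  // Only 'necessary' may run without an explicit, recorded choice.
  const granted = (category) => category === 'necessary' || (choice !== null && choice[category] === true);

  function register(category, src) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown cookie category: ${category}`);
    if (granted(category)) { loadScript(src); return 'loaded'; }
    pending.push({ category, src });
    return 'blocked';
  }

  // Record a granular choice (categories not mentioned count as refused) and release
  // queued scripts for granted categories. Revoking a category whose scripts already
  // ran needs its cookies cleared and a reload; this gate only controls loading.
  function applyChoice(next) {
    choice = Object.fromEntries(CATEGORIES.map((c) => [c, c === 'necessary' || next[c] === true]));
    storage.set(choice);         // persisted so the choice is respected across pages
    for (let i = pending.length - 1; i >= 0; i--) {
      if (granted(pending[i].category)) loadScript(pending.splice(i, 1)[0].src);
    }
    return choice;
  }

  // "Accept All" and "Reject All" are equal one-click actions for the first layer.
  const acceptAll = () => applyChoice(Object.fromEntries(CATEGORIES.map((c) => [c, true])));
  const rejectAll = () => applyChoice({});
  const needsBanner = () => choice === null;
  return { register, applyChoice, acceptAll, rejectAll, needsBanner, granted, pendingCount: () => pending.length };
}

// In-memory stand-in for localStorage or a first-party cookie (constructed for this example).
function memoryStorage() {
  let saved = null;
  return { get: () => saved, set: (value) => { saved = value; } };
}
```

In a browser, `loadScript` would append a `<script>` element for `src` and `storage` would wrap a first-party cookie or localStorage.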
Pixels, Analytics And Ad Tech
- Analytics: Most analytics tools are non-essential; obtain consent before loading them (unless you configure privacy-preserving modes that make them truly essential - rare).
- Advertising pixels (e.g., Meta, Google Ads): Treat as non-essential and consent-based. Consider server-side tagging to limit the data you send.
- International transfers: If tools send data overseas, conduct a transfer risk assessment and ensure appropriate safeguards are in place.
Transparency
Your Privacy Policy should explain what tracking you use, why, and how users can control it. Align that with your on-page notices and consent UX to avoid misleading customers.
Key Takeaways
- PECR and UK GDPR work together: PECR governs how you can market electronically (and often requires prior consent), while UK GDPR governs how you process the personal data behind the scenes.
- For B2C email/SMS, you’ll usually need consent unless the soft opt-in applies to your own similar products or services and you offer an opt-out at collection and every time you contact them.
- Design consent at the point of capture: clear opt-in boxes, channel-specific choices, plain wording, and a link to your Privacy Policy. Keep detailed records of who consented, when and how.
- Make opting out painless and fast. Maintain suppression lists, and have a process for subject access requests, objections and erasure.
- Non-essential cookies, pixels and analytics require prior consent. Implement compliant cookie banners and align them with a clear Cookie Policy.
- Put proper contracts in place with your vendors: a Data Processing Agreement with processors, plus transparent disclosures about cross-border transfers if your tools send data overseas.
- Don’t forget your broader compliance: register and pay your ICO fee (unless exempt), maintain data minimisation and security, and separate service messages from marketing.
If you’d like help setting up compliant marketing consent flows - from your Privacy Policy and Cookie Policy through to vendor DPAs and lawful basis assessments - our team is here to make it simple. You can reach us on 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.