Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Email remains one of the most cost-effective ways to market your business. But if you’re advertising by email in the UK, there are specific legal rules you need to follow.
If you get it right, you can build trust, grow repeat business and generate reliable sales. If you get it wrong, you risk customer complaints, reputational damage, and regulatory action (including enforcement by the ICO).
Below, we’ll walk through the core rules UK small businesses should know, plus practical ways to keep your email marketing compliant without killing your marketing momentum.
What Laws Apply To Advertising By Email In The UK?
When you send marketing emails, you’re usually dealing with two overlapping legal regimes:
- UK GDPR (and the Data Protection Act 2018) - these govern how you collect, use, store and share personal data (like names, email addresses, purchase history and tracking data).
- PECR (the Privacy and Electronic Communications Regulations) - these set the specific rules for electronic marketing (including marketing by email, SMS and some types of online tracking).
In plain English, PECR often answers the question “are you allowed to send this marketing email?”, while UK GDPR focuses on “are you handling their personal data fairly and securely?”.
Even if you’re a tiny business with a small mailing list, these rules still apply.
Why This Matters For Small Businesses
Advertising by email is usually a “high-visibility” activity. People notice it immediately. If someone didn’t ask to hear from you, they’ll often complain quickly - sometimes directly to you, sometimes to the ICO.
So it’s worth setting up your email marketing properly from day one, rather than scrambling to fix things after the fact.
Do You Need Consent To Send Marketing Emails?
Most of the compliance issues in email marketing come down to one word: consent.
Under PECR, sending marketing emails to individuals generally requires their prior consent unless an exception applies (most commonly, the “soft opt-in” for existing customers).
The Default Rule: Consent For Individuals
If you’re emailing individual consumers (including sole traders and many partnerships), you’ll usually need:
- a clear opt-in (not pre-ticked), and
- an explanation of what they’re signing up for, and
- a simple way to unsubscribe in every email.
Consent has to be freely given, specific, informed and unambiguous. So “by using our website you agree to receive marketing” is not a safe approach on its own.
The Soft Opt-In: Marketing To Existing Customers
The soft opt-in is a practical exception that many small businesses rely on. In broad terms, it can allow you to send marketing emails without express opt-in consent if:
- you got the person’s email address during the sale (or negotiation of a sale) of a product or service;
- you’re marketing your own similar products/services (not someone else’s);
- you gave them a clear chance to opt out when you collected their email; and
- you include an opt-out/unsubscribe in every message.
This is often the lawful route for things like emailing customers about new stock, service reminders, follow-up offers, or updates that are closely related to what they bought before.
If you want to get this right in practice, your sign-up wording and checkout flows matter a lot - and they should line up with your Privacy Policy.
What About B2B Marketing Emails?
B2B is where things can get confusing.
PECR distinguishes between emails sent to “individual subscribers” and “corporate subscribers”. Marketing emails to a generic corporate address (like info@ or sales@) can be treated differently from marketing emails to a named person at a company.
In practice, if you’re emailing a named person at a business (for example, firstname.lastname@company.co.uk), UK GDPR is likely to apply because you’re processing personal data. You’ll also need to make sure the recipient has a clear way to opt out of marketing. Depending on the circumstances, you may rely on consent, or you may rely on legitimate interests under UK GDPR - but PECR can still require prior consent where the recipient is an “individual subscriber” (which can include some non-corporate business structures).
So, as a practical rule for small businesses: treat B2B marketing as something that still needs a clear lawful basis, good transparency, and easy opt-out.
What Does GDPR Require When You Collect And Use Email Addresses?
Even when PECR allows you to send the email, UK GDPR still sets rules around how you collect, store and use your mailing list data.
Here are the key GDPR principles that matter most for advertising by email.
1. Transparency (Tell People What You’re Doing)
You should be able to show that people were told:
- who you are (your business name and contact details);
- what you’ll use their email address for (e.g. newsletters, promotions, product updates);
- your lawful basis (e.g. consent or legitimate interests, depending on the scenario);
- who you share data with (for example, an email marketing platform); and
- how they can unsubscribe or exercise their rights.
This is why having a clear Privacy Policy isn’t just “nice to have” - it’s part of your compliance foundations.
2. Purpose Limitation (Don’t Use Data For Surprise Marketing)
If you collected an email address for one reason (like fulfilling an order), you need to be careful about using it for another reason (like marketing) unless your notices and permissions covered that.
That doesn’t mean you can never market to customers - it just means your sign-up points should clearly explain what will happen next.
3. Data Minimisation And List Hygiene
Only collect what you need. For many small businesses, an email address and a first name are enough for marketing.
Then keep your list tidy:
- remove hard bounces and invalid addresses;
- immediately stop emailing people who unsubscribe (and keep a suppression list);
- consider periodic re-permissioning for older lists.
4. Storage Limitation (Don’t Keep Marketing Data Forever)
There’s no single “magic number” for how long you can keep email addresses - but you should have a sensible retention approach. For example, if someone hasn’t engaged in years and you no longer have a customer relationship, you may need to consider whether keeping their details is still justified.
If you’re setting internal rules for staff around data handling and systems access, internal guidelines can help prevent risky habits (like exporting lists to personal devices or using unapproved tools).
5. Security (Protect Your Mailing List)
Your email list is valuable - and it’s personal data. Make sure you:
- use strong passwords and multi-factor authentication for marketing tools;
- limit access to staff who actually need it;
- have processes for leavers (so ex-staff don’t keep access);
- know what you’ll do if there’s a data breach.
If you use a third-party email marketing provider (which most businesses do), you’ll usually need the right contractual protections in place - often through a Data Processing Schedule.
Common Email Marketing Mistakes That Create Legal Risk
Most small businesses don’t set out to break the rules - these problems usually happen because marketing moves quickly and compliance gets overlooked.
Here are the common traps we see when businesses start advertising by email.
Buying Or Renting Email Lists
Purchased lists are one of the fastest ways to generate complaints. Even if a supplier claims the list is “GDPR compliant”, you still need to be confident you have valid permissions to market to those people.
In most cases, buying a list is not worth the risk.
Pre-Ticked Boxes Or Bundled Consent
Consent needs to be an active choice. Pre-ticked boxes or forcing people to accept marketing as part of signing up for a service can invalidate the consent.
Unclear “From” Details And Missing Business Identity
Marketing emails should clearly show who the sender is. If people can’t tell who you are, they’re more likely to report the email as spam - and regulators tend to take a dim view of unclear identity in marketing messages.
No Unsubscribe Link (Or A Difficult One)
Every marketing email should include a clear, simple unsubscribe option. Making it difficult to unsubscribe is a fast track to complaints.
Also: once someone opts out, you need to action it promptly and reliably.
Tracking Without Thinking (Pixels, Cookies And Analytics)
Many email marketing tools automatically use tracking pixels to record opens and clicks. Depending on how the tracking works and what you do with the data, this can raise privacy and transparency issues - and in some setups it may also trigger consent requirements (for example, where tracking involves storing or accessing information on a user’s device, or where it’s used for profiling or cross-site tracking).
If your emails direct people to a website that uses cookies or similar tracking, you’ll also want your Cookie Policy to match what you’re actually doing.
Best Practices For Compliant Advertising By Email (A Practical Checklist)
Compliant advertising by email doesn’t have to be complicated. The goal is to build a marketing system that is:
- lawful (PECR + UK GDPR compliant);
- transparent (people understand what’s happening);
- easy to manage (you can prove what you did); and
- good for your brand (fewer spam complaints, more trust).
1. Set Up Your Sign-Up Wording Properly
Your sign-up form is where most compliance success (or failure) starts. Aim for wording that is:
- specific about what emails you’ll send;
- separate from other consents (don’t bundle);
- clear about opt-out; and
- linked to your privacy information.
If you’re collecting sign-ups through your website, it’s also worth ensuring your Website Terms And Conditions match your customer journey and marketing approach.
2. Keep Proof Of Consent (Or Soft Opt-In Conditions)
If you rely on consent, keep records like:
- when and how the person opted in;
- what wording they saw at the time;
- what list or campaign they joined; and
- any preference settings they chose.
If you rely on soft opt-in, keep records showing the customer relationship and that you offered an opt-out at collection.
3. Segment Your Lists (So You Don’t Over-Email)
Segmentation is both a marketing best practice and a compliance-friendly habit. For example:
- separate “newsletter subscribers” from “customers”;
- separate B2B contacts from consumer contacts;
- separate people who opted in from people contacted under soft opt-in;
- exclude unsubscribes across all lists automatically.
This reduces the chance you email people who didn’t expect to hear from you.
4. Make Unsubscribing Easy And Respect It
Every marketing email should include:
- a working unsubscribe link (ideally one click);
- an option to reduce frequency (optional, but helpful); and
- a clear sender identity.
Once someone unsubscribes, don’t “re-add” them later unless they opt back in. And don’t keep emailing them from a different list because “it’s a different campaign”.
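To show how steps 2 to 4 above fit together in a system, here is a small "send gate" written as an added example for this article (it is not Sprintlaw's code and not the code of any email platform). It keeps a consent record with the wording the person saw, keeps the customer evidence needed for the soft opt-in, applies one suppression list across every campaign, and refuses to send unless one of the two bases is present. The class and function names, campaign types and subscriber addresses are all constructed for illustration.

```python
# Added example: a send-eligibility gate modelled on the PECR consent /
# soft opt-in conditions and the global suppression list described above.
# Not Sprintlaw's code; all names and sample data are constructed.
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


def normalise(email: str) -> str:
    """Lower-case and trim so 'Alice@Example.com ' and 'alice@example.com' match."""
    return email.strip().lower()


@dataclass
class ConsentRecord:
    """Proof of consent: when, how, the exact wording shown, and which lists."""
    opted_in_at: datetime
    source: str                      # e.g. "website newsletter form"
    wording_seen: str                # checkbox / form text shown at the time
    lists: set[str] = field(default_factory=set)


@dataclass
class CustomerRecord:
    """Evidence for the soft opt-in: a sale, what was bought, opt-out offered."""
    purchased_at: datetime
    product_category: str
    opt_out_offered: bool            # clear chance to opt out at collection?


@dataclass
class Campaign:
    name: str
    list_name: str
    own_products: bool               # soft opt-in only covers your own products
    product_category: Optional[str]  # None for a general newsletter


class MarketingGate:
    def __init__(self) -> None:
        self.consents: dict[str, ConsentRecord] = {}
        self.customers: dict[str, CustomerRecord] = {}
        self.suppressed: set[str] = set()   # one list, applied to every campaign
        self.audit: list[tuple[datetime, str, str]] = []

    def _log(self, email: str, event: str) -> None:
        self.audit.append((datetime.now(timezone.utc), email, event))

    def record_consent(self, email: str, source: str, wording_seen: str, lists) -> None:
        e = normalise(email)
        self.consents[e] = ConsentRecord(datetime.now(timezone.utc), source,
                                         wording_seen, set(lists))
        self.suppressed.discard(e)   # a fresh, explicit opt-in is the only way back
        self._log(e, f"consent via {source}")

    def record_customer(self, email: str, product_category: str, opt_out_offered: bool) -> None:
        e = normalise(email)
        self.customers[e] = CustomerRecord(datetime.now(timezone.utc),
                                           product_category, opt_out_offered)
        self._log(e, f"purchase: {product_category}, opt-out offered={opt_out_offered}")

    def unsubscribe(self, email: str) -> None:
        e = normalise(email)
        self.suppressed.add(e)       # blocks every list, not just the one they were on
        self._log(e, "unsubscribe")

    def can_send(self, email: str, campaign: Campaign) -> tuple[bool, str]:
        """Return (allowed, reason). Suppression wins over any other basis."""
        e = normalise(email)
        if e in self.suppressed:
            return False, "suppressed: recipient unsubscribed"
        c = self.consents.get(e)
        if c and campaign.list_name in c.lists:
            return True, f"consent ({c.source})"
        cu = self.customers.get(e)
        if (cu and campaign.own_products and cu.opt_out_offered
                and campaign.product_category == cu.product_category):
            return True, "soft opt-in (existing customer, similar products)"
        return False, "no consent or soft opt-in basis for this campaign"

    def build_send_list(self, campaign: Campaign, candidates) -> list[str]:
        return [a for a in candidates if self.can_send(a, campaign)[0]]

    def evidence(self, email: str) -> dict:
        """Everything you would pull together to answer a complaint about one address."""
        e = normalise(email)
        return {"consent": self.consents.get(e), "customer": self.customers.get(e),
                "suppressed": e in self.suppressed,
                "events": [ev for ev in self.audit if ev[1] == e]}


# Constructed sample campaigns and subscribers (not real people or products).
NEWSLETTER = Campaign("Monthly news", "newsletter", own_products=True, product_category=None)
BEANS_OFFER = Campaign("Beans restock", "customers-beans", own_products=True,
                       product_category="coffee beans")
PARTNER_PROMO = Campaign("Partner cafe promo", "customers-beans", own_products=False,
                         product_category="coffee beans")


def demo_gate() -> MarketingGate:
    g = MarketingGate()
    g.record_consent("Alice@Example.com", "website newsletter form",
                     "Tick to receive our monthly newsletter. Unsubscribe any time.", ["newsletter"])
    g.record_customer("bob@example.com", "coffee beans", opt_out_offered=True)
    g.record_customer("carol@example.com", "coffee beans", opt_out_offered=False)
    g.record_consent("dave@example.com", "checkout", "Email me offers.", ["newsletter"])
    g.unsubscribe("dave@example.com")
    return g


if __name__ == "__main__":
    gate = demo_gate()
    for addr in ["alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"]:
        print(addr, gate.can_send(addr, BEANS_OFFER))
```

The design choice worth noting is that the suppression set is checked first and is shared by every campaign, which is what makes "it's a different list" impossible by construction; the only code path that removes an address from it is a new consent record, so the audit log always shows the opt-in that justified resuming contact.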
5. Use The Right Agreements With Your Marketing Tools
If your email platform processes personal data on your behalf (sending emails, hosting your list, tracking engagement), you’ll usually need appropriate contractual terms in place. That commonly takes the form of a Data Processing Schedule with the provider.
If you’re unsure what your platform provides (or whether it covers international data transfers), it’s worth checking before you start scaling your campaigns.
6. Train Your Team And Set Clear Internal Rules
Small businesses often grow quickly - and suddenly multiple people are touching your marketing database.
A simple internal policy (including tool access, export rules, and acceptable use standards) can prevent the classic issues like:
- staff exporting lists to spreadsheets and losing track of them;
- marketing being sent through personal email accounts;
- unclear ownership of opt-out requests.
For many businesses, an Acceptable Use Policy is a practical starting point.
Key Takeaways
- Advertising by email in the UK is mainly governed by PECR (marketing rules) and UK GDPR/Data Protection Act 2018 (personal data handling rules).
- In many cases, you’ll need valid consent before sending marketing emails to individuals, unless you can rely on the soft opt-in for existing customers.
- Your compliance depends heavily on your sign-up wording, your ability to prove consent (or soft opt-in conditions), and always including a clear unsubscribe option.
- Be cautious with B2B marketing: work emails can still be personal data, and you still need a lawful basis, transparency and opt-out controls. PECR consent requirements can also depend on who you’re emailing (for example, whether the recipient is an individual or corporate subscriber).
- Using third-party email tools usually means you need the right data protection paperwork in place, such as a Data Processing Schedule, and your Privacy Policy and Cookie Policy should match what you actually do.
- Good compliance is also good brand protection - fewer complaints, better engagement, and more trust in your business.
If you’d like help setting up compliant email marketing practices, drafting the right privacy wording, or reviewing your current approach to email marketing, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.