Email Marketing & Do Not Call Lists - Frequently Asked Questions

What is PECR?

PECR (Privacy and Electronic Communications Regulations) is a UK regulation that governs electronic marketing communications, including emails, texts, and calls. It works alongside UK GDPR to protect individuals’ privacy when organisations send marketing messages.

Do I need consent for email marketing?

Yes. PECR requires businesses to obtain explicit opt-in consent before sending marketing emails. Subscribers must take an explicit action to agree, such as ticking an unchecked box or clicking a consent button.

What is explicit opt-in consent?

Explicit opt-in consent means subscribers must actively choose to receive marketing emails through a clear and affirmative action. Pre-ticked boxes or silence do not constitute valid consent.

Is there an exception to the email consent requirement?

Yes. The “soft opt-in” exception permits you to send marketing emails to existing customers about similar products or services without explicit prior consent, provided you offer a clear opt-out option in every message.

What qualifies for soft opt-in?

Soft opt-in applies when:

• The customer purchased or showed interest in similar products/services

• You gave them a clear chance to opt out initially

• You provide an easy opt-out option in every message

What records must I keep for email consent?

You must maintain detailed consent records, including:

• The date and time consent was obtained

• The method of consent

• What information was provided to the subscriber

• Evidence that consent meets GDPR standards

What should my privacy notice include for email marketing?

Your privacy notice should explain:

• What data is collected

• Why it is collected

• How it will be used

• Who it will be shared with

• How long it will be stored

Must I use double opt-in for email marketing?

While not mandated by PECR, double opt-in is a best practice. It involves sending a confirmation email that requires subscribers to verify their subscription. This provides additional proof of consent and maintains a clean mailing list.

What happens if I use pre-ticked boxes?

Pre-ticked boxes are prohibited under PECR. Consent must be freely given through unchecked checkboxes or active opt-in actions.

What is the “Do Not Call” list?

The Do Not Call list, also known as the Telephone Preference Service (TPS), is a national registry that enables individuals to block unwanted telemarketing calls. Once registered, it typically takes 31 days for the registration to take effect.

Do I need to screen against the Do Not Call list?

Yes. In practice, you must screen most call lists against the TPS register before making marketing calls. You must also maintain your own internal “do not call” list for people who object or opt out.

What’s the difference between TPS and CTPS?

TPS (Telephone Preference Service): Protects individuals, sole traders, and some partnerships from unsolicited marketing calls

CTPS (Corporate Telephone Preference Service): Protects limited companies, LLPs, and some partnerships from unsolicited marketing calls

For B2B calls, you must screen against both registers.

Can I make live marketing calls without consent?

Yes, to a business number not listed on the TPS or CTPS, provided the person hasn’t objected to your calls in the past and you’re not marketing claims management services. However, live calls to individuals require PECR compliance.

Do automated marketing calls require consent?

Yes. Automated calls (recorded messages from automated dialling systems) require specific consent to receive this type of call; general consent for marketing is not enough.

What must automated calls include?

All automated calls must include:

• Your name

• A contact address or freephone number

• Your phone number, or an alternative contact number, displayed to the recipient

What is the difference between live calls and automated calls?

Live calls: May not require prior consent for corporate subscribers (if screened against TPS/CTPS), but do require TPS screening.

Automated calls: Always require explicit prior consent, regardless of the subscriber type.

What should I do if someone objects to calls?

You must add them to your internal “do not call” list immediately and respect their objection across all marketing channels and campaigns.

Must I display caller ID on marketing calls?

Yes. Display your caller ID on all direct marketing calls to ensure transparency and build trust with potential customers.

What is a Data Processing Addendum (DPA)?

A DPA is a critical document that outlines compliance with GDPR requirements for businesses processing user data. If you use third-party email marketing platforms, ensure your contract includes a DPA.

What are common email marketing compliance mistakes?

Common mistakes include:

• Sending marketing emails without valid consent

• Using pre-ticked boxes or other invalid consent mechanisms

• Failing to provide clear unsubscribe options

• Inadequate record-keeping of consent

• Lack of transparency about data usage and third-party sharing

What unsubscribe options must I provide?

You must provide clear and easily accessible unsubscribe options. The unsubscribe process should be straightforward, allowing individuals to withdraw their consent immediately. You must process opt-outs promptly.

How quickly must I process opt-outs?

You must honour opt-outs promptly. Once someone unsubscribes, they should no longer receive marketing communications from you.

What are transactional emails?

Transactional or service-related emails, such as order confirmations or account updates, are generally exempt from the marketing consent requirements under PECR, provided they don’t contain promotional content.

Can I include promotional content in transactional emails?

No. If you include promotional content in transactional emails, they become marketing emails and are subject to PECR and GDPR compliance.

What data can I use for email marketing?

You can use personal data from customers’ purchases or negotiations. However, GDPR requires you to avoid collecting data based on assumptions of future usefulness. Focus on current necessity and periodically review whether data collection remains necessary.

Must I apply data minimisation to email marketing?

Yes. The data minimisation principle requires you to collect only necessary data for your stated purposes. Delete any unnecessary information periodically. This reduces breach risk and ensures compliance with the GDPR.

What’s the difference between consent and legitimate interest?

Consent: Individuals actively agree to receive marketing; they must opt in actively.

Legitimate interest: You can market to existing customers about similar products/services without explicit consent (soft opt-in), provided you give them an easy opt-out option.

What happens if I don’t comply with email marketing laws?

Non-compliance can result in:

• Enforcement actions from the Information Commissioner’s Office (ICO)

• Significant financial penalties

• Reputational damage

How does GDPR apply to email marketing?

GDPR governs how organisations collect, process, and store personal data. It requires:

• Valid consent before processing

• Clear privacy notices

• Allowing individuals to exercise data rights (access, deletion)

PECR determines when consent is needed for electronic marketing; GDPR sets the standards for obtaining that consent.

Can I record marketing calls?

You must inform individuals before recording a call. Callers must be told that the call is being recorded, why, on what legal basis, how long it will be stored, and what rights they have. Consent must be freely given and informed.

What should I tell someone before recording a call?

You must inform them:

• The call is being recorded

• Why it is being recorded

• The legal basis for recording

• How long the recording will be stored

• What rights they have regarding the recording

Can individuals refuse a recorded call?

Yes. If you rely on consent, individuals must be able to refuse. Offer an unrecorded call option or alternative means of communication, such as email.

How long can I keep call recordings?

Establish a clear retention policy. Retain recordings only as long as necessary to meet their purpose, then safely delete them.

Are call recordings protected?

Yes. Recordings must be stored securely with limited access to authorised staff. Encrypt or otherwise protect recordings to prevent unauthorised access.

What if I receive a data request from someone on a recording?

Individuals have the right to request a copy of their call recording. You must respond within a reasonable timeframe and provide the recording in a secure format.

Can someone withdraw consent to be recorded?

Yes. If the recording was based on consent, the individual can withdraw consent and request deletion, unless there’s another legal reason to keep it.

What’s GDPRLocal’s approach to email marketing compliance?

GDPRLocal offers guidance on PECR and GDPR compliance for email marketing, enabling businesses to understand consent requirements, establish best practices for building compliant mailing lists, and correctly structure privacy notices. We help organisations screen against do-not-call lists and maintain proper compliance records.