PECR Newsletter Compliance Email Marketing and GDPR

PECR Compliance Explained: What Every Email Marketer Needs to Know

Updated: March 2026

Email marketing is one of the most tightly regulated digital channels in the UK. The Privacy and Electronic Communications Regulations 2003 (PECR) and the UK General Data Protection Regulation (UK GDPR) work together to govern when and how businesses can contact people by email. 

This guide covers the main elements of PECR compliance and the UK GDPR rules that interact with it, from consent mechanics to sign-up form design, subscriber preference management, and the consequences of getting it wrong.

What is PECR, and how does it relate to GDPR for email marketing?

PECR (the Privacy and Electronic Communications Regulations 2003) is the UK law that specifically governs electronic marketing, including email. It works alongside UK GDPR: GDPR sets the standard for valid consent, while PECR determines when that consent is required. The ICO enforces both, and non-compliance with either can result in significant financial penalties.

The Privacy and Electronic Communications Regulations 2003 implement the EU’s ePrivacy Directive (2002/58/EC) into UK law. Post-Brexit, the UK retained PECR in substantially the same form as EU-derived domestic legislation under the European Union (Withdrawal) Act 2018, and it continues to be read alongside the Data Protection Act 2018 and UK GDPR.

PECR covers all unsolicited marketing communications sent by electronic means, including email, SMS, automated calls, and fax. It sits alongside the UK GDPR rather than replacing it. The ICO’s guidance on direct marketing makes clear that organisations must comply with both frameworks simultaneously: PECR tells you when consent is needed, and UK GDPR tells you what valid consent looks like.

The European Data Protection Board (EDPB), whose guidance continues to be influential in interpreting UK data protection law, has consistently emphasised that consent for electronic marketing must meet the high standard set by GDPR Article 7 to be valid under ePrivacy rules.

Key distinction: GDPR broadly applies to the processing of personal data. PECR applies specifically to the act of sending electronic marketing. You need to comply with both. A business that lawfully collects email addresses under the GDPR may still violate PECR if it sends marketing communications without proper consent.

What does PECR require before sending a marketing email?

PECR requires that organisations obtain prior, freely given, specific, informed, and unambiguous consent from individuals before sending them unsolicited marketing emails. This means active opt-in only. Pre-ticked boxes, bundled consent, and implied agreement do not meet the standard. The only exception is the “soft opt-in” for existing customers.

Regulation 22 of PECR prohibits sending unsolicited marketing communications by electronic mail unless the recipient has previously notified the sender that they consent to receive such communications. This is a strict rule with limited exceptions.

Valid consent under PECR must meet the UK GDPR standard. Under the definition in UK GDPR Article 4(11), the conditions in Article 7, and Recital 32, consent must be:

Freely given: No detriment for refusing consent; consent cannot be bundled with terms and conditions

Specific: The individual must consent to marketing, not just data processing in general

Informed: The individual must know who is contacting them and for what purpose

Unambiguous: Signified by a clear affirmative action, such as ticking an unchecked box

The ICO’s direct marketing guidance makes clear that “pre-ticked boxes or inactivity” do not constitute valid consent. Every marketing email campaign that relies on consent must be traceable to a specific, documented consent event for each recipient.

What is the soft opt-in exception, and who can use it?

The soft opt-in allows UK businesses to send marketing emails to existing customers without explicit prior consent, provided the marketing relates to similar products or services to those already purchased, the customer was given a clear opportunity to opt out at the time of purchase, and every subsequent email includes an easy way to unsubscribe.

Regulation 22(3) of PECR sets out the soft opt-in exception. It permits electronic marketing to existing customers where all four conditions are met:

1. The contact details were obtained during a sale, or negotiations for a sale, of a product or service

2. The marketing relates to similar products or services only

3. The customer was given a simple means of opting out at the time their details were collected, and chose not to use it

4. Every subsequent marketing message includes a clear, easy opt-out mechanism

The soft opt-in is not a UK invention: it derives from Article 13(2) of the EU’s ePrivacy Directive. EU member states have implemented that provision with differing scope and strictness, which is one reason email marketing compliance varies between UK and EU operations.

Key limitations organisations frequently misapply:

The exception does not apply to prospecting for new customers

It does not apply to charities, political organisations, or other non-commercial senders, because it is tied to the sale or negotiation of a product or service. The Data (Use and Access) Act 2025 provides for extending a soft opt-in to charities; check whether that provision is in force before relying on it

“Similar products and services” is interpreted narrowly. A customer who bought car insurance cannot automatically be marketed travel insurance under the soft opt-in

Reliance on the soft opt-in must be documented just as consent would be: when was the purchase or negotiation, what opt-out opportunity was given at that point, and what exactly was sold or discussed?

Are pre-ticked boxes and implied consent valid for email marketing?

No. Pre-ticked consent boxes do not meet the consent standard under PECR and UK GDPR (Recital 32 names pre-ticked boxes specifically). Implied consent, such as assuming that providing an email address equates to agreeing to marketing, is also invalid. Every marketing consent must involve an active, positive opt-in action taken freely by the individual with full information about what they are agreeing to.

The ICO has taken enforcement action specifically targeting pre-ticked boxes. In multiple penalty notices, the regulator has found that pre-ticked boxes fail to meet the “unambiguous indication of wishes” requirement under GDPR Recital 32, rendering any marketing sent on that basis unlawful.

Consent mechanisms that PECR and UK GDPR do not accept:

Pre-ticked opt-in boxes

Opt-out boxes (where customers must actively untick to refuse consent)

“By providing your email address, you agree to receive our newsletter” statements embedded in checkout flows

Bundled consent, where marketing consent is part of accepting the terms of service

Silence or inactivity as consent

The ICO applies the same standard to indirect consent obtained by a third party: if your marketing list was purchased from a data broker or list provider, the original consent must be granular enough to cover your organisation specifically, either by name or by a clearly defined category the subscriber would have understood. Generic consent to “marketing from third parties” does not meet the standard.

What should a PECR-compliant email marketing sign-up form include?

A compliant sign-up form must use an unchecked opt-in box, clearly describe what the subscriber is agreeing to (including frequency and content type), identify the data controller, link to the privacy policy, and not bundle marketing consent with any other agreement. Separate checkboxes are required for different marketing purposes.

ICO guidance on consent for direct marketing specifies that sign-up forms should:

1. Use unchecked checkboxes. The subscriber must take an active step to opt in. Pre-ticked or auto-selected boxes are prohibited.

2. Use plain language. The consent request must clearly explain who will be contacting the person, how often, and for what type of content. Avoid legal jargon. “Tick here to receive our monthly newsletter covering GDPR updates and compliance tips from GDPRLocal” is better than “Tick here to receive marketing communications.”

3. Identify the data controller. The subscriber must know which organisation holds their data. If multiple organisations will use the data, each must be named.

4. Link to your privacy policy. The privacy policy should be accessible from the sign-up form, not buried after sign-up.

5. Use separate checkboxes for different purposes. If you want to email about product updates and separately about third-party offers, you need separate consents.

6. Never bundle consent with terms. A single “I agree to the Terms and Conditions and to receiving marketing” checkbox is invalid for marketing purposes. The ICO has penalised this approach in enforcement actions.

7. Implement double opt-in. Although not legally mandatory under PECR, the ICO recommends double opt-in as best practice. It provides stronger evidence of consent and keeps lists clean. Double opt-in involves sending a confirmation email requiring the subscriber to click a link before being added to the list.

How must organisations manage subscriber preferences and unsubscribes?

Organisations must provide a clear, functional unsubscribe mechanism in every marketing email, and must action opt-out requests promptly. Withdrawing consent must be as easy as giving it under UK GDPR Article 7(3). Continuing to send marketing emails after an unsubscribe request constitutes a PECR violation and is one of the most common causes of ICO complaints.

UK GDPR Article 7(3) establishes the right to withdraw consent at any time. PECR reinforces this by requiring every unsolicited marketing email to include a means by which the recipient can request that such communications cease.

Practical requirements:

Unsubscribe link: Every marketing email must include a clearly visible, functional unsubscribe link. The ICO has penalised organisations for obscuring unsubscribe links, using tiny font, or making the link difficult to find

Processing time: Best practice, and an expectation the ICO applies in complaint handling, is to process opt-outs within 10 working days. Systems should remove unsubscribed contacts from active marketing lists promptly

Suppression lists: Do not delete unsubscribed contacts entirely from your records. Maintain a suppression list of those who have opted out so they are not accidentally re-added and re-contacted

Preference management: Offering granular preferences (e.g., choosing content type or frequency) reduces overall opt-outs and improves engagement rates while demonstrating respect for subscriber choices

Re-permission campaigns: If you are uncertain whether existing consent meets the current legal standard, run a re-permission campaign. This involves contacting subscribers to actively reconfirm their consent. Those who do not respond should be removed from your marketing list

What records must organisations keep to demonstrate PECR compliance?

Organisations must maintain documented evidence of how and when each subscriber gave consent, including the date, method, and exact wording of the consent request presented at the time. This is not optional: the ICO expects organisations to produce consent records during investigations, and the inability to do so is itself treated as an indicator of non-compliance.

Under the UK GDPR accountability principle (Article 5(2)), data controllers must be able to demonstrate compliance. For email marketing, this means:

Timestamp of consent (date and time)

Method of consent collection (which form, which page)

The exact wording of the consent request shown to the subscriber at the time

IP address or other technical identifier, where feasible

Whether a double opt-in confirmation was completed

Online marketing platforms (such as Mailchimp, HubSpot, or Klaviyo) typically automatically retain consent timestamps and source information. However, organisations should verify this is being captured correctly and that records can be exported if required by the ICO.

Consent records should be retained for as long as you are actively marketing to the individual and for a reasonable period after (as evidence in the event of a complaint). The ICO does not specify a fixed retention period, but typical practice is to retain records for the duration of the subscriber relationship plus two to three years.
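The record-keeping list above, the double opt-in step described under sign-up forms, and the suppression-list requirement under preference management all come together in one piece of infrastructure: a consent ledger that a send pipeline consults before every message. The following is an added example written for this page, not code from GDPRLocal or from any marketing platform. It stores the evidence fields listed above (timestamp, source form, exact wording shown, IP where feasible, double opt-in status), mints and verifies the confirmation-link token with an HMAC, keeps opted-out addresses on a suppression list that is never deleted, and gates sends so that an unconfirmed sign-up, a purpose the subscriber never consented to, or an address that has opted out is refused. The token format, the 48-hour link expiry, the secret and all subscriber data are constructed assumptions.

```python
"""Consent ledger with double opt-in tokens and a suppression list (added example)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

TOKEN_TTL = timedelta(hours=48)   # assumption: confirmation links expire after 48 hours


def issue_confirmation_token(email: str, secret: bytes, now: datetime) -> str:
    """Double opt-in link token: '<expiry unix time>.<HMAC-SHA256(email|expiry)>'."""
    expires = int((now + TOKEN_TTL).timestamp())
    mac = hmac.new(secret, f"{email.lower()}|{expires}".encode(), hashlib.sha256).hexdigest()
    return f"{expires}.{mac}"


def verify_confirmation_token(email: str, token: str, secret: bytes, now: datetime) -> bool:
    """True only if the token was minted for this address and has not expired.
    compare_digest keeps the MAC comparison constant-time."""
    try:
        expires_s, mac = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False
    if now.timestamp() > expires:
        return False
    expected = hmac.new(secret, f"{email.lower()}|{expires}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


@dataclass
class ConsentRecord:
    email: str
    captured_at: datetime            # when the subscriber ticked the unchecked box
    source: str                      # which form / page
    wording: str                     # exact text shown beside the checkbox
    purposes: tuple                  # one consent per purpose, e.g. ("newsletter",)
    basis: str = "consent"           # or "soft_opt_in"
    ip_address: Optional[str] = None
    confirmed_at: Optional[datetime] = None   # double opt-in completion


@dataclass
class ConsentLedger:
    secret: bytes
    records: dict = field(default_factory=dict)     # email -> ConsentRecord
    suppressed: dict = field(default_factory=dict)  # email -> opt-out time, never deleted

    def record_signup(self, rec: ConsentRecord) -> str:
        """Store the opt-in evidence and return the token for the confirmation email."""
        self.records[rec.email.lower()] = rec
        return issue_confirmation_token(rec.email, self.secret, rec.captured_at)

    def confirm(self, email: str, token: str, now: datetime) -> bool:
        rec = self.records.get(email.lower())
        if rec is None or not verify_confirmation_token(email, token, self.secret, now):
            return False
        rec.confirmed_at = now
        return True

    def unsubscribe(self, email: str, now: datetime) -> None:
        """Opt-out goes on the suppression list; the consent record stays as evidence."""
        self.suppressed[email.lower()] = now

    def can_send(self, email: str, purpose: str) -> tuple:
        """Gate every marketing send. Returns (allowed, reason)."""
        key = email.lower()
        rec = self.records.get(key)
        if rec is None:
            return False, "no consent record"
        if rec.basis == "consent" and rec.confirmed_at is None:
            return False, "double opt-in not completed"
        if purpose not in rec.purposes:
            return False, f"no consent for purpose '{purpose}'"
        opted_out = self.suppressed.get(key)
        # A fresh, confirmed opt-in dated after the opt-out overrides it; an older one does not.
        if opted_out is not None and (rec.confirmed_at or rec.captured_at) <= opted_out:
            return False, "suppressed: opted out"
        return True, "ok"

    def evidence(self, email: str) -> dict:
        """The per-subscriber record you would hand to the ICO."""
        rec = self.records[email.lower()]
        out = self.suppressed.get(email.lower())
        return {"email": rec.email, "basis": rec.basis, "source": rec.source, "wording": rec.wording,
                "purposes": list(rec.purposes), "captured_at": rec.captured_at.isoformat(),
                "ip_address": rec.ip_address,
                "confirmed_at": rec.confirmed_at.isoformat() if rec.confirmed_at else None,
                "opted_out_at": out.isoformat() if out else None}


def walkthrough() -> list:
    """Constructed scenario: sign up, expired and forged tokens, confirm, opt out, re-consent."""
    t0 = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger(secret=b"assumed-server-side-secret")
    wording = "Tick here to receive our monthly newsletter covering GDPR updates and compliance tips"
    rec = ConsentRecord("Sam@Example.com", t0, "/newsletter-signup", wording, ("newsletter",), ip_address="203.0.113.5")
    token = ledger.record_signup(rec)
    forged = token[:-1] + ("0" if token[-1] != "0" else "f")
    steps = [ledger.can_send("sam@example.com", "newsletter")]                        # blocked: unconfirmed
    steps.append(ledger.confirm("sam@example.com", token, t0 + timedelta(days=3)))    # False: link expired
    steps.append(ledger.confirm("sam@example.com", forged, t0))                       # False: bad MAC
    steps.append(ledger.confirm("sam@example.com", token, t0 + timedelta(hours=1)))   # True
    steps.append(ledger.can_send("sam@example.com", "newsletter"))                    # allowed
    steps.append(ledger.can_send("sam@example.com", "partner_offers"))                # blocked: no such consent
    ledger.unsubscribe("sam@example.com", t0 + timedelta(days=10))
    steps.append(ledger.can_send("sam@example.com", "newsletter"))                    # blocked: suppressed
    rec2 = ConsentRecord("sam@example.com", t0 + timedelta(days=30), "/newsletter-signup", wording, ("newsletter",))
    tok2 = ledger.record_signup(rec2)
    steps.append(ledger.can_send("sam@example.com", "newsletter"))                    # blocked: new opt-in unconfirmed
    ledger.confirm("sam@example.com", tok2, t0 + timedelta(days=30, hours=1))
    steps.append(ledger.can_send("sam@example.com", "newsletter"))                    # allowed again
    return steps
```

Two design points matter here. The suppression entry is kept forever and the consent record is kept alongside it, so a complaint can be answered with both the original opt-in evidence and the opt-out time; a later explicit, double-opt-in-confirmed sign-up is the only thing that lifts the suppression. The confirmation token is an HMAC over the address and an expiry rather than a random database row, so a guessed or altered link cannot confirm consent for someone else, and the check uses a constant-time comparison.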

What are the penalties for PECR non-compliance?

The ICO can issue fines of up to £500,000 under PECR for serious contraventions. Where the same conduct also breaches UK GDPR, the ICO can issue GDPR fines of up to £17.5 million or 4% of annual global turnover, whichever is higher. Non-financial consequences include enforcement notices requiring cessation of marketing and reputational damage from public ICO investigations.

Unlike GDPR, PECR currently operates under a separate enforcement regime. The maximum fine under PECR is £500,000, which the ICO may issue where a contravention is serious and was either deliberate, or the sender knew or ought to have known there was a risk of contravention and failed to take reasonable steps to prevent it. The Data (Use and Access) Act 2025 provides for aligning PECR penalties with the UK GDPR maximums, so the ceiling for PECR breaches will rise substantially once those provisions are in force; check the commencement status and the ICO’s current guidance.

Notable ICO PECR enforcement (as of 2025):

Multiple fines in the range of £50,000-£150,000 for organisations sending marketing emails without valid consent

Enforcement notices requiring immediate cessation of marketing activities

Monetary penalty notices made public on the ICO’s register, damaging brand reputation

In addition to regulatory fines, individuals may bring compensation claims under UK GDPR Article 82 for both material damage and non-material distress caused by unlawful marketing.

Frequently Asked Questions

Can I market to business email addresses without consent? 

The PECR consent rule in Regulation 22 protects individual subscribers, which includes consumers, sole traders and unincorporated partnerships. It does not apply to corporate subscribers (limited companies, LLPs and public bodies), so the legal test is the type of subscriber, not whether the address is a generic role mailbox (such as an info@ or sales@ address) or a named person’s mailbox at the company domain. Three obligations still apply when emailing employees of a corporate subscriber: Regulation 23 requires you to identify yourself and provide a valid opt-out address; a named employee’s work email is personal data, so you need a UK GDPR lawful basis (usually legitimate interests, recorded in a balancing test); and you must honour any objection or opt-out. Emails to a sole trader or partnership at a business address need the same consent as any consumer email.

Does PECR apply to transactional emails? 

No. Service and transactional emails (order confirmations, account notifications, password resets) are not marketing communications and are not subject to PECR consent requirements. However, if a transactional email contains promotional content, that content may trigger PECR obligations.

Can I buy a marketing list and email people on it? 

Only if the consent recorded by the list vendor is sufficiently specific to cover your organisation and your type of marketing. The ICO has found that generic “third-party marketing” consent is not sufficient. You must review the consent wording before use. If in doubt, do not use purchased lists.

How long does consent last? 

PECR does not specify a fixed consent duration. The ICO recommends refreshing consent after around two years of inactivity. If a subscriber has not engaged (opened or clicked) in a significant period, it is good practice to run a re-engagement or re-permission campaign.

What counts as “existing customers” for the soft opt-in? 

Someone whose contact details you obtained in the course of a sale, or of negotiations for a sale, of your product or service (Regulation 22(3)(a)). A completed purchase clearly qualifies; so does a prospect who actively expressed interest in buying, for example by requesting a quote, because that is a negotiation for a sale. A general enquiry with no expressed interest in purchasing, or a website visit, does not. There is no fixed statutory period for how recent the relationship must be, but the older it is, the weaker the argument that the customer would expect to hear from you.

Must every email include an unsubscribe link? 

Yes. Every unsolicited marketing email must include a means of opting out. There is no exception for small businesses, infrequent senders, or B2B emails sent to named individuals.

What if someone contacts me to unsubscribe but ends up staying on the list by mistake? 

Continuing to send marketing after a clear unsubscribe request is a PECR violation. If this occurs, act immediately, document the error, remove the individual, and review the system failure. The ICO considers organisations’ response to errors when determining whether to take enforcement action.

Do the same rules apply to SMS marketing? 

Yes. PECR applies to SMS marketing in the same way as it does to email marketing. The same consent requirements, soft opt-in rules, and opt-out obligations apply.

Does GDPR consent need to be obtained separately from PECR consent? 

PECR consent and GDPR consent are often the same consent event, but they serve different legal purposes. The consent you obtain for marketing under PECR simultaneously satisfies UK GDPR’s requirement for a lawful basis for processing the personal data used for that marketing. You do not need two separate consent checkboxes, but the consent language must cover both the act of sending marketing (PECR) and the processing of personal data to do so (GDPR).

What is a legitimate interests assessment, and can it replace consent for email marketing? 

Legitimate interests under UK GDPR Article 6(1)(f) cannot be used as the lawful basis for unsolicited marketing emails to individual subscribers under PECR. PECR requires consent (or soft opt-in reliance). Legitimate interests can be the UK GDPR lawful basis for processing a named employee’s details when marketing to a corporate subscriber, where Regulation 22 does not apply, and may be relevant for processing that supports your marketing infrastructure, such as suppression lists and consent records. Always seek specialist advice if you are considering relying on legitimate interests for any aspect of your email programme.

For tailored advice on your email marketing compliance, contact our team or sign up for free to get started.

About the Author

Ana Mishova

Sales and Business Development Consultant — GDPRLocal

Ana focuses on helping organisations understand their compliance obligations and find the right data protection solutions. At GDPRLocal she works closely with businesses of all sizes, making GDPR and privacy compliance clear, practical, and accessible.