How to Email Businesses Legally: B2B Marketing, Opt-Outs, and the Corporate Subscriber Rule

"You don't need consent to email businesses." It is the line every B2B marketer has heard, and it is true — up to a point. The point is narrower, and the practical obligations broader, than most people assume. This guide covers exactly when the corporate subscriber exemption applies, what you still have to do, and the trap that turns a "compliant" B2B campaign into an individual-subscriber breach.

The corporate subscriber exemption: what it actually is

PECR splits the people you might email into two categories, and the rules differ sharply between them.

• Individual subscribers — consumers, sole traders, and (in most cases) partnerships. Regulation 22 applies in full: you need consent or a valid soft opt-in to send them marketing emails.
• Corporate subscribers — limited companies, LLPs, Scottish partnerships, and public bodies. The ICO's B2B marketing guidance confirms that the Regulation 22 consent rule does not apply to electronic marketing sent to a corporate body. You can email a limited company at a generic address like info@company.co.uk without PECR consent.

That is the exemption. It is genuinely useful — it is why B2B prospecting by email is lawful in a way that consumer prospecting is not. But it comes with conditions and one significant caveat.

What you still have to do — even for corporate subscribers

The exemption removes the consent requirement. It does not remove everything else.

You must identify yourself. PECR Regulation 23 prohibits sending marketing email that disguises or conceals the sender's identity, or that lacks a valid address to which the recipient can send an opt-out request. This applies to corporate subscribers too. Every B2B marketing email needs a clear sender identity and a working opt-out route.

You should honour opt-outs. Here the position is subtle. PECR does not technically compel you to suppress a corporate subscriber who asks to stop receiving electronic mail — but it requires you to provide a valid opt-out address, which signals the clear intention that corporate subscribers can unsubscribe. The ICO's guidance is that you should comply with a corporate subscriber's opt-out and keep a "do not email" suppression list. Ignoring opt-outs is both bad practice and a fast way to attract complaints that trigger an ICO look.

UK GDPR still applies. A business email address that identifies a person — john.smith@company.co.uk — is personal data. You still need a UK GDPR lawful basis to process it (legitimate interest is the usual one for B2B), and the individual still has data protection rights, including the right to object to direct marketing.

The trap: named individuals at corporate addresses

This is where "we only email businesses, so we're fine" falls apart.

The corporate subscriber exemption applies to the corporate body. But an email to a named individual at that body — john.smith@company.co.uk rather than sales@company.co.uk — may mean you are contacting an individual subscriber, because the ICO's position is that the individual, not the company, can be the subscriber.

The ICO's own worked example: a recruitment company emails a named HR director; the HR director asks them to stop; the recruitment company must suppress that address and add it to its do-not-contact list. The named individual exercised a right that, in the consumer world, is grounded in Regulation 22 and the GDPR right to object.

The practical consequence: role-based addresses (info@, sales@, accounts@) are lower risk; named-individual addresses at companies should be treated with the same caution as any individual subscriber. If your B2B list is mostly named individuals, you are closer to the individual-subscriber rules than the exemption suggests.

For the full scope of what counts as direct marketing in the first place, see our PECR direct marketing guide, and for the underlying exemption detail, the PECR B2B email marketing guide.

A practical B2B email compliance routine

1. Segment by subscriber type. Separate corporate bodies from sole traders and partnerships (which are individual subscribers and need consent or soft opt-in). Separate role-based addresses from named individuals.
2. Document your GDPR basis. For B2B, this is usually legitimate interest — complete a Legitimate Interests Assessment and keep it. The DUAA 2025 named direct marketing as an example of a legitimate interest, but the balancing test still applies; see our legitimate interest guide.
3. Identify yourself and provide an opt-out in every email. Required under Regulation 23 even for corporate subscribers.
4. Maintain a suppression list. Honour every opt-out and objection — corporate or individual — and never re-contact a suppressed address.
5. Treat named individuals carefully. If you market heavily to named contacts at companies, apply individual-subscriber caution: be ready to justify your basis and stop on request.
6. Remember sole traders and partnerships are not corporate subscribers. Emailing a sole trader is emailing an individual subscriber — consent or soft opt-in applies.

The bottom line

The corporate subscriber exemption is real and worth using, but "you don't need consent to email businesses" oversimplifies it into a risk. You still must identify yourself, provide and honour opt-outs, hold a GDPR lawful basis, and — most importantly — recognise that emailing named individuals at companies can pull you back under the individual-subscriber rules. Get the segmentation right and B2B email is a genuinely lighter-touch channel. Get it wrong and you are running consumer-grade risk while believing you are exempt.

Not sure whether a particular message even counts as direct marketing, or which rules apply to a given contact? Run the Direct Marketing Scope Checker, and use the PECR compliance checker for a quick read on your overall position.

This article is for informational purposes only and does not constitute legal advice. For guidance specific to your business, consult a qualified legal professional. Legislative references verified against legislation.gov.uk and ICO guidance as at June 2026.