22 June 2026 · Last reviewed 4 June 2026
GDPR and Email Marketing in the UK: The Rules That Actually Apply in 2026
If you search "GDPR email marketing," you will find a lot of advice written for the EU, a lot written before Brexit, and a lot that quietly ignores the second law that governs every marketing email sent in the UK. This guide is UK-specific, current to 2026, and starts from the most important fact most articles bury: GDPR is only half the law you need to comply with.
The two-law reality
Every marketing email you send from a UK business is governed by two pieces of legislation at once:
- UK GDPR (given effect through the Data Protection Act 2018) governs the personal data — your lawful basis for holding email addresses, the rights of the people on your list, and your record-keeping obligations.
- PECR (the Privacy and Electronic Communications Regulations 2003) governs the act of sending the electronic message — when you are allowed to put a marketing email in someone's inbox at all.
Most "GDPR email marketing" guides only cover the first one. But the law that the ICO most often fines businesses under for email marketing is PECR, not GDPR. You can have flawless GDPR paperwork and still break the law on every send. Our UK email marketing laws guide covers both layers in full; this article focuses on what each requires of you in practice.
What UK GDPR requires for email marketing
GDPR governs whether you may lawfully process the personal data involved in marketing — primarily the email address and any profile attached to it.
You need a lawful basis
Under Article 6 of the UK GDPR, holding and using personal data for marketing requires one of six lawful bases. For email marketing, two are realistic:
- Consent (Article 6(1)(a)) — the person actively agreed to you using their data for marketing.
- Legitimate interest (Article 6(1)(f)) — you have a genuine business interest that is not overridden by the person's rights, documented in a Legitimate Interests Assessment. The Data (Use and Access) Act 2025 explicitly named direct marketing as an example of a legitimate interest, but the balancing test still applies — see our guide to legitimate interest for email marketing.
GDPR consent has a specific standard
Where you rely on consent, Article 4(11) defines it as "any freely given, specific, informed and unambiguous indication" of the person's wishes, given by "a statement or by a clear affirmative action." Article 7 adds that you must be able to demonstrate consent was given, and that withdrawing consent must be as easy as giving it. In plain terms:
- Freely given — no making marketing a condition of service.
- Specific — they agreed to this marketing, not a bundle.
- Informed — they knew who you are and what they would receive.
- Unambiguous — an unticked box they actively ticked, not a pre-ticked one or silence.
Recital 32 of the UK GDPR reinforces that "silence, pre-ticked boxes or inactivity should not … constitute consent."
GDPR gives people rights over their data
Your subscribers can request access to their data, ask for it to be deleted, and — importantly for marketing — object to direct marketing at any time. Under Article 21(2), the right to object to direct marketing is absolute: once exercised, you must stop, with no balancing test.
What PECR requires for email marketing
PECR is the law that decides whether you can send the message in the first place. Regulation 22 prohibits sending unsolicited marketing emails to individual subscribers unless one of two conditions is met:
- Prior consent — the recipient has specifically notified you that they consent to receiving marketing from your organisation. PECR borrows the GDPR consent standard, so it must be freely given, specific, informed, and unambiguous.
- The soft opt-in — if you collected the email during a sale or negotiation, you can market your own similar products without separate consent, provided you offered an opt-out at collection and include one in every message. All four conditions must be met — see the soft opt-in guide.
Crucially, legitimate interest is not a PECR option for emailing individuals. This is the gap that catches businesses out: they document GDPR legitimate interest and assume they are covered, when PECR still demands consent or soft opt-in for individual subscribers.
Where the two laws meet — and where the DUAA 2025 changed things
The cleanest way to think about it: GDPR asks "may we hold and use this data?" and PECR asks "may we send this message?" You need a "yes" to both for every marketing email.
The Data (Use and Access) Act 2025, with its main provisions in force from 5 February 2026, made several changes relevant here:
- PECR fines rose from a £500,000 cap to £17.5 million or 4% of global turnover, aligning PECR penalties with UK GDPR. This is the change that matters most for risk — the DUAA PECR changes guide covers it in full.
- Direct marketing was named in statute as an example of a legitimate interest under GDPR — but, as above, the balancing test and the PECR requirements still apply.
- A new charity soft opt-in was added for charitable communications.
- The DUAA also reformed the cookie rules (a separate topic from email), exempting certain analytics and functional cookies from consent — covered in the DUAA guide.
A compliance checklist for UK email marketing in 2026
Work through both layers for every marketing email:
- Confirm your GDPR lawful basis. Consent or legitimate interest. If legitimate interest, complete and keep the LIA.
- Confirm your PECR basis separately. Consent or soft opt-in for individuals; the corporate subscriber exemption for companies. This is the step most "GDPR compliance" projects skip.
- Get consent wording right. It must identify you, describe the marketing, and be collected by a clear affirmative action. The Consent Wording Checker tests yours against the standard, and consent wording examples that pass and fail PECR shows worked cases.
- Keep demonstrable records. Article 7(1) requires you to show consent was given — the wording, the date, the mechanism, per contact. A subscription flag in your ESP is not enough; see PECR consent records: what to keep and how long.
- Make opt-out and objection easy. An unsubscribe link in every email, processed promptly, plus a route to honour broader data-deletion and objection requests.
- Audit periodically. Forms change, lists migrate, contacts get added manually. The PECR compliance checklist covers the full ongoing set.
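To make the two-layer rule concrete, here is a per-contact send gate written as an added example for this article (not code from any ESP or from the article's own tooling). It models the checklist above as data: a consent record carrying the wording, date and mechanism that Article 7(1) demands, the four soft opt-in conditions, and an objection flag that short-circuits everything because the Article 21(2) right is absolute. The field names, the sample contacts and the treatment of corporate subscribers (still run through the GDPR gate, on the conservative assumption that the address identifies a person) are assumptions of this example, not rules stated in the article.

```python
"""Added example: a per-contact gate that answers the article's two questions,
"may we hold this data?" (UK GDPR) and "may we send this message?" (PECR),
and refuses to send unless both are a demonstrable yes. Field names and sample
data are constructed for illustration, not taken from any real system."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass
class ConsentRecord:
    """The evidence Article 7(1) expects you to be able to produce per contact."""
    wording: str            # the exact text the person saw when they opted in
    captured_at: datetime   # when the affirmative action happened
    mechanism: str          # e.g. "unticked checkbox on checkout page" (assumed label)
    affirmative: bool       # True only for an active opt-in; never pre-ticked or silence


@dataclass
class SoftOptIn:
    """Three of the four soft opt-in conditions travel with the contact;
    the fourth (an opt-out in every message) is checked at send time."""
    collected_during_sale: bool
    own_similar_products: bool
    opt_out_offered_at_collection: bool


@dataclass
class Contact:
    email: str
    is_corporate: bool = False               # corporate subscriber exemption (PECR only)
    gdpr_basis: Optional[str] = None         # "consent" or "legitimate_interest"
    lia_on_file: bool = False                # Legitimate Interests Assessment kept
    consent: Optional[ConsentRecord] = None
    soft_opt_in: Optional[SoftOptIn] = None
    objected: bool = False                   # Article 21(2) objection exercised
    unsubscribed: bool = False


def valid_consent(c: Contact) -> bool:
    """Consent counts only if it was an affirmative act and the wording is on record."""
    return c.consent is not None and c.consent.affirmative and bool(c.consent.wording.strip())


def gdpr_basis_ok(c: Contact) -> bool:
    """Gate 1: a documented lawful basis to hold and use the address."""
    if c.gdpr_basis == "consent":
        return valid_consent(c)
    if c.gdpr_basis == "legitimate_interest":
        return c.lia_on_file  # the DUAA names direct marketing, but the LIA is still required
    return False


def pecr_basis_ok(c: Contact, message_has_opt_out: bool) -> bool:
    """Gate 2: consent or soft opt-in for individuals; legitimate interest is NOT an option here."""
    if c.is_corporate:
        return True
    if valid_consent(c):
        return True
    s = c.soft_opt_in
    if s is not None:
        return (s.collected_during_sale and s.own_similar_products
                and s.opt_out_offered_at_collection and message_has_opt_out)
    return False


def may_send(c: Contact, message_has_opt_out: bool = True) -> Tuple[bool, List[str]]:
    """Returns (allowed, reasons). An objection or unsubscribe wins outright: no balancing test."""
    if c.objected or c.unsubscribed:
        return False, ["Article 21(2) objection/unsubscribe on record: stop, no balancing test"]
    reasons = []
    if not gdpr_basis_ok(c):
        reasons.append("no demonstrable UK GDPR lawful basis (consent record or LIA)")
    if not pecr_basis_ok(c, message_has_opt_out):
        reasons.append("no PECR basis: individual subscriber without consent or complete soft opt-in")
    return (not reasons), reasons


# Constructed sample contacts covering the cases the article warns about.
_T = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_CONTACTS = {
    # Proper opt-in: both gates pass.
    "consented": Contact("a@example.com", gdpr_basis="consent",
                         consent=ConsentRecord("Yes, email me offers from Example Ltd", _T,
                                               "unticked checkbox on signup form", True)),
    # The classic trap: flawless GDPR paperwork (LIA) but nothing that satisfies PECR.
    "li_only": Contact("b@example.com", gdpr_basis="legitimate_interest", lia_on_file=True),
    # LIA for GDPR plus a complete soft opt-in for PECR: allowed while every message carries an opt-out.
    "soft_opt_in": Contact("c@example.com", gdpr_basis="legitimate_interest", lia_on_file=True,
                           soft_opt_in=SoftOptIn(True, True, True)),
    # Pre-ticked box: fails the consent standard under both laws.
    "pre_ticked": Contact("d@example.com", gdpr_basis="consent",
                          consent=ConsentRecord("Send me marketing", _T, "pre-ticked checkbox", False)),
    # Valid consent, later objected: absolute stop.
    "objector": Contact("e@example.com", gdpr_basis="consent", objected=True,
                        consent=ConsentRecord("Yes, email me offers", _T, "unticked checkbox", True)),
}

if __name__ == "__main__":
    for name, contact in SAMPLE_CONTACTS.items():
        allowed, why = may_send(contact)
        print(f"{name:12s} {'SEND' if allowed else 'BLOCK'} {'; '.join(why)}")
```

The point of the structure is that the two gates are evaluated independently and both reasons are reported, so an audit output shows exactly which layer a contact fails on rather than a single "non-compliant" flag. Note that `li_only` fails only the PECR gate, which is the failure the article describes as the one most businesses never notice.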
The bottom line
"GDPR email marketing" is a half-question. The full question for any UK business is: do I have a GDPR lawful basis to hold this data, and a PECR basis to send this message? Both must be answered, for every contact, with records you could produce if the ICO asked. The businesses that treat GDPR and PECR as one undifferentiated "data protection" task are exactly the ones that find out — during an investigation — that the half they ignored is the half that bites.
Run the PECR compliance checker for a five-minute read on where your two-layer compliance stands today.
This article is for informational purposes only and does not constitute legal advice. For guidance specific to your business, consult a qualified legal professional. Legislative references verified against legislation.gov.uk and ICO guidance as at June 2026.