8 April 2026 · Last reviewed 23 February 2026

GDPR vs PECR for Direct Marketing: Two Laws, Different Rules, One Email

Every marketing email you send from a UK business triggers two laws simultaneously. UK GDPR governs the personal data you hold. PECR governs the electronic message you send. Both apply. Neither exempts you from the other.

Most businesses treat "data protection compliance" as a single checkbox. In practice, GDPR and PECR set different standards for different things, and the gap between them is where enforcement most commonly bites.

Where GDPR and PECR align

Both require you to have a basis for what you're doing. Under GDPR, you need a lawful basis for processing personal data (consent, legitimate interest, contractual necessity, etc.). Under PECR, you need either consent or valid soft opt-in to send marketing emails.

Both require records. GDPR Article 30 requires records of processing activities. PECR requires you to demonstrate consent for each recipient. An organisation that maintains proper consent records typically satisfies both.

Both are enforced by the ICO. The Information Commissioner's Office handles complaints and investigations for both laws. A single investigation can — and often does — examine compliance with both regimes simultaneously.

Both apply to personal data. PECR regulates communications to individuals (and, for some channels, corporate subscribers). GDPR applies whenever personal data is processed. Since email addresses of named individuals are personal data, every marketing email involves both laws.

Where they diverge

Lawful basis options

This is the most consequential difference and the one that catches businesses off guard.

Under GDPR, you can choose from six lawful bases for processing personal data. For direct marketing, the two most relevant are:

  • Consent — the person actively agreed
  • Legitimate interest — you have a business reason, and the person's rights don't override it

Many businesses use legitimate interest as their GDPR lawful basis for email marketing. The ICO's legitimate interests guidance permits this, provided you complete a proper assessment.

Under PECR, for unsolicited marketing emails to individuals, you have only two options:

  • Consent under Regulation 22 — the person specifically notified you that they consent to receiving marketing
  • Soft opt-in under Regulation 22(3) — four conditions must all be met

Legitimate interest is not a standalone basis for sending marketing emails under PECR. This is the trap. A business that documents legitimate interest under GDPR and assumes it covers email marketing has a GDPR-compliant data processing operation and a PECR-non-compliant email programme.

The ICO has been explicit on this point. Their direct marketing guidance states that PECR's consent requirements apply in addition to — not instead of — GDPR's lawful basis requirements.

What "consent" means

Both laws require consent to be freely given, specific, informed, and unambiguous. But the practical requirements differ.

GDPR consent focuses on the data processing: did the person agree to you holding and using their personal data for marketing purposes?

PECR consent focuses on the communication: did the person specifically agree to receive marketing messages from your organisation, via the channels you intend to use, about the categories of content you intend to send?

A signup form that says "I agree to receive emails" might satisfy GDPR consent for data processing. Under PECR, the ICO looks for specificity about who is sending the marketing and what kind of marketing it covers. "I agree to receive emails" without identifying the sender or describing the marketing could fall short.

Scope of application

GDPR applies to all personal data processing — not just marketing. It covers your entire customer database, employee records, supplier data, and more.

PECR applies specifically to electronic communications: email, SMS, automated calls, fax, and cookies. It does not regulate postal marketing (that falls under GDPR alone) or your broader data processing practices.

This means postal direct marketing has different rules. You can send direct mail using GDPR legitimate interest without needing PECR consent — because PECR does not apply to postal communications.

Penalty regimes

GDPR fines can reach £17.5 million or 4% of global annual turnover (whichever is higher).

PECR fines were historically capped at £500,000 — but the Data (Use and Access) Act 2025 increased the maximum to £17.5 million or 4% of turnover, the same as GDPR.

The ICO has issued 49 PECR fines since March 2022 totalling £4.63 million. With the cap now aligned with GDPR levels, PECR enforcement carries significantly more weight.

Practical scenarios

Scenario 1: Customer purchased a product, you want to email them about similar products.

  • GDPR: Legitimate interest likely sufficient (document the assessment)
  • PECR: Soft opt-in applies — but only if you offered an opt-out at collection and the marketing is for similar products

Scenario 2: Someone downloaded your free guide and gave their email.

  • GDPR: Consent for data processing (assuming you asked for it)
  • PECR: You need explicit consent. Soft opt-in does NOT apply — there was no sale. A free download is not "negotiations for a sale".

Scenario 3: You bought an email list from a data broker.

  • GDPR: You need a lawful basis (consent or legitimate interest) for processing the data
  • PECR: You need evidence that each person consented to receive marketing from your organisation specifically. A vague "consent to third-party marketing" from the broker is not sufficient. See third-party data and PECR.

Scenario 4: You send a monthly newsletter mixing industry news and product promotions.

  • GDPR: Lawful basis for processing (consent or legitimate interest)
  • PECR: The promotional content makes this a marketing communication. You need PECR consent or valid soft opt-in

How to satisfy both laws simultaneously

Step 1: Map your email types. List every email you send (campaigns, automations, newsletters, transactional). For each, identify whether it contains marketing content. If it does, both GDPR and PECR apply.

Step 2: Document your GDPR lawful basis. For contacts whose data you hold for marketing, record whether you rely on consent or legitimate interest. If legitimate interest, complete and document the assessment.

Step 3: Confirm your PECR consent separately. For each contact who receives marketing emails, verify you have either (a) PECR consent — evidenced by the wording they agreed to, identifying your organisation and describing the marketing — or (b) valid soft opt-in meeting all four conditions.

Step 4: Keep the records separate and specific. A generic "consented to marketing" flag in your ESP does not tell you whether PECR consent was obtained, what wording was shown, or whether soft opt-in conditions were documented. The PECR compliance checklist covers the specific records the ICO expects.

Step 5: Audit quarterly. Both laws create ongoing obligations. Forms change, new contacts arrive through different channels, and team members add contacts manually. The PECR compliance checker gives you a quick self-assessment, and the consent wording checker evaluates whether your current form language meets both standards.
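As an added example that is not part of the original article, the following Python models the separate GDPR and PECR records that Steps 2 to 4 call for, and applies the rules the article states to the four scenarios above: legitimate interest can satisfy GDPR but is never a PECR basis, soft opt-in needs every condition met, consent wording must identify the sender and the marketing, and postal mail is GDPR-only. The class and field names, the failure messages and the sample contacts are my own constructions; the fourth soft opt-in condition (an opt-out in every message) comes from Regulation 22(3)(c) of PECR rather than from this page.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Channel(Enum):
    EMAIL = "email"
    SMS = "sms"
    POST = "post"  # postal mail: GDPR applies, PECR does not


class GdprBasis(Enum):
    CONSENT = "consent"
    LEGITIMATE_INTEREST = "legitimate_interest"


@dataclass
class PecrConsent:
    """Regulation 22 consent, kept as the evidence the ICO asks for."""
    wording: str               # exact text the person agreed to
    sender_identified: bool    # wording names your organisation
    marketing_described: bool  # wording says what kind of marketing
    channels: frozenset        # channels the wording covered


@dataclass
class SoftOptIn:
    """Regulation 22(3): all four must hold (field order matters for reporting)."""
    obtained_in_sale_or_negotiation: bool
    similar_products_only: bool
    opt_out_offered_at_collection: bool
    opt_out_in_every_message: bool  # Reg 22(3)(c); condition not listed on the page


@dataclass
class ContactRecord:
    email: str
    gdpr_basis: Optional[GdprBasis] = None
    lia_documented: bool = False  # legitimate interests assessment on file
    pecr_consent: Optional[PecrConsent] = None
    soft_opt_in: Optional[SoftOptIn] = None


def gdpr_failures(rec: ContactRecord) -> List[str]:
    """Step 2: a lawful basis must be recorded; LI needs a documented assessment."""
    if rec.gdpr_basis is None:
        return ["GDPR: no lawful basis recorded"]
    if rec.gdpr_basis is GdprBasis.LEGITIMATE_INTEREST and not rec.lia_documented:
        return ["GDPR: legitimate interest claimed but no assessment documented"]
    return []


def pecr_failures(rec: ContactRecord, channel: Channel, is_marketing: bool) -> List[str]:
    """Step 3: PECR consent or full soft opt-in, checked independently of GDPR."""
    if not is_marketing or channel is Channel.POST:
        return []  # PECR only governs electronic marketing messages
    c = rec.pecr_consent
    if c is not None and c.sender_identified and c.marketing_described and channel in c.channels:
        return []
    s = rec.soft_opt_in
    if s is not None:
        unmet = [name for name, held in vars(s).items() if not held]
        if not unmet:
            return []
        return ["PECR: soft opt-in condition not met: " + ", ".join(unmet)]
    if c is not None:
        return ["PECR: consent wording too vague (sender, marketing or channel not specific)"]
    return ["PECR: no consent and no soft opt-in; legitimate interest is not a PECR basis"]


def can_send(rec: ContactRecord, channel: Channel, is_marketing: bool = True) -> Tuple[bool, List[str]]:
    """Both regimes must pass; every failure is reported so records can be fixed."""
    failures = gdpr_failures(rec) + pecr_failures(rec, channel, is_marketing)
    return (not failures, failures)


# Constructed sample contacts mirroring the article's four scenarios.
EMAIL_ONLY = frozenset({Channel.EMAIL})
SCENARIO_1 = ContactRecord("buyer@example.com", GdprBasis.LEGITIMATE_INTEREST, lia_documented=True,
                           soft_opt_in=SoftOptIn(True, True, True, True))
SCENARIO_2 = ContactRecord("reader@example.com", GdprBasis.CONSENT,
                           soft_opt_in=SoftOptIn(False, True, True, True))  # free guide, no sale
SCENARIO_3 = ContactRecord("bought@example.com", GdprBasis.LEGITIMATE_INTEREST, lia_documented=True,
                           pecr_consent=PecrConsent("I consent to marketing from selected third parties",
                                                    False, True, EMAIL_ONLY))
SCENARIO_4 = ContactRecord("subscriber@example.com", GdprBasis.CONSENT,
                           pecr_consent=PecrConsent("Send me Example Ltd's monthly newsletter and product offers by email",
                                                    True, True, EMAIL_ONLY))

if __name__ == "__main__":
    for rec in (SCENARIO_1, SCENARIO_2, SCENARIO_3, SCENARIO_4):
        print(rec.email, can_send(rec, Channel.EMAIL))
    print("postal, scenario 3:", can_send(SCENARIO_3, Channel.POST))
```

The two checks are deliberately separate functions: a record can pass `gdpr_failures` on legitimate interest and still fail `pecr_failures`, which is exactly the gap the article describes, and the returned messages name the missing record (the vague wording or the unmet soft opt-in condition) so a quarterly audit under Step 5 has something concrete to correct.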

Two laws. One email. Both apply. The businesses that treat them as separate compliance workstreams — documenting GDPR lawful basis and PECR consent independently — are the ones that pass an ICO investigation. The ones that assume "we're GDPR compliant, we're covered" are the ones that generate enforcement notices.