13 July 2026 · Last reviewed 13 July 2026

ICO Guidance on Direct Marketing: What Email Marketers Need to Know

The ICO is the regulator that enforces PECR and the UK GDPR. When it comes to direct marketing — including email, SMS, and phone calls — it publishes formal guidance that explains what the law requires and how the ICO will assess compliance.

This article works through the key sections of that guidance as they apply to email marketing, what has changed following the Data (Use and Access) Act 2025, and which parts of the guidance matter most in practice.

What guidance does the ICO publish on direct marketing?

The ICO has two main publications relevant to email marketers:

Guidance on direct marketing using electronic mail — the detailed guidance on PECR Regulation 22, covering what counts as direct marketing under PECR, the consent requirement, the soft opt-in exemptions, and the corporate subscriber distinction. This is the primary reference for anyone running email marketing in the UK.

Direct marketing guidance — broader guidance covering all channels (email, SMS, post, calls), the interaction between PECR and the UK GDPR, and the ICO's enforcement priorities.

Both are regularly updated. The electronic mail guidance was updated in 2025 to reflect the DUAA 2025's new charitable soft opt-in, which was added to PECR Regulation 22(3A).

What the electronic mail guidance says about consent

The ICO's guidance on what "consent" means under PECR Regulation 22 is clear and specific. For unsolicited marketing emails to individual subscribers, the consent must:

  • Be freely given — no bundled consent, no required tick as a condition of service
  • Be specific — the person knows they are agreeing to receive marketing from your organisation
  • Be informed — they understand what they are consenting to
  • Be given by a clear affirmative action — an unticked checkbox or written confirmation, not a pre-ticked box or silence

The ICO guidance explicitly states that implied consent is not sufficient for electronic marketing under PECR. You cannot infer consent from the fact that someone provided their email address.

This is stricter than the UK GDPR standard for consent in some respects, and it is separate from your GDPR lawful basis. Our PECR vs GDPR overview explains why satisfying GDPR's consent standard doesn't automatically satisfy PECR's.

The subscriber type distinction

One of the most practically important parts of the ICO's guidance is the subscriber type distinction. The rules work differently depending on who is receiving the email:

Individual subscribers — consumers and sole traders (and, in some circumstances, small partnerships). For these recipients, you need either:

  • Prior, specific consent to receive marketing from you; or
  • A valid soft opt-in under Regulation 22(3)

Corporate subscribers — limited companies, LLPs, and similar incorporated entities. The PECR consent requirement does not apply to the company. You are not required to have the company's consent to send marketing to its general business address.

What the guidance does not override is your GDPR obligation. Even for corporate addresses, you are processing a named individual's work email, which is personal data. You still need a GDPR lawful basis — usually legitimate interest. Our B2B email marketing guide covers the practical detail on how this works.

The soft opt-in: what the guidance says

The soft opt-in in Regulation 22(3) allows marketing without prior consent where four conditions are met. The ICO's guidance sets out the conditions:

  1. You obtained the person's contact details in the course of a sale or negotiations for a sale of a product or service
  2. You are marketing similar products or services to those involved in the original transaction
  3. You gave the person the opportunity to opt out at the time you collected their details
  4. You give the person the opportunity to opt out in every subsequent marketing message

The ICO has been clear that all four must be met — fail any one condition and the soft opt-in does not apply. The "similar products or services" test is the one that generates most questions; the ICO's position is that it requires genuine similarity, not a loose connection. Our full guide to the soft opt-in covers each condition in detail.

The DUAA 2025 added a new soft opt-in for charitable purposes at Regulation 22(3A), allowing charities to market to existing supporters under similar conditions. This applies only to charities and is outside the scope of most commercial email programmes.

What the guidance says about unsubscribes and opt-outs

The ICO guidance requires that every marketing email includes a way for the recipient to opt out, and that opt-out requests are honoured promptly. The ICO's published enforcement history shows that failing to honour opt-out requests is one of the most common PECR breaches investigated.

Practically, this means:

  • Every marketing email must include a functioning unsubscribe mechanism
  • When someone unsubscribes, you must stop sending them marketing — you cannot "wait to process" the request at your next batch
  • Opt-outs must be recorded and must suppress future sending

The ICO guidance does not specify an exact maximum timeframe for processing opt-outs, but enforcement notices show the ICO treats delays of days as problematic, not days as acceptable.

What has changed with the DUAA 2025

The Data (Use and Access) Act 2025 made three changes relevant to the ICO's direct marketing guidance:

  1. Increased maximum fines — from £500,000 to £17.5 million or 4% of global annual turnover. This means the financial consequences of a PECR breach are materially higher than they were before 5 February 2026. Our guide to the DUAA 2025 PECR changes covers this in full.

  2. Charitable soft opt-in — added Regulation 22(3A) to permit charities to market to existing supporters without consent. Applies only to charities.

  3. Statutory recognition of direct marketing as a legitimate interest — inserted an example into Article 6 of the UK GDPR confirming that direct marketing can be a legitimate interest. This doesn't change the requirement to complete a balancing test; it removes ambiguity about whether direct marketing is capable of being a legitimate interest in the first place.

The ICO's enforcement priorities

The ICO's direct marketing guidance includes a section on how it approaches enforcement. The factors that tend to attract regulatory attention are:

  • High volume of unsolicited marketing without verifiable consent
  • Purchased or harvested contact lists
  • Failure to honour opt-out requests
  • Misleading sender information or subject lines
  • Repeated breaches by the same organisation

The ICO does not investigate every complaint. It uses a risk-based approach, prioritising cases that show systemic failures or large numbers of affected individuals. But the DUAA's increased penalty cap means the stakes of a successful investigation are considerably higher than before.

Sources

  • ICO — Guidance on direct marketing using electronic mail
  • ICO — How do we comply with the PECR electronic mail marketing rules?
  • ICO — Direct marketing guidance (all channels)
  • Privacy and Electronic Communications Regulations 2003, Regulation 22

This article is for informational purposes only and does not constitute legal advice. For guidance specific to your situation, consult a qualified legal professional or data protection officer.