6 May 2026 · Last reviewed 23 February 2026

ICO Email Marketing Fines: How Investigations Start and What Triggers Penalties

The ICO does not fine businesses for sending marketing emails. It fines them for sending marketing emails they cannot prove were consented to.

That distinction matters. The organisations receiving the largest PECR penalties are not necessarily the worst offenders — they are the ones with the weakest evidence. Understanding how investigations work, what triggers them, and what determines the penalty amount is the most practical thing you can do to protect your business.

How ICO investigations start

PECR investigations begin through three main routes:

1. Individual complaints

Any person can complain to the ICO about unsolicited marketing. The ICO's Make a Complaint portal accepts reports about unwanted marketing emails, texts, calls, and faxes. A single complaint does not automatically trigger an investigation — but patterns do. Multiple complaints about the same sender, or a complaint about high-volume sending, will escalate.

2. ICO monitoring

The ICO actively monitors for PECR breaches. Their Direct Marketing Intelligence Hub analyses complaint patterns across organisations. They also receive referrals from other regulators and industry bodies.

3. Self-reported breaches

Organisations sometimes report their own breaches — either proactively or when prompted by an ICO enquiry about a related matter. Self-reporting can reduce (but not eliminate) penalties.

The investigation process

Based on published ICO monetary penalty notices, investigations follow a consistent pattern:

Stage 1: Information request. The ICO writes to you asking for:

  • The specific marketing communication(s) in question
  • Total volume of similar communications sent in a specified period
  • Evidence of consent for the individuals who complained
  • Your consent collection mechanisms (forms, scripts, processes)
  • Your direct marketing policy
  • Records of complaints and opt-out requests

You typically have 28 days to respond. This is not negotiable.

Stage 2: Evidence assessment. The ICO reviews what you provided. They look at the consent wording, check whether soft opt-in conditions are documented, verify opt-out mechanisms work, and assess whether third-party data was properly sourced.

Stage 3: Preliminary enforcement notice. If the ICO finds breaches, they issue a notice of intent — a preliminary penalty with the proposed fine amount and reasoning. You have the opportunity to make representations.

Stage 4: Final monetary penalty notice. After considering your representations, the ICO issues the final penalty. This is published on their enforcement page and is a matter of public record.

What determines the fine amount

The ICO considers multiple factors when setting a penalty. Based on analysis of published PECR fines:

Volume of communications. Sending 79 million emails (HelloFresh, £140,000) attracts a different penalty than sending a few thousand. Based on published penalty notices, volume appears to be the factor most strongly associated with higher penalty amounts.

Nature of the consent failure. A business that had some consent processes but documented them badly is treated differently from one that bought a list and blasted it without any consent. Third-party data cases consistently attract higher penalties.

Evidence of due diligence. Did you have consent processes? Did you keep records? Did you conduct audits? Organisations that can show they tried — even imperfectly — receive lower penalties than those with no processes at all.

Vulnerable individuals. If marketing targeted or disproportionately affected vulnerable people, penalties increase.

Complaints and harm. The number of complaints, whether people suffered distress, and the nature of the intrusion all factor in.

History. Previous ICO warnings or enforcement actions increase penalties.

Financial resources. The ICO considers ability to pay, particularly for smaller organisations. Fines are meant to be proportionate but deterrent.

The fine cap has changed

For two decades, the maximum PECR fine was £500,000. That cap dated back to 2003.

The Data (Use and Access) Act 2025, which received Royal Assent on 19 June 2025, increased the maximum to £17.5 million or 4% of global annual turnover — whichever is higher. The increased penalties took effect on 5 February 2026 via Commencement Order No. 6. This aligns PECR penalties with the UK GDPR maximum, a 35-fold increase.

For context: as of late 2025, the average PECR fine since March 2022 was roughly £95,000 across 49 enforcement actions (source: ICO action we've taken). Under the new regime, fines calibrated to 4% of turnover are materially different for any business with revenue above £2.5 million.

The pattern across all PECR email marketing fines

Reading through the ICO's published monetary penalty notices since 2022 reveals remarkably consistent themes:

The sender could not produce consent records. In nearly every case, the core issue was not that consent was never given — it was that the business could not prove it had been. No wording archived. No per-contact records. No documentation of soft opt-in conditions.

Third-party data was the highest-risk category. Organisations using data they did not collect themselves received the largest average fines. The consent chain was either broken, non-existent, or relied on vague "third-party marketing" wording that did not meet PECR's specificity requirements.

Soft opt-in was claimed but not documented. Several fined organisations said they relied on soft opt-in for existing customers but could not evidence all four conditions. What was typically missing was proof that an opt-out was offered at the point of collection, or evidence that the marketing was for similar products.

Opt-out mechanisms were broken or slow. Some organisations received complaints after failing to process unsubscribe requests. A working unsubscribe link is both a PECR requirement and the simplest way to prevent complaints.

How to reduce your enforcement risk

1. Build the evidence trail now, not after an ICO letter arrives. Document consent wording, timestamps, sources, and mechanisms per contact. The PECR compliance checklist covers all 15 requirements. The consent records retention guide covers what to keep and for how long.

2. Audit third-party data or stop using it. If any contacts on your list came from a source other than your own forms, verify the consent chain. If the supplier cannot produce the original consent wording showing your organisation was named, suppress those contacts.

3. Document soft opt-in conditions. If you email customers under soft opt-in, record the evidence for all four conditions per contact. Use the Soft Opt-In Eligibility Checker to verify your setup qualifies.

4. Test your opt-out mechanism. Click your own unsubscribe link. Does it work? Is it simple? How quickly does suppression take effect?

5. Run a self-audit. The PECR compliance checker identifies your specific gaps. A documented self-audit that shows you identified and addressed issues is the strongest evidence of good faith — and the factor most likely to reduce a penalty if enforcement reaches you.
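One way to run the per-contact self-audit that steps 1 to 5 describe, as an added example that is not the article's own code or any of the tools it links to: it encodes the evidence the article says the ICO asks for (archived wording, timestamp, source and mechanism per contact; all four soft opt-in conditions; supplier wording that names your organisation; suppression once an opt-out arrives) and reports the gaps contact by contact, so the output is the suppression list from step 2 and the audit record from step 5. The record fields, the organisation name and the sample contacts are assumptions constructed for the example.

```python
# Added example, not the article's own code: fields and rules are assumptions.
from dataclasses import dataclass
from typing import Optional

OUR_NAME = "Example Ltd"  # constructed organisation name

@dataclass
class ContactRecord:
    email: str
    basis: str  # "consent" | "soft_opt_in" | "third_party"
    consent_wording: Optional[str] = None  # exact text shown at collection
    consented_at: Optional[str] = None     # ISO 8601 timestamp of the consent event
    source: Optional[str] = None           # form URL, script name or supplier
    mechanism: Optional[str] = None        # e.g. "unticked checkbox"
    obtained_in_sale: bool = False         # soft opt-in, PECR reg. 22(3)(a)
    similar_products: bool = False         # reg. 22(3)(b)
    opt_out_at_collection: bool = False    # reg. 22(3)(c)
    opt_out_every_message: bool = False    # reg. 22(3)(c), in each later message
    unsubscribed_at: Optional[str] = None
    suppressed: bool = False

SOFT_OPT_IN = ("obtained_in_sale", "similar_products", "opt_out_at_collection", "opt_out_every_message")
CONSENT_EVIDENCE = ("consent_wording", "consented_at", "source", "mechanism")

def audit_contact(rec: ContactRecord) -> list[str]:
    """Return the evidence gaps an ICO information request would expose."""
    gaps = []
    if rec.unsubscribed_at and not rec.suppressed:
        gaps.append("opt-out received but contact not suppressed")
    if rec.basis == "consent":
        gaps += [f"missing {f}" for f in CONSENT_EVIDENCE if not getattr(rec, f)]
    elif rec.basis == "soft_opt_in":
        gaps += [f"soft opt-in not evidenced: {c}" for c in SOFT_OPT_IN if not getattr(rec, c)]
    elif rec.basis == "third_party":
        if not rec.consent_wording:
            gaps.append("no original consent wording from supplier")
        elif OUR_NAME not in rec.consent_wording:
            gaps.append("supplier wording does not name this organisation")
        if not (rec.consented_at and rec.source):
            gaps.append("third-party consent lacks timestamp or source")
    return gaps

def contacts_to_suppress(records: list[ContactRecord]) -> dict[str, list[str]]:
    """Contacts whose marketing cannot be evidenced, keyed by email, with their gaps."""
    return {r.email: g for r in records if (g := audit_contact(r))}

SAMPLE = [  # constructed records: one clean consent, then one gap per lawful basis
    ContactRecord("a@example.com", "consent", "Get offers from Example Ltd", "2025-03-01T10:00:00Z", "signup form", "unticked box"),
    ContactRecord("b@example.com", "consent", source="signup form"),
    ContactRecord("c@example.com", "soft_opt_in", obtained_in_sale=True, similar_products=True, opt_out_every_message=True),
    ContactRecord("d@example.com", "third_party", "Offers from selected partners", "2024-11-05T09:00:00Z", "Supplier Co", "bought list"),
]
```

Running `contacts_to_suppress(SAMPLE)` leaves only the first contact mailable; the other three each surface the single gap that, per the penalty notices the article summarises, a business could not answer when the ICO asked.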

The ICO is not trying to catch businesses by surprise. The guidance is published. The enforcement actions are public. The evidence requirements are well documented. Every fine issued since 2022 involved an organisation that either did not know the rules or did not record the evidence. Neither is a defence.

This article is for informational purposes only and does not constitute legal advice. The enforcement patterns described are based on published ICO monetary penalty notices available at ico.org.uk/action-weve-taken. For advice specific to your situation, consult a qualified legal professional.