18 February 2026 · Last reviewed 18 February 2026
PECR Compliance Checklist for UK Email Marketing (2026)
If the ICO opened an investigation into your email marketing tomorrow, could you produce evidence that every contact on your list gave valid consent under PECR?
For most UK businesses, the honest answer is no. ESPs like Mailchimp and HubSpot record that someone subscribed, but not what they consented to. Spreadsheets tracking opt-ins go stale within weeks. And the consent wording from six months ago? Probably lost when marketing redesigned the landing page.
This checklist covers 15 specific things you need documented and provable, based on the ICO's direct marketing guidance and regulations 22 and 22A of PECR.
If you're unclear on how PECR and GDPR interact, read our breakdown of PECR vs GDPR for marketing consent first.
Consent Collection (Items 1–4)
1. Document the exact consent wording shown at every collection point.
Screenshot the precise text next to your signup checkbox or form. "Subscribe to our newsletter" is not consent wording — it needs to identify who is sending the marketing, what channels will be used, and what content the subscriber is agreeing to receive. Use the Consent Wording Checker to test whether your current text meets the standard.
2. Record the collection method and source URL for each contact.
The ICO expects you to identify the specific source. A contact record showing "web form" is not sufficient — you need "website form at consenttrail.co.uk/newsletter, submitted 14 March 2025."
3. Ensure consent checkboxes are unticked by default.
Pre-ticked boxes do not constitute valid consent under PECR. Audit every form across your site — including checkout flows, account registration, and gated content downloads — to confirm no box is pre-selected.
4. Separate marketing consent from terms and conditions acceptance.
Bundled consent is not valid consent. If your signup flow combines terms acceptance and marketing opt-in into a single action, that fails PECR. These must be separate actions — especially in checkout flows where they're commonly merged.
Consent Records (Items 5–8)
5. Store a timestamped consent record for every contact on your list.
Your ESP's subscription date is a start, but it's not a consent record. A proper record includes: the date and time consent was given, the version of the consent wording shown, the source URL or collection point, and the IP address or other identifier.
6. Maintain a version history of all consent wording changes.
When you update signup form text, the old wording doesn't stop mattering — contacts who subscribed under it are still covered by that version. You need a log of what wording was live during what period. Most businesses track this in spreadsheets, which works until someone forgets to update the sheet.
7. Verify that consent records are retrievable per individual contact.
The ICO asks for evidence about specific individuals. Can you pull up the consent record for jane.smith@example.com in under five minutes? If the answer involves digging through ESP exports and cross-referencing spreadsheets, your process won't hold up.
8. Confirm that consent records survive ESP migrations.
If you switched email platforms recently, did the original consent evidence come with you? Many businesses migrate subscriber lists as CSVs, losing consent metadata in the process. For a practical walkthrough of what Mailchimp actually stores (and what it doesn't), see our PECR audit guide for Mailchimp.
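Items 5 to 8 describe what a consent record store has to hold. The following Python is an added example (not ConsentTrail's code and not taken from this page) of that data model: a wording log where publishing a new version closes the previous one, per-contact records that must cite the version live at consent time, per-contact evidence retrieval, and a check for ESP subscribers that have no record behind them. The wording text, URLs and addresses used with it are constructed sample values.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class WordingVersion:                # one entry in the wording log (item 6)
    version: int
    text: str
    live_from: str                   # UTC ISO 8601 "2025-06-01T00:00:00Z": string order is time order
    live_until: str = ""             # empty string means still live

@dataclass(frozen=True)
class ConsentRecord:                 # the fields item 5 calls for
    email: str
    consented_at: str                # UTC ISO 8601, same format as live_from
    wording_version: int
    source_url: str
    collection_method: str
    identifier: str                  # IP address or other identifier

class ConsentStore:
    def __init__(self):
        self.versions = []           # WordingVersion, in publication order
        self.records = {}            # lower-cased email -> [ConsentRecord]
    def publish_wording(self, text, live_from):
        # Close the previous version rather than overwrite it: contacts who subscribed under it stay covered by it.
        if self.versions:
            p = self.versions[-1]
            self.versions[-1] = WordingVersion(p.version, p.text, p.live_from, live_from)
        self.versions.append(WordingVersion(len(self.versions) + 1, text, live_from))
        return self.versions[-1].version

    def wording_live_at(self, when):
        for v in self.versions:
            if v.live_from <= when and (not v.live_until or when < v.live_until):
                return v
        return None

    def record_consent(self, rec):
        # Refuse a record whose cited wording version was not live when consent was given.
        live = self.wording_live_at(rec.consented_at)
        if live is None or live.version != rec.wording_version:
            raise ValueError(f"wording v{rec.wording_version} not live at {rec.consented_at}")
        self.records.setdefault(rec.email.lower(), []).append(rec)

    def evidence_for(self, email):
        # Item 7: everything held for one contact, with the wording text resolved from the log.
        return [{"consented_at": r.consented_at, "source_url": r.source_url, "method": r.collection_method,
                 "identifier": r.identifier, "wording": self.versions[r.wording_version - 1].text}
                for r in self.records.get(email.lower(), [])]
    def contacts_without_evidence(self, esp_emails):
        # Item 8: ESP subscribers with no consent record behind them (for example lost in a CSV migration).
        return [e for e in esp_emails if e.lower() not in self.records]
```

Run `evidence_for` against a real address from your ESP export to see whether the five-minute retrieval test in item 7 is achievable with what you currently hold.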
Soft Opt-In (Items 9–11)
If you email existing customers without explicit consent, you're relying on the PECR soft opt-in exemption — which is narrower than most businesses assume. See our guide on how soft opt-in actually works.
9. Document the original transaction that established each customer relationship.
Soft opt-in requires that the contact's email was collected "in the course of a sale or negotiations for a sale." You need to show what was purchased (or negotiated) and when. A CRM record of the transaction is the minimum.
10. Record that an opt-out opportunity was provided at the point of collection.
This is the requirement businesses most commonly miss. Soft opt-in is only valid if the customer was given a clear opportunity to refuse marketing at the time their details were collected — not just in subsequent emails. Archive screenshots of the opt-out mechanism shown during checkout or enquiry.
11. Confirm that marketing content is limited to similar products or services.
Soft opt-in only covers "similar products and services" to what the customer originally purchased. If someone bought running shoes and you're emailing them about insurance, it doesn't apply. Map your product categories and document which campaigns are permissible for each segment.
Third-Party Data (Items 12–13)
Purchased and shared lists account for the majority of PECR fines issued since 2022.
12. Obtain and archive the original consent wording from every third-party data source.
If you acquired contacts from a partner, lead generation company, or purchased list, you need the exact consent wording those contacts saw — not a summary. If the data provider can't supply this, you cannot demonstrate valid consent. The PECR compliance checker flags third-party data risk as part of its assessment.
13. Verify that third-party consent specifically names your organisation.
Generic consent like "we may share your data with selected partners" does not satisfy PECR. The wording must specifically identify your organisation by name, or describe you clearly enough that the subscriber understood they were consenting to hear from you.
Ongoing Compliance (Items 14–15)
14. Include a working unsubscribe mechanism in every marketing email and process opt-outs within the ICO's expected timeframe.
Every email must contain a functional unsubscribe link. The ICO expects opt-outs processed promptly — 28 days is the outer limit, though 48 hours is the practical standard. Audit your unsubscribe flow quarterly: click the link, confirm it works, verify the contact is suppressed in your ESP.
15. Run a documented consent audit at least every six months.
PECR compliance is not a one-off exercise. Forms change, ESPs get migrated, team members add contacts manually. Schedule a recurring audit every six months and document what was checked, what gaps were found, and what was remediated. This audit log becomes evidence of good faith compliance if the ICO comes asking.
Where Existing Tools Fall Short
Most businesses attempting this checklist hit practical problems quickly:
- ESP records store subscription dates and statuses, but not consent wording versions or collection source details.
- Spreadsheets work for small lists but become unmaintainable past a few hundred contacts. There's no way to link a specific contact to the consent wording they saw.
- CRM systems track customer relationships but aren't built to archive consent text or generate ICO-ready evidence exports.
This is the gap ConsentTrail is being built to fill — a consent audit tool that connects to your ESP and documents the full consent chain the ICO requires. It's coming soon; you can join the waitlist to get notified at launch.
What To Do Next
Start with items 5 and 7. Pull up a specific contact in your system and try to produce their complete consent record — wording, timestamp, source, collection method. If you can't do it in five minutes, that's your most urgent gap.
Then work through the rest systematically. Use our PECR compliance checker for a quick self-assessment, and if you rely on soft opt-in, read the full guide on soft opt-in requirements to confirm you meet all four conditions.
With PECR fines now increased to £17.5M or 4% of turnover under the Data (Use and Access) Act 2025, this is a priority, not a backlog item. Use the PECR fine calculator to see what your exposure looks like under the new limits, and read our analysis of every ICO PECR fine in 2024-2025 to understand the patterns behind enforcement. Businesses that document their consent chain now will be in a far stronger position than those scrambling when an ICO letter arrives.
This article is for informational purposes only and does not constitute legal advice. For guidance specific to your business, consult a qualified legal professional.