1 April 2026 · Last reviewed 23 February 2026
PECR and Direct Marketing: What Counts, What Doesn't, and What the ICO Checks
The phrase "direct marketing" sounds straightforward. You send someone a promotional email. That is direct marketing. Obvious.
Except the legal definition under PECR is broader than most businesses assume, and the boundary between a marketing message and a legitimate service communication is where a surprising number of ICO investigations begin.
What PECR means by "direct marketing"
PECR does not define "direct marketing" directly — it relies on the definition from Section 122(5) of the Data Protection Act 2018, which mirrors the earlier DPA 1998 definition:
"Direct marketing" means the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals.
That covers more than you might think.
It includes:
- Promotional emails about your products or services
- SMS marketing messages
- Automated marketing calls
- Fax marketing (still regulated, rarely used)
- Email newsletters that include any promotional content
- Re-engagement campaigns aimed at lapsed customers
- Cross-sell and upsell emails to existing customers
- Charity fundraising appeals — the ICO has confirmed that fundraising counts as direct marketing under PECR
It does not include:
- Transactional emails (order confirmations, shipping notifications, password resets)
- Service communications genuinely necessary for the performance of a contract
- Communications required by law or regulation
The critical word is "any" in "any advertising or marketing material." If the email has a promotional purpose, even partly, it falls under PECR's direct marketing rules.
The grey zone: service emails with marketing in them
This is where businesses get into trouble. A genuinely transactional email — "Your order has shipped, here's the tracking number" — is not direct marketing. But what if that shipping confirmation includes a "you might also like" product recommendation at the bottom? Or a discount code for the next purchase?
The ICO's position is that adding marketing content to a service email converts it into a marketing email. The ICO direct marketing guidance makes this explicit: if the primary purpose is service but you include promotional content, the marketing rules apply to the message.
Practical implications:
- Order confirmation + product recommendations = direct marketing. You need PECR consent or valid soft opt-in.
- Account update + promotional banner = direct marketing. The banner makes it a marketing message.
- Newsletter with industry news + your product mention = direct marketing. The product mention is promotional content directed at individuals.
If you want to send service communications without PECR consent, keep them purely transactional. No cross-sell suggestions, no discount codes, no "check out our latest" sections.
Channels covered by PECR direct marketing rules
PECR Regulation 22 covers unsolicited communications sent by electronic means for direct marketing purposes. The channels:
| Channel | PECR Rule | Consent Required? |
|---|---|---|
| Email | Regulation 22 | Yes, unless soft opt-in applies |
| SMS/text | Regulation 22 | Yes, unless soft opt-in applies |
| Automated calls | Regulation 19 | Yes, always |
| Live sales calls | Regulation 21 | No, unless on TPS/CTPS — must screen |
| Fax | Regulation 20 | Yes, for individuals |
Email and SMS share the same consent rules — the soft opt-in can apply to both. Automated calls always require prior consent with no soft opt-in exception. Live calls don't require consent but must be screened against the Telephone Preference Service.
What the ICO investigates
The ICO's published enforcement actions show a clear pattern in how direct marketing investigations proceed:
Step 1: Complaint or monitoring. An individual complains, or the ICO's monitoring team identifies a pattern of unsolicited communications.
Step 2: Information request. The ICO asks you to provide evidence of consent for the specific individuals who complained, plus details of the marketing campaign, the total volume sent, and your consent records.
Step 3: Consent evidence review. The ICO examines whether you can demonstrate valid consent under Regulation 22, or whether the soft opt-in exception applies. They check the actual consent wording, the mechanism, and whether consent was specific to your organisation.
Step 4: Penalty assessment. If consent cannot be demonstrated, the ICO assesses a monetary penalty based on factors including: the volume of messages, whether vulnerable people were affected, the degree of organisational culpability, and any steps taken to mitigate.
The pattern behind PECR fines is remarkably consistent: organisations that cannot produce consent records receive the largest penalties.
B2B direct marketing: different rules
PECR treats individual subscribers and corporate subscribers differently for email marketing.
Individual subscribers (including sole traders and some partnerships): full Regulation 22 rules apply. You need consent or soft opt-in.
Corporate subscribers (companies, LLPs, Scottish partnerships, government bodies): Regulation 22 does not apply to marketing emails sent to corporate subscribers. You can email info@company.com without PECR consent.
But — and this is where businesses get confused — if you email a named person at a corporate address (john.smith@company.com), you may be contacting an individual subscriber. The ICO's guidance on corporate subscribers notes that emails to named individuals at companies may need consent, because the individual is the subscriber, not the company.
In practice: generic role-based corporate emails (info@, sales@, accounts@) are lower risk. Named individual emails at companies require the same caution as any other individual subscriber.
And even for corporate subscribers, UK GDPR still applies to the personal data processing. You still need a lawful basis for holding the person's details.
How to assess your direct marketing compliance
1. Audit every email type you send. List every automated email, campaign, and newsletter. For each, determine whether it contains any promotional content. If it does, PECR direct marketing rules apply.
2. Separate transactional from marketing. If you currently bundle promotional content into service emails, split them. Keep transactional emails purely transactional.
3. Check consent basis per channel. For email and SMS, confirm you have consent or valid soft opt-in for each contact. For live phone calls, confirm you screen against TPS. For automated calls, confirm you have consent — no exceptions.
4. Review your B2B email practices. If you email named individuals at companies, treat them as individual subscribers and ensure you have consent or soft opt-in.
5. Run a compliance check. The PECR compliance checker flags direct marketing consent gaps across all channels. For a full walkthrough of consent requirements, the PECR compliance checklist covers all 15 items.
The definition is broader than you expected. The enforcement is more active than most businesses realise. And the evidence the ICO demands is more specific than your ESP provides. That gap — between what the law requires and what your tools record — is where PECR fines happen.