22 April 2026 · Last reviewed 23 February 2026

PECR Email Marketing Rules: What You Can and Cannot Send

PECR Regulation 22 is the law that determines whether you are allowed to send a marketing email. Not whether you can hold the data. Not whether your privacy policy is adequate. Whether you can press send.

It is three paragraphs long. It has triggered more ICO enforcement actions than any other provision in the regulations. And most UK businesses have never read it.

Here is what it says, in practical terms.

The default rule: no unsolicited marketing emails without consent

Regulation 22(1) and (2) set the baseline: you cannot send — or instigate the sending of — unsolicited marketing emails to individual subscribers unless they have previously notified you that they consent.

"Previously notified" means they actively told you it was acceptable. Not that they failed to object. Not that they visited your website. Not that they gave you their email address for some other purpose. They consented, specifically, to receiving marketing from you.

"Individual subscribers" includes natural persons — named people. It also includes sole traders and some partnerships. It does not include corporate subscribers (companies, LLPs), who have different rules. More on that below.

The exception: soft opt-in

Regulation 22(3) provides a single exception. You can send marketing emails without separate consent if all four conditions are met:

  1. You obtained the recipient's email during a sale or negotiations for a sale of your products or services
  2. The marketing is for your own similar products or services
  3. You gave the recipient a simple opportunity to refuse marketing when you collected their details
  4. Every marketing email includes an easy way to opt out

Fail any one condition and you need explicit consent. The soft opt-in guide walks through each condition with examples.

The most common failure: treating any customer relationship as a sale. Free trial signups, lead magnet downloads, and webinar registrations are not sales or negotiations for sales. The soft opt-in does not cover them.

What counts as an "unsolicited" marketing email

The word "unsolicited" does work you might not expect.

If someone signs up for your newsletter via a properly consented form, your emails are solicited — they asked for them. You have consent.

If someone bought a product and you email them about similar products using soft opt-in, the email is still technically unsolicited (they did not specifically request it), but it is permitted under Regulation 22(3).

If someone gave you their email for a support request and you add them to your marketing list, that email is unsolicited, and you have neither consent nor soft opt-in. You cannot send it.

The test is not whether the person knows who you are. It is whether they agreed to receive marketing from you, or whether you meet the soft opt-in conditions.

Corporate subscribers: different rules

Regulation 22 applies to individual subscribers. For corporate subscribers — companies registered at Companies House, LLPs, government bodies — the consent requirement does not apply to marketing emails.

You can email sales@company.com without PECR consent. However:

  • UK GDPR still applies if you process personal data (including named individuals' business email addresses)
  • Emails to named individuals at corporate addresses may still trigger Regulation 22 — the ICO's position is that the individual, not the company, may be the subscriber
  • You must still honour opt-out requests — even corporate contacts who ask you to stop must be removed

The safe approach: treat named individuals at companies the same as any other individual subscriber.

What the ICO looks for

The ICO investigates PECR email marketing complaints by requesting evidence. Based on published enforcement actions, they specifically ask for:

Evidence of consent: The actual wording the subscriber saw, when they saw it, and how they opted in. Not a generic flag in your ESP — the specific consent wording and mechanism.

Volume data: How many similar emails were sent, to how many recipients, over what period.

Soft opt-in justification: If you rely on soft opt-in, evidence for each condition — the original sale, the similar products justification, the opt-out at collection, and the unsubscribe mechanism.

Third-party data trail: If any recipients were sourced from third parties, the original consent wording from the data source and proof your organisation was named.

Complaint handling: Records of opt-out requests and when they were actioned.

Organisations that can produce this evidence receive lower penalties or avoid enforcement entirely. Organisations that cannot produce it — even if consent was probably given — face the highest fines. The PECR compliance checklist covers all 15 evidence requirements.

Common email types and their PECR status

| Email type | PECR marketing? | Consent needed? |
|---|---|---|
| Promotional campaign to subscribers | Yes | Yes (or soft opt-in) |
| Newsletter with promotional content | Yes | Yes (or soft opt-in) |
| Re-engagement email to lapsed contacts | Yes | Yes (original consent must still be valid) |
| Abandoned cart email with product suggestions | Probably yes | Yes (or soft opt-in — was there a sale?) |
| Order confirmation (no promotional content) | No | No |
| Shipping notification (no promotional content) | No | No |
| Password reset | No | No |
| Service disruption notice | No | No |
| Cross-sell email after purchase | Yes | Yes (or soft opt-in for similar products) |

The boundary is promotional content. If the email contains any advertising or marketing material directed at the recipient, PECR applies. Adding a product recommendation or discount code to a transactional email converts it. The direct marketing guide covers the grey areas.

What to do right now

Audit your email programme against Regulation 22. For every email type you send, determine: is this marketing? If yes, do you have consent or valid soft opt-in for each recipient?

Check your consent wording. The Consent Wording Checker evaluates whether your current form language meets PECR's specificity requirements.

Document soft opt-in where you rely on it. If any segment of your list receives marketing under soft opt-in, record the evidence for all four conditions per contact.

Run the compliance checker. The PECR compliance checker flags gaps across consent, soft opt-in, and third-party data — and tells you which items are most urgent.

Regulation 22 is three paragraphs of legislation. The consequences of getting it wrong run to six-figure fines and counting. The gap between "we probably have consent" and "here is the documented evidence" is exactly where PECR enforcement lives.