28 January 2026 · Last reviewed 23 February 2026

PECR vs GDPR: The Marketing Consent Rules Your Email Platform Won't Explain

You open your inbox on a Tuesday morning and find a letter from the Information Commissioner's Office. Not a marketing email. Not a newsletter. An official investigation notice asking you to provide evidence of valid consent for 14,000 marketing emails your company sent in the last six months.

Your stomach drops. You log into Mailchimp. You can see that subscribers opted in. You can see dates. But the ICO isn't asking about GDPR. They're asking about PECR compliance — the Privacy and Electronic Communications Regulations — and your email platform has almost nothing useful to show them.

This is not a hypothetical. It happens to UK businesses regularly, and it's happening more often since the ICO ramped up enforcement in 2022.

Two Laws, One Email: Why PECR Compliance and GDPR Are Not the Same Thing

Most UK marketers treat data protection as a single topic: "GDPR." They've heard of it, their platform mentions it, they've got a privacy policy. Job done. Except sending a marketing email in the UK triggers two separate laws, and they have different requirements.

GDPR (the UK version, technically the UK GDPR retained from EU law) governs how you collect, store, and process personal data. It's about the data itself. Your lawful basis for holding someone's email address, their right to access it, your obligation to delete it on request — that's GDPR territory.

PECR — the Privacy and Electronic Communications Regulations 2003 — governs the act of sending the electronic communication. It's about the email itself, the text message, the automated call. PECR sets the rules for when you're allowed to send marketing communications, regardless of how clean your data processing is under GDPR.

Here's the critical distinction: you can be fully GDPR-compliant and still violate PECR. You might have a perfectly lawful basis for holding someone's email address (say, contractual necessity from a purchase), but if you send them a marketing email without meeting PECR's consent requirements, you've broken the law.

The ICO's own direct marketing guidance makes this explicit: PECR sits alongside GDPR, and compliance with one does not guarantee compliance with the other.

Think of it this way: GDPR asks "are you allowed to have this person's data?" PECR asks "are you allowed to send this person this message?" Two different questions. Two different standards of proof.

Where Mailchimp, HubSpot, and Every Other ESP Fall Short

Email service providers have done a reasonable job of building GDPR-related features. Mailchimp has double opt-in. HubSpot records consent timestamps. Campaign Monitor logs subscription sources. On the surface, this looks like it covers you.

It doesn't. Here's why.

What ESPs actually record

A typical ESP consent record looks something like this:

  • Email address: jane@example.com
  • Subscribed: Yes
  • Date: 14 March 2025
  • Source: Signup form
  • Double opt-in confirmed: Yes

That's useful on the GDPR side: Article 7(1) of the UK GDPR requires you to be able to demonstrate that the data subject consented, and this record shows that someone did, and when. It does not, by itself, show what they consented to.

What PECR actually requires

PECR's consent standard (Regulation 22, which since 2018 uses the UK GDPR definition of consent, as applied in ICO enforcement actions) requires you to demonstrate:

  1. The specific wording shown to the subscriber at the point of consent — not a generic "they signed up," but the actual text they saw and agreed to
  2. That consent was freely given, specific, informed, and unambiguous — meaning unticked boxes, no pre-selected options, no bundled consent buried in terms and conditions
  3. What categories of marketing were described — did you say "product updates" but then send promotional offers for partner companies?
  4. The mechanism of consent — was it a web form, a paper form at an event, a verbal opt-in on a phone call?
  5. Evidence that consent was recorded at the time it was given — not reconstructed after the fact

Now look at that ESP record again. It tells you that someone subscribed. It tells you when. It does not tell you what they were told, what they agreed to, or what the form looked like at the time.

If your signup form wording changed six months ago, your ESP has no record of what the previous version said. If you added a new marketing category, there's no snapshot showing whether existing subscribers consented to it. If your form had a pre-ticked checkbox (still surprisingly common), the ESP dutifully recorded the "consent" without flagging that it's invalid under PECR.

The consent management platform confusion

This gap gets worse when you factor in CMPs — consent management platforms like Cookiebot, OneTrust, or CookieYes. These tools handle cookie consent, which is a different section of PECR (Regulation 6, covering storage of information on user devices). They pop up the banner, record cookie preferences, and manage opt-in for tracking scripts.

Many businesses assume their CMP covers all of PECR. It doesn't. Your cookie banner has nothing to do with whether you can send someone a marketing email. Cookie consent under PECR Regulation 6 and email marketing consent under PECR Regulation 22 are separate requirements with separate evidence trails.

So you've got ESPs covering part of GDPR, CMPs covering one slice of PECR (cookies), and nothing systematically covering PECR email marketing consent — the bit the ICO most frequently investigates and fines for. If you use Mailchimp, our step-by-step PECR audit guide for Mailchimp shows exactly where these gaps appear in practice.

The Soft Opt-In: The Most Misunderstood Rule in UK Email Marketing

PECR does include one exception to the consent requirement for marketing emails, and it's the rule that causes the most confusion and the most enforcement trouble: the "soft opt-in" under Regulation 22(3).

The soft opt-in allows you to send marketing emails without explicit prior consent if all four of these conditions are met (we cover each condition in detail in our soft opt-in guide):

  1. You obtained the contact details in the course of a sale or negotiation of a sale — the person bought something from you, or was actively in the process of buying
  2. The marketing is for your own similar products or services — not a partner's products, not a different business unit's unrelated offering, your own similar stuff
  3. You gave the person a simple opportunity to opt out when you collected their details — typically an unticked checkbox saying "tick here if you'd rather not receive marketing"
  4. You give them an opt-out opportunity in every subsequent message — an unsubscribe link in every email

Miss any one of those four conditions and the soft opt-in doesn't apply. You needed explicit consent, and you didn't have it.

Where businesses get this wrong

The most common failures the ICO finds:

"Negotiation of a sale" is interpreted too broadly. Someone downloading a free whitepaper is not negotiating a sale. Someone filling in a contact form to ask a general question is not negotiating a sale. Someone attending your webinar is not negotiating a sale. The ICO's guidance treats "negotiations" as an active expression of interest in buying a particular product or service, such as requesting a quote; it does not cover general enquiries or content downloads.

"Similar products or services" is stretched beyond recognition. If someone bought running shoes from you, you can email them about running gear. You cannot email them about your new insurance comparison service, even if it's operated by the same company. "Similar" means genuinely similar to what they purchased.

The opt-out at point of collection is missing or buried. It needs to be a clear, simple mechanism presented at the time you collect the email — not hidden in paragraph 47 of your terms of service.

Soft opt-in is applied to leads, not customers. This is the big one. The soft opt-in requires a sale or negotiation of a sale. If someone signed up for your newsletter but never purchased anything, the soft opt-in does not apply. You need explicit PECR consent. Full stop.

The ICO's enforcement history is littered with companies that got the soft opt-in wrong. It's a narrow exception, not a broad permission, and the burden of proving you met all four conditions falls on you.

What the ICO Actually Asks for in an Investigation

When the ICO opens an investigation into unsolicited marketing emails — and they opened investigations resulting in 49 fines totalling £4.63 million between March 2022 and late 2025 — they follow a fairly predictable pattern. Knowing what they ask for is the best guide to what you should be recording.

The initial information request

The ICO will typically request:

  • A copy of the specific marketing communication(s) that triggered the complaint or were identified in monitoring
  • The total volume of similar communications sent in a defined period
  • Evidence of consent for each recipient, or evidence that the soft opt-in applied
  • Copies of the consent mechanism — the actual form, page, or script used to collect consent, as it appeared at the time consent was given
  • Your data processing records under GDPR Article 30
  • Your direct marketing policy, if you have one
  • Records of any complaints received about the communications

Where companies fail

The pattern in published ICO enforcement notices is remarkably consistent. Companies fail because they cannot produce:

  1. Point-in-time evidence of consent wording. The form exists today, but what did it say 18 months ago when these subscribers signed up? Most companies have no idea.
  2. Individual-level consent records tied to specific wording. The ESP says the person subscribed, but what exactly did they consent to?
  3. Evidence for the soft opt-in conditions. If relying on soft opt-in, can you prove there was a sale, that the products are similar, and that an opt-out was offered at the point of collection?

Take the HelloFresh case (the ICO's £140,000 penalty, announced in January 2024, for approximately 79 million marketing emails). The core issue wasn't that HelloFresh had no consent processes at all; it's that they couldn't demonstrate valid PECR consent for the volume of communications sent. Their systems recorded that messages were sent, but the consent evidence didn't hold up to scrutiny.

Or look at the smaller fines — companies fined £10,000 or £20,000. These aren't reckless spammers. They're often legitimate businesses that genuinely believed they had consent but couldn't prove it to the ICO's standard. The evidence gap between "we think we had consent" and "here is the documented proof" is where fines happen.

A Self-Audit You Can Do This Week

You don't need to wait for an ICO letter to find out whether your consent records would survive scrutiny. Run through this checklist against your current setup. Be honest with yourself — the ICO will be.

1. Pull a sample subscriber and trace the consent chain

Pick five subscribers at random from your list. For each one, can you answer:

  • When did they consent?
  • What exactly were they told when they consented?
  • What mechanism did they use (web form, paper form, phone call)?
  • What marketing categories did they agree to receive?
  • Was consent explicit (actively opted in) or are you relying on soft opt-in?

If you're relying on soft opt-in, can you also prove:

  • What they purchased and when?
  • That your marketing is for similar products/services?
  • That they were given an opt-out at the point of collection?

If you can answer all of those with documented evidence — not memory, not assumption, actual records — you're in better shape than most. If you can't, you have a gap.

2. Screenshot your current consent mechanisms

Go to every place where you collect email addresses for marketing: your website signup form, your checkout flow, your event registration, your lead magnets. Screenshot each one. Record:

  • The exact wording displayed
  • Whether checkboxes are pre-ticked or unticked
  • What marketing categories are described
  • Whether consent is bundled with other terms or separate
  • The date you captured the screenshot

Do this today, and do it again every time you change the wording. This is the cheapest form of compliance insurance you can get.

You can also use our consent wording checker to evaluate whether your current form language meets PECR requirements.

3. Check your ESP's actual consent records

Log into your email platform and export the consent data for those five sample subscribers. Compare what your ESP recorded against what the ICO would ask for (see the section above). Note the gaps.

Common gaps you'll find:

  • No record of consent wording, only that consent was given
  • No distinction between GDPR consent (data processing) and PECR consent (marketing communication)
  • No record of what marketing categories were described at the point of consent
  • No historical versions of signup forms

4. Review your soft opt-in eligibility

If you send marketing emails to customers without explicit consent (relying on soft opt-in), audit whether you genuinely meet all four conditions for every recipient. Pay special attention to:

  • People who started a purchase but didn't complete it — does "negotiation of a sale" apply to abandoned carts? (The ICO's position is nuanced here; don't assume it does.)
  • People who purchased one product but receive marketing for a substantially different product line
  • Whether your checkout flow actually includes an opt-out mechanism at the point of collection

5. Run a quick compliance check

If you want a faster read on where you stand, our free PECR compliance checker walks through the key requirements and flags the most common gaps. It takes about five minutes and gives you a prioritised list of what to fix.

For a more thorough assessment, the PECR compliance checklist for 2026 covers the full set of requirements step by step.

The Practical Takeaway

PECR compliance for email marketing comes down to one thing: can you prove, for any given subscriber, that you had valid permission to send them that specific type of marketing email at the time you sent it?

Not "we had a signup form." Not "they're in our Mailchimp list." Not "we think we're covered by soft opt-in." Can you produce the actual evidence — the wording they saw, the consent they gave, the mechanism they used, the date it happened — in a format the ICO would accept?

Most UK businesses cannot. Not because they're acting in bad faith, but because their tools don't capture this information and nobody told them they needed to.

Here's what to do about it:

  1. Treat PECR and GDPR as separate compliance tasks. Your ESP handles some GDPR requirements. Your CMP handles cookie consent under PECR. Email marketing consent under PECR is a third area that probably isn't covered by either.

  2. Start documenting consent evidence now. Even manual screenshots and spreadsheets are better than nothing. Record what your forms say, when they change, and tie individual subscriber consent to specific form versions.

  3. Audit your soft opt-in assumptions. If you're relying on the soft opt-in for any portion of your list, verify that you genuinely meet all four conditions. The soft opt-in is not a blanket exemption for customer emails.

  4. Keep historical records. The ICO doesn't care what your form says today. They care what it said when each subscriber signed up. Version your consent mechanisms.

  5. Build the habit before enforcement reaches you. The ICO's fine volume has increased year over year. Smaller companies are not exempt — fines start at a few thousand pounds and the reputational damage often costs more than the fine itself.
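To make the record-keeping in points 2 and 4 concrete (and the evidence list under "What PECR actually requires" and the four soft opt-in conditions earlier in the article), here is a small consent evidence ledger in Python. It is example code written for this article, not a feature of any ESP, CMP or ConsentTrail. It snapshots the exact form wording as a content-hashed version, ties each consent event to the version the subscriber actually saw, rejects consent as evidence when the wording was not captured at the time, and, where no explicit consent exists, checks the Regulation 22(3) soft opt-in conditions for one specific message. The subscribers, forms, dates and the simplification that "similar products" means the same product line are all assumptions for the example; the per-message unsubscribe link is left to the sending pipeline.

```python
from __future__ import annotations
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=UTC)


@dataclass(frozen=True)
class FormVersion:
    """Point-in-time snapshot of a consent form as the subscriber saw it."""
    form_id: str                 # hypothetical: which form, e.g. "signup"
    wording: str                 # exact text shown beside the consent control
    categories: tuple[str, ...]  # marketing categories the wording describes
    preticked: bool              # pre-selected box: not a positive action
    bundled_with_terms: bool     # consent buried in T&Cs: not specific
    captured_at: datetime        # when this snapshot was taken

    def digest(self) -> str:
        # Content hash: identical wording is one version, any edit is a new one.
        payload = json.dumps([self.form_id, self.wording, list(self.categories),
                              self.preticked, self.bundled_with_terms]).encode()
        return hashlib.sha256(payload).hexdigest()


@dataclass(frozen=True)
class ConsentEvent:
    email: str
    form_digest: str       # which FormVersion the subscriber actually saw
    mechanism: str         # "web_form", "paper_form", "phone_call"
    opted_in: bool         # True only for a positive action by the subscriber
    recorded_at: datetime  # logged at the time, not reconstructed later


@dataclass(frozen=True)
class Sale:
    email: str
    product_line: str
    sold_at: datetime
    opt_out_offered: bool  # simple opt-out shown when details were collected
    opted_out: bool


class ConsentLedger:
    """Append-only store linking consents and sales to versioned form wording."""

    def __init__(self) -> None:
        self.forms: dict[str, FormVersion] = {}
        self.consents: list[ConsentEvent] = []
        self.sales: list[Sale] = []

    def snapshot_form(self, form: FormVersion) -> str:
        d = form.digest()
        self.forms.setdefault(d, form)  # keep the earliest capture of a version
        return d

    def record_consent(self, ev: ConsentEvent) -> None:
        if ev.form_digest not in self.forms:
            raise ValueError("consent must reference a snapshotted form version")
        self.consents.append(ev)

    def record_sale(self, sale: Sale) -> None:
        self.sales.append(sale)

    def evidence(self, email: str, category: str, product_line: str,
                 sent_at: datetime) -> dict:
        """Evidence package for one message: basis plus the reasons it fails."""
        reasons: list[str] = []
        # Explicit consent: positive action before the message, on a version
        # captured no later than the consent itself, unticked, unbundled, and
        # describing the category being sent.
        for ev in self.consents:
            if ev.email != email or not ev.opted_in or ev.recorded_at > sent_at:
                continue
            form = self.forms[ev.form_digest]
            problems = []
            if form.captured_at > ev.recorded_at:
                problems.append("form wording was not captured at time of consent")
            if form.preticked or form.bundled_with_terms:
                problems.append("pre-ticked or bundled consent is not a positive action")
            if category not in form.categories:
                problems.append(f"wording did not describe '{category}' marketing")
            if not problems:
                return {"basis": "consent", "form_digest": ev.form_digest,
                        "wording": form.wording, "mechanism": ev.mechanism,
                        "consented_at": ev.recorded_at.isoformat(), "reasons": []}
            reasons.extend(problems)
        # Soft opt-in: a sale before the message, own similar products
        # (assumed here: same product line), opt-out offered at collection
        # and not taken up. The unsubscribe link in every message is the
        # sending pipeline's job and is not checked here.
        for sale in self.sales:
            if sale.email != email or sale.sold_at > sent_at:
                continue
            problems = []
            if sale.product_line != product_line:
                problems.append(f"'{product_line}' is not similar to '{sale.product_line}'")
            if not sale.opt_out_offered:
                problems.append("no opt-out offered at point of collection")
            if sale.opted_out:
                problems.append("customer opted out at point of collection")
            if not problems:
                return {"basis": "soft_opt_in", "product_line": sale.product_line,
                        "sold_at": sale.sold_at.isoformat(), "reasons": []}
            reasons.extend(problems)
        return {"basis": "none",
                "reasons": reasons or ["no consent event and no qualifying sale on record"]}


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample data for the example; not real subscribers."""
    led = ConsentLedger()
    old = led.snapshot_form(FormVersion("signup", "Send me offers", ("offers",),
                                        True, False, ts("2024-01-10")))
    new = led.snapshot_form(FormVersion("signup", "Tick to receive offers and product updates by email",
                                        ("offers", "product_updates"), False, False, ts("2024-06-01")))
    led.record_consent(ConsentEvent("jane@example.com", new, "web_form", True, ts("2025-03-14")))
    led.record_consent(ConsentEvent("bob@example.com", old, "web_form", True, ts("2024-02-02")))
    led.record_sale(Sale("carol@example.com", "running_shoes", ts("2025-01-20"), True, False))
    return led


if __name__ == "__main__":
    led = build_sample_ledger()
    for who, cat, line in [("jane@example.com", "offers", "any"),
                           ("bob@example.com", "offers", "any"),
                           ("carol@example.com", "offers", "running_shoes"),
                           ("carol@example.com", "offers", "insurance")]:
        print(who, led.evidence(who, cat, line, ts("2025-05-01")))
```

The point of the content hash is that a form edit cannot silently rewrite history: every consent event is pinned to the digest of the wording in force when it was recorded, so the question "what did the form say when Jane signed up?" has an answer even after the form has changed twice since. Pair this with the screenshot habit from step 2 of the self-audit, and the screenshot becomes the human-readable exhibit for the digest.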

This is the exact problem ConsentTrail is built to solve: documenting your PECR marketing consent chain automatically, so that when the ICO asks for evidence, you have it. If you want to be notified when it launches, you can join the waitlist.

The best time to sort this out was before you sent your last campaign. The second best time is now.

Frequently asked questions

What does PECR stand for?

PECR stands for the Privacy and Electronic Communications Regulations 2003. It is a UK law (SI 2003/2426) that sets rules for electronic marketing (email, SMS, phone calls, fax) and cookies. PECR sits alongside UK GDPR — they are separate laws with different requirements, and you need to comply with both.

What is the difference between PECR and GDPR for email marketing?

GDPR (the UK General Data Protection Regulation) covers how you collect, store, and process personal data. PECR adds specific rules about sending marketing messages via electronic channels. You can be fully GDPR-compliant and still breach PECR if you send marketing emails without proper PECR consent. Both laws apply at the same time.

Do I need PECR consent if I already have GDPR consent?

Not necessarily. GDPR consent covers data processing; PECR consent covers sending the marketing message itself. If your GDPR consent wording specifically covers receiving marketing emails from your organisation, it may satisfy PECR too — but only if it meets PECR's requirements for being specific, informed, and given by positive action.

This article is for informational purposes only and does not constitute legal advice. For guidance specific to your business, consult a qualified legal professional.