11 February 2026 · Last reviewed 11 February 2026

The PECR Soft Opt-In: When You Can Email Customers Without Explicit Consent

If you run email marketing in the UK, you've probably heard that you need consent before sending promotional emails. That's the general rule under PECR (the Privacy and Electronic Communications Regulations 2003). But there's an important exception that many small businesses either don't know about or get wrong: the soft opt-in.

The soft opt-in, set out in Regulation 22(3) of PECR, lets you send marketing emails to existing customers without separate explicit consent — provided you meet four specific conditions. Get all four right, and you have a lawful basis. Miss one, and you need explicit consent.

This guide walks through each condition, shows what it looks like in practice, and covers what to document so you can prove compliance if anyone asks.

The four conditions of soft opt-in

All four must be satisfied. Not three. All four.

1. You obtained the contact details during (or in the course of negotiations for) a sale

The customer's email address must have been collected as part of an actual sale or during negotiations that could have led to a sale. The relationship must have started because the person was buying something from you.

What counts:

  • A customer buys a product from your online shop and enters their email at checkout.
  • Someone requests a quote for your services, gives you their email, but ultimately doesn't go ahead. (The ICO considers this "negotiations for a sale" — see ICO direct marketing guidance.)

What doesn't count:

  • Someone signs up for your free newsletter. No sale, no negotiation for a sale.
  • A person downloads a free whitepaper and gives their email. Still no sale.
  • You buy a mailing list from a third party. The relationship is between the customer and the other company, not you.

What to document: Record where and when you collected each email address, and the transaction or enquiry that generated it.

2. The marketing must be about similar products or services

You can only market products or services similar to what the customer originally bought or enquired about. The ICO doesn't define "similar" rigidly, but the test is whether a reasonable person would consider the products related to the original purchase.

What counts:

  • A customer buys running shoes from your shop. You email them about other running gear, socks, or fitness accessories.
  • Someone hires you for a kitchen renovation. You email them about bathroom renovation services.

What doesn't count:

  • A customer buys running shoes. You email them about unrelated products like home furniture or financial services.
  • Someone hires you for web design. You email them about an investment opportunity from your sister company.

The grey area is real. A customer who bought a laptop — can you email them about phone cases? Probably a stretch. Laptop accessories or software? Much more defensible. When in doubt: would the customer expect to hear about this given what they bought?

What to document: Record what each customer originally purchased or enquired about. When you send a campaign, note which product/service category it relates to.

3. You gave the customer a chance to opt out when you first collected their details

At the point you collected the email address — typically at checkout or during an enquiry form — you must have given the person a clear and simple way to refuse marketing.

What counts:

  • An unticked checkbox at checkout saying something like: "We'd like to send you emails about similar products. Tick here if you'd rather not receive these."
  • A clear statement during account registration with an opt-out mechanism.

What doesn't count:

  • A pre-ticked checkbox that the customer has to untick. (The ICO is clear — pre-ticked boxes don't count as a genuine opportunity to refuse.)
  • Burying the opt-out in paragraph 47 of your terms and conditions.
  • No mention of marketing at all during collection.

This is where a lot of businesses trip up. If your checkout form two years ago didn't include an opt-out option, you can't retrospectively apply soft opt-in to those contacts.

What to document: Archive screenshots of your forms as they existed at each point in time. When you update your checkout process, save a dated copy of the old version. Without it, you can't prove you offered the opt-out. Use the Consent Wording Checker to verify your current opt-out language meets the standard.

4. You include an opt-out in every marketing message

Every email you send under soft opt-in must include a simple way for the recipient to opt out of future messages. Every message, not just the first one.

What counts:

  • A clear unsubscribe link in every email (this is standard in any decent email marketing platform).
  • A reply-to mechanism where the customer can email back to opt out.

What doesn't count:

  • An unsubscribe process that requires the customer to log in, navigate through account settings, and find a buried preference toggle.
  • A link that doesn't work or an instruction to send a letter to your registered office.

What to document: Keep a copy of each campaign you send (most email platforms do this automatically). Record when opt-out requests come in and when they're actioned.

Common mistakes

Treating soft opt-in as a free pass. It isn't. It's a narrowly defined exception with four conditions. If you can't demonstrate all four, you need explicit consent.

Assuming it covers any customer relationship. Free accounts, free trials, and newsletter sign-ups without a purchase don't qualify. The trigger is a sale or negotiation for a sale.

Not documenting the opt-out at collection. The most common gap we see. Businesses update their forms, lose the old versions, and can't prove an opt-out was offered when a particular email was collected three years ago.

Stretching "similar products" too far. If you need a four-step logical chain to connect the original purchase to what you're marketing now, it's probably not similar enough.

Confusing soft opt-in with GDPR legitimate interest. Different legal mechanisms. PECR soft opt-in is specific to electronic marketing; GDPR legitimate interest is a separate lawful basis. You may need to satisfy both. See our guide on PECR vs GDPR marketing consent for more.

Ignoring the B2B distinction. Soft opt-in applies to individual subscribers (including sole traders and some partnerships). Corporate subscribers have different rules.

Putting it into practice

A quick checklist:

  1. Audit your email list. For each contact, can you identify the sale or enquiry that generated the email address?
  2. Check your forms. Do your current collection points include a clear opt-out for marketing? Did they at the time each contact was collected?
  3. Review your campaigns. Are you only marketing products/services similar to what each segment originally purchased?
  4. Test your unsubscribe. Click your own unsubscribe link. Does it work? Is it straightforward?
  5. Document everything. Form screenshots, purchase records, campaign copies, opt-out logs. If it isn't written down, it didn't happen.

For the full set of PECR compliance requirements beyond soft opt-in, see our 15-point PECR compliance checklist. And if you want to see what a PECR fine could cost your business under the new limits, try the PECR fine calculator.

The soft opt-in is genuinely useful for businesses that sell to customers and want to keep marketing to them. But it works only when you respect all four boundaries. Treat it as a structured exception, not a loophole, and you'll be in good shape if the ICO comes knocking.

This article is for informational purposes only and does not constitute legal advice. For guidance specific to your business, consult a qualified legal professional.