25 March 2026 · Last reviewed 23 February 2026

UK Email Marketing Laws: The Two Regulations Every Business Needs to Know

Ask most UK business owners what law governs their email marketing and you will get one answer: "GDPR." It is the wrong answer — or at least an incomplete one.

UK email marketing sits under two separate pieces of legislation. One governs the data. The other governs the message. Getting one right does not excuse getting the other wrong, and the penalties come from different enforcement powers with different limits.

The two laws

UK GDPR (the EU regulation retained in UK law after Brexit and read alongside the Data Protection Act 2018) regulates how you collect, store, and process personal data. It covers your lawful basis for holding email addresses, your obligations around data subject access requests, and your records of processing activities under Article 30.

PECR (the Privacy and Electronic Communications Regulations 2003) regulates the act of sending the electronic communication itself. It sets the rules for when you are allowed to send a marketing email, SMS, or automated call — regardless of whether your data processing under GDPR is flawless.

These are not two names for the same thing. They have different requirements, different consent standards, and the ICO enforces them through different powers. Our PECR vs GDPR comparison covers the detailed differences.

What GDPR requires for email marketing

Under UK GDPR, holding someone's email address for marketing purposes requires a lawful basis. Most businesses use one of two:

Consent (Article 6(1)(a)). The person actively agreed to you processing their data for marketing. This requires a clear, affirmative action — not a pre-ticked box or silence.

Legitimate interest (Article 6(1)(f)). You have a business reason for contacting them, and their interests and rights do not override yours. The ICO expects you to complete and keep a documented legitimate interests assessment (LIA) before you start processing.

In practice, most email marketing relies on consent as the lawful basis for GDPR. The records your email service provider (ESP) keeps — subscription dates, double opt-in confirmations, source tags — are primarily GDPR evidence.

What PECR requires for email marketing

PECR adds a separate layer. Regulation 22 prohibits sending unsolicited marketing emails unless one of two conditions is met:

1. Prior consent. The recipient has specifically consented to receiving marketing from your organisation. This consent must be specific (they agreed to hear from you, not just "third parties"), informed (they knew what they were agreeing to), and given via a clear affirmative action.

2. The soft opt-in exemption. If the recipient's email was collected during a sale or negotiation, you can send marketing for similar products or services without separate consent — provided you offered an opt-out at collection and include one in every message. The soft opt-in guide covers all four conditions.

The critical difference from GDPR: PECR consent is specifically about the marketing communication, not just the data processing. You might have a perfectly lawful GDPR basis for holding someone's email, but without PECR consent (or valid soft opt-in), you cannot send them a promotional email.

Where the two laws overlap — and where they diverge

They overlap on consent records. Both laws expect you to be able to demonstrate consent, and PECR borrows the UK GDPR definition of consent. If you can prove PECR consent, you will usually satisfy GDPR consent requirements as well.

They diverge on lawful basis options. Under GDPR, you have six possible lawful bases. Under PECR, for unsolicited marketing emails to individual subscribers, you have two options: consent or soft opt-in. Legitimate interest — the most flexible GDPR basis — does not provide a standalone basis for sending marketing emails under PECR to individual subscribers. Note that "individual subscriber" includes sole traders and unincorporated partnerships; corporate subscribers (for example a limited company's mailbox) sit outside regulation 22, but UK GDPR still applies to any address that identifies a named person.

They diverge on what "consent" means in practice. GDPR consent requires a clear affirmative action for data processing. PECR consent requires that the person specifically "notified" the sender that they consent to receiving marketing. The PECR standard requires specificity about the sender and the type of marketing — a general "I agree to receive emails" might satisfy GDPR but could fall short of PECR if it does not identify your organisation or describe the marketing clearly enough.

They diverge on enforcement. GDPR fines under the UK regime can reach £17.5 million or 4% of global annual turnover, whichever is higher. PECR fines were historically capped at £500,000, but the Data (Use and Access) Act 2025 aligned PECR penalties with GDPR levels — the maximum is now £17.5 million or 4% of turnover, whichever is higher. The ICO has issued 49 PECR fines since March 2022, totalling £4.63 million.

The practical gaps most businesses have

Based on how the ICO investigates email marketing complaints (detailed in our fines analysis), the most common gaps are:

1. No PECR-specific consent record. The ESP records a subscription. That helps you demonstrate consent under UK GDPR Article 7(1). But nobody recorded what the consent wording said, whether it identified the sender specifically, or what marketing categories it described. When the ICO asks for PECR evidence, there is nothing to show.

2. GDPR lawful basis assumed to cover PECR. A business documents legitimate interest for holding customer data under GDPR and assumes that covers marketing emails under PECR. It does not. PECR requires separate consent or valid soft opt-in.

3. Consent wording not archived. The signup form has been redesigned three times. Nobody screenshotted the previous versions. Subscribers who joined under old wording cannot be linked to what they were actually told.

4. Soft opt-in documentation missing. Businesses email existing customers assuming the soft opt-in applies but cannot prove the original sale, cannot show that an opt-out was offered at collection, and cannot demonstrate the marketing is for similar products. Use the Soft Opt-In Eligibility Checker to test whether your setup qualifies.

What to do about it

Treat PECR and GDPR as separate compliance workstreams. They are different laws with different requirements. A single "GDPR compliance" project does not cover PECR email marketing.

Audit your consent evidence against both laws. For each subscriber, you need: (a) a GDPR lawful basis for holding their email, and (b) either PECR consent or valid soft opt-in for sending them marketing. The PECR compliance checklist walks through all 15 requirements.

Archive your consent wording. Screenshot your forms today. Date the screenshots. Do it again every time the wording changes. Keep the exact text alongside each screenshot and give every version an identifier, so that each subscriber record can point at the version that person actually saw; a screenshot on its own does not tell you which subscribers it applies to. This is the single cheapest compliance action you can take, and the one most businesses skip. The Consent Wording Checker can evaluate whether your current language meets PECR requirements.

Document soft opt-in eligibility separately. If you rely on soft opt-in for any segment of your list, maintain a record showing all four conditions are met. This is separate from your GDPR processing records.
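The audit described in the steps above can be run as a script over an exported subscriber list. The following is an added example written for this page, not a tool from the article or any ESP: it assumes a simple record layout (field names are invented), a wording archive keyed by a SHA-256 content identifier so that each subscriber record points at the exact text they agreed to, and a sender name of "Acme Ltd". It classifies each subscriber as having evidence for both laws or as falling into one of the four gaps listed earlier. The sample records and form wording are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed sender name. PECR consent wording has to identify your organisation,
# so the audit checks that the archived text names it.
SENDER = "Acme Ltd"


def wording_id(text: str) -> str:
    """Content-addressed ID for one version of a form's consent wording.
    Storing this ID on each subscriber record ties them to the exact text
    they saw, which a dated screenshot alone cannot do."""
    return hashlib.sha256(text.strip().encode("utf-8")).hexdigest()[:16]


@dataclass
class WordingVersion:
    text: str
    live_from: date
    live_to: Optional[date] = None      # None: still the live wording


@dataclass
class Subscriber:                       # assumed layout, not a real ESP schema
    email: str
    gdpr_basis: str                     # "consent" or "legitimate_interest"
    subscribed_on: date
    pecr_route: str                     # "consent", "soft_opt_in" or "none"
    wording_id: Optional[str] = None    # consent route: wording they agreed to
    sale_date: Optional[date] = None    # soft opt-in: the qualifying sale
    opt_out_offered_at_collection: bool = False
    purchased_category: Optional[str] = None
    marketing_category: Optional[str] = None


def build_archive(versions: List[WordingVersion]) -> Dict[str, WordingVersion]:
    return {wording_id(v.text): v for v in versions}


def audit(sub: Subscriber, archive: Dict[str, WordingVersion]) -> List[int]:
    """Gaps for one subscriber, numbered as in the list above.
    Empty list: a GDPR basis is recorded and the PECR side has evidence."""
    gaps: List[int] = []
    if sub.pecr_route == "consent":
        if sub.wording_id is None:
            gaps.append(1)                      # consent logged, wording not
        elif sub.wording_id not in archive:
            gaps.append(3)                      # wording version never archived
        else:
            w = archive[sub.wording_id]
            live_to = w.live_to or date.max
            if not (w.live_from <= sub.subscribed_on <= live_to):
                gaps.append(3)                  # archived text was not live then
            if SENDER.lower() not in w.text.lower():
                gaps.append(1)                  # wording does not name the sender
    elif sub.pecr_route == "soft_opt_in":
        if not (sub.sale_date
                and sub.opt_out_offered_at_collection
                and sub.purchased_category
                and sub.purchased_category == sub.marketing_category):
            gaps.append(4)                      # soft opt-in conditions unproven
    else:
        gaps.append(2)                          # GDPR basis only, nothing for PECR
    return gaps


def audit_all(subs: List[Subscriber],
              archive: Dict[str, WordingVersion]) -> Dict[str, List[int]]:
    return {s.email: audit(s, archive) for s in subs}


# Constructed sample data (not real subscribers or real form text).
OLD_WORDING = "I agree to receive emails."
NEW_WORDING = "I agree to receive marketing emails from Acme Ltd about its training courses."
ARCHIVE = build_archive([
    WordingVersion(OLD_WORDING, date(2021, 1, 1), date(2023, 5, 31)),
    WordingVersion(NEW_WORDING, date(2023, 6, 1)),
])
SAMPLE = [
    Subscriber("alice@example.com", "consent", date(2024, 2, 3), "consent", wording_id(NEW_WORDING)),
    Subscriber("bob@example.com", "consent", date(2022, 9, 9), "consent", wording_id(OLD_WORDING)),
    Subscriber("carol@example.com", "consent", date(2024, 8, 1), "consent", "0123456789abcdef"),
    Subscriber("dave@example.com", "consent", date(2024, 1, 1), "consent"),
    Subscriber("erin@example.com", "legitimate_interest", date(2024, 3, 3), "none"),
    Subscriber("frank@example.com", "legitimate_interest", date(2024, 4, 4), "soft_opt_in",
               sale_date=date(2024, 4, 4), opt_out_offered_at_collection=True,
               purchased_category="training", marketing_category="training"),
    Subscriber("grace@example.com", "legitimate_interest", date(2024, 5, 5), "soft_opt_in",
               sale_date=date(2024, 5, 5), opt_out_offered_at_collection=False,
               purchased_category="training", marketing_category="training"),
]

if __name__ == "__main__":
    for email, gaps in audit_all(SAMPLE, ARCHIVE).items():
        print(f"{email:20} {'OK' if not gaps else 'gaps ' + str(gaps)}")
```

In the sample run, alice and frank pass; bob agreed to wording that never named the sender (gap 1), carol's record points at a wording version nobody archived (gap 3), dave has a subscription with no wording recorded at all (gap 1), erin has only a GDPR basis (gap 2), and grace was never offered an opt-out at the point of sale (gap 4). The sender-name check is deliberately crude: it catches the generic "I agree to receive emails" case but is no substitute for reading the wording.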

Two laws, one email. Both apply every time you press send. The businesses that understand this distinction are the ones that survive an ICO investigation intact.