UK GDPR and the Privacy and Electronic Communications Regulations (PECR) govern email marketing to individuals in the UK. The key rule is that you must have freely given, specific and informed consent before sending marketing emails to individual subscribers (which includes sole traders and unincorporated partnerships, not just consumers). The main exceptions are the 'soft opt-in' for existing customers (you can email existing customers about similar products or services, provided they were given a clear opportunity to opt out when their details were collected and are given one in every subsequent message), and emails to corporate subscribers such as limited companies (where PECR's consent rule does not apply, though UK GDPR still applies to any data that identifies a named employee).
Many UK businesses operate email marketing programmes that are not fully compliant — using pre-ticked opt-in boxes, purchased email lists, or consent gathered before 2018 without a proper refresh. The ICO enforces PECR and UK GDPR through fines: significant financial penalties have been issued to businesses of all sizes for non-compliant email marketing. Beyond fines, non-compliant practices damage deliverability and brand trust.
UK email marketing compliance checklist
- Explicit consent — sign-up forms must use an unticked checkbox with clear language explaining what they are consenting to
- Consent records — you must be able to prove consent for every contact (who consented, when, and to what)
- Easy unsubscribe — every marketing email must include a clear, working way to opt out, and opt-outs must be actioned as soon as possible (the ICO does not give a fixed window; the 10-business-day allowance is a US CAN-SPAM rule, not a UK one, and an automated system should stop sending immediately). Major mailbox providers also now expect a one-click unsubscribe link from bulk senders, so it matters for deliverability as well as compliance
- Sender identification — every email must clearly identify your business as the sender
- Privacy policy — your email sign-up must link to a privacy policy explaining how subscriber data is used
- No purchased lists — you cannot send marketing emails to individuals who have not consented to receive them from your specific business
- Data retention — you should not retain subscriber data indefinitely; have a clear policy for when you remove inactive contacts
The soft opt-in is a frequently misunderstood exception. It applies only to existing customers who have bought (or seriously negotiated to buy) similar products or services, where they were given a clear chance to opt out at the time their details were collected and in every message since, and where the new email is about similar products — not marketing for unrelated services. The soft opt-in does not apply to new leads, cold outreach, or contacts where no purchase relationship exists.
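The checklist above and the soft opt-in test are easy to state and easy to get wrong when a list has been merged from several sources. The following is an added example, not code from the original page or from any named tool: a small audit that walks a consent-record store and decides, per contact, whether a campaign in a given product category may be sent, needs review, or is blocked. The record layout, the field names and the sample contacts are assumptions made for illustration; the rules encoded are the ones the page describes (no purchased lists, no pre-ticked boxes, provable consent, pre-2018 consent to be refreshed, soft opt-in only for similar products with an opt-out offered, opt-outs always honoured).

```python
"""Consent-record audit for a UK email marketing list (illustrative example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# UK GDPR applied from 25 May 2018; consent recorded before then must meet the
# same standard or be refreshed, so the audit flags it for review.
UK_GDPR_START = date(2018, 5, 25)


@dataclass
class Contact:
    """One row of an assumed consent store. Field names are illustrative."""
    email: str
    consent_source: Optional[str] = None      # e.g. "web_form", "purchased_list"
    consent_at: Optional[date] = None         # when consent was recorded
    consent_text: Optional[str] = None        # the wording the person agreed to
    preticked: bool = False                   # captured via a pre-ticked box
    purchased_at: Optional[date] = None       # last purchase / serious negotiation
    purchased_category: Optional[str] = None  # what they bought ("similar products" test)
    opt_out_offered_at_purchase: bool = False
    opted_out_at: Optional[date] = None


def consent_status(c: Contact) -> tuple[str, str]:
    """Classify the consent record as "valid", "refresh" or "invalid", with a reason.

    A valid record proves who consented, when, and to what, and was not
    obtained from a purchased list or a pre-ticked box.
    """
    if c.consent_source == "purchased_list":
        return "invalid", "purchased list: no consent given to this business"
    if c.preticked:
        return "invalid", "pre-ticked box is not valid consent"
    if not (c.consent_source and c.consent_at and c.consent_text):
        return "invalid", "no complete consent record (source, date, wording)"
    if c.consent_at < UK_GDPR_START:
        return "refresh", "consent predates UK GDPR and has not been refreshed"
    return "valid", "explicit consent on record"


def soft_opt_in_applies(c: Contact, campaign_category: str) -> bool:
    """Existing customer, opt-out offered when details were taken, similar products only."""
    return (
        c.purchased_at is not None
        and c.opt_out_offered_at_purchase
        and c.purchased_category == campaign_category
    )


def decide(c: Contact, campaign_category: str) -> tuple[str, str]:
    """Return ("send" | "review" | "block", reason) for one contact and campaign."""
    # An opt-out overrides everything, including an earlier consent or a purchase.
    if c.opted_out_at is not None:
        return "block", "opted out; do not re-add without fresh consent"
    status, reason = consent_status(c)
    if status == "valid":
        return "send", reason
    # Soft opt-in is independent of consent: it rests on the purchase relationship.
    if soft_opt_in_applies(c, campaign_category):
        return "send", "soft opt-in: existing customer, similar products"
    if status == "refresh":
        return "review", reason
    return "block", reason + "; soft opt-in does not apply"


def audit(contacts: list[Contact], campaign_category: str) -> dict[str, tuple[str, str]]:
    """Map each contact's email to its decision for the given campaign."""
    return {c.email: decide(c, campaign_category) for c in contacts}


# Constructed sample data (not real contacts) covering each branch of the rules.
CONSENT_WORDING = "Receive news and offers about our services by email"
SAMPLE = [
    Contact("alice@example.com", "web_form", date(2023, 3, 1), CONSENT_WORDING),
    Contact("bob@example.com", "purchased_list", date(2024, 1, 10), CONSENT_WORDING),
    Contact("carol@example.com", "web_form", date(2022, 6, 1), CONSENT_WORDING, preticked=True),
    Contact("dave@example.com", purchased_at=date(2024, 9, 5), purchased_category="hosting",
            opt_out_offered_at_purchase=True),
    Contact("erin@example.com", purchased_at=date(2024, 9, 5), purchased_category="consultancy",
            opt_out_offered_at_purchase=True),
    Contact("frank@example.com", "web_form", date(2017, 11, 2), CONSENT_WORDING),
    Contact("grace@example.com", "web_form", date(2023, 3, 1), CONSENT_WORDING,
            opted_out_at=date(2024, 2, 1)),
]

if __name__ == "__main__":
    for email, (decision, reason) in audit(SAMPLE, "hosting").items():
        print(f"{decision:<7} {email:<20} {reason}")
```

Running the script for a "hosting" campaign sends to alice (explicit consent) and dave (soft opt-in, bought hosting), flags frank for a consent refresh, and blocks bob (purchased list), carol (pre-ticked box), erin (bought an unrelated service) and grace (opted out). The point of the "review" outcome is that a pre-2018 record is not automatically worthless, but it is not something an automated send should rely on without a human checking it meets the current standard.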
Can you add someone to your marketing list because they handed you a business card? No, in most cases. Receiving a business card neither constitutes consent under UK GDPR nor qualifies for the soft opt-in exception. You can send an individual follow-up email referencing your meeting, but you cannot add their address to your marketing list without their explicit consent. B2B contacts can be added to marketing lists if they have given explicit consent, or, where the address belongs to a corporate subscriber such as a limited company so that PECR's consent rule does not apply, if you can demonstrate a legitimate interest under UK GDPR with an easy-to-exercise opt-out. That assessment must be made and documented for each situation, and it is not available for sole traders or other individual subscribers.
The ICO can issue fines of up to £500,000 under PECR for serious breaches of email marketing rules. Under UK GDPR, fines can be up to £17.5 million or 4% of global annual turnover (whichever is higher) for the most serious data protection violations. In practice, large fines are issued for systemic non-compliance at scale, but warnings, audits, and smaller fines are issued to businesses of all sizes. The reputational and deliverability damage from a high spam complaint rate is often more immediately damaging than regulatory action.