The Legal Guide to Email Marketing and Consent

October 6, 2022

Email is one of the most useful tools available to the modern marketer - it allows businesses to reach often already-engaged audiences with a targeted message, on a global scale, providing an instant impact without breaking the bank. 

However, various regulations apply in terms of what you can and can’t do, and so care is needed to ensure your marketing efforts comply with the law, especially in relation to the UK GDPR. Read on to explore the do's and don’ts of email marketing.

Current UK law

There are a few key pieces of legislation that it’s important to be aware of: the Privacy and Electronic Communications Regulations (PECR) contain rules on various forms of electronic marketing, including emails, and the use of personal data for email marketing purposes is governed by the UK GDPR and the Data Protection Act 2018.

The Information Commissioner’s Office (ICO) is the UK’s data regulator and has the right to enforce certain sanctions in respect of breaches of data and marketing law. It has issued guidance on various aspects of marketing practices, and whilst you are not legally obliged to follow such guidance, doing so is good practice and will stand your business in good stead, particularly if you do find yourself on the wrong side of the ICO.

Who can I market to and do I need their consent?

Slightly different rules apply depending on whether you’re marketing to businesses or individuals. Let's explore these... 

Marketing to businesses

You can send marketing emails to other businesses without obtaining their consent; however, it is good practice to keep a list of any businesses that object and to hold back from sending marketing emails to them again. 

Be aware that if your business contact’s email address includes their name, this amounts to personal data and must be treated as such, including offering them the right to opt out of receiving marketing emails.

It is also worth bearing in mind that sole traders and some types of partnerships are deemed to be ‘individuals’ from a legal perspective, so take care when marketing to these types of businesses, as you may be required to comply with the more onerous rules that apply to individuals, described below.

Marketing to individuals 

If you wish to send marketing emails to individuals, they must: 

  • Have specifically consented to receive emails from your business, or
  • Be an existing customer who has bought (or negotiated to buy) a similar product or service from you previously, and you must have offered them a clear way to opt out of receiving marketing emails, both when you initially collected their details and in every subsequent email sent. This is known as ‘soft opt-in’.

Where consent is obtained, this must be:

  • Freely given (for example, it must not have been given because access to a product or service depends on it),
  • Specific (the individual must specifically agree to receive marketing emails),
  • Informed (they must understand what they are consenting to), and 
  • Unambiguous (for example, by actively ticking an empty consent box).

The soft opt-in rule essentially amounts to ‘implied consent’ to marketing, because the individual has recently purchased from your business. You cannot rely on this rule to market to potential or new customers. The marketing must also be relevant to your products or services – it cannot relate to another non-commercial cause, such as charity fundraising, and soft opt-in cannot be relied upon by charities or not-for-profit organisations generally.

You must also make your identity clear and provide an email address which they can contact to unsubscribe.

What are the risks?

So, if you get it wrong, how bad could it be – it’s only an email, right? Many businesses have fallen foul of the rules over the past few years, particularly with individuals becoming much more sensitive and savvier about their data rights since the implementation of the UK GDPR. Unfortunately, some opportunistic individuals have also spotted the chance to make some money off the back of unwitting businesses that get it wrong by holding them to ransom if they receive an email that they shouldn’t have. 

The ICO has the power to invoke a number of sanctions for breach of the PECR, including criminal prosecution, non-criminal enforcement, and audit. It can also impose a monetary penalty notice of up to £500,000, which can be issued against the organisation or personally against its directors for serious breaches of the rules, for example where there is an element of wilful breach. These sanctions are not mutually exclusive, so they can be used in combination.

And, as you will no doubt be aware, the ICO also has a range of powers under the UK GDPR to impose sanctions, including, in the most serious of cases, fines of up to £17.5 million or 4% of total worldwide annual turnover (whichever is higher).

The regulations around consent and soft opt-in are not straightforward, so if you intend to utilise email marketing, it would be worth seeking advice from a solicitor before launching your first campaign to ensure you’re clear on how to comply with the law.

Your email marketing infographic

Keeping tabs on all the legal requirements related to email marketing can be tricky. That's why we've put it all together in one handy infographic. Take a look!

Need support with email marketing? Explore how our data protection experts can help.