PECR (Privacy and Electronic Communications Regulations) is the UK law governing email marketing. It requires consent before sending marketing email, with a 'soft opt-in' exception: you can email existing customers about similar products without explicit consent if you offered an opt-out at collection and in every email. PECR works alongside UK GDPR. After Brexit, the UK retained PECR with enforcement by the ICO.
PECR: UK Email Marketing Rules After Brexit
What PECR Covers
PECR is the UK's implementation of the EU ePrivacy Directive. It specifically regulates:
- Unsolicited marketing emails and texts
- Cookies and tracking technologies
- Telephone marketing
- Communications data privacy
For email marketers sending to UK recipients, PECR is the primary law governing consent. It works alongside UK GDPR (the UK's retained version of EU GDPR post-Brexit).
PECR Consent Requirements
Default Rule: Prior Consent Required
You need consent before sending marketing email to individual subscribers. Consent must be:
- Freely given: No pre-checked boxes (see our consent documentation guide)
- Specific: Tell them what they're signing up for
- Informed: Clear about who will email them and about what
- Unambiguous: Active opt-in (checking a box, submitting a form)
The Soft Opt-In Exception
PECR allows marketing email without explicit consent when ALL of these apply:
- You collected the email address during a sale or sale negotiation
- You're marketing similar products or services to what they bought
- You gave them an opt-out opportunity at the point of collection
- You include an unsubscribe option in every email
This is narrower than it sounds. "Similar products" means genuinely similar — not your entire product catalog. And the opt-out at collection must be real, not buried in terms and conditions.
Practitioner note: The soft opt-in is the most misunderstood part of PECR. Companies interpret "similar products" as "anything we sell." The ICO has enforced against businesses that used a shoe purchase as justification to send insurance marketing. Keep it genuinely similar.
B2B Email Under PECR
PECR distinguishes between individual subscribers and corporate subscribers:
Individual subscribers (personal email addresses): Full PECR consent rules apply.
Corporate subscribers (role-based corporate emails like [email protected]): PECR's consent requirement doesn't apply, but you must:
- Identify yourself as the sender
- Provide a valid opt-out mechanism
- Comply with UK GDPR for any personal data involved
Important: An email to [email protected] is still an individual subscriber because it identifies a specific person. The corporate exception only applies to generic addresses.
PECR vs UK GDPR
| Aspect | PECR | UK GDPR |
|---|---|---|
| What it covers | Sending marketing messages | Processing personal data |
| Consent standard | Opt-in (with soft opt-in exception) | Lawful basis (consent, legitimate interest, etc.) |
| Applies to | Electronic marketing messages | All personal data processing |
| Enforced by | ICO | ICO |
| Penalties | Up to £500,000 | Up to £17.5M or 4% global turnover |
Both apply simultaneously. You need PECR consent to send the email AND UK GDPR lawful basis to process the personal data.
Post-Brexit Changes
After Brexit, the UK retained PECR and created UK GDPR (a domestic version of EU GDPR). Key differences from EU rules:
- UK has its own supervisory authority (ICO instead of EU DPAs)
- UK GDPR penalties denominated in GBP (£17.5M cap)
- UK may diverge from EU ePrivacy regulations in future
- Transfers of data between UK and EU require adequacy decisions or safeguards
For email marketers: if you send to both UK and EU residents, comply with both PECR/UK GDPR and EU GDPR. The requirements are similar enough that complying with the stricter interpretation covers both.
Practitioner note: UK-based clients often assume GDPR no longer applies to them post-Brexit. UK GDPR is nearly identical to EU GDPR. If you were compliant before Brexit, you're likely still compliant — but verify your data transfer mechanisms for EU subscriber data.
Compliance Checklist
- Consent mechanism meets PECR standards (active opt-in, not pre-checked)
- Soft opt-in only used for similar products to existing customers
- Every marketing email includes functional unsubscribe
- Sender clearly identified in every email
- Privacy policy explains email marketing data processing
- Consent records maintained (who, when, what they consented to)
- B2B emails to corporate addresses still include opt-out
v1.0 · April 2026
Frequently Asked Questions
What is the soft opt-in under PECR?
The soft opt-in lets you send marketing email to existing customers without explicit consent if: you collected their email during a sale or negotiation, you're marketing similar products or services, you gave them an opt-out opportunity when collecting their email, and you include an opt-out in every email.
Does PECR apply to B2B email?
PECR's consent rules apply to individual subscribers. For B2B emails sent to corporate email addresses ([email protected]), PECR is less restrictive — but you still must identify yourself, provide an opt-out, and comply with UK GDPR for any personal data processing.
What is the penalty for violating PECR?
The ICO can issue fines up to £500,000 for PECR violations. Combined UK GDPR violations can reach up to £17.5 million or 4% of global turnover. The ICO actively enforces against unsolicited marketing email.