The information on this page was current at the time it was published. Regulations, trends, statistics, and other information are constantly changing. While we strive to update our Knowledge Base, we strongly suggest you use these pages as a general guide and be sure to verify any regulations, statistics, guidelines, or other information that are important to your efforts.

January 31st, 2020 Update: On March 29, 2017, UK Prime Minister Theresa May triggered Article 50, which formally started the process whereby the UK would leave the European Union. The original plan was for the UK to leave the EU on March 29th, 2019 but on October 28th, 2019, the EU agreed to push the extension deadline to January 31, 2020. 

The council agreed to conclude the withdrawal, and it  took effect at midnight on January 31st, 2020. After this date, the UK is no  longer an EU member state. This will obviously shift how business is done in the UK. We will keep updating this page to reflect these changes. 

Learn more about Brexit here. 

Email Marketing In The UK

What laws and regulations apply?

The Privacy and Electronic Communications (EC Directive) Regulations complement the existing data protection regime and set out more specific privacy rights on electronic communications. PECR was derived from European law, it implemented the European Directive, 2002/58/EC. PECR has been updated twice, the 2004 Amendment changed rules on marketing calls to companies and the 2011 Amendment changed rules on cookies, reporting security breaches, and the Information Commissioner's Office’s enforcement powers.

To Whom and what do the Privacy and Electronic Communications Regulations apply?

The PECR are broader than the Data Protection Act (DPA), in that they apply even if your organisation does not process personal data for marketing purposes, i.e., you do not know the name of the person you are contacting. PECR applies if you:

• market by phone, text, email, or fax;

• use cookies or a similar technology on your website; or compile a telephone (or similar public) directory.

PECR and the Data Protection Act are meant to complement each other in policy and practice. There is some overlap among the two, but when there are differences, you must comply with both. If you are processing personal data, you must comply with the Data Protection Act. PECR simply sets out some extra rules for electronic communications.

What are the important terms to understand?

Electronic Communications - Although it is not defined in the PECR, electronic communications generally means any information sent between particular parties through a phone line or internet connection. This includes:

• phone calls

• text messages

• video messages

• faxes

• emails

• internet messages

Electronic communications does not include generally available information, such as the content of websites or broadcast programming.

Consent - In the context of the PECR, consent must be knowingly given, clear, and specific. It must be given to your particular company and to the manner in which you intend to market, i.e., email, phone call (live or automated), text, or fax.

The clearest way to obtain consent is to allow the receiver to click an “opt-in” box. You must always provide the receiver with the opportunity to withdraw consent, or “opt out.” An unticked “opt-in” box is more clear than a pre-ticked “opt-in” box or an “opt-out” box.

How do I comply with the PECR?

PECR restricts unsolicited marketing by phone, text, email, fax, or other electronic message. In general, the rules are stricter for marketing to individuals than to other businesses or companies.

Regulation 22 prohibits you from sending or instigating the sending of unsolicited email marketing messages without the receiver’s specific consent. Under Regulation 23, you are prohibited from disguising or concealing your identity and must provide a valid contact address for recipients to ‘opt--out’ of or unsubscribe from future marketing. The term “soft opt-in” is often used to describe the exception to this general rule, and applies to existing customers. “Soft opt-in” means organisations can send marketing emails if:

• they obtained contact details during the course of a sale (or negotiation of a sale) of a product or service to that person;

• they are only marketing their own similar product or service; and

• they gave the person the opportunity to opt-out of the marketing, both initially when contact details were collected and in every subsequent marketing message.

The ‘soft opt-in’ rule applies to the negotiation of a sale, therefore an actual sale is not required.

Example

A customer logging into a company’s website to browse its range of products or services does not constitute the negotiation of a sale. However, if a customer completes an online enquiry form asking for more details about a product or service, this could be enough to constitute negotiations.

Example

A customer sending an enquiry to ask a company if it can order a specific product could be considered negotiations. But an enquiry to ask if the company is going to open more branches in a particular location is not.

The ‘soft opt-in’ rule does not apply to prospective customers or new contacts (e.g., from buy-in lists). It also does not apply to non-commercial promotions, e.g., charities, fundraising, or political campaigns. These require specific consent.

Sole traders and some partnerships are treated as individuals, and thus, the above rules that apply to individuals would also apply to these sole traders and partnerships. The Regulation 22 consent requirements do not apply to email marketing sent to any corporate body.

Regulation 22 prohibits a person or organisation from sending or instigating the sending of unsolicited email marketing messages. Thus, you cannot get around the rule by asking people to forward marketing messages to friends or to provide you with their friends’ contact details.

Can I use marketing lists?

You are allowed to use bought-in marketing lists and you can create your own marketing lists; however, you are still required to comply with all marketing regulations, which can be particularly tricky when using bought-in lists.

Bought-in marketing lists

Bought-in marketing lists are impractical for recorded call, text, and email marketing, which all require the individual to have given specific consent to receive the particular type of marketing from you. You must also satisfy yourself that any list you use is accurate and the data was collected fairly and that the consent is specific and recent enough to rely on.

Compiling your own marketing lists

Using the details of people who previously bought goods or services from you or who have registered through your website or made an enquiry is a great way to compile a marketing list. However, you cannot assume that because someone provided his contact details, he is happy to receiving marketing from you. You should make it clear upfront that you intend to use his details for marketing purposes. The easiest way to get clear consent is to use opt-in boxes for each type of marketing message you intend to send, e.g., text, email, phone. To ensure you are compiling an accurate and up-to-date list, record when, how, and what type of marketing consent you received. It is also important to note whether it is an individual or a company, as different rules apply to each. If you do not know whether it is an individual or a company, assume it is an individual and comply with the more strict rules.

Sharing marketing lists

If you intend to share your marketing lists with another company or group within your parent company, you must have each individual’s specific consent to do so. You cannot show consent by simply providing the notice in a hard to find, difficult to understand, and rarely read privacy policy.

Responding to objections or opt-outs

As soon as someone objects to or opts-out of your marketing messages, you should add him to your “do not contact” list. You can send an immediate reply confirming his unsubscribed status, but you may not contact him in the future even to ask if he would like to opt-in again. When someone objects or opts-out, you should not delete his information altogether, instead you should add him to your “do not contact” list, to ensure he will not be contacted in the future by mistake. This is particularly important if you buy new leads or marketing lists, as his details may be on a new list.

What are the risks of non-compliance? 

The Information Commissioner’s Office is tasked with the enforcement of the PECR. Enforcement measures include: audits, criminal prosecution, and monetary penalties up to £500,000. The ICO publishes quarterly updates on enforcement measures taken.

Privacy and Electronic Communications (EC Directive) Regulations

Information Commissioner's Office: Guide to the Privacy and Electronic Communications Regulations

Information Commissioner's Office: Personal Information Online Small Business Checklist

Information Commissioner's Office: Personal Information Online Code of Practice

Information Commissioner’s Office: Direct Marketing Guide

Information Commissioner's Office: Direct Marketing Checklist

Information Commissioner’s Office: Quarterly Updates on enforcement measures