11 November 2022

The Information Commissioner's Office (“ICO”) recently published its much-anticipated guidance on direct marketing using electronic mail (the “Guidance”), as provided for in the Privacy and Electronic Communications Regulations 2003 (as amended) (“PECR”). PECR sits alongside the UK GDPR and Data Protection Act 2018 and sets out restrictions on the electronic marketing activities that can be carried out by businesses.

The Guidance addresses what must be done to comply with PECR if an organisation sends direct marketing by electronic mail, setting out areas of legal compliance and also suggestions for best practice to aid compliance with PECR.

What is electronic mail marketing?

Electronic mail is “any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service

In practice, this covers:

  • email and text (SMS) messages;
  • picture or video messages;
  • voicemail messages;
  • in-app messages; and
  • direct messaging on social media (i.e. where someone receives a private message).

The definition doesn’t cover online advertising (e.g. advertisements placed on websites). It also doesn’t cover some types of direct marketing using social media (e.g. advertising messages shown on news feeds).

Direct marketing is defined under the Data Protection Act 2018[1] as “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals

In practice this covers:

  • all types of advertising, marketing or promotional material;
  • commercial marketing (e.g. promotion of products and services); and
  • the promotion of aims and ideals (e.g. fundraising or campaigning).

The Guidance also covers the distinction between when a message is considered to be a marketing message or a service message, as well as the rules under PECR on sending marketing to corporate subscribers or individual subscribers.

What are the rules on direct marketing using electronic mail?

In general the PECR rules apply to anyone that wishes to send unsolicited messages by electronic mail for the purposes of direct marketing.

It is the ‘sender’ or ‘instigator’ of the message who has responsibility for complying with the PECR rules – which means that even if you use a webmail provider or a marketing platform, you may still have responsibility for compliance under PECR.

PECR states that you can only send direct marketing by electronic mail if:

  • you have consent from the recipient; or
  • you can meet all of the requirements of the ‘soft opt-in’.

However, different rules apply if you’re distinguishing between individual subscribers and corporate subscribers. Whichever ground you are using (consent or soft opt-in), you must also provide certain information when you send marketing by electronic mail. This applies to both individual and corporate subscribers.

In addition, the Guidance also covers when marketing is “solicited” or “unsolicited” (i.e. whether the individual has specifically asked you to email them with marketing information, which is different to consenting to receive general electronic mail marketing) and whether PECR applies in each situation.

Regardless of whether the electronic mail is solicited or unsolicited or whether it’s sent to an individual or corporate subscriber, businesses must not disguise or hide your identity and must provide a valid contact address for people and businesses to opt-out or unsubscribe.

How to comply with the rules on Direct Marketing

The Guidance provides detail on how to use consent to send marketing by electronic email, providing detail on how consent should be obtained and how granular that consent is required to be. The Guidance also provides information on how to use the soft opt-in. We have summarised in broad terms the requirements under both consent and the soft opt-in:

Requirements for consent

Requirements for soft opt-in

1. Consent request must be prominent, concise, easy for users to understand and separate from things like general terms and conditions.

2. You must ensure that the consent specifically covers receiving that particular type of electronic mail from you

3. You should ask for consent separately for each method of communication e.g. mail or text.

4. Consent must be freely given – i.e. not a condition of buying a product or service.

1. You obtained the individual’s contact details;

2. In the course of a sale or negotiation of a sale of a product or service;

3. You are marketing your similar products and services;

4. You provided an opportunity to refuse or opt-out when you collected the details; and

5. You give subscribers an opportunity to refuse or opt-out in every subsequent communication.

What happens if you don’t comply with PECR?

The ICO can:

  • serve an enforcement notice that requires an organisation to stop sending direct marketing that is in breach of PECR; and/or
  • serve a monetary penalty notice imposing a fine of up to £500,000 which can be issued against the organisation or its directors.

If you'd like to discuss electronic mail marketing in detail or have any queries about the Guidance, please contact Olivia Ward or another member of Burges Salmon's data protection team.




[1] PECR takes its definition of direct marketing from the DPA 2018. This is because any undefined term within PECR has the same meaning as in the UK data protection regime.

Key contact

A photo of David Varney

David Varney Partner

  • Data Protection and Cybersecurity
  • Technology and Communications
  • Outsourcing

Subscribe to news and insight

Burges Salmon careers

We work hard to make sure Burges Salmon is a great place to work.
Find out more