
GDPR Compliant Email Marketing: A UK SME Guide

Updated by: Ciaran Connolly
Reviewed by: Salma Samir

Most small businesses approach GDPR compliant email marketing from the wrong direction. They read about six-figure fines, assume they’re doing everything wrong, and either stop sending campaigns altogether or carry on unchanged out of frustration. Neither response serves them well.

This guide gives you a working framework: what the rules actually require, where the genuine risk lies for an SME, and how to build a compliant email programme that still delivers results. It covers UK GDPR, the Privacy and Electronic Communications Regulations (PECR), consent and legitimate interest, B2B versus B2C distinctions, and what to do with a list that pre-dates May 2018.

UK and Irish businesses operating across both jurisdictions need to understand that two separate regulatory regimes apply. This guide addresses both.

UK GDPR vs PECR: Which Law Governs Your Emails?


Most guides focus entirely on GDPR and overlook the regulation that matters most for GDPR email marketing in the UK: the Privacy and Electronic Communications Regulations (PECR). Getting this distinction right is the starting point for any GDPR compliant email marketing strategy.

What UK GDPR Covers

UK GDPR sets the rules for how you collect, store, process, and protect personal data. For businesses focused on GDPR email compliance, this is the framework that governs your subscriber records, not the sends themselves. Following Brexit, EU regulations were incorporated into UK domestic law. The EU GDPR continues to apply separately to data processing involving EU residents.

For email marketing, UK GDPR governs how you handle the personal data behind your subscriber list: how you record consent, how long you keep contact records, and how you respond to subject access or deletion requests. It sets the penalty framework at up to £17.5 million or 4% of global annual turnover under UK GDPR, and up to €20 million or 4% of global annual turnover under EU GDPR, whichever is higher in each case.

What PECR Actually Controls

PECR is the regulation that directly governs the act of sending marketing emails. It sits alongside UK GDPR and sets specific rules about electronic marketing communications to individuals. Understanding PECR is central to GDPR compliance for email marketing in the UK. While GDPR tells you how to handle the data, PECR tells you whether you can send the message in the first place.

Under PECR, you generally need prior consent before sending unsolicited direct marketing emails to individual subscribers. The exception is the soft opt-in rule for existing customers, which is covered in full below.

The Post-Brexit Position for UK and Irish Businesses

Since 1 January 2021, the UK has operated under its own data protection regime. The EU granted the UK an adequacy decision in June 2021, meaning personal data can flow between the EU and UK without additional legal mechanisms, though this decision is subject to periodic review.

For businesses marketing on both sides of the Irish border, this matters. EU GDPR applies to data on EU residents regardless of where your business is based; UK GDPR applies to UK residents. In the UK, the ICO regulates; in Ireland, the DPC; and businesses operating across both jurisdictions may need to engage with each.

The post-Brexit shift in digital marketing compliance obligations was particularly significant for Northern Irish businesses. Achieving GDPR compliance for email marketing now means navigating two separate frameworks. Many SMEs have not updated their processes to reflect the post-Brexit position, which creates avoidable risk.

Every piece of personal data you process must have a lawful basis under UK GDPR. For GDPR compliant email marketing to individual subscribers, the two most relevant options are consent and legitimate interest. Getting this right shapes everything else about how you build and manage your list.

Consent is the cleaner option for most B2C email marketing. Under UK GDPR, valid consent must be freely given, specific, informed, and unambiguous. It requires a positive opt-in (a pre-ticked box does not count). The subscriber must understand what they are signing up for at the point of sign-up, not buried in a privacy policy they’ll never read.

Consent must be granular: promotional emails, transactional updates, and third-party offers each need a separate tick. Bundling them into a single checkbox creates compliance risk. Once given, consent must be recorded: who gave it, when, what they agreed to, and how it was obtained. Without that record, you effectively have no consent.

When Legitimate Interest Applies

Legitimate interest allows you to process data without explicit consent, provided you can show the processing is necessary for a genuine business purpose, that purpose is proportionate, and it does not override the individual’s rights and interests. For email marketing, this basis is harder to rely on than many guides suggest. The ICO has been clear that marketing to individuals generally requires consent under PECR, regardless of whether legitimate interest might otherwise apply under GDPR.

Legitimate interest is more relevant for B2B communications to corporate entities and for re-engagement campaigns to existing subscribers who have not opted out.

Consent vs Legitimate Interest: At a Glance

Basis | When to use it | Requirements | Example
Consent | Cold contacts; new sign-ups; B2C marketing | Positive opt-in; specific; recorded; withdrawable | Newsletter sign-up form on your website
Legitimate interest | Existing B2B relationships; internal comms | LIA completed; proportionate; opt-out provided | Sending service updates to a business client
Soft opt-in | Existing customers; similar products or services | Prior purchase; relevant content; opt-out in every email | Emailing a customer who bought from you last month

Building a GDPR compliant email marketing strategy means selecting the right lawful basis before the campaign is designed, not retrofitting compliance after the list has been built.


The soft opt-in is the most misunderstood provision in GDPR compliant email marketing law, and it’s the one that gives SMEs the most practical flexibility. Most guides either omit it or describe the conditions incorrectly.

What the Soft Opt-In Allows

Under PECR, you can send marketing emails to an existing customer without new explicit consent, provided four conditions are met:

  1. The person gave you their contact details in the context of a sale or negotiation of a sale.
  2. You are only marketing your own similar products or services.
  3. You gave them a clear opportunity to opt out at the point of data collection.
  4. Every subsequent email includes a straightforward unsubscribe mechanism.

This rule applies to individual subscribers only, not to corporate email addresses.

What “Similar Products or Services” Means in Practice

The ICO does not define this precisely. If a customer bought web design services, marketing SEO or content services to them is likely defensible. Marketing an unrelated product category is riskier and should rely on separate consent.

The test is whether a reasonable person would expect to receive that type of marketing given what they bought. When in doubt, collect a fresh consent tick at the point of sale rather than relying on the soft opt-in.

Where Businesses Most Often Get This Wrong

Two errors come up repeatedly. First, businesses apply the soft opt-in to prospective customers who enquired but did not buy. The soft opt-in does not cover enquiries; it requires an actual purchase or sale negotiation. Second, businesses forget to include an opt-out mechanism in every subsequent email. Without it, the soft opt-in exemption fails entirely.

B2B vs B2C Email Marketing Under GDPR

The rules for GDPR B2B email marketing differ from those for individual consumers, but not in the unlimited way many B2B marketers assume. Understanding GDPR compliant email marketing in a B2B context matters, and there is a specific trap that catches many UK SMEs.

Corporate Subscribers vs Individual Subscribers

Under PECR, the strict opt-in requirement applies to “individual subscribers”, which means natural persons, including sole traders and most partnerships. Emails sent to a corporate subscriber (a limited company, a PLC, a public authority) are not subject to the PECR opt-in rule in the same way.

This means you can legitimately contact corporate email addresses without prior consent under PECR, provided every email includes an opt-out mechanism. UK GDPR still applies to any personal data in the email, including an individual’s name or direct work address.

The Sole Trader Trap

This is where many B2B email programmes fall down. A sole trader’s business email address is personal data relating to an individual. Under PECR, sole traders and some partnerships are treated as individual subscribers, not corporate subscribers. The strict opt-in rules apply to them in the same way they apply to consumers.

If your B2B list includes sole traders, you need consent or a valid soft opt-in for those contacts. A legitimate interest assumption alone does not meet the standard.

B2B Email Rules: Quick Reference

Entity type | PECR opt-in required? | Opt-out required? | Key rule
Limited company (Ltd, PLC) | No | Yes | Corporate subscriber; PECR opt-in not required
Sole trader | Yes | Yes | Treated as individual subscriber under PECR
Partnership (most) | Yes | Yes | Unless LLP or incorporated, default to individual rules
Public authority or charity | No for corporate address | Yes | Corporate subscriber rules apply to the entity address

Building a GDPR-Compliant Email Programme


Running a GDPR compliant email marketing programme is not a one-off configuration; compliance is built into how you collect, store, and communicate with subscribers. The steps below cover the practical implementation from the sign-up form to sending.

Designing a Compliant Sign-Up Form

The sign-up form is where consent is captured, and it is one of the most visible areas of GDPR email compliance. The consent statement must appear before the submit button, not after. It must be specific about what the subscriber is agreeing to receive, for example, “marketing emails about our web design and SEO services” rather than a vague “updates”. The opt-in must be a positive action: ticking an unticked checkbox, clicking a button, or similar. Pre-ticked boxes and implied consent through form submission alone do not meet the standard.

The form should also link to your privacy policy, which must include what data you collect, how long you keep it, and how the subscriber can withdraw consent or request deletion.

A well-built sign-up form is a web design and compliance decision combined. When ProfileTree builds websites for SME clients, consent architecture is part of the brief, not an afterthought.

Is Double Opt-In Required?

Double opt-in is not a legal requirement under the UK GDPR or PECR for GDPR-compliant email marketing. A subscriber clicking a confirmation link before being added to your list is best practice, but not legally mandated. A single, clearly recorded opt-in meets the legal standard.

It is, however, the strongest record of consent available, and it measurably improves list quality. For businesses that receive ICO complaints, a double-opt-in record is considerably easier to defend than a single-checkbox log.

Managing Unsubscribes and Data Retention

Every marketing email must include an unsubscribe mechanism that works immediately and without conditions. Requiring a logged-in account to unsubscribe, adding a delay before processing the request, or asking a subscriber to provide a reason before removing them are all non-compliant practices.

Keep subscriber records only as long as you have a lawful basis to hold them. A defined inactivity window of 12 to 24 months is a common standard, after which inactive contacts are re-permissioned or removed. Document the retention period in your records of processing activities.

Your GDPR Email Compliance Checklist

Use this GDPR email compliance checklist before launching any new email programme or reviewing an existing one. It covers the key steps for GDPR compliance for email marketing across sign-up, records, and ongoing sends.

  • The sign-up form uses an unticked consent checkbox with a specific consent statement
  • The consent statement is separate from the terms and conditions
  • Privacy policy is linked from the sign-up form
  • Consent records are stored: who, when, what they agreed to, and how
  • All emails include a functioning unsubscribe link
  • Unsubscribe requests are processed immediately
  • The suppression list is maintained to prevent re-adding unsubscribed contacts
  • Data retention period is defined and documented
  • The email platform’s data processing agreement (DPA) is in place
  • Privacy policy accurately reflects your data processing activities

Cleaning Legacy Lists: What to Do with Pre-GDPR Data

Many UK businesses still use email lists built before May 2018, often through methods that do not meet current GDPR-compliant email marketing standards. Whether those contacts can still be emailed is one of the most common GDPR email compliance questions SMEs face.

Assessing Your Legacy List

Start with what you can evidence. For each segment of your list, ask: Do you have a record of how the contact was added? Was there any opt-in? Is there a purchase relationship that might support a soft opt-in argument? Contacts with no consent record and no purchase history are high risk and should generally be removed.
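The triage above, together with the four soft opt-in conditions and the B2B quick-reference table earlier in the guide, amounts to a per-contact decision procedure. The following is an added example (not the author's or ProfileTree's code) that encodes it as a pre-send check: the suppression list wins over any lawful basis, then the retention window, then the PECR rules for corporate versus individual subscribers. The subscriber-type labels, field names and sample contacts are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Entity types as the page classifies them under PECR (constructed labels).
CORPORATE_SUBSCRIBERS = {"ltd", "plc", "public_authority", "charity"}
INDIVIDUAL_SUBSCRIBERS = {"consumer", "sole_trader", "partnership"}

@dataclass
class ConsentRecord:
    """Who / when / what / how: the four things the page says a consent record must hold."""
    who: str
    when: date
    what: str   # e.g. "marketing emails about our web design and SEO services"
    how: str    # e.g. "unticked checkbox on /signup"

@dataclass
class Contact:
    email: str
    subscriber_type: str                  # a key from one of the two sets above
    consent: Optional[ConsentRecord] = None
    purchased: bool = False               # sale or sale negotiation; an enquiry alone stays False
    opt_out_offered_at_collection: bool = False
    last_activity: Optional[date] = None  # None = no activity on record

def lawful_basis(contact, campaign_is_similar, suppression, today, inactivity_months=24):
    """Return ("send", basis) or ("hold", reason). An unsubscribe always wins,
    then the retention window, then the PECR rules for the subscriber type."""
    if contact.email.lower() in suppression:
        return "hold", "on suppression list: never re-add"
    if contact.last_activity is not None and \
            today - contact.last_activity > timedelta(days=30 * inactivity_months):
        return "hold", "inactive beyond retention window: re-permission or remove"
    if contact.subscriber_type in CORPORATE_SUBSCRIBERS:
        return "send", "corporate subscriber (PECR opt-in not required; opt-out link still mandatory)"
    if contact.subscriber_type not in INDIVIDUAL_SUBSCRIBERS:
        raise ValueError(f"unknown subscriber type: {contact.subscriber_type}")
    c = contact.consent
    if c is not None and all((c.who, c.when, c.what, c.how)):
        return "send", "consent"
    if contact.purchased and campaign_is_similar and contact.opt_out_offered_at_collection:
        return "send", "soft opt-in"      # unsubscribe link is enforced at send time
    return "hold", "no consent record and no valid soft opt-in: remove or re-permission"

def triage_demo(today=date(2025, 1, 15)):
    """Constructed sample list; returns {email: decision} for a 'similar products' campaign."""
    rec = ConsentRecord("ann@example.com", date(2024, 6, 1), "marketing: web design and SEO", "checkbox on /signup")
    contacts = [
        Contact("ann@example.com", "consumer", consent=rec, last_activity=date(2024, 12, 1)),
        Contact("gone@example.com", "consumer"),                                 # unsubscribed
        Contact("buyer@example.com", "sole_trader", purchased=True, opt_out_offered_at_collection=True),
        Contact("asked@example.com", "sole_trader", opt_out_offered_at_collection=True),  # enquiry only
        Contact("info@acme.example", "ltd"),
        Contact("old@example.com", "consumer", consent=rec, last_activity=date(2022, 1, 1)),
    ]
    return {c.email: lawful_basis(c, True, {"gone@example.com"}, today)[0] for c in contacts}
```

Run `triage_demo()` to see the legacy-list split: the consenting subscriber, the soft opt-in customer and the limited company are sendable; the unsubscribed contact, the enquiry-only sole trader and the long-inactive contact are held for removal or re-permission.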

Re-Permission Campaigns

Where contacts signed up through an older form or have a purchase history, a re-permission campaign can recover legitimate subscribers while clearing the rest.

The re-permission email should explain that you are updating records, confirm what the subscriber is signing up for, and include a clear opt-in link. Send one, maximum two. Anyone who does not respond should be removed; repeated contact after silence is not defensible.

What Not to Do

Silence is not consent. Do not assume an inactive subscriber is still a valid contact. Migrating a list to a new platform does not reset the consent position; the legal basis follows the data, not the system it is held in. Do not purchase third-party lists either; they are virtually impossible to use in a PECR-compliant way because valid consent must have named your business specifically.

Putting It Into Practice

GDPR compliant email marketing is achievable for any SME that takes a systematic approach. Understand which legal basis applies to your audience: consent for most B2C contacts, soft opt-in for recent customers, and a careful check on sole traders in your B2B list. Build consent capture into your website correctly. Maintain records. Make it easy to unsubscribe. Address legacy data honestly rather than hoping it does not surface.

If your email programme needs a structural review, covering sign-up form design, platform configuration, and content strategy, ProfileTree works with businesses across Northern Ireland, Ireland, and the UK on digital marketing strategy and GDPR training for SMEs. Our digital training programmes give marketing teams the working knowledge to run compliant, effective email campaigns from the ground up.

FAQs

1. Does GDPR apply to small businesses for email marketing?

Yes. There is no minimum size threshold under UK GDPR or PECR for GDPR compliant email marketing. Both apply to any business that processes the personal data of UK or EU residents, regardless of turnover or employee count. The ICO’s enforcement approach does take proportionality into account when determining penalties: a micro-business making a good-faith effort to comply will typically be treated differently from a large organisation acting recklessly. The legal obligations themselves apply equally to all.

2. What is the difference between UK GDPR and PECR for email marketing?

UK GDPR governs how you collect, store, and protect personal data, including subscriber records. PECR governs the act of sending marketing emails. For most GDPR email marketing decisions, PECR is the more directly relevant regulation because it sets the rules about whether you can send a message in the first place. You need to comply with both: GDPR for data handling, PECR for the send itself.

3. Can I email existing customers without getting new consent?

Yes, in specific circumstances. The soft opt-in rule under PECR allows you to send marketing emails to existing customers without new explicit consent, provided they gave you their contact details in the context of a sale or sale negotiation, you are only marketing similar products or services, they were given a clear opt-out at the point of data collection, and every subsequent email includes a working unsubscribe link. This does not apply to prospects who only enquired without purchasing.

4. Is B2B email marketing subject to GDPR?

It depends on who you’re emailing. GDPR B2B email marketing works differently depending on the entity type. Emails sent to corporate email addresses at limited companies are not subject to PECR’s opt-in requirement in the same way as individual subscribers, though UK GDPR still applies to any personal data involved. The critical exception is sole traders and most partnerships, which are treated as individual subscribers under PECR. If your B2B list includes sole traders, you need consent or a valid soft opt-in for those contacts, not just a legitimate interest assumption.

5. What should I do with an email list built before GDPR came into force?

Audit it. Identify what evidence you have of how each segment was collected. This is a core step in achieving GDPR compliance for email marketing: contacts with a clear purchase history and a defensible soft opt-in argument are lower risk. Contacts with no consent record and no purchase relationship are high risk and should generally be removed. For contacts in a grey area, a one-off re-permission campaign can recover legitimate subscribers while clearing the rest. Do not assume silence means consent, and do not carry old lists into a new platform without addressing the consent position.
