B2C Email Marketing Rules

A guide to the B2C Email Marketing Rules in the UK’s PECR

If you’re confused about the UK’s rules on B2C email marketing, in the time it takes to have a cup of tea, we’re going to set them out really clearly.

And stick with us, because at the end we’re going to put up a fantastic summary table straight from the UK ICO.

Following on from our post clarifying that email marketing rules are in PECR not GDPR, this blog and its accompanying video look at the B2C Email Marketing Rules. This is all part of Privacy Kitchen – FREE video help with GDPR and all things Privacy. If you’re new to Privacy Kitchen, please do check it out here – and click subscribe and notify to hear about awesome Privacy Kitchen videos.

Right, let’s get to it.

B2C Email Marketing Rules in the UK

Now, we saw in another video that the rules on email marketing are in PECR, not GDPR. PECR is the UK’s Privacy and Electronic Communications Regulations, which is why everyone calls it PECR. And PECR’s a UK law, so it will be with us post Brexit.

Yes, GDPR always applies when you process personal data.  It defines consent, and it sets out the legitimate interest test, for example.

But the rule’s in PECR, which takes precedence.

The rule

In summary, you cannot send B2C marketing emails (namely to consumers, sole practitioners and unincorporated partnerships) without consent, subject to the soft opt-in exception.

The details

The detailed rule is in PECR’s Regulation 22 which says you cannot send ‘unsolicited emails’ for the purpose of ‘direct marketing’ to an ‘individual subscriber’ without their prior consent, unless the ‘soft opt-in’ exemption applies.  Here’s Regulation 22 in full:

Unsolicited emails

So, ‘unsolicited emails’ is easy: it’s emails the recipient didn’t ask for.

An example from the UK ICO – we love examples!

  • A customer submits an online form requesting a double glazing quote.  Sending the quote to them is solicited marketing but any further contact would be unsolicited.

Direct marketing

For the purpose of ‘direct marketing’ is pretty clear too. Helpfully, it means the rules don’t apply to other purposes. So, for example, they don’t apply when contacting a customer solely to:

  • remind them how to contact you in case of a problem,
  • check their details are correct, and
  • update them on your terms and conditions.

These are all examples from regulators.

Service messages

The UK ICO’s draft guidance calls these ‘service messages’ and gives two further examples:

  • A bank calls a customer about the administration of their bank account.  The purpose of the call is simply to advise the customer that there’s a problem with one of their standing orders.  This isn’t direct marketing.
  • Secondly, an individual’s credit card has variable balance transfer rates.  Their card provider emails them to tell them the rate’s changing for a limited period: it’s a service message.

But if you add any marketing aspects to those emails, even tacking on a single sentence, you’ve transformed that service or other message into a marketing email and you need to check if PECR’s rule applies.

  • So, for example, that credit card provider we just mentioned, if they actively encouraged the individuals to make use of that rate change offer, then this would fall within the definition of direct marketing as they’re promoting that rate in order to gain further business from the individual.

And another one.

  • A mobile provider sends a text message to a customer that they’re reaching their monthly data limit and advises what the data charges are under its contract if they exceed that limit. Because that message is purely informational about the account, it’s likely to be viewed as a service message.
  • But if that mobile provider also uses the message to encourage the customer to take up a special offer to buy more data, then that constitutes direct marketing.  You’ve got to apply PECR to the whole email.

Now, bear in mind that ‘for direct marketing purposes’ is almost anything promoting your aims or ideals so it’s pretty broad.

Individual subscriber

Okay, ‘individual subscriber’.  This is the part that we think causes the most issues.

‘Individuals’ has an immediately clear meaning. We’re not talking about legal entities like a limited company, PLC or LLP. For these laws, though, it also includes sole traders and unincorporated partnerships. Think of it this way: there’s no legal entity in the way when you’re doing the marketing, so the marketing’s basically directed at one of those individuals.

Now, ‘subscriber’ is trickier because it’s not a subscriber to your services – it’s the person party to a contract for public electronic communication services for the supply of those services. Basically, the person who’s the customer of the comms service over which they’re getting the email.

So let’s look at two examples here.

  • Take the email firstname.surname@companyA.com.  That person works at Company A and Limited Company A will be the subscriber for the comms services, not the individual person.  Yes, that email is personal data because that identifies a living person. GDPR will apply to how you handle it.  But it’s not the email of an individual subscriber – the subscriber is the legal entity.

Now, granted, not all business.com emails are definitely legal entities, but it’s a strong indication.  Maybe you’ve got a policy of only selling or marketing to legal entities – you don’t add them to your database if you’re not sure.

And, just to note, emails such as info@keepabl.com are not personal data because info@ – there’s no personal data there, so PECR and GDPR do not apply.

  • On the other hand, with the email firstname.lastname@hotmail.com, it’s most likely that it’s an individual who’s the subscriber, and PECR’s rules will apply again.

Again, yes, businesses may well use Hotmail or Gmail so, in practice, it’s safer to just assume that everyone with a Hotmail or Gmail is an individual subscriber until you find out otherwise.

Prior consent

Prior consent is where GDPR comes in as PECR expressly states that consent is as defined in GDPR – and GDPR defines that as:

  • a freely given, specific, informed, unambiguous indication of the data subject’s wishes by which he or she, with a statement or clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

In other words:

  • no pre-ticked boxes; inaction or silence is not consent; say who you are, that you’re going to use the email to send marketing to them, and that they can withdraw consent at any time. Give a link to your Privacy Policy for more details. The standard sort of Data Collection Notice.

Soft opt-in

Right, the last part of the rule is the soft opt-in exemption, and this is pretty well known. It means you don’t need consent to send B2C marketing emails if you satisfy a five-part test.

#1:  You obtain the email

You can’t get the email from anyone else. You have to have collected it yourself.

#2:  In the course of the sale or negotiations for the sale of a product or service to that person

You need to have obtained the email in the course of the sale or negotiations for the sale of a product or service.  Now, sale is clear – the person’s a customer.  But what about negotiations for sale as that can mean leads too?

The UK ICO notes that it’s not enough simply to send any query. The individual should have actively expressed an interest in buying your products or services by some form of express communication.

Helpfully, the UK ICO gives three examples (we all love examples) of what might qualify:

  • requesting a quote,
  • asking for more details of what you offer, and
  • sending an online inquiry to ask if you can order a particular product.

And the UK ICO gives two that probably don’t:

  • asking if you’re going to open more branches in a particular location, and
  • just going to your website and browsing through your site looking at products.

#3:  You market your own similar products and services only

You can only use that email to market your own similar goods or services, not someone else’s. And the ‘you’ part is interpreted strictly, by legal entity, so other group companies, for example, can’t rely on your soft opt-in.

As to ‘a similar good or service’, the UK ICO has given some great examples again and suggests this depends on the reasonable expectations of the data subject, which in turn depends on the context, including the type of business and category of product.  And they give two examples.

  • A customer buys groceries online from a large supermarket chain.  Although for some reason they only bought bread and bananas on that occasion, they might reasonably expect emails about a wide range of products, including bread and fruit, other groceries and also books, DVDs, kitchen equipment and other everyday goods commonly sold in supermarkets.
  • However, they’re unlikely to expect emails about banking or insurance products sold under the supermarket brand. These products are not bought or sold in a similar context.

#4 & #5:  opt-out on collection and each email

And, lastly, you need to have given the recipient an easy, free way to refuse, both at the time you collected the email and in each marketing email you send.  The last bit’s easy – you can allow for unsubscribe. But it’s the first part that needs careful drafting, when you collect that email.


So, you can see that, under the UK’s PECR, you only need consent for B2C marketing emails.

You do not need consent for B2B marketing emails, to those at legal entities.  This is an explosive topic and Europe’s basically split on this point.  We’ll deal with B2B marketing email in a separate blog and video.

Now we’re still waiting on this European e-Privacy Regulation to give greater consistency across Europe, and we really need it.  We’d welcome the full clarity here.

The rules are quite different across Europe, but at least for now, the situation in the UK and the UK ICO is very clear.

And here is that guide from the UK ICO. It’s their ‘At a Glance Guide’ from 2019 with all the rules on there. Again, the link is in the notes below.

So, there you go!  The UK’s B2C email marketing rules – very straightforward.

Please do visit us at keepabl.com.  Please like if you enjoyed the video, look at our other videos, including on B2B email marketing and why the rules are in PECR in the first place.

Do get involved – please use #privacykitchen to tell us the questions and topics you want covered.

So stay well in the meantime, and I look forward to seeing you in the Privacy Kitchen soon!


UK ICO’s Guide to Email Marketing

UK ICO’s Draft Direct Marketing Code of Practice (in particular, pages 78 to 82)

UK ICO’s Guide to Direct Marketing (in particular, page 44)

UK’s Direct Marketing Checklist


The UK ICO’s Guide to PECR

The 2002 EU e-Privacy Directive (2002/58)

The 2009 EU Directive amending the e-Privacy Directive (2009/136)

The UK ICO’s Guidance on Spam Emails

