UK guide to B2B email marketing laws (warning, it's tricky)

UK guide to B2B email marketing laws (warning, it’s tricky)

There are email marketing laws. Surprise! Yet few marketing departments understand or implement them correctly. The result? Damaged reputation and (sometimes) heavy fines.

I’ve often argued that marketing is a science, not an art. But too often execs concentrate on the creative side of marketing (art) and ignore the ‘dull’ email marketing laws (science).

So here is a quick round-up of what you need to do on your next email campaign to ensure you stay legal and don’t blemish your name. Try not to fall asleep đŸ™‚

You’ve heard of GDPR, what about PECR?

I just Googled “GDPR UK Law” and got 28,800,000 results. Did the same for “PECR UK Law” and got just 99,200 results. I guess not many people write about PECR… but what is it?

Data for email campaigns in the UK is governed by two laws; GDPR and PECR. Their full titles are the ‘General Data Protection Regulation‘ and the ‘Privacy & Electronic Communication Regulation’.

GDPR governs how you store a person’s data, PECR governs how you contact them electronically.

Individual vs Corporate emails

GDPR does not distinguish between individual data (e.g. and corporate data (e.g. To store any personal data you will either need consent or be able to prove you have a legitimate interest. For more information see my article ‘GDPR: Which is best, ‘Legitimate Interest’ or ‘Consent’?‘.

If you can prove you have a legal right to store a person’s full name and email address, the next thing to do is prove you have the right to send them an email. That’s governed by PECR.

If you contact them as an individual (e.g. or you will need their permission (opt-in) before you send the email.

However, if you email them as a corporate (e.g. you do not need their permission and can continue emailing them until they tell you to stop (unsubscribe).

Either way (individual or corporate), you must ensure your marketing emails have an unsubscribe link.

Regardless of whether they are an individual or corporate, if they unsubscribe you must do it without delay and ensure you have the mechanisms in place to avoid them being emailed by you in the future.

Beware! Sole traders and partnerships will be regarded as individuals. Therefore you will need permission before you email them. As an example, many Accountancy firms and Solicitors are partnerships.

Do not assume that because they have a .com or email address that they are an Ltd or Plc company. Also note that Schools, Hospitals and Government Departments would be regarded as corporate.

UK law vs International law – which one applies?

Fancy another complication? OK. How about whether the UK or International law applies to your email marketing?

Answer? It depends.

It depends on which law your email marketing platform is using and where your customers/prospects live. For example, MailChimp applies the USA CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing Act) law to any email campaign using its platform.

But if you are using a list on MailChimp that contains the names of UK or EU citizens then the GDPR law also applies.

Note, PECR states that if you are emailing, and it is an Ltd or Plc organisation, you do not need prior permission – by contrast, the USA CAN-SPAM law states you do need permission before sending marketing emails to any address, including corporates.

Don’t you just love B2B email marketing laws?

What happens if you break the law?

Besides the damage to your organisation’s reputation, you may also be fined. Fines in the UK are issued by the Information Commissioner’s Office (ICO).

GDPR states fines can be as high as €20 million or 4% of global turnover (Cathay Pacific airline was fined £500,000 by the ICO for a GDPR failure). PECR has a maximum figure of £500,000 (Telecoms giant EE was fined £100,000 for sending 2.5 million emails without consent).

You may be thinking that you will never get caught. While it’s true that many consider the CAN-SPAM law is a toothless dog (there haven’t been that many prosecutions by the FTC since 2003), the ICO in the UK has been more active, issuing over £50m worth of fines in the first 6 months of 2020.

It’s not just the ICO you need to worry about. Spam emails get dumped in the Junk folder and you may find your email domain gets blacklisted or your email platform closes your account.

And don’t think that outsourcing your email campaigns to an agency lets you off the hook. As the ‘instigator’ of the email, the ICO will come after you first.

Do any other laws apply?

Yep. The UK Companies Act 2006 states you must include the following information on your letterheads, order forms, company website and… business emails:

  • Company name;
  • Your company registration number;
  • Place of registration (e.g. Scotland or England & Wales); and
  • Registered office address

The best way to get consent (opt-in)

I use ‘legitimate interest’ under GDPR to store personal data in CRMs, and I abide by the rules of PECR so I don’t need prior opt-in most of the time.

However, all experienced marketers know that ‘permission marketing’ is the most effective (thanks Seth Godin). That’s why I include the following text on all my website forms with a tick box – it gives me both GDPR and PECR opt-in.

Yes, please send me the Marketing Graham Bulletin no more than 8 times per year. I understand that I can unsubscribe at any time by clicking the link in the footer of your emails, and you will store my data but never sell it to third-parties.

The tick box is important as GDPR states that if you are asking for consent it needs to be ‘unambiguous’ by using ‘affirmative’ action (note, you cannot pre-tick the box).

Setting up your CRM for email

First, make sure you capture the date a person subscribes to email marketing. Opt-in does not last forever, but unfortunately, neither GDPR nor PECR stipulates a time period.

Next, make sure your CRM and email platform are connected so that any unsubscribes are automatically noted in your database.

Finally, be clear about what they opt-in for – is it just contact by email or have they also consented to a phone call? And if they unsubscribe, have they opted-out of both or just telephone calls?

The new ePrivacy law

Oh, and just to make things a little more interesting there’s a new law on the horizon that will replace PECR. It’s called the ePrivacy Regulation and was supposed to be introduced alongside GDPR. That didn’t happen.

The likelihood is that although it’s an EU law, the UK Parliament will introduce a carbon copy (much like they did with GDPR). The final wording is yet to be agreed upon, but it seems you may need to get opt-in before emailing both individual and corporate email addresses. Another complication of the B2B email marketing laws.

When will it happen? My guess is the text will be finalised in 2021 and it will be enforced during 2023.

Final word

Any questions? Drop me an email. I’ll do my best to answer.

Get my latest blog posts, reports and videos delivered straight to your Inbox, just 8 times a year. It’s free but not cheap. Complete the form below to receive the Marketing Graham Bulletin; you can unsubscribe at any time.

Marketing Graham Bulletin
You can unsubscribe at any time and I will never sell your data to third-parties. For information on how I care for your data, check the Privacy Notice.