10 things you should know about … email marketing

10 Apr 2012
Alasdair Taylor

This article highlights some of the key features of the law governing the use of email for marketing purposes.  It considers only the position under English law. Although much of the UK legislation relating to email marketing is EU-inspired, the laws across the EU are not properly harmonized. The position under US law is also quite different from the position under English law.

(1) What is a marketing email?

English law does not have a core conception of a marketing email. Different sets of rules regulate different kinds of email.

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (the “Privacy Regulations”), the most important piece of legislation in this field, regulate the transmission of “communications for the purposes of direct marketing by means of electronic mail”. The courts can be expected to place a broad interpretation upon these words. However, the key provisions on email marketing apply only to “unsolicited” communications to “individual subscribers”.

The Data Protection Act 1998 regulates emails which contain personal data (e.g. individuals’ names – [email protected]).

Voluntary codes (such as the Direct Marketing Association’s Code of Practice) and the contractual terms of hosting companies tend to cover a wide range of communications. Some hosting terms, for example, cover all unsolicited commercial emails.

(2) Aren’t all unsolicited marketing emails illegal?


Emails sent to corporate subscribers which do not contain any personal information (e.g. [email protected]) are not specifically regulated under English law – save that the emails must contain certain information (see below).

“Corporate subscribers” in this context includes limited companies, PLCs and LLPs; it does not include sole traders or general partnerships.

In all other cases, unsolicited emails sent for direct marketing purposes will be unlawful unless the recipient has in some way consented to receive the email.

(3) Opt-outs, opt-ins and soft opt-ins

Opt-outs, opt-ins and soft opt-ins are three different ways of obtaining consent to send marketing emails.

  • An opt-out is where the email recipient has been given, at the point at which the contact information was submitted, the opportunity to opt-out from receiving the emails, and has not done so (e.g. by not ticking a box in an HTML form).
  • An opt-in is where the email recipient has specifically indicated a desire to receive the emails at the point at which the contact information was submitted (e.g. by ticking a box in an HTML form).
  • There is also a special form of consent under the Privacy Regulations called the “soft opt-in”. This applies where (i) an email address was obtained in the course of the sale or negotiations for the sale of a product or service to that recipient, (ii) the direct marketing is in respect of similar products and services, and (iii) the recipient was given the opportunity to “opt out” when the details were collected and with subsequent communication.

(4) What sort of consent do I need?

There is a good deal of confusion about what kind of consent is required for sending marketing emails.

The position under the Data Protection Act 1998 is that opt-out (or similar) consent is generally thought to be sufficient in the case of marketing emails involving non-sensitive personal data. However, express or opt-in consent would be required for any direct marketing communications which involve the processing of sensitive personal data, such as data relating to ethnicity, politics or medical conditions.

Opt-in or equivalent consent is required under the Privacy Regulations for marketing emails sent to individual subscribers, unless the soft opt-in provisions apply (see above).  (NB the Privacy Regulations do not use the terms “opt-in” and “opt-out”.)

You should also check the requirements of your email service provider’s terms and conditions. These often required a more stringent standard of consent than the general law.

You must comply with each applicable rule set.

(5) Information to be provided before consent is given

If you are collecting contact information which includes or may include personal data, certain information must be notified to the data subject:

  • the identity of the data controller;
  • the purpose(s) for which the data are intended to be processed; and
  • any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.

The information should in general be given to data subjects or made readily available to them at the point of collection.

The most common way to meet these requirements in the website context is through the use of fair processing notices and privacy policies.

(6) Information to be provided in all marketing emails

Regulation 23 of the Privacy Regulations says:

“A person shall neither transmit, nor instigate the transmission of, a communication for the purposes of direct marketing by means of electronic mail – (a) where the identity of the person on whose behalf the communication has been sent has been disguised or concealed; (b) where a valid address to which the recipient of the communication may send a request that such communications cease has not been provided; (c) where that electronic mail would contravene regulation 7 of the Electronic Commerce (EC Directive) Regulations 2002(1); or (d) where that electronic mail encourages recipients to visit websites which contravene that regulation”.

Regulation 7 of the Electronic Commerce Regulations says:

“A service provider shall ensure that any commercial communication provided by him and which constitutes or forms part of an information society service shall— (a) be clearly identifiable as a commercial communication; (b) clearly identify the person on whose behalf the commercial communication is made; (c) clearly identify as such any promotional offer (including any discount, premium or gift) and ensure that any conditions which must be met to qualify for it are easily accessible, and presented clearly and unambiguously; and (d) clearly identify as such any promotional competition or game and ensure that any conditions for participation are easily accessible and presented clearly and unambiguously.

In addition, the Companies Act requires all business emails sent by a corporation to include the following information:

  • company name;
  • company registration number;
  • place of registration; and
  • registered office address.

(7) Right to object

Under the Data Protection Act 1998, individuals may object at any time to the processing of their personal data for the purposes of direct marketing. Similarly, the Privacy Regulations have the effect of prohibiting the sending of marketing emails to individual subscribers who have notified the sender that they do not wish to receive such emails.

(8) What is good practice?

The Information Commissioner has stated that, notwithstanding the legal requirements, good practice requires that marketers follow the guidelines set out below.

  • Try to go for opt-in-based marketing as much as possible.
  • Provide a statement of use when you collect details.
  • Make sure you clearly explain what individuals’ details will be used for.
  • Do not have consent boxes already ticked.
  • Provide a simple and quick method for customers to opt out of marketing messages at no cost other than that of sending the message.
  • Promptly comply with opt-out requests from everyone, not just those from individuals.
  • Have a system in place to deal with complaints about unwanted marketing.
  • When you receive an opt-out request, suppress the individual or company details rather than deleting them. (This way you will have a record of who not to contact.)

(9) Is buying lists allowed?

There is nothing in the legislation which expressly prohibits the purchasing of email lists. However, if you are thinking of using such a list, you should only purchase it from a reputable company and you should ask for a warranty that the list has been lawfully collected and may be used as intended.  Even then, you should think twice.

(10) Other risks

The terms of service of most ISPs and email marketing service providers prohibit spamming. However, different sets of terms will define spam in different ways. If you are considering sending unsolicited commercial emails, you should ensure that you do not breach the terms of your contract with your ISP or email marketing service provider.

This is an adapted version of an article originally published on www.website-law.co.uk in March 2007.


Could you let me know if we are allowed to add a button to an online article that says “send to a friend” this would then email a link back to the article. The user initiating the action would also be required to input their email address as the originator. However, this email would be processed through our own mailserver and not the initiator’s email client.

It’s something that can be seen all over the internet, but is this legal?

Thank you

Our club wants to send emails with the events that are going on in the club and outside (with club attendance) These are often paying events. We also have links to our club shop and social media.

This would go to our membership who have all paid to become a member of this club. Do we need an unsubscribe button? (is it, essentially, a marketing email? or something that the club can consider reasonable to send out)

Yes, this would likely be considered to be marketing, so you do need an easy unsubscribe option. NB That is not all you will need, particularly with the GDPR imminent. Eg you should also have an established basis of processing and be providing appropriate information notices. If you decide to base the processing of personal data associated with the marketing on consent, you need a GDPR-grade consent from each recipient.


I run a ltd company as a sole director. I have been receiving emails from a recruitment company now for around 2 years. Around 9 months ago I decided that I no longer wished to receive these emails and as per their instructions replied back with the message to Unsubscribe with my company details attached. However I am still receiving these emails now despite continued requests to unsubscribe. Yesterday I sent an email strongly voicing my opinion and got a reply saying you must be joking and they are continuing to send these emails. Whilst my PC can send these to junk my phone does not. It is highly annoying. I have tried to resolve this but am at a point where this is complete annoyance. Where do I stand? My email is a info @ company . co . uk which I know can be contacted but surely there must be something I can do after requesting to unsubscribed around 20 times in the last 9 months. 

Hi Alasdair,

Our business sells wholesale laptops (business to business). We are actively seeking computer repair people and computer shops to sign up as trade buyers.

We would like to collect email addresses from websites we find via relevant Google searches, then email those addresses with a short and concise description of our business and a link to register for a trade account.

It is very likely that some of these addresses will be [non-limited] sole traders or partnerships, which I understand should be treated as individuals.

1.  As our Google search is targetted, the email address has been willingly placed in a public facing location by the computer repair person/shop, and we are emailing with industry specific products, would we legally be able to email these addresses without any prior contact or opt in?

2.  Could the fact that they have placed their email address in a public location for the purpose of promoting computer services be conceived as a soft opt in, i.e. they have shown an interest in our products, even without knowledge of us specifically?

3.  Do the PECR rules apply to generic email addresses – for example “sales@domain” or “info@domain” – even if the person who owns that address is potentially a sole trader/partnership?


The answers to these questions under the current law are quite clear: no (because of the PECRs), no (the PECRs soft opt-in does not apply here) and yes (where the relevant person is an “individual subscriber”).

NB the law on email marketing is changing, with the GDPR coming into force on 25 May 2018 and the anticipated introduction of the ePrivacy Regulation on (or more likely) at some point after that date.


It’s ok to send mass unsolicited e-mail and give them a newsletter if they want subscribe? (send only once). I am just wondering if this is legal or not. 


In general terms, this is not legal under English/EU law.  A communication asking users whether they want to subscribe will be treated as a direct marketing communication and therefore subject to the PECRs.  Also, you are very likely to be processing personal data when doing this and will need a legal basis for that processing. The ICO has fined companies in similar cases.

Under the GDPR rulings how do the refer a friend links work now, if I the customer generate a link on an ecommerce site then take this link to facebook or twitter or any other social media who is responsible for sharing the data held within that link?

That is the website of an Australian company, and certainly does not state the position under English law.


A group of professionals have got together to create a guild. The guild has a website that lists all the members, and information on how to find an available professional.

The members would now like to pool their collection of work contacts (people who have contacted them in the past as part of a commercial relationship) and send a group mail out to let everyone know about the members list on the website.

Is this legal? 

Many thanks!

It seems most unlikely that all (or any?) of the marketing consents gained when collecting the data would cover this use of the data.

Hi – I am a member of a golf club which has not actively promoted itself very well in the past. I am trying to assist the club by getting the secretary (manager) to promote offers to ex customers (these are typically organisers of Golf Societies who have emailed us in the past with their details; numbers of players, meal requrirements etc) and have on their booking form, included their personal email address, and have used email to contact us or have provided details of their email when making their booking for golf. 

I have noticed that the booking form issued by the club secretary does not have an ‘opt-in’ or ‘opt-out’ of using their details for marketing or sending newsletters to them. I hvae suggested that the booking form now be amended with an opt-in or opt-out for electronic marketing/newsletter purposes.

Question 1: can we use the emails the club has collected to date to send out offers to these Golf Society orgnisers, all of whom have previously contracted with the club, but have not given express consent for us to contact them electrnically for marketing purposes in the future? I suspect not …

Question 2: If the answer to Q1 above in no, can we email them explaining what we’re looking to do (send them a regular newsletter which will also contain offers e.g. reduced fee golf rounds for societies booking more than 20 members? If they reply saying yes, we then have express consent from these people we have previously contracted with, and can then send them the newsletter (with the ability to opt out) in future. Would we be able to telehone them aswell to seek approval, although this would I suspect need to be followed up by them confirming consent in writing (via email/hard copy)?

Kind regards


The laws are very grey on adding marketing to your order confirmation emails. Some say as long as its less than 20% etc. Is there a UK law or guide on this?


Can I telephone my opt outs and ask them if I can send a highly relevant business e-mail to their address which is inviting them to a free event to do with something directly connected to their work?

Hi, I justt wanted to know if schools are classed as corporate entities for email marketing purposes. We are a fencing contractor company and want to email schools to offer our services if required. Can I do this and it not be classed as spam?

We are a company which communicates at least 99% by email. We have a list of some 10,000 individual customers who have send us emails, almost all of them looking for individual jobs. In most cases we do not answer those emails. We now want to send emails to all those individuals, advertising our new monthly blog. This new blog is intended to have as many as possible of those customers sign up to pay us a monthly fee for receipt of the blog. This blog will contain information, some of which could be useful to the customers for finding a paid outlet for their expertise, and also other information which is only of general interest in the field concerned. Could we legally send out a specimen email (this is the blog mentioned above) giving information some of which is useful for these customers, but which also asks those customers to sign up for a fee for the monthly blog. The signing up would involve payment by credit card or PayPal and the customer can stop that payment whenever he or she so wishes. There would also be a perfectly visible “opt-out” tick-box for those customers who do not want anything to do with this blog, etc. Legal or not?

When we gather data from people, they complete an enquiry form, requesting information about the services that we offer.

We are in the process of adding the relevant tick boxes, but in terms of the data we already have, is it legal for us to email them, since the form they have completed is a request for information and they give their email address?

If data hasn’t been obtained in accordance with the legislation, then the use of the data could in principle constitute a further breach of the legislation. Whether there is an actual breach here, and indeed whether there is any real risk, will depend upon all the circumstances.

Hi, I’m a photographer based in the UK and I’m trying to understand the situation regards unsolicited emails. If I were to take a photograph of someones pet cat or dog (in a public place) would I be within the law to email a watermarked copy of the image to the owner’s place of work and offer the image at a set price on the basis that if the image was not wanted both the email details and the image would be immediately deleted and they would receive no further emails?


We have telephoned a number of children’s nurseries to ask if we can collect contact details so we may send them an email about our services. This was done over 12 months ago, we now have decided to act on the information that we obtained over the phone.

Are we still able to send an email to these email addresses? Also, how do we prove that we have telephoned them and requested these details?

Please help as we are very confused.

There is an argument here that the consents you obtained are stale; this is particularly relevant where you are processing personal data (eg personal names as part of email addresses).

In any case, if you haven’t got any contemporaneous evidence that the data was properly collected (eg call recordings) then it will be difficult to defend an claim that the marketing is not lawful. There may also be a question mark over the legality of the initial telephone calls.


I manage a database for a company. We pay to license access to job websites to find CVs for people to come and work for us.

The individual has agreed to the job website’s terms and conditions, of which access to their CV and contact details by employers is one.

As a company, firstly, can we then add the individual’s CV and contact details to our database?

Secondly, can we then email them about future job opportunities?

Thanks in advance. Great article!


I have a list of about 5000 email addresses of individual translators. I got their email addresses from emails they sent to me when they were looking for a translation job. I want to contact all those translators to ask for their opt-in so that I can send them a free of charge translation program (No. 1).  On receipt of emails from translators who want to receive this FOC program, after sending them the FOC program, I will then use their opt-in address in an attempt to sell them a paid translation program (No. 2). Is this legal? Otherwise, what would you suggest as a legal means of contacting all 5000 translation?

… then this is unlikely to be in accordance with the legislation. There’s no obvious workaround, although it might be possible to do something based upon the purpose for which the email addresses were originally provided.

If I run a club where people pay to be members for a year, can I put in my terms and conditions of membership that I will email members with details of club events or services and specify the maximum number of emails e.g 6 per annum (to coincide with the number of club events)?

As the club is voluntary run and not for profit having an opt out would be both time consuming and costly, especially as we are only emailing paid members.

Thanks in advance for your help.

Consent which is a condition of being a club member is arguably not a freely given consent.

There are no special exceptions to the rules for not-for-profits or small organisations.

NB some free services build-in consent mechanisms.  I suggest you try one of these – eg Mail Chimp.


Could you let me know if we are allowed to add a button to an online article that says “send to a friend” this would then email a link back to the article. The user initiating the action would also be required to input their email address as the originator. However, this email would be processed through our own mailserver and not the initiators email client.

It’s something that can be seen all over the internet, but is this legal?

Thank you 

Hi I’m still very confused. I have a small business and I’m trying to use social media etc to increase cusotmer base. I’ve spent weeks looking for email addresses of trades people who aren’t current customers. All the email addresses I’ve collected have been somewhere on the web (eg checkatrade, yell.com, green directories, facebook pages etc) as well as from the websites of these possible customers. Some on my list are sole traders, some are ltd companies etc and there is a variety of business and personal email addresses eg info @ companyname .co.uk or eg joebloggs @ sky .com etc. Sole traders will often use the joebloggs @ sky .com format rather than integrating a trading name and many sole traders just trade under their name anyway. I’m using a 3rd party marketing company to run the campaign and I know there will be an unsubscribe button on the email. Eventually I plan to run monthly campaigns myself via mailchimp. So, my question…..am I legally allowed to run this campaign or am I heading for trouble?? Thank you.

I think your proposed course of action would be legally problematic, in respect of some of the email addresses at least, under the DPA and/or the PECRs.

Hi, if I let people sign up for a newsletter on my website, do i have to register for data protection? The answer is probably yes to this but what if I use a third party tool who collect email address on behalf of my business and I just send out emails to anyone who joined?


If I have obtained a cold list of email addresses, am I allowed to send a one off email to them offering my services and asking then to subscribe / opt-in otherwise they will receive no further communication’s from me?

What do you mean by a “cold list”?

Is this a list you collected, but haven’t used recently – or is it a list collected by someone else?

If a company is hiring and they say IF you provide an email (so, voluntarily) in your application, then we will use it to contact you for all business purposes in the future.

Is is that legal?

I would have thought that a consent gained in this way is invalid, because it is not freely given and is excessively broad.

I enter a lot of competitions and one company’s entry forms has a pop up box that says your details will be passed on for marketing purposes.There is no opportunity to opt out. Can they do this?


Thanks so much for all your help with this very broad subject. We have a question which relates to Irish law on sending licence details to our customers. Basically our customers buy our product from an online store or over the phone etc. and we then send them the licence details to activate our product. They need these details in order to activate the product but we currently have an unsubscribe option for them. However next year when they come back to renew their licence we won’t be able to send them their licence details as they will have unsubscribed and so we want to know if in this instance is it okay to not have any option for them to unsubscribe (relating to the law in Ireland)?

I’m afraid I don’t know what the position is under Irish law. Although the relevant law comes largely from EU law, there are different implementations in different member states.

I wish to email a press release about a software product to a number of small business magazines. My press release is a commercial document and my aim is to have the magazines review my product and perhaps write about it. Do I fall foul of email rules in terms of ‘spam’/unsolicited emails? Some of the magazines use ‘editor’ in their email addresses, others name individuals.

Many thanks.

Hi David, thanks for your question.

Where do you get the email addresses from?  Are they from the magazines’ websites? If so, are they made available, in part, for the purpose of attracting press releases?

Thanks Alasdair. I get the email addresses from the magazine websites. A very few do specify that they’re happy to receive press releases, but most are interested in advertising or simply feedback on the magazine.

In that case, I think you may breach the rules where the magazine is not a legal entity (Ltd, PLC, LLP or similar) or where you use a personal name. If magazines are expecting this kind of unsolicited communication, however, the risk is probably low.

I’ll check their legal status and use ‘editor’ as the contact, to be on the safe side. Thanks very much for your advice, Alasdair,

kind regards.

Dear Sir

Thank you for the website but I fear I remain confused.

I look after the database for a local medical society which is recognised as a charity. We are registered with the ICO. We hold a number of lectures each year. We have asked our members to submit their email addresses “for Society use only” and have been using these to send out reminders about our meetings (lectures, annual dinner, and AGM) through a mass email company. I am not certain whether this counts as “marketing” and whether what we are doing is acceptable. Should we specify to our own members in more detail what we will use the emails for and ask them to opt-in? There is an unsubscribe link on the sent emails which has not been used so far.

We used to send out flyers for the lectures to local post-graduate centres and health centres but I suspect from what you have said that this is not acceptable.

Many thanks for your advice.

This doesn’t sound like a very risky form of email marketing, but it is usually best to assume that these sorts of emails will constitute “marketing” for the purposes of the legislation.

Flyers are not subject to the Privacy and Electronic Communications Regs, although if you are using individual names for the flyers that will constitute personal data processing under the DPA.


Can I collect e-mail addreses on the internet and write them without any kind of marketing reference, but just the permission to contact them with that purpose? Thanks.

If I understand your question correctly, you are asking whether you can collect publicly-available emails and write to them, in each case asking whether they would give you permission for further (presumably marketing-related) contacts. If that is the question, the answer is probably: no.

In my view,  the category of emails “for the purposes of direct marketing” include emails sent for the purpose of getting permission to send further emails for marketing purposes. The alternative view would allow for an unlimited amount of “permission spam”.

Yes, you have understood the question: I understand your point and I agree, it would be a never ending game. Thank you very much!!


Hi, I have been reading through this post looking for some advice on the legalities surrounding consent for email subscriptions. I am wondering if a person in a shop/gym/public setting simply asks for my name and email address without specifying that that email will be used for marketing and spam is this legal? Would the person be giving consent even though they have no idea what they are signing up to? 

Thank you.

I suppose the marketer here could argue that it is obvious that email addresses were being collected for marketing purposes, because: (i) it is common practice to do so; and (ii) they had no other reason to collect the addresses.

However, I doubt such arguments would impress a judge or the ICO.

So, to answer your question: no, unless there are some relevant factors you have not mentioned, I don’t think there is an adequate consent here either under the DPA or the PECRs.

Thank you so much for your reply. So a shop should only be taking my email for marketing with my consent to sign up to the marketing? Thank you, your site is extremely helpful.

Unless your email address is outside the scope of the legislation (ie corporate subscriber + no personal information) then there should always be some form of consent, even if that consent is implied or (under the soft opt-in) takes the form of you being “given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of [your] contact details for the purposes of … direct marketing”.

If a customer has requested a quotation from us and we wish to send it back to him by email, is this classed as marketing? We collect his email address but do not add it to a database, so will only contact him about the quotation he has requested.

“Direct marketing” is defined in the DPA as “the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals”. The PECRs adopt this definition from the DPA: “Expressions used in these Regulations that are not defined in paragraph (1) and are defined in the Data Protection Act 1998 shall have the same meaning as in that Act.”

I usually assume that “marketing material” would be interpreted widely by the ICO and the courts. I’d guess (although I am not sure) that in some circumstances a quotation might be considered to be direct marketing, while in most it would not.

In any case, if a customer has give you his or her email address for the purpose of receiving a quotation, that is surely an adequate consent for you to send the email, whether or not the quotation constitutes “marketing material”, and irrespective of any box-ticking exercises.

Is it illegal to go to company websites and get the email off the site to send a marketing email too? (Not with software, just a person doing it.)

Depending upon a number of factors (including the nature of the email addresses and potential the content of the website T&Cs) this can be unlawful, notwithstanding that no software is used to harvest the email addresses.


We operate an online business where customers may be refunded monies to an account if we were unable to fully deliver the product ordered.

We are looking to inform all customers that have a positive account what their balance is.  If a customer with a positive balance has unsubscribed from receiving emails can we still contact them via email with their account information?

Many thanks 

You should ensure that the unsubscribe function relates only to marketing emails, and ensure that account information emails do not contain any collateral marketing material.

If you do these things, account information emails will not be subject to Regulation 22 of the the Privacy and Electronic Communications Regulations or Section 11 of the Data Protection Act 1998 (because they are not sent for direct marketing purposes) and the processing of personal data in connection with the sending of those emails should be permitted by virtue of certain conditions in Schedule 2 to the DPA – most likely conditions 2(a), 4 and/or 6(1). See:


Hi I’m a local guitar teacher who currently works in one school and I’m approaching others to see if they could use my services. I’ve been using the admin@xxx e-mail addresses used on the schools websites and making it clear in the subject line what the e-mail is about then putting

Dear [headteacher name]

So not using any information that isn’t published on the school website. Is this allowed? 

I think that probably still constitutes processing personal data (the headteacher’s name) without consent – unless the website where the name is published somehow invites commercial approaches to the head. However, regulatory or indeed private action against this type of email is most unlikely. The major risk may be spam reports.

Unless you’re a fairly respectable company willing to only target your market with relevant offers without hide your identity but on the contrary making sure everyone knows exactly who you are and how to find you; and one of those emails goes straight to your competition. They will put the rottweillers after you.

Dear Sir,

It seems that the laws in UK and USA are stricter in regulating unsolicited direct marketing mails than other countries.

In other countries, they are probably not as strict. Even if all countries are very strict, in practice, which recipient of unsolicited mails will spend thousands of USD or pound sterling in legal fees to sue the sender just because of an irritating email keep coming everyday? Nobody will spend the money and spend a lot of time and efforts to work with a lawyer to sue the sender especially the sender is from overseas where the legal cost would be a few times more. Mind you, there are so many such unsolicited mails are coming from every where and from so many countries in the world. You will end up spending millions in legal fees every year and forever in your life!

What the recipients could do is just to complain to the ISP provider to have their mail blacklisted. This works. But then the sender can create many many different names and continue to send again.

Reputation is another risk. This is valid. But Amazon.com is doing very well. 

If the sender company is from Africa, third world countires and other less developed countries and also those in tax haven countries like Seychelles, Cayman island etc and war countries, who care? The laws there are very loose and all these emails, spams etc sent by their citizens or companies will not end up in trouble as the regulators are not strict. Worse is, will any British or Americans spend USD5000-USD10000 to sue the sender from Africa or Seychlelles or Iraq? After winning one case, they still have 1000 in the list and keep increasing. They will be broke or migh as well just give up.



I use to recieve mails from two countries in Africa and invariably those mails always end up on my SPAM box, even if senders had previously exchanged mails with me. It looks like that those countries that Branson Lee mentions by default are already blacklisted without matter which mail account is the sender.

So, to set up things in one of those countries, if it worked in the past now seems to not work anymore for the obvious reason that they became the spammers paradise. 

It’s clear that under several requisites to comply is allowed to send marksting emails to corporate recipients without previous consent under the UK law.

But what if destination recipients belong to US companies which SPAM ACT undoubtely prohibits such emails without previous consent?


1) Sending company is legally registered in UK.

2) Company uses a mail server located at UK.

3) Destination mail recipient belongs to a not given consent US company and therefore able to fill an unsolicited email complaint.

At US sending unsolicited marketing emails under any form is Federal Crime, but for the above example the action that may become crime, takes place out of the American territory.

Question: Is it legal to target US companies with unsolicited marketing emails from UK?

This is probably out of the post’s and your scope, but would be interesting to find out.

Tbh I don’t know the position under US anti-spam laws in this situation. However it’s not uncommon for the US courts (and indeed other countries’ courts) to assert extra-territorial jurisdiction in internet-related cases. Of course the assertion of jurisdiction is one thing, and extra-territorial enforcement another.

US anti-spam law prohibits the sending of any product or service offer by email to any entity without previous given consent unless there’s a proven relation between message sender and message receiver.


You do not specify anywhere what can be done to stop a persistent offender – I am being harassed by someone who despite repreated requests will not stop sending me emails. He is also doing this to many others who likewise have requested him to stop. I also seem to be getting copied in to their emails. My colleagues are also getting mails now…how do I get this person to stop?!!

What, broadly, is content of the emails? Are they purely commerical? Are they being sent by a company, an individual acting in the course of a business, or a private individual?  Where did the sender get the email addresses?

Hi Alasdair, 

Many thanks for the article, have found the information different issues all enlightening yet no less daunting.

I work for a charity that produces learning resources. Would i be right in thinking that we would be OK to contact corporate subscribers (in our case schools) with possible resources that could be of use to them? (Providing the addressess were not personal ones would these be considered corporate subscribers?)

Hi George.

I believe that the legal status of schools in the UK varies somewhat from school to school, but providing a school has a separate legal personality (eg it isn’t an unincorporated association) then it won’t be an individual subscriber for the purposes of the PECRs.

Remember that just because a campaign is legal under the legislation, doesn’t mean that it won’t breach (for instance) email service provider T&Cs, or that it won’t result in blacklisting.

I run a small business, a company limited by shares. We sometimes advertise for more staff, and invariably I soon thereafter either get a call or an email from recruitment agencies, either offering their services in helping us finding the staff we just advertised for or sending us the CVs of a few people who they believe would be suitable for us, along with their T&Cs.

I often also receive cold calls or cold emails from recruiters, without an active job advert on the market, asking for HR or the recruiting manager, again offering their services or sending a few CVs across asking whether we would have a need for any of those people.

Finally, and probably after looking at my LinkedIn profile and deciding that my business is small enough (we are close to 30 people), being called or more frequently emailed with job offers for one of their clients.

What of all this is legal and what is not quite so?

We currently have a mailing list collected (with consent) for one of our restaurants and we were wondering if we can send these recipients details of our new restaurant via email that has opened (different name – not a chain of restaurants etc)

Dear Advice,

Two questions

1) If you send a request information on a ‘free post return’ to an address is this legal? I assume that this allows the target to respond or not?

2) If a survey is sent to an email list of ‘business to business’ contacts stating that no private information will be used (i.e. the survey content will not be matched to the actual email) is this possible?

3) For the clarity of all the other queries, how on earth do you get permission to email someone. I have been given the Telephone number and name of someone by a colleague, can I call them?? According to what I read above with email, I cannot!!!??? Extremely confusing as now I find it only possible to meet with a new contact F2F, by introduction in person or by ??

I received an unsolicited email from a local company who told me (because of what they offered me) that they knew my employment status, what I did for a living and my name. They were inviting me to apply to work with them. I asked them who gave them my details. They say they have no way of tracking who gave them my details “database collected from many sources”. There is no way they could have obtained the data they hold on me from anywhere other than via a current employee or a previous employee (or some random person hacking into the database) of the organisation I currently work for, and I am sure they know this. One of the local company’s staff is a previous employee of the organisation I currently work for and had access to my details. The organisation I currently work for told me their legal department is looking into who gave the local company the data, and assured me they didn’t do it themselves. The pool of people who do the sort of work I do is very, very small (500 people max). Can I insist that the local company tells me where they got my data?

… but what happens if they still refuse?

A compliant to the ICO would probably be the cheapest / easiest line of attack, but whether the ICO would take action, I don’t know.


I have a number of domain names that would be of interest to companies in the UK and the US. Am I allowed, under UK and US law, to send unsolicited emails to a general email address of any types of business offering to sell the domain to them as long as no personal data / name is in the email address, such as info@smithwonderproducts? These companies may well be interested in the domain. If not, how about a letter / leaflet in the post?

Many thanks,

I Osborn

Under English law, then providing that (i) you are not processing personal data (eg individual names), (ii) the recipient is a Ltd company (or other incorporated entity), and (iii) you are not breaching any contractual or other legal undertaking when sending the emails (eg an enforceable legal restriction in website T&Cs), you should be fine from a legal perspective under current law. However, you would inevitably be emailing companies who are not interested in the domain and would still be liable to be blacklisted as a spammer. Letters or leaflets should also be permissible, subject to points (i) and (iii).

I can’t comment on the US legal position.

Many thanks Alasdair,

I may well contact you again seeking your services for domain name assignment contracts!


I Osborn

If I have a group of people who are members of my “club” but who haven’t specifically given permisson to be messaged by member of my staff in another branch, would this be considered illegal?

They will have opted-in to my general emails, but not to specific branch/personal club manager emails.

Do I need a formal written, or electronic “opt-in” from someone who is a member? Also, does it make a difference if I write to them personally, or whether I do so as my business?

Would this apply to non-members who have attended my club/s too? Could I email them if they paid and attened, or would they need to opt-in in some form?

Many thanks,


I am an online retailer and want to use my customers’ email addresses to let them know of new promotions. I don’t keep any personal details other than the email address – although the personal details are available to me online through my payment gateway. Do I need to register with the Data Protection Commissioner?

I run an email marketing company and our users who are all UK-based subscribe to our system and send emails to UK corporate customers (Ltd, Plc and LLP) which is allowed under UK legislation.

Some will be their own customers, some will be opt-in, some may not, but they’re all UK corporates. Our site has been added to a black list that is preventing a significant percentage of our customers’ emails from being delivered and the operators of the black list have cited the CAN SPAM Act, Canadian SPAM legislation and other non-UK legislation as grounds for adding us.

I’ve explained that we are UK based, emailing within the UK only and not governed by that legislation and what our users are doing is perfectly legal yet they refuse to remove us from their list. This is damaging our business financially. I’ve asked for evidence of what they believe to be offending emails and they’ve refused to supply anything making me suspect they don’t have anything. Can I get a cease and desist order to prevent them operating in this manner?

No-one likes spam but indiscriminate adding to blacklists without evidence doesn’t help anyone.

Thanks for your post John. In general terms, it can be difficult to pin a civil action on anti-spam organisation. However, to advise on this question, a lawyer would need to know all the details. As it is causing real loss, I suggest you consult an solicitor specialising in contentious IT/internet law. If you would like the name of someone suitable, send me your email via the website contact form.

Very useful article, thanks!

I run a small gift company in the UK and need to confirm, if I buy a mailing list which the ‘reputable’ seller guarantees the addresses are all opt-in and they supply info of which site their details come from, can I use the list with an unsubscribe option? Ie does the ‘opt-in’ clause relate specifically to my business or product, even if the customer agreed (under the terms) that their details can be used for 3rd parties use. 

If not … in reality … in the UK at the moment, what is the likelihood of actually being prosecuted for sending out a single campaign to test the water for responses? Or would it just be a slap on the wrist for such 1st offence? I’m presuming there’s far bigger fish to fry!

Many thanks

Thanks for your question. The fact that a list seller warrants that a list is “opt-in” does not affect your primary liability in the event that you breach the DPA or PECRs when sending out a campaign. However, if you suffered any loss as a result of such a campaign, eg damages from a private claim, you may (depending upon the precise terms of the warranty) have a right to claim any losses you suffer back from the list supplier. Of course, a right to claim, and actually recovering money, are two quite different things.

A claim that a list is “opt-in” rather begs the question – what have users opted into?  Not many users would opt to receive emails from any company that happens to buy a mailing list containing their data!

As to the risks, I suspect they are lowish for a single campaign, but I don’t have any good data.  If you look on the ICO site they publicise at least some of their enforcement actions, and these do tend to be for more serious breaches.

Hi there – great article!

I have a related question which seems very unclear looking at various websites etc… I’m a web designer and we send marketing emails out to our clients database. The database is stored on our server (which our client rents from us). 

The emails we send are not from our company – but our clients. How do we stand when it comes to registering with IPO? We adhere to the practices mentioned above, but do not have control over some of the opt-in proceedures as these are dealt with by another company.

I’m interested to understand if we are liable for anything?


Under the Data Protection Act 1998, the main duties fall on data controllers. The data controller is the person who determines the purpose or purposes for which data are processed. Often, that would be the client rather than the web designer. However, it is possible for a client and services provider to be joint data controllers.

In any case, if you are merely a data processor rather than a data controller in respect of the email data, then under the current DPA you are probably not liable, even if the client has breached the DPA in the collection / use of the data. The position of data controllers is however expected to change when data protection law is next overhauled.

The ICO maintains a register of data controllers, not data processors: http://ico.org.uk/what_we_cover/register_of_data_controllers. If you are not a data controller with respect to the email data, then you do not need to register with the ICO in respect of that data – which is not to say that you don’t have some independent obligation to register.

The relevant obligations in the PECRs apply to both to those who “transmit” marketing emails and to those who “instigate the transmission” of marketing emails. Arguably, you could fall within one or both of these categories. On the other hand, drafting of the the “soft-opt in” is difficult to square with an interpretation that brings an email service provider within the scope of Reg 22. See: 


I have gained a list published online from a FOI request which states the email contact addresses of every school in the UK, these are generic admin (at) office (at) etc emails.

If I where to now send an email out to all of them with the intention of them visiting my companies website and building a business relationship would this be legal.

The email itself will contain all the relevant opt out and company information and will not be a ‘sales’ email initially, more a news letter explaining we are a new company to the UK and have made available a product previously only available in Canada and to get in touch if they want to talk.

Unless you are subject to some restricting relating to how you obtained the list (e.g. in T&Cs that you agreed to) I think this would not, in itself, be unlawful. However, the sending of the emails may contravene ISP T&Cs.

We’re looking at sending 3rd party emails to our registered database. The client we are looking to send on behalf of has asked if we can supply the data of those who have clicked on a link in this email. We would not supply the email address – just the name, business name and telephone number.

Is this something which is permitted? Is it dependant on the terms and conditions we put in the footer of the email?


Strictly, you would need some form of consent from the persons concerned to do that. The answer probably depends upon the scope of consent you got when you collected the data originally. I don’t think that consent could be manufactured using T&Cs in the email footer where consent is the default.

What about if certain contacts had opted-out from our (B2B) emails, event invitations and white papers etc. but we wanted to personally invite them to a specifc one-off event? Would someone at our firm be able to send them an individual electronic invitation? Does this person have to know them personally?

Thanks for your advice.

1) They sound similar to me, but there is little in the way of authoratative guidance on what counts as “similar” for the purposes of this legislation.

2) Letters (vs emails) are not covered by the PECRs, although there may be an argument under data protection law that the processing of personal data for the purpose direct mailings requires consent. A grey area, with the shade of grey depending upon what exactly you are doing.

3) I think that an email sent for the purpose of requesting consent to direct marketing is an email sent for the purposes of direct marketing, and hence subject to the Regs.

If we have received emails from people who have registered their interest in our product (through a third party web site) about a specific product (which we have spoken/emailed them about) can we then use these same details to email them a further product in the same line?

The answer is probably ‘no’, but I’d need more information to be sure. How exactly were the email addresses collected?  What were the terms of the privacy policy under which they were collected (if any)? Could the initial contact be characterised as “negotiations for the sale of the product”? Were users given the opportunity to opt-out of further marketing at the point of collection of the email addresses?

The emails were collected because we ran a marketing campaign with another company. The people who answered the email campaign had to provide email/telephone etc to get further information. We now have all of their details on file.



I’ve recently statrted a keepsake jewellery business and my target market is parents of young children.

Am I allowed to go online and search for nurseries to email? I’d like to ask the nurseries’ permission to post them discount vouchers for their parents to have if they’d like.

The nurseries won’t have opted in but this won’t be a regular newsletter, just a one off email to see if they’d like the vouchers posted to them.


I have a 25000 email list from a networking site. I use it for my newsletter and also I forward some of my clients’ newsletters to my database in exchange for payment.

Is it illegal to do so??

If your activities are regulated by English law, then yes, this will almost certainly be in breach of both the DPA and the PECRs.

I am the Secretary of an amateur sports league in the North West and we have over 150 teams within the league. I hold the details of all the team secretaries including their email addresses, which is our primary means of communication. I wish to forward e-newsletters from the National Governing Body of our sport on a quarterly basis to all the teams. The registration forms they complete annually includes the statement ‘We do not object to the information given below being stored on computer for mailing and fixture book purposes (Data Protection Act 1984)’

Do we need to give secretaries the option to opt-out of receiving these e-newsletters?


Thanks for the great article, Alasdair. I just wanted to double check something with you.

I work for a small local carer charity and we have a list of our carers’ emails on file. We currently do not have a consent form or a statement read out to them at the time of collecting their email, nor do we have an opt-in/opt-out box for being contacted. We only collect their information when they come to us for case work, which includes details about the health conditions of the person they care for.

Would it be against the law to send them all one email asking them if they want to opt-out of future emails? Or would an opt-in be the correct way to do it? These future emails would be a newsletter containing relevant information, articles, events news etc. 

At the moment we have no way of sending out an e-newsletter so for us this would be a quick way to ascertain who would like to receive information from us.

Many thanks in advance for your help in this!

I’m not sure if there is a black-and-white answer here.

Presumably the email addresses were collected to enable you to communicate something to carers, and an email asking for consent to future marketing emails would to my mind fall within the class of communications that might, in these circumstances, be expected. On the other hand, depending upon the circumstances in which the email addresses were collected, it might be arguable that you didn’t provide enough information to carers to make this particular use of carers’ personal data. Again, it is arguable that a request for consent to marketing is itself marketing, and therefore that the PECR consent requirement applies (” … notified the sender that he consents for the time being … “), and is not satisfied simply by the supply of the email address.

As to the question of opt-in or opt-out, to be confident that consents are real and effective for the purposes of the DPA and the PECRs, you should use opt-in type consents. Silence might not be consent: e.g. the consent requests might themselves be hidden by spam filters. In any case, do you really want to be sending email newsletters to people who might not want them?

ps You should be providing carers with a privacy/data protection statement at the point where you collect data. Health data about an identifiable living individual is “sensitive personal data” for the purposes of the DPA, and is subject to more onerous processing requirements than ordinary personal data. For general information about health information and data protection law, see:


Hi – great thread

While I am aware that hotels need an address for legal purposes, do they have a right to demand my email address, even if there is a tick box to opt out? I don’t feel comfortable giving my email address at any point, to a company who may overlook the tick box.

There is no general legal right to demand the provision of an email address, but some services might only be available to those who have an address. E.g. you cannot purchase a legal template on the SEQ ecommerce site without an email address, because the links to download the templates are set out by email, and without an email address you won’t get your templates.

I think this may be more of a practical than a legal problem, and the solution may be to use one or more junk email management techniques.

In the course of my business I exchange many emails with customers, customers’ customers, suppliers, etc. These are all people therefore with whom I have established some sort of business relationship, even if it just my sending them an email on a particular subject, and their sending a reply.

Is it still against the rules if, for example, I want to send all these people an electronic Christmas card? Or maybe even want to send them a business proposal? In other words, does the law differentiate between sending emails to people that know who I am, and those whose names I have just found on a company website, but who are not known to me personally?

Very much appreciate your professional opinion. Thanks.

The law – by which I mean the DPA and the PECRs – doesn’t specifically differentiate between email recipients who are known to the sender and those who are not.

The soft opt-in under the PECRs might sometimes apply in these circumstances, but it’s not really directed at this sort of relationship.

Under the DPA at least, you could argue that there is some form of implied consent.

I imagine that a judge asked to rule whether an electronic Christmas card to a business contact breached these laws would try quite hard to find that it did not, but the text of the PECRs in particular (“… the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent …”) would not much help the judge. Another approach would be to exclude Christmas cards etc from the scope of “… purposes of direct marketing …”.

The risk of a complaint would of course usually be low, because most people don’t consider these sorts of emails to be “spam”.

Apologies for the lack of a straight answer.

I just wanted to thank you for your reply: I understand that in this murky area it wasn’t likely to be ‘straight’.

Compliments on your service: I shall certainly book-mark your website for future reference.

And Merry Christmas!

Is it a violation of the DPA for a publisher to have an “unsubscribe” link at the bottom of every email they send out but then to respond to the request to unsubscribe by saying that they can no longer use that method to unsubscribe but that instead one must call their 800 number and request that your email address be deleted from their mailing list?

There is no particular rule in the DPA that says marketing emails have to carry an unsubscribe link, although – assuming the mailing involves personal data processing – you could make the case that a failure to provide an easy opt-out method negates a previously-given consent.

If the Privacy and Electronic Commuincations Regs apply, then Reg 23(b) and possibly Reg 22(3)(c) would be engaged – the latter would certainly and the former would probably require something other than an 0800 number-based opt-out system.

Hello, What is the difference in laws or best practices between mailing to recipients in the US and mailing to the UK?

Whilst the laws are different, best practice will be very similar, demanding more than the law does in each jurisdiction: e.g. in relation to consent – specific, express, informed, verified (e.g. double opt-in) and current consent.

We mail a monthly trade magazine via the Royal Mail by request to our readers and have done so before email even existed; these same readers have given us their email details in order to send them quotes and other information that they have requested, so is it OK for us to e-market these readers?

… is not consent for another.

Email marketing in the situation you describe is unlikely to be lawful, although it does depend upon the specific circumstances – especially, the circumstances in which the email details were obtained.

Would you kindly confirm whether we as a company would be at risk of breaching the Data Protection Act if we use an email marketing company to send out marketing literature by email – or is it down to the email marketing company we use to ensure that the data is “clean”?

So far as the DPA in its current form is concerned, the principal obligations fall upon the “data controller” – that is, the person who (or company that) determines the purposes for which the relevant data are processed.

In the majority of cases, a client rather than an email marketing company will be the data controller. In some cases, however, both will be data controllers. And in some cases, I suppose, the marketing company will be the sole data controller. It all depends upon who ultimately determines the purposes of processing.

In non-technical terms, if it is “your data”, then you are probably the data controller.

We have collected some business cards from the exhibition we conducted. Are we allowed to contact those persons by phone/email/mail? Is there any restrictions while contacting the persons from US or China?


If you collected the business cards on the clear understanding that the contact details would be used for the purpose you propose, this should be OK. Consider what would happen in the event of a complaint, e.g. to the Information Commissioner. Could you prove that details were collected on the basis of such an understanding?

Without doing some checking, I’m not sure of the position under US law. Even with some checking, I doubt I’d be able to establish the position under Chinese law.


Very interesting article. I understand the legal protection against unsolicited emails, but from everything i read above, it almost sounds like it prevents small businesses to be contacted? Imagine there is a small business i want to contact because I want to ask them for a price. So if I send an email to name[at]smallbusiness.extension then that is not allowed? (Because its unsollicited, not a limited company and on top of that I am using a personal name in the email). Clearly, that sounds strange. So why would this be allowed (I would assume it should be allowed to ask questions in an unsolicited way?) and where is the border? Thanks

In the example you give, the first question is: where did you get the name? For instance, if the contact name was published on the business’s website, then you could imply consent to processing for the purpose of getting pricing information etc. Data protection law is relatively abstract and quite flexible, so when interpreting the law you need to take into account the policy objectives of the regulatory authorities: new business enquiries = good; spam = bad.

The charity I work for is bombarded with unsolicited emails from companies. I always ask where they obtained our information from, as we operate a zero-tolerance attitude to spam. The name of a particular operator often comes from the few who respond. One of their customers told me they had been assured that the operator uses only “double opted-in” data (whatever that means). We have never “opted in” to any such list and, as we never advertise ourselves, cannot understand why we should be on these lists without our permission – which would never be given. I have contacted the operator twice in recent weeks asking why we are on their lists and stating clearly that they are not sell or otherwise disseminate our details. They have ignored me.

I should be grateful if you would please explain the law in this situation.

If the charity is a corporate entity (e.g. a company limited by guarantee) and the sending of the emails does not involve any personal data processing, then there will likely be no legal remedy under the DPA or the PECRs as they currently stand.

Thanks for a really interesting article.

Can I check my understanding here as I am still a little confused – especially regarding how LTD companies and PLC’s are treated differently from sole traders etc?

I understand as a company we are permitted to send unsolicited emails to business email addresses on business matters only, and there is no requirement for the recipient to opt-in

For LTD companies and PLC’s it MUST be personal email addresses for people at their place of work (fred.bloggs[at]company.extension)  We  must not use sales@ or info@ or emails that are given out freely to consumers eg Hotmail, googlemail.

Whereas with sole traders or partnerships  we may only use generic emails i.e. info@, sales@. So even if we have the personal email (fred.bloggs[at]company.extension) at their place of work we must not use it.

Have I understood correctly?

Many thanks

Not quite.

There are no statutory prohibitions on sending unsolicited marketing emails to a person who isn’t an “individual subscriber”, providing that no personal data is processed as part of the sending process. If an email address includes a person’s name, that will (or may) constitite personal data, and the sending of an email to that address will (or may) amount to the processing of personal data.

So, sending unsolicited marketing emails to info[at]companyltd.extension is not prohibited by UK legislation. However, sending unsolicited marketing emails to fred.bloggs[a]companyltd.extension may be prohibited under the DPA, while sending unsolicited marketing emails to anything[at]partnership.extension or anything[at]freemailservice.extension will be prohibited under the PECRs, unless the soft opt-in applies.

Even though some unsolicited marketing emails are not prohibited under UK legislation, that doesn’t mean it is a good idea to send them.


Great article above.

I’m trying to find out about contacting an email address who hasn’t signed up to be contacted themselves.

My website runs a referral scheme that allows our members to refer a friend by email address, recommending they become a member themselves. We send them an immediate email to say “your friend has recommended you sign up”. How many times can we email this email address that hasn’t signed up? We’d like to send them a reminder but I can’t find any legal clarity on this.

Many thanks.

Hi there,

I’ve gladly just stumbled across your web page in perfect timing.

I am a qualified professional within the field of child protection.  I have extensive training in Internet safety and child exploitation.  There are major concerns within this area as heavily publicised within the news recently.  I have enquired with some schools of late about developing a news letter for them to forward on to parents, providing advice and latest trends etc.  The news letter however will be an unchanged live webpage rather than a news letter (as it appears to be easier to complete and I am able to do it for free as I will be completing this in my spare time).  So in short:

1) I want to complete a bi-monthly webpage with information

2) Forward it on to local schools

3) Give them the choice to send the link on to their parents

By doing this howver, the parents will not be able to opt out as it will be a mass e-mail sent by the school who already have their e-mail details for when the school want to send them information, so opting out will mean taking away the e-mail address from the school.

I am not an organisation or a business – in fact I work for a Local Authority with close relationship with the schools, hence having access to their details.  Sending this type of information however is not within my job role and am to busy to complete a task like this within my working hours.  It does sound like this maybe an issues, may I ask your advice please?

Kind regards, Jamie

I’d need to know much more (i.e. take you on as a client) to comment authoritatively on this situation. However, I can give you a few pointers:

– In relation to the parents and the DPA 1998 and the PECRs, the primary legal obligations in relation to the emails will fall upon the schools, not you.  They are the data controllers in respect of parents’ personal information; and they are responsible for the sending of the emails to the parents.

– In relation to your emails (or calls or other contacts) to schools, however, there are some obvious potential problems. If you are acting without the authority of the local authority, this could be in breach of your employment contract and perhaps obligations of confidentiality owed to the local authority. Again, it could be a breach of data protection legislation if personal data is being processed (as you imply). It could put the local authority in breach of its obligations too.

– If you are acting with the authority of the local authority, you should ask the local authority’s legal department to advise.

Hi. Thanks for the a prompt response. Still confused.

There is also a special form of consent under the Privacy Regulations called the soft opt-in. This applies where an email address was obtained in the course of the sale or negotiations for the sale of a product or service to that recipient.

Would the soft opt in apply, as the customers were aware that the sale contract was with us as a company? It was via an auction site but all sale related contractual responsibilities were between the customer and us.

Would really appreciate this clarification.

Hi. Also confused. We are a small ltd company and are about to start our marketing campaign.

1. Would we be allowed to send marketing emails with unsubscribe link to customers who purchased from our company online via a third party website and a third party payment gateway in the past?

2. Would it to sufficient to insert a link to a page on our website, which contains a form to enter their email address and select unsubscribe?

Hi Lola – thanks for your questions.

1. Such marketing is only permitted if you obtained an appropriate consent to email marketing from those customers when they made their purchase.

2. I think it is better to have a simple unsubscribe link. Users often have multiple email addresses linked by email redirects, and may not be sure which email address is being used to market to them.

I run a legal consulting business – a lot of the lawyers I target have their email address listed on the firms website. If I do my reserach and collate a list of contacts eg joesmith @ lawfirm.co.uk – and then I send out a group email (with the addresses hidden) am I right in thinking this is SPAM? 

By most definitions, this would be spam – no matter how carefully targeted the marketing activity is.

My leisure centre is demanding that I give them my email for ‘marketing’ purposes. Do they have that right?

Thank you

Is this a condition of joining the leisure centre? What sort of marketing do you think they will do? What about customers who don’t use email? What will they do if you refuse?

While “demanding” email addresses isn’t a specifically regulated activity, the collection of addresses that contain personal data will be subject to the DPA, and the use of the addresses for marketing will be regulated under the DPA and or PECRs.

Sorry this is all getting a little confusing, please can you confirm if this is legal or not?

I mainly cold call companies and introduce myself and ask if it is ok to send them an email with a link to the site,  if they give me their email address I then add them to my campaign list, is this ok?

Am I right that you are NOT allowed to add companies’ email addresses to your campaign list if you have never had contact with them before?

Many thanks

The law on this is a bit confusing, so no need to be sorry.

To answer (or not answer!) your first question: it depends. If your activities involve the processing personal data for marketing purposes (e.g. personal names) or if you are sending emails to “individual subscribers” (including sole traders and partnerships) then those activities are regulated under the legislation and you should have a proper consent.

On the other hand, you can under English law as it currently stands send unsolicited emails to companies (Ltd, PLC, etc) providing you are not processing personal data in doing so – although I wouldn’t recommend doing so for the reasons I give above.

Is it allowable for a firm that I am purchasing from online to give me the option to opt out of electronic marketing material; but insists that I have to write to them to do so?

Assuming the electronic marketing would be regulated by the DPA 1998 (i.e. it involves the processing of personal data) or the PECRs (i.e you constitute an “individual subscriber”) then this kind of opt-out is unlikely to satisfy the rules.

Where you say “Emails sent to corporate subscribers which do not contain any personal information (e.g. admin[@]company.ltd.uk) are not specifically regulated under English law – save that the emails must contain certain information (see below).” – presumably an email to an address such as info[@]cupcakeheaven would not be regulated even if the business was a sole trader business as no personal data is being identified in that email address? So you could in theory send unsolicited marketing emails to that sole trader?

The rules on email marketing in the Privacy and Electronic Communications Regs apply irrespective of whether personal data is being processed. Accordingly, you need consent in the case of emails to subscribers who are sole traders, even where there is no personal data involved.

So if I am reading this correctly I can send unsolicited emails, offering my services, to addresses such as sales @ mycompany.uk, as long as that company is not a sole trader; without getting the company’s consent first. I cannot send the same emails to addresses such as janet @ mycompany.uk as that constitutes an individual.

Basically I am starting my own business and want to advertise my services by email to SMEs in order to get clients but, as I am only just starting out, I do not have any solicited email addresses. There will be no third-party advertisement included.

Whilst the legal rules allow this kind of unsolicited emailing, you also need to take account of:

  • you ISP’s T&Cs;
  • the possibility of getting yourself blacklisted; and
  • the certainty of irritating potential customers.


We are a European-funded, University-run project in Wales offering free ‘consulting-type’ services.  I’m looking to send our first E-Newsletter, but have really limited data to send it to.  Can I legally send it to publicly available email addresses, such as MP’s, Council Chief Execs & Business Clubs, who would ‘probably’ be interested in our work, but from whom I have not received/collected ‘opt-in’ consent??  I would obviously give them an option to ‘unsubscribe’.  We are not ‘selling’ anything, as no money changes hands, so the informatoin would largely be generic news, updates, case studies etc. etc.  

Thanks very much.  I’m finding this all very confusing and really want to do the right thing!!


On the basis of the information you have provided, I would advise against sending unsolicited emails to publicly available email addresses. There are three main issues.

  • If an email address (or email content) includes personal data (e.g. joebloggsmp[at]parliament.gov.uk), then you need consent to use that personal data under the DPA.
  • Even if you are not processing personal data, there is a risk that your activities could constitute “marketing” for the purposes of the PECRs – which according to the ICO extends beyond the selling of goods to matters such as charity fundraising. This will create a liabiliy under the PECRs if you are “marketing” to “individual subscribers”.
  • Even if a given email is strictly lawful, you are liable to run into practical problems: reputable mass mailing service providers usually require opt-ins; recipients may well become annoyed; the practice could damage the reputation of your organisation; and the email servers you use could end up blacklisted.

If you would like detailed advice on this, please do get in touch. 

Is there a specified timeframe within which a site operator must action an unsubscribe request? I have submitted the same request several times over the last 3 weeks – received an initial acknowledgement which said to bear with them for a few days.  I keep getting the marketing messages though and it’s getting very irritating.  Surely a few days shouldn’t extend to weeks?!  Thanks

There are no specified time limits, either in the original Directive of the implementing Regulations. However, for the legislation – specifically Regs 22(3)(c) and 23(b) – to make sense you must imply a some kind of time limitation.

The ICO guidance (which of course is not itself legally enforceable) say that: “… you must comply with any opt-out requests promptly.


That seems sensible.

Give that we are talking about updating a database entry – not a major investment of effort – a few weeks is not, in my view, quick enough. 

So, just to clarify, if I have an email list from an unknown source which is not opt-in and I then email this list, is that still illiegal even if the email includes an unsubscribe option, a sender reply email and a physical address? Thanks.

In practical terms, this mailing would almost certainly be prohibited by the Data Protection Act and/or the Privacy and Electronic Communications Regs.

Can I ask why someone opted out from my email with standard questions such as:

– I am not the right contact, and

– I am not interested in the content?

You can ask these questions, but you shouldn’t make unsubscribes conditional upon the provision of an answer. If you did, the data would likely be devalued anyway.

First time buyers from the site can’t opt out of email marketing when their address is collected. After they have registered by supplying an email address and password they must to go to the My Account section and  select a checkbox to change from ” Send me notifications from the following categories” where all categories are already checked. I thought that under the soft opt-in rule a customer had to be given the ability to opt out of email marketing at the point at which the information was collected. The Amazon.co.uk system appears to be after collection. Thanks.

The UK Information Commissioner’s Office is responsible for enforcement of the relevant legislation.

Add a new comment

Your email address will not be published. Required fields are marked *

SEQ Legal
Copyright © 2023 Docular Limited | All rights reserved