10 things you should know about ... email marketing

This article highlights some of the key features of the law governing the use of email for marketing purposes.  It considers only the position under English law. Although much of the UK legislation relating to email marketing is EU-inspired, the laws across the EU are not properly harmonized. The position under US law is also quite different from the position under English law.

(1) What is a marketing email?

English law does not have a core conception of a marketing email. Different sets of rules regulate different kinds of email.

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (the "Privacy Regulations"), the most important piece of legislation in this field, regulate the transmission of "communications for the purposes of direct marketing by means of electronic mail". The courts can be expected to place a broad interpretation upon these words. However, the key provisions on email marketing apply only to "unsolicited" communications to "individual subscribers".

The Data Protection Act 1998 regulates emails which contain personal data (e.g. individuals' names - [email protected]).

Voluntary codes (such as the Direct Marketing Association's Code of Practice) and the contractual terms of hosting companies tend to cover a wide range of communications. Some hosting terms, for example, cover all unsolicited commercial emails.

(2) Aren't all unsolicited marketing emails illegal?


Emails sent to corporate subscribers which do not contain any personal information (e.g. [email protected]) are not specifically regulated under English law - save that the emails must contain certain information (see below).

"Corporate subscribers" in this context includes limited companies, PLCs and LLPs; it does not include sole traders or general partnerships.

In all other cases, unsolicited emails sent for direct marketing purposes will be unlawful unless the recipient has in some way consented to receive the email.

(3) Opt-outs, opt-ins and soft opt-ins

Opt-outs, opt-ins and soft opt-ins are three different ways of obtaining consent to send marketing emails.

  • An opt-out is where the email recipient has been given, at the point at which the contact information was submitted, the opportunity to opt-out from receiving the emails, and has not done so (e.g. by not ticking a box in an HTML form).
  • An opt-in is where the email recipient has specifically indicated a desire to receive the emails at the point at which the contact information was submitted (e.g. by ticking a box in an HTML form).
  • There is also a special form of consent under the Privacy Regulations called the "soft opt-in". This applies where (i) an email address was obtained in the course of the sale or negotiations for the sale of a product or service to that recipient, (ii) the direct marketing is in respect of similar products and services, and (iii) the recipient was given the opportunity to "opt out" when the details were collected and with subsequent communication.

(4) What sort of consent do I need?

There is a good deal of confusion about what kind of consent is required for sending marketing emails.

The position under the Data Protection Act 1998 is that opt-out (or similar) consent is generally thought to be sufficient in the case of marketing emails involving non-sensitive personal data. However, express or opt-in consent would be required for any direct marketing communications which involve the processing of sensitive personal data, such as data relating to ethnicity, politics or medical conditions.

Opt-in or equivalent consent is required under the Privacy Regulations for marketing emails sent to individual subscribers, unless the soft opt-in provisions apply (see above).  (NB the Privacy Regulations do not use the terms "opt-in" and "opt-out".)

You should also check the requirements of your email service provider's terms and conditions. These often required a more stringent standard of consent than the general law.

You must comply with each applicable rule set.

(5) Information to be provided before consent is given

If you are collecting contact information which includes or may include personal data, certain information must be notified to the data subject:

  • the identity of the data controller;
  • the purpose(s) for which the data are intended to be processed; and
  • any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.

The information should in general be given to data subjects or made readily available to them at the point of collection.

The most common way to meet these requirements in the website context is through the use of fair processing notices and privacy policies.

(6) Information to be provided in all marketing emails

Regulation 23 of the Privacy Regulations says:

"A person shall neither transmit, nor instigate the transmission of, a communication for the purposes of direct marketing by means of electronic mail - (a) where the identity of the person on whose behalf the communication has been sent has been disguised or concealed; (b) where a valid address to which the recipient of the communication may send a request that such communications cease has not been provided; (c) where that electronic mail would contravene regulation 7 of the Electronic Commerce (EC Directive) Regulations 2002(1); or (d) where that electronic mail encourages recipients to visit websites which contravene that regulation".

Regulation 7 of the Electronic Commerce Regulations says:

"A service provider shall ensure that any commercial communication provided by him and which constitutes or forms part of an information society service shall— (a) be clearly identifiable as a commercial communication; (b) clearly identify the person on whose behalf the commercial communication is made; (c) clearly identify as such any promotional offer (including any discount, premium or gift) and ensure that any conditions which must be met to qualify for it are easily accessible, and presented clearly and unambiguously; and (d) clearly identify as such any promotional competition or game and ensure that any conditions for participation are easily accessible and presented clearly and unambiguously."

In addition, the Companies Act requires all business emails sent by a corporation to include the following information:

  • company name;
  • company registration number;
  • place of registration; and
  • registered office address.

(7) Right to object

Under the Data Protection Act 1998, individuals may object at any time to the processing of their personal data for the purposes of direct marketing. Similarly, the Privacy Regulations have the effect of prohibiting the sending of marketing emails to individual subscribers who have notified the sender that they do not wish to receive such emails.

(8) What is good practice?

The Information Commissioner has stated that, notwithstanding the legal requirements, good practice requires that marketers follow the guidelines set out below.

  • Try to go for opt-in-based marketing as much as possible.
  • Provide a statement of use when you collect details.
  • Make sure you clearly explain what individuals' details will be used for.
  • Do not have consent boxes already ticked.
  • Provide a simple and quick method for customers to opt out of marketing messages at no cost other than that of sending the message.
  • Promptly comply with opt-out requests from everyone, not just those from individuals.
  • Have a system in place to deal with complaints about unwanted marketing.
  • When you receive an opt-out request, suppress the individual or company details rather than deleting them. (This way you will have a record of who not to contact.)

(9) Is buying lists allowed?

There is nothing in the legislation which expressly prohibits the purchasing of email lists. However, if you are thinking of using such a list, you should only purchase it from a reputable company and you should ask for a warranty that the list has been lawfully collected and may be used as intended.  Even then, you should think twice.

(10) Other risks

The terms of service of most ISPs and email marketing service providers prohibit spamming. However, different sets of terms will define spam in different ways. If you are considering sending unsolicited commercial emails, you should ensure that you do not breach the terms of your contract with your ISP or email marketing service provider.

This is an adapted version of an article originally published on www.website-law.co.uk in March 2007.


I use to recieve mails from two countries in Africa and invariably those mails always end up on my SPAM box, even if senders had previously exchanged mails with me. It looks like that those countries that Branson Lee mentions by default are already blacklisted without matter which mail account is the sender.

So, to set up things in one of those countries, if it worked in the past now seems to not work anymore for the obvious reason that they became the spammers paradise. 

Unless you're a fairly respectable company willing to only target your market with relevant offers without hide your identity but on the contrary making sure everyone knows exactly who you are and how to find you; and one of those emails goes straight to your competition. They will put the rottweillers after you.

Hi I'm a local guitar teacher who currently works in one school and I'm approaching others to see if they could use my services. I've been using the [email protected] e-mail addresses used on the schools websites and making it clear in the subject line what the e-mail is about then putting

Dear [headteacher name]

So not using any information that isn't published on the school website. Is this allowed? 

I think that probably still constitutes processing personal data (the headteacher's name) without consent - unless the website where the name is published somehow invites commercial approaches to the head. However, regulatory or indeed private action against this type of email is most unlikely. The major risk may be spam reports.

Thanks I'll be more careful in future.


We operate an online business where customers may be refunded monies to an account if we were unable to fully deliver the product ordered.

We are looking to inform all customers that have a positive account what their balance is.  If a customer with a positive balance has unsubscribed from receiving emails can we still contact them via email with their account information?

Many thanks 

You should ensure that the unsubscribe function relates only to marketing emails, and ensure that account information emails do not contain any collateral marketing material.

If you do these things, account information emails will not be subject to Regulation 22 of the the Privacy and Electronic Communications Regulations or Section 11 of the Data Protection Act 1998 (because they are not sent for direct marketing purposes) and the processing of personal data in connection with the sending of those emails should be permitted by virtue of certain conditions in Schedule 2 to the DPA - most likely conditions 2(a), 4 and/or 6(1). See:


Is it illegal to go to company websites and get the email off the site to send a marketing email too? (Not with software, just a person doing it.)

Depending upon a number of factors (including the nature of the email addresses and potential the content of the website T&Cs) this can be unlawful, notwithstanding that no software is used to harvest the email addresses.

If a customer has requested a quotation from us and we wish to send it back to him by email, is this classed as marketing? We collect his email address but do not add it to a database, so will only contact him about the quotation he has requested.

"Direct marketing" is defined in the DPA as "the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals". The PECRs adopt this definition from the DPA: "Expressions used in these Regulations that are not defined in paragraph (1) and are defined in the Data Protection Act 1998 shall have the same meaning as in that Act."

I usually assume that "marketing material" would be interpreted widely by the ICO and the courts. I'd guess (although I am not sure) that in some circumstances a quotation might be considered to be direct marketing, while in most it would not.

In any case, if a customer has give you his or her email address for the purpose of receiving a quotation, that is surely an adequate consent for you to send the email, whether or not the quotation constitutes "marketing material", and irrespective of any box-ticking exercises.

Hi, I have been reading through this post looking for some advice on the legalities surrounding consent for email subscriptions. I am wondering if a person in a shop/gym/public setting simply asks for my name and email address without specifying that that email will be used for marketing and spam is this legal? Would the person be giving consent even though they have no idea what they are signing up to? 

Thank you.

I suppose the marketer here could argue that it is obvious that email addresses were being collected for marketing purposes, because: (i) it is common practice to do so; and (ii) they had no other reason to collect the addresses.

However, I doubt such arguments would impress a judge or the ICO.

So, to answer your question: no, unless there are some relevant factors you have not mentioned, I don't think there is an adequate consent here either under the DPA or the PECRs.

Thank you so much for your reply. So a shop should only be taking my email for marketing with my consent to sign up to the marketing? Thank you, your site is extremely helpful.

Unless your email address is outside the scope of the legislation (ie corporate subscriber + no personal information) then there should always be some form of consent, even if that consent is implied or (under the soft opt-in) takes the form of you being "given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of [your] contact details for the purposes of ... direct marketing".


Can I collect e-mail addreses on the internet and write them without any kind of marketing reference, but just the permission to contact them with that purpose? Thanks.

If I understand your question correctly, you are asking whether you can collect publicly-available emails and write to them, in each case asking whether they would give you permission for further (presumably marketing-related) contacts. If that is the question, the answer is probably: no.

In my view,  the category of emails "for the purposes of direct marketing" include emails sent for the purpose of getting permission to send further emails for marketing purposes. The alternative view would allow for an unlimited amount of "permission spam".

Yes, you have understood the question: I understand your point and I agree, it would be a never ending game. Thank you very much!!


Dear Sir

Thank you for the website but I fear I remain confused.

I look after the database for a local medical society which is recognised as a charity. We are registered with the ICO. We hold a number of lectures each year. We have asked our members to submit their email addresses "for Society use only" and have been using these to send out reminders about our meetings (lectures, annual dinner, and AGM) through a mass email company. I am not certain whether this counts as "marketing" and whether what we are doing is acceptable. Should we specify to our own members in more detail what we will use the emails for and ask them to opt-in? There is an unsubscribe link on the sent emails which has not been used so far.

We used to send out flyers for the lectures to local post-graduate centres and health centres but I suspect from what you have said that this is not acceptable.

Many thanks for your advice.

This doesn't sound like a very risky form of email marketing, but it is usually best to assume that these sorts of emails will constitute "marketing" for the purposes of the legislation.

Flyers are not subject to the Privacy and Electronic Communications Regs, although if you are using individual names for the flyers that will constitute personal data processing under the DPA.

I wish to email a press release about a software product to a number of small business magazines. My press release is a commercial document and my aim is to have the magazines review my product and perhaps write about it. Do I fall foul of email rules in terms of 'spam'/unsolicited emails? Some of the magazines use 'editor' in their email addresses, others name individuals.

Many thanks.

Hi David, thanks for your question.

Where do you get the email addresses from?  Are they from the magazines' websites? If so, are they made available, in part, for the purpose of attracting press releases?

Thanks Alasdair. I get the email addresses from the magazine websites. A very few do specify that they're happy to receive press releases, but most are interested in advertising or simply feedback on the magazine.

In that case, I think you may breach the rules where the magazine is not a legal entity (Ltd, PLC, LLP or similar) or where you use a personal name. If magazines are expecting this kind of unsolicited communication, however, the risk is probably low.

I'll check their legal status and use 'editor' as the contact, to be on the safe side. Thanks very much for your advice, Alasdair,

kind regards.


Thanks so much for all your help with this very broad subject. We have a question which relates to Irish law on sending licence details to our customers. Basically our customers buy our product from an online store or over the phone etc. and we then send them the licence details to activate our product. They need these details in order to activate the product but we currently have an unsubscribe option for them. However next year when they come back to renew their licence we won't be able to send them their licence details as they will have unsubscribed and so we want to know if in this instance is it okay to not have any option for them to unsubscribe (relating to the law in Ireland)?

I'm afraid I don't know what the position is under Irish law. Although the relevant law comes largely from EU law, there are different implementations in different member states.

I enter a lot of competitions and one company's entry forms has a pop up box that says your details will be passed on for marketing purposes.There is no opportunity to opt out. Can they do this?

If a company is hiring and they say IF you provide an email (so, voluntarily) in your application, then we will use it to contact you for all business purposes in the future.

Is is that legal?

I would have thought that a consent gained in this way is invalid, because it is not freely given and is excessively broad.

If I have obtained a cold list of email addresses, am I allowed to send a one off email to them offering my services and asking then to subscribe / opt-in otherwise they will receive no further communication's from me?

What do you mean by a "cold list"?

Is this a list you collected, but haven't used recently - or is it a list collected by someone else?

Hi, if I let people sign up for a newsletter on my website, do i have to register for data protection? The answer is probably yes to this but what if I use a third party tool who collect email address on behalf of my business and I just send out emails to anyone who joined?


Hi I'm still very confused. I have a small business and I'm trying to use social media etc to increase cusotmer base. I've spent weeks looking for email addresses of trades people who aren't current customers. All the email addresses I've collected have been somewhere on the web (eg checkatrade, yell.com, green directories, facebook pages etc) as well as from the websites of these possible customers. Some on my list are sole traders, some are ltd companies etc and there is a variety of business and personal email addresses eg info @ companyname .co.uk or eg joebloggs @ sky .com etc. Sole traders will often use the joebloggs @ sky .com format rather than integrating a trading name and many sole traders just trade under their name anyway. I'm using a 3rd party marketing company to run the campaign and I know there will be an unsubscribe button on the email. Eventually I plan to run monthly campaigns myself via mailchimp. So, my question.....am I legally allowed to run this campaign or am I heading for trouble?? Thank you.

I think your proposed course of action would be legally problematic, in respect of some of the email addresses at least, under the DPA and/or the PECRs.


Could you let me know if we are allowed to add a button to an online article that says "send to a friend" this would then email a link back to the article. The user initiating the action would also be required to input their email address as the originator. However, this email would be processed through our own mailserver and not the initiators email client.

It's something that can be seen all over the internet, but is this legal?

Thank you 

I appreciate that this technique is widely used on both UK and overseas websites, but see the ICO guidance on viral marketing, here:


If I run a club where people pay to be members for a year, can I put in my terms and conditions of membership that I will email members with details of club events or services and specify the maximum number of emails e.g 6 per annum (to coincide with the number of club events)?

As the club is voluntary run and not for profit having an opt out would be both time consuming and costly, especially as we are only emailing paid members.

Thanks in advance for your help.

Consent which is a condition of being a club member is arguably not a freely given consent.

There are no special exceptions to the rules for not-for-profits or small organisations.

NB some free services build-in consent mechanisms.  I suggest you try one of these - eg Mail Chimp.

I have a list of about 5000 email addresses of individual translators. I got their email addresses from emails they sent to me when they were looking for a translation job. I want to contact all those translators to ask for their opt-in so that I can send them a free of charge translation program (No. 1).  On receipt of emails from translators who want to receive this FOC program, after sending them the FOC program, I will then use their opt-in address in an attempt to sell them a paid translation program (No. 2). Is this legal? Otherwise, what would you suggest as a legal means of contacting all 5000 translation?

... then this is unlikely to be in accordance with the legislation. There's no obvious workaround, although it might be possible to do something based upon the purpose for which the email addresses were originally provided.


I manage a database for a company. We pay to license access to job websites to find CVs for people to come and work for us.

The individual has agreed to the job website's terms and conditions, of which access to their CV and contact details by employers is one.

As a company, firstly, can we then add the individual's CV and contact details to our database?

Secondly, can we then email them about future job opportunities?

Thanks in advance. Great article!


In each case, not without the consent of the individual to the particular action.

Thanks for teh quick reply Alasdair, it is appreciated.


We have telephoned a number of children's nurseries to ask if we can collect contact details so we may send them an email about our services. This was done over 12 months ago, we now have decided to act on the information that we obtained over the phone.

Are we still able to send an email to these email addresses? Also, how do we prove that we have telephoned them and requested these details?

Please help as we are very confused.

There is an argument here that the consents you obtained are stale; this is particularly relevant where you are processing personal data (eg personal names as part of email addresses).

In any case, if you haven't got any contemporaneous evidence that the data was properly collected (eg call recordings) then it will be difficult to defend an claim that the marketing is not lawful. There may also be a question mark over the legality of the initial telephone calls.

Hi, I'm a photographer based in the UK and I'm trying to understand the situation regards unsolicited emails. If I were to take a photograph of someones pet cat or dog (in a public place) would I be within the law to email a watermarked copy of the image to the owner's place of work and offer the image at a set price on the basis that if the image was not wanted both the email details and the image would be immediately deleted and they would receive no further emails?

How will you get hold of the work email address?

When we gather data from people, they complete an enquiry form, requesting information about the services that we offer.

We are in the process of adding the relevant tick boxes, but in terms of the data we already have, is it legal for us to email them, since the form they have completed is a request for information and they give their email address?

Add new comment