10 things you should know about ... email marketing

This article highlights some of the key features of the law governing the use of email for marketing purposes.  It considers only the position under English law. Although much of the UK legislation relating to email marketing is EU-inspired, the laws across the EU are not properly harmonized. The position under US law is also quite different from the position under English law.

(1) What is a marketing email?

English law does not have a core conception of a marketing email. Different sets of rules regulate different kinds of email.

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (the "Privacy Regulations"), the most important piece of legislation in this field, regulate the transmission of "communications for the purposes of direct marketing by means of electronic mail". The courts can be expected to place a broad interpretation upon these words. However, the key provisions on email marketing apply only to "unsolicited" communications to "individual subscribers".

The Data Protection Act 1998 regulates emails which contain personal data (e.g. individuals' names - [email protected]).

Voluntary codes (such as the Direct Marketing Association's Code of Practice) and the contractual terms of hosting companies tend to cover a wide range of communications. Some hosting terms, for example, cover all unsolicited commercial emails.

(2) Aren't all unsolicited marketing emails illegal?


Emails sent to corporate subscribers which do not contain any personal information (e.g. [email protected]) are not specifically regulated under English law - save that the emails must contain certain information (see below).

"Corporate subscribers" in this context includes limited companies, PLCs and LLPs; it does not include sole traders or general partnerships.

In all other cases, unsolicited emails sent for direct marketing purposes will be unlawful unless the recipient has in some way consented to receive the email.

(3) Opt-outs, opt-ins and soft opt-ins

Opt-outs, opt-ins and soft opt-ins are three different ways of obtaining consent to send marketing emails.

  • An opt-out is where the email recipient has been given, at the point at which the contact information was submitted, the opportunity to opt-out from receiving the emails, and has not done so (e.g. by not ticking a box in an HTML form).
  • An opt-in is where the email recipient has specifically indicated a desire to receive the emails at the point at which the contact information was submitted (e.g. by ticking a box in an HTML form).
  • There is also a special form of consent under the Privacy Regulations called the "soft opt-in". This applies where (i) an email address was obtained in the course of the sale or negotiations for the sale of a product or service to that recipient, (ii) the direct marketing is in respect of similar products and services, and (iii) the recipient was given the opportunity to "opt out" when the details were collected and with subsequent communication.

(4) What sort of consent do I need?

There is a good deal of confusion about what kind of consent is required for sending marketing emails.

The position under the Data Protection Act 1998 is that opt-out (or similar) consent is generally thought to be sufficient in the case of marketing emails involving non-sensitive personal data. However, express or opt-in consent would be required for any direct marketing communications which involve the processing of sensitive personal data, such as data relating to ethnicity, politics or medical conditions.

Opt-in or equivalent consent is required under the Privacy Regulations for marketing emails sent to individual subscribers, unless the soft opt-in provisions apply (see above).  (NB the Privacy Regulations do not use the terms "opt-in" and "opt-out".)

You should also check the requirements of your email service provider's terms and conditions. These often required a more stringent standard of consent than the general law.

You must comply with each applicable rule set.

(5) Information to be provided before consent is given

If you are collecting contact information which includes or may include personal data, certain information must be notified to the data subject:

  • the identity of the data controller;
  • the purpose(s) for which the data are intended to be processed; and
  • any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.

The information should in general be given to data subjects or made readily available to them at the point of collection.

The most common way to meet these requirements in the website context is through the use of fair processing notices and privacy policies.

(6) Information to be provided in all marketing emails

Regulation 23 of the Privacy Regulations says:

"A person shall neither transmit, nor instigate the transmission of, a communication for the purposes of direct marketing by means of electronic mail - (a) where the identity of the person on whose behalf the communication has been sent has been disguised or concealed; (b) where a valid address to which the recipient of the communication may send a request that such communications cease has not been provided; (c) where that electronic mail would contravene regulation 7 of the Electronic Commerce (EC Directive) Regulations 2002(1); or (d) where that electronic mail encourages recipients to visit websites which contravene that regulation".

Regulation 7 of the Electronic Commerce Regulations says:

"A service provider shall ensure that any commercial communication provided by him and which constitutes or forms part of an information society service shall— (a) be clearly identifiable as a commercial communication; (b) clearly identify the person on whose behalf the commercial communication is made; (c) clearly identify as such any promotional offer (including any discount, premium or gift) and ensure that any conditions which must be met to qualify for it are easily accessible, and presented clearly and unambiguously; and (d) clearly identify as such any promotional competition or game and ensure that any conditions for participation are easily accessible and presented clearly and unambiguously."

In addition, the Companies Act requires all business emails sent by a corporation to include the following information:

  • company name;
  • company registration number;
  • place of registration; and
  • registered office address.

(7) Right to object

Under the Data Protection Act 1998, individuals may object at any time to the processing of their personal data for the purposes of direct marketing. Similarly, the Privacy Regulations have the effect of prohibiting the sending of marketing emails to individual subscribers who have notified the sender that they do not wish to receive such emails.

(8) What is good practice?

The Information Commissioner has stated that, notwithstanding the legal requirements, good practice requires that marketers follow the guidelines set out below.

  • Try to go for opt-in-based marketing as much as possible.
  • Provide a statement of use when you collect details.
  • Make sure you clearly explain what individuals' details will be used for.
  • Do not have consent boxes already ticked.
  • Provide a simple and quick method for customers to opt out of marketing messages at no cost other than that of sending the message.
  • Promptly comply with opt-out requests from everyone, not just those from individuals.
  • Have a system in place to deal with complaints about unwanted marketing.
  • When you receive an opt-out request, suppress the individual or company details rather than deleting them. (This way you will have a record of who not to contact.)

(9) Is buying lists allowed?

There is nothing in the legislation which expressly prohibits the purchasing of email lists. However, if you are thinking of using such a list, you should only purchase it from a reputable company and you should ask for a warranty that the list has been lawfully collected and may be used as intended.  Even then, you should think twice.

(10) Other risks

The terms of service of most ISPs and email marketing service providers prohibit spamming. However, different sets of terms will define spam in different ways. If you are considering sending unsolicited commercial emails, you should ensure that you do not breach the terms of your contract with your ISP or email marketing service provider.

This is an adapted version of an article originally published on www.website-law.co.uk in March 2007.


If data hasn't been obtained in accordance with the legislation, then the use of the data could in principle constitute a further breach of the legislation. Whether there is an actual breach here, and indeed whether there is any real risk, will depend upon all the circumstances.

We are a company which communicates at least 99% by email. We have a list of some 10,000 individual customers who have send us emails, almost all of them looking for individual jobs. In most cases we do not answer those emails. We now want to send emails to all those individuals, advertising our new monthly blog. This new blog is intended to have as many as possible of those customers sign up to pay us a monthly fee for receipt of the blog. This blog will contain information, some of which could be useful to the customers for finding a paid outlet for their expertise, and also other information which is only of general interest in the field concerned. Could we legally send out a specimen email (this is the blog mentioned above) giving information some of which is useful for these customers, but which also asks those customers to sign up for a fee for the monthly blog. The signing up would involve payment by credit card or PayPal and the customer can stop that payment whenever he or she so wishes. There would also be a perfectly visible "opt-out" tick-box for those customers who do not want anything to do with this blog, etc. Legal or not?

Not, in my view.

Sending your company an email does not amount to consent to marketing.

Hi, I justt wanted to know if schools are classed as corporate entities for email marketing purposes. We are a fencing contractor company and want to email schools to offer our services if required. Can I do this and it not be classed as spam?


Can I telephone my opt outs and ask them if I can send a highly relevant business e-mail to their address which is inviting them to a free event to do with something directly connected to their work?

The laws are very grey on adding marketing to your order confirmation emails. Some say as long as its less than 20% etc. Is there a UK law or guide on this?

Hi - I am a member of a golf club which has not actively promoted itself very well in the past. I am trying to assist the club by getting the secretary (manager) to promote offers to ex customers (these are typically organisers of Golf Societies who have emailed us in the past with their details; numbers of players, meal requrirements etc) and have on their booking form, included their personal email address, and have used email to contact us or have provided details of their email when making their booking for golf. 

I have noticed that the booking form issued by the club secretary does not have an 'opt-in' or 'opt-out' of using their details for marketing or sending newsletters to them. I hvae suggested that the booking form now be amended with an opt-in or opt-out for electronic marketing/newsletter purposes.

Question 1: can we use the emails the club has collected to date to send out offers to these Golf Society orgnisers, all of whom have previously contracted with the club, but have not given express consent for us to contact them electrnically for marketing purposes in the future? I suspect not ...

Question 2: If the answer to Q1 above in no, can we email them explaining what we're looking to do (send them a regular newsletter which will also contain offers e.g. reduced fee golf rounds for societies booking more than 20 members? If they reply saying yes, we then have express consent from these people we have previously contracted with, and can then send them the newsletter (with the ability to opt out) in future. Would we be able to telehone them aswell to seek approval, although this would I suspect need to be followed up by them confirming consent in writing (via email/hard copy)?

Kind regards



A group of professionals have got together to create a guild. The guild has a website that lists all the members, and information on how to find an available professional.

The members would now like to pool their collection of work contacts (people who have contacted them in the past as part of a commercial relationship) and send a group mail out to let everyone know about the members list on the website.

Is this legal? 

Many thanks!

It seems most unlikely that all (or any?) of the marketing consents gained when collecting the data would cover this use of the data.

There was no consent gathered, but I thought the following description would cover it as all concerned are active members of a freelance community and also past and current customers?

'You have implied permission to email somebody if you have an existing business relationship with them. This could mean they are a current customer, donate to your charity, or are an active member of your website, club or community.'


That is the website of an Australian company, and certainly does not state the position under English law.

Under the GDPR rulings how do the refer a friend links work now, if I the customer generate a link on an ecommerce site then take this link to facebook or twitter or any other social media who is responsible for sharing the data held within that link?


It's ok to send mass unsolicited e-mail and give them a newsletter if they want subscribe? (send only once). I am just wondering if this is legal or not. 


In general terms, this is not legal under English/EU law.  A communication asking users whether they want to subscribe will be treated as a direct marketing communication and therefore subject to the PECRs.  Also, you are very likely to be processing personal data when doing this and will need a legal basis for that processing. The ICO has fined companies in similar cases.

Hi Alasdair,

Our business sells wholesale laptops (business to business). We are actively seeking computer repair people and computer shops to sign up as trade buyers.

We would like to collect email addresses from websites we find via relevant Google searches, then email those addresses with a short and concise description of our business and a link to register for a trade account.

It is very likely that some of these addresses will be [non-limited] sole traders or partnerships, which I understand should be treated as individuals.

1.  As our Google search is targetted, the email address has been willingly placed in a public facing location by the computer repair person/shop, and we are emailing with industry specific products, would we legally be able to email these addresses without any prior contact or opt in?

2.  Could the fact that they have placed their email address in a public location for the purpose of promoting computer services be conceived as a soft opt in, i.e. they have shown an interest in our products, even without knowledge of us specifically?

3.  Do the PECR rules apply to generic email addresses - for example "[email protected]" or "[email protected]" - even if the person who owns that address is potentially a sole trader/partnership?


The answers to these questions under the current law are quite clear: no (because of the PECRs), no (the PECRs soft opt-in does not apply here) and yes (where the relevant person is an "individual subscriber").

NB the law on email marketing is changing, with the GDPR coming into force on 25 May 2018 and the anticipated introduction of the ePrivacy Regulation on (or more likely) at some point after that date.


I run a ltd company as a sole director. I have been receiving emails from a recruitment company now for around 2 years. Around 9 months ago I decided that I no longer wished to receive these emails and as per their instructions replied back with the message to Unsubscribe with my company details attached. However I am still receiving these emails now despite continued requests to unsubscribe. Yesterday I sent an email strongly voicing my opinion and got a reply saying you must be joking and they are continuing to send these emails. Whilst my PC can send these to junk my phone does not. It is highly annoying. I have tried to resolve this but am at a point where this is complete annoyance. Where do I stand? My email is a info @ company . co . uk which I know can be contacted but surely there must be something I can do after requesting to unsubscribed around 20 times in the last 9 months. 

Who has the contract with your email services provider? Is it you or your ltd co?

Our club wants to send emails with the events that are going on in the club and outside (with club attendance) These are often paying events. We also have links to our club shop and social media.

This would go to our membership who have all paid to become a member of this club. Do we need an unsubscribe button? (is it, essentially, a marketing email? or something that the club can consider reasonable to send out)

Yes, this would likely be considered to be marketing, so you do need an easy unsubscribe option. NB That is not all you will need, particularly with the GDPR imminent. Eg you should also have an established basis of processing and be providing appropriate information notices. If you decide to base the processing of personal data associated with the marketing on consent, you need a GDPR-grade consent from each recipient.

Add new comment