10 things you should know about ... email marketing

This article highlights some of the key features of the law governing the use of email for marketing purposes.  It considers only the position under English law. Although much of the UK legislation relating to email marketing is EU-inspired, the laws across the EU are not properly harmonized. The position under US law is also quite different from the position under English law.

(1) What is a marketing email?

English law does not have a core conception of a marketing email. Different sets of rules regulate different kinds of email.

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (the "Privacy Regulations"), the most important piece of legislation in this field, regulate the transmission of "communications for the purposes of direct marketing by means of electronic mail". The courts can be expected to place a broad interpretation upon these words. However, the key provisions on email marketing apply only to "unsolicited" communications to "individual subscribers".

The Data Protection Act 1998 regulates emails which contain personal data (e.g. individuals' names - [email protected]).

Voluntary codes (such as the Direct Marketing Association's Code of Practice) and the contractual terms of hosting companies tend to cover a wide range of communications. Some hosting terms, for example, cover all unsolicited commercial emails.

(2) Aren't all unsolicited marketing emails illegal?


Emails sent to corporate subscribers which do not contain any personal information (e.g. [email protected]) are not specifically regulated under English law - save that the emails must contain certain information (see below).

"Corporate subscribers" in this context includes limited companies, PLCs and LLPs; it does not include sole traders or general partnerships.

In all other cases, unsolicited emails sent for direct marketing purposes will be unlawful unless the recipient has in some way consented to receive the email.

(3) Opt-outs, opt-ins and soft opt-ins

Opt-outs, opt-ins and soft opt-ins are three different ways of obtaining consent to send marketing emails.

  • An opt-out is where the email recipient has been given, at the point at which the contact information was submitted, the opportunity to opt-out from receiving the emails, and has not done so (e.g. by not ticking a box in an HTML form).
  • An opt-in is where the email recipient has specifically indicated a desire to receive the emails at the point at which the contact information was submitted (e.g. by ticking a box in an HTML form).
  • There is also a special form of consent under the Privacy Regulations called the "soft opt-in". This applies where (i) an email address was obtained in the course of the sale or negotiations for the sale of a product or service to that recipient, (ii) the direct marketing is in respect of similar products and services, and (iii) the recipient was given the opportunity to "opt out" when the details were collected and with subsequent communication.

(4) What sort of consent do I need?

There is a good deal of confusion about what kind of consent is required for sending marketing emails.

The position under the Data Protection Act 1998 is that opt-out (or similar) consent is generally thought to be sufficient in the case of marketing emails involving non-sensitive personal data. However, express or opt-in consent would be required for any direct marketing communications which involve the processing of sensitive personal data, such as data relating to ethnicity, politics or medical conditions.

Opt-in or equivalent consent is required under the Privacy Regulations for marketing emails sent to individual subscribers, unless the soft opt-in provisions apply (see above).  (NB the Privacy Regulations do not use the terms "opt-in" and "opt-out".)

You should also check the requirements of your email service provider's terms and conditions. These often require a more stringent standard of consent than the general law.

You must comply with each applicable rule set.

(5) Information to be provided before consent is given

If you are collecting contact information which includes or may include personal data, certain information must be notified to the data subject:

  • the identity of the data controller;
  • the purpose(s) for which the data are intended to be processed; and
  • any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.

The information should in general be given to data subjects or made readily available to them at the point of collection.

The most common way to meet these requirements in the website context is through the use of fair processing notices and privacy policies.

(6) Information to be provided in all marketing emails

Regulation 23 of the Privacy Regulations says:

"A person shall neither transmit, nor instigate the transmission of, a communication for the purposes of direct marketing by means of electronic mail - (a) where the identity of the person on whose behalf the communication has been sent has been disguised or concealed; (b) where a valid address to which the recipient of the communication may send a request that such communications cease has not been provided; (c) where that electronic mail would contravene regulation 7 of the Electronic Commerce (EC Directive) Regulations 2002(1); or (d) where that electronic mail encourages recipients to visit websites which contravene that regulation".

Regulation 7 of the Electronic Commerce Regulations says:

"A service provider shall ensure that any commercial communication provided by him and which constitutes or forms part of an information society service shall— (a) be clearly identifiable as a commercial communication; (b) clearly identify the person on whose behalf the commercial communication is made; (c) clearly identify as such any promotional offer (including any discount, premium or gift) and ensure that any conditions which must be met to qualify for it are easily accessible, and presented clearly and unambiguously; and (d) clearly identify as such any promotional competition or game and ensure that any conditions for participation are easily accessible and presented clearly and unambiguously."

In addition, the Companies Act requires all business emails sent by a corporation to include the following information:

  • company name;
  • company registration number;
  • place of registration; and
  • registered office address.

(7) Right to object

Under the Data Protection Act 1998, individuals may object at any time to the processing of their personal data for the purposes of direct marketing. Similarly, the Privacy Regulations have the effect of prohibiting the sending of marketing emails to individual subscribers who have notified the sender that they do not wish to receive such emails.

(8) What is good practice?

The Information Commissioner has stated that, notwithstanding the legal requirements, good practice requires that marketers follow the guidelines set out below.

  • Try to go for opt-in-based marketing as much as possible.
  • Provide a statement of use when you collect details.
  • Make sure you clearly explain what individuals' details will be used for.
  • Do not have consent boxes already ticked.
  • Provide a simple and quick method for customers to opt out of marketing messages at no cost other than that of sending the message.
  • Promptly comply with opt-out requests from everyone, not just those from individuals.
  • Have a system in place to deal with complaints about unwanted marketing.
  • When you receive an opt-out request, suppress the individual or company details rather than deleting them. (This way you will have a record of who not to contact.)

(9) Is buying lists allowed?

There is nothing in the legislation which expressly prohibits the purchasing of email lists. However, if you are thinking of using such a list, you should only purchase it from a reputable company and you should ask for a warranty that the list has been lawfully collected and may be used as intended.  Even then, you should think twice.

(10) Other risks

The terms of service of most ISPs and email marketing service providers prohibit spamming. However, different sets of terms will define spam in different ways. If you are considering sending unsolicited commercial emails, you should ensure that you do not breach the terms of your contract with your ISP or email marketing service provider.

This is an adapted version of an article originally published on www.website-law.co.uk in March 2007.


If you opt out and they do not stop, who do you report them to?

The UK Information Commissioner's Office is responsible for enforcement of the relevant legislation.

First time buyers from the site can't opt out of email marketing when their address is collected. After they have registered by supplying an email address and password they must go to the My Account section and select a checkbox to change from "Send me notifications from the following categories" where all categories are already checked. I thought that under the soft opt-in rule a customer had to be given the ability to opt out of email marketing at the point at which the information was collected. The Amazon.co.uk system appears to be after collection. Thanks.

Regulation 22(3) of the Privacy and Electronic Communications (EC Directive) Regulations 2003, which sets out the UK implementation of the soft opt-in, says:

A person may send or instigate the sending of electronic mail for the purposes of direct marketing where — (a) that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient; (b) the direct marketing is in respect of that person’s similar products and services only; and (c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.

Assuming the Amazon.co.uk login process is as you describe, Amazon may argue that going to the "My Account" section to manage email marketing options isn't especially onerous, and constitutes a "simple means of refusing" that is given "at the time that the details were initially collected". However, I think that would be stretching the meaning of the words "at the time" - and I would be surprised if a court agreed with that sort of argument. TBH, it's not that obvious where to find the relevant page either.

Also, if all the categories are pre-checked, it's hard to see how the requirements of 22(3)(b) would be met: looking at my Amazon account, the categories listed cover a very wide range of different goods and services, everything from "baby" to "Kindle books" to "groceries".

The Amazon privacy policy doesn't help much here either. It simply says:

"If you do not want to receive e-mail or other mail from us, please adjust your Customer Communication Preferences."

A question to raise with Amazon, perhaps?

Can I ask why someone opted out from my email with standard questions such as:

- I am not the right contact, and

- I am not interested in the content?

You can ask these questions, but you shouldn't make unsubscribes conditional upon the provision of an answer. If you did, the data would likely be devalued anyway.

So, just to clarify, if I have an email list from an unknown source which is not opt-in and I then email this list, is that still illegal even if the email includes an unsubscribe option, a sender reply email and a physical address? Thanks.

In practical terms, this mailing would almost certainly be prohibited by the Data Protection Act and/or the Privacy and Electronic Communications Regs.

Is there a specified timeframe within which a site operator must action an unsubscribe request? I have submitted the same request several times over the last 3 weeks - received an initial acknowledgement which said to bear with them for a few days.  I keep getting the marketing messages though and it's getting very irritating.  Surely a few days shouldn't extend to weeks?!  Thanks

There are no specified time limits, either in the original Directive or the implementing Regulations. However, for the legislation - specifically Regs 22(3)(c) and 23(b) - to make sense you must imply some kind of time limitation.

The ICO guidance (which of course is not itself legally enforceable) says that: "... you must comply with any opt-out requests promptly."


That seems sensible.

Given that we are talking about updating a database entry - not a major investment of effort - a few weeks is not, in my view, quick enough.


We are a European-funded, University-run project in Wales offering free 'consulting-type' services. I'm looking to send our first E-Newsletter, but have really limited data to send it to. Can I legally send it to publicly available email addresses, such as MP's, Council Chief Execs & Business Clubs, who would 'probably' be interested in our work, but from whom I have not received/collected 'opt-in' consent?? I would obviously give them an option to 'unsubscribe'. We are not 'selling' anything, as no money changes hands, so the information would largely be generic news, updates, case studies etc. etc.

Thanks very much.  I'm finding this all very confusing and really want to do the right thing!!


On the basis of the information you have provided, I would advise against sending unsolicited emails to publicly available email addresses. There are three main issues.

  • If an email address (or email content) includes personal data (e.g. joebloggsmp[at]parliament.gov.uk), then you need consent to use that personal data under the DPA.
  • Even if you are not processing personal data, there is a risk that your activities could constitute "marketing" for the purposes of the PECRs - which according to the ICO extends beyond the selling of goods to matters such as charity fundraising. This will create a liability under the PECRs if you are "marketing" to "individual subscribers".
  • Even if a given email is strictly lawful, you are liable to run into practical problems: reputable mass mailing service providers usually require opt-ins; recipients may well become annoyed; the practice could damage the reputation of your organisation; and the email servers you use could end up blacklisted.

If you would like detailed advice on this, please do get in touch. 

So if I am reading this correctly I can send unsolicited emails, offering my services, to addresses such as sales @ mycompany.uk, as long as that company is not a sole trader; without getting the company's consent first. I cannot send the same emails to addresses such as janet @ mycompany.uk as that constitutes an individual.

Basically I am starting my own business and want to advertise my services by email to SMEs in order to get clients but, as I am only just starting out, I do not have any solicited email addresses. There will be no third-party advertisement included.

Whilst the legal rules allow this kind of unsolicited emailing, you also need to take account of:

  • your ISP's T&Cs;
  • the possibility of getting yourself blacklisted; and
  • the certainty of irritating potential customers.

Where you say "Emails sent to corporate subscribers which do not contain any personal information (e.g. admin[@]company.ltd.uk) are not specifically regulated under English law - save that the emails must contain certain information (see below)." - presumably an email to an address such as info[@]cupcakeheaven would not be regulated even if the business was a sole trader business as no personal data is being identified in that email address? So you could in theory send unsolicited marketing emails to that sole trader?

The rules on email marketing in the Privacy and Electronic Communications Regs apply irrespective of whether personal data is being processed. Accordingly, you need consent in the case of emails to subscribers who are sole traders, even where there is no personal data involved.

Is it allowable for a firm that I am purchasing from online to give me the option to opt out of electronic marketing material; but insists that I have to write to them to do so?

Assuming the electronic marketing would be regulated by the DPA 1998 (i.e. it involves the processing of personal data) or the PECRs (i.e. you constitute an "individual subscriber") then this kind of opt-out is unlikely to satisfy the rules.

Sorry this is all getting a little confusing, please can you confirm if this is legal or not?

I mainly cold call companies and introduce myself and ask if it is ok to send them an email with a link to the site,  if they give me their email address I then add them to my campaign list, is this ok?

Am I right that you are NOT allowed to add companies' email addresses to your campaign list if you have never had contact with them before?

Many thanks

The law on this is a bit confusing, so no need to be sorry.

To answer (or not answer!) your first question: it depends. If your activities involve the processing of personal data for marketing purposes (e.g. personal names) or if you are sending emails to "individual subscribers" (including sole traders and partnerships) then those activities are regulated under the legislation and you should have a proper consent.

On the other hand, you can under English law as it currently stands send unsolicited emails to companies (Ltd, PLC, etc) providing you are not processing personal data in doing so - although I wouldn't recommend doing so for the reasons I give above.

My leisure centre is demanding that I give them my email for 'marketing' purposes. Do they have that right?

Thank you

Is this a condition of joining the leisure centre? What sort of marketing do you think they will do? What about customers who don't use email? What will they do if you refuse?

While "demanding" email addresses isn't a specifically regulated activity, the collection of addresses that contain personal data will be subject to the DPA, and the use of the addresses for marketing will be regulated under the DPA and/or PECRs.

I run a legal consulting business - a lot of the lawyers I target have their email address listed on the firm's website. If I do my research and collate a list of contacts eg joesmith @ lawfirm.co.uk - and then I send out a group email (with the addresses hidden) am I right in thinking this is SPAM?

By most definitions, this would be spam - no matter how carefully targeted the marketing activity is.

Hi. Also confused. We are a small ltd company and are about to start our marketing campaign.

1. Would we be allowed to send marketing emails with unsubscribe link to customers who purchased from our company online via a third party website and a third party payment gateway in the past?

2. Would it be sufficient to insert a link to a page on our website, which contains a form to enter their email address and select unsubscribe?

Hi Lola - thanks for your questions.

1. Such marketing is only permitted if you obtained an appropriate consent to email marketing from those customers when they made their purchase.

2. I think it is better to have a simple unsubscribe link. Users often have multiple email addresses linked by email redirects, and may not be sure which email address is being used to market to them.

Hi. Thanks for the prompt response. Still confused.

There is also a special form of consent under the Privacy Regulations called the soft opt-in. This applies where an email address was obtained in the course of the sale or negotiations for the sale of a product or service to that recipient.

Would the soft opt in apply, as the customers were aware that the sale contract was with us as a company? It was via an auction site but all sale related contractual responsibilities were between the customer and us.

Would really appreciate this clarification.

Hence my reference to "appropriate consent". To rely upon the soft opt-in, you still need consent of sorts.  The conditions are set out in Reg 22(3):

(3) A person may send or instigate the sending of electronic mail for the purposes of direct marketing where—

(a) that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient;

(b) the direct marketing is in respect of that person’s similar products and services only; and

(c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.

3(c) requires that there was a means of refusing (opting out) of marketing at the time the details were collected.

If you didn't give customers that opportunity, you cannot rely upon the soft opt-in.

Hi there,

I've gladly just stumbled across your web page in perfect timing.

I am a qualified professional within the field of child protection.  I have extensive training in Internet safety and child exploitation.  There are major concerns within this area as heavily publicised within the news recently.  I have enquired with some schools of late about developing a news letter for them to forward on to parents, providing advice and latest trends etc.  The news letter however will be an unchanged live webpage rather than a news letter (as it appears to be easier to complete and I am able to do it for free as I will be completing this in my spare time).  So in short:

1) I want to complete a bi-monthly webpage with information

2) Forward it on to local schools

3) Give them the choice to send the link on to their parents

By doing this however, the parents will not be able to opt out as it will be a mass e-mail sent by the school who already have their e-mail details for when the school want to send them information, so opting out will mean taking away the e-mail address from the school.

I am not an organisation or a business - in fact I work for a Local Authority with close relationship with the schools, hence having access to their details. Sending this type of information however is not within my job role and I am too busy to complete a task like this within my working hours. It does sound like this may be an issue, may I ask your advice please?

Kind regards, Jamie

I'd need to know much more (i.e. take you on as a client) to comment authoritatively on this situation. However, I can give you a few pointers:

- In relation to the parents and the DPA 1998 and the PECRs, the primary legal obligations in relation to the emails will fall upon the schools, not you.  They are the data controllers in respect of parents' personal information; and they are responsible for the sending of the emails to the parents.

- In relation to your emails (or calls or other contacts) to schools, however, there are some obvious potential problems. If you are acting without the authority of the local authority, this could be in breach of your employment contract and perhaps obligations of confidentiality owed to the local authority. Again, it could be a breach of data protection legislation if personal data is being processed (as you imply). It could put the local authority in breach of its obligations too.

- If you are acting with the authority of the local authority, you should ask the local authority's legal department to advise.


Great article above.

I'm trying to find out about contacting an email address who hasn't signed up to be contacted themselves.

My website runs a referral scheme that allows our members to refer a friend by email address, recommending they become a member themselves. We send them an immediate email to say "your friend has recommended you sign up". How many times can we email this email address that hasn't signed up? We'd like to send them a reminder but I can't find any legal clarity on this.

Many thanks.

... none, I'm afraid.

Regarding the operation of 'refer a friend' schemes, see the ICO's guidance on viral marketing here:


Thanks for a really interesting article.

Can I check my understanding here as I am still a little confused - especially regarding how LTD companies and PLC's are treated differently from sole traders etc?

I understand as a company we are permitted to send unsolicited emails to business email addresses on business matters only, and there is no requirement for the recipient to opt-in

For LTD companies and PLC's it MUST be personal email addresses for people at their place of work (fred.bloggs[at]company.extension)  We  must not use [email protected] or [email protected] or emails that are given out freely to consumers eg Hotmail, googlemail.

Whereas with sole traders or partnerships  we may only use generic emails i.e. [email protected], [email protected] So even if we have the personal email (fred.bloggs[at]company.extension) at their place of work we must not use it.

Have I understood correctly?

Many thanks

Not quite.

There are no statutory prohibitions on sending unsolicited marketing emails to a person who isn't an "individual subscriber", providing that no personal data is processed as part of the sending process. If an email address includes a person's name, that will (or may) constitute personal data, and the sending of an email to that address will (or may) amount to the processing of personal data.

So, sending unsolicited marketing emails to info[at]companyltd.extension is not prohibited by UK legislation. However, sending unsolicited marketing emails to fred.bloggs[at]companyltd.extension may be prohibited under the DPA, while sending unsolicited marketing emails to anything[at]partnership.extension or anything[at]freemailservice.extension will be prohibited under the PECRs, unless the soft opt-in applies.

Even though some unsolicited marketing emails are not prohibited under UK legislation, that doesn't mean it is a good idea to send them.

The charity I work for is bombarded with unsolicited emails from companies. I always ask where they obtained our information from, as we operate a zero-tolerance attitude to spam. The name of a particular operator often comes from the few who respond. One of their customers told me they had been assured that the operator uses only "double opted-in" data (whatever that means). We have never "opted in" to any such list and, as we never advertise ourselves, cannot understand why we should be on these lists without our permission - which would never be given. I have contacted the operator twice in recent weeks asking why we are on their lists and stating clearly that they are not to sell or otherwise disseminate our details. They have ignored me.

I should be grateful if you would please explain the law in this situation.

If the charity is a corporate entity (e.g. a company limited by guarantee) and the sending of the emails does not involve any personal data processing, then there will likely be no legal remedy under the DPA or the PECRs as they currently stand.


Very interesting article. I understand the legal protection against unsolicited emails, but from everything I read above, it almost sounds like it prevents small businesses from being contacted? Imagine there is a small business I want to contact because I want to ask them for a price. So if I send an email to name[at]smallbusiness.extension then that is not allowed? (Because it's unsolicited, not a limited company and on top of that I am using a personal name in the email). Clearly, that sounds strange. So why would this be allowed (I would assume it should be allowed to ask questions in an unsolicited way?) and where is the border? Thanks

In the example you give, the first question is: where did you get the name? For instance, if the contact name was published on the business's website, then you could imply consent to processing for the purpose of getting pricing information etc. Data protection law is relatively abstract and quite flexible, so when interpreting the law you need to take into account the policy objectives of the regulatory authorities: new business enquiries = good; spam = bad.

We have collected some business cards from the exhibition we conducted. Are we allowed to contact those persons by phone/email/mail? Are there any restrictions while contacting the persons from US or China?


If you collected the business cards on the clear understanding that the contact details would be used for the purpose you propose, this should be OK. Consider what would happen in the event of a complaint, e.g. to the Information Commissioner. Could you prove that details were collected on the basis of such an understanding?

Without doing some checking, I'm not sure of the position under US law. Even with some checking, I doubt I'd be able to establish the position under Chinese law.

Would you kindly confirm whether we as a company would be at risk of breaching the Data Protection Act if we use an email marketing company to send out marketing literature by email - or is it down to the email marketing company we use to ensure that the data is "clean"?

So far as the DPA in its current form is concerned, the principal obligations fall upon the "data controller" - that is, the person who (or company that) determines the purposes for which the relevant data are processed.

In the majority of cases, a client rather than an email marketing company will be the data controller. In some cases, however, both will be data controllers. And in some cases, I suppose, the marketing company will be the sole data controller. It all depends upon who ultimately determines the purposes of processing.

In non-technical terms, if it is "your data", then you are probably the data controller.

We mail a monthly trade magazine via the Royal Mail by request to our readers and have done so before email even existed; these same readers have given us their email details in order to send them quotes and other information that they have requested, so is it OK for us to e-market these readers?

... is not consent for another.

Email marketing in the situation you describe is unlikely to be lawful, although it does depend upon the specific circumstances - especially, the circumstances in which the email details were obtained.

Hello, What is the difference in laws or best practices between mailing to recipients in the US and mailing to the UK?

Whilst the laws are different, best practice will be very similar, demanding more than the law does in each jurisdiction: e.g. in relation to consent - specific, express, informed, verified (e.g. double opt-in) and current consent.

Is it a violation of the DPA for a publisher to have an "unsubscribe" link at the bottom of every email they send out but then to respond to the request to unsubscribe by saying that they can no longer use that method to unsubscribe but that instead one must call their 800 number and request that your email address be deleted from their mailing list?

There is no particular rule in the DPA that says marketing emails have to carry an unsubscribe link, although - assuming the mailing involves personal data processing - you could make the case that a failure to provide an easy opt-out method negates a previously-given consent.

If the Privacy and Electronic Communications Regs apply, then Reg 23(b) and possibly Reg 22(3)(c) would be engaged - the latter would certainly and the former would probably require something other than an 0800 number-based opt-out system.

In the course of my business I exchange many emails with customers, customers' customers, suppliers, etc. These are all people therefore with whom I have established some sort of business relationship, even if it is just my sending them an email on a particular subject, and their sending a reply.

Is it still against the rules if, for example, I want to send all these people an electronic Christmas card? Or maybe even want to send them a business proposal? In other words, does the law differentiate between sending emails to people that know who I am, and those whose names I have just found on a company website, but who are not known to me personally?

Very much appreciate your professional opinion. Thanks.

The law - by which I mean the DPA and the PECRs - doesn't specifically differentiate between email recipients who are known to the sender and those who are not.

The soft opt-in under the PECRs might sometimes apply in these circumstances, but it's not really directed at this sort of relationship.

Under the DPA at least, you could argue that there is some form of implied consent.

I imagine that a judge asked to rule whether an electronic Christmas card to a business contact breached these laws would try quite hard to find that it did not, but the text of the PECRs in particular ("... the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent ...") would not much help the judge. Another approach would be to exclude Christmas cards etc from the scope of "... purposes of direct marketing ...".

The risk of a complaint would of course usually be low, because most people don't consider these sorts of emails to be "spam".

Apologies for the lack of a straight answer.
