What else do we need to consider?
Latest updates
20 August 2025 - The Data Use and Access Act added the definition of direct marketing in the DPA into PECR
In detail
- What is the relationship between PECR and the data protection rules?
- How does ‘legitimate interests’ work for the soft opt-ins?
- Are tracking pixels covered by the electronic mail marketing rules?
What is the relationship between PECR and the data protection rules?
PECR sets the rules for sending electronic mail marketing. Where you use personal information to send your electronic mail marketing, you must also comply with the UK GDPR and the Data Protection Act 2018. For example, you must be fair, lawful and transparent.
Fairness means not doing anything with personal information that people would find unexpected, misleading or detrimental.
Transparency means being clear, open and honest. People have the right to be informed about what you plan to use their personal information for. For example, when you collect someone’s details, you must tell them that you intend to send electronic mail marketing.
Lawfulness includes having a valid lawful basis for using personal information to send electronic mail marketing. There are seven lawful bases in the UK GDPR. In this context, ‘consent’ and ‘legitimate interests’ are usually the most relevant.
If you rely on consent to send unsolicited electronic mail marketing, your lawful basis for processing personal information is likely to be consent. If you’re using a soft opt-in, your lawful basis is likely to be legitimate interests. See How does ‘legitimate interests’ work for the soft opt-ins? for more information.
You must respect people’s data protection rights, including their absolute right to object. If someone exercises this right, you must stop using their personal information for direct marketing purposes. There are no grounds to refuse. Failing to opt out of the soft opt-ins does not override this; you can only send electronic mail marketing if they later give their consent.
You should keep a ‘do not contact’ or suppression list to make sure you don’t send electronic mail marketing to someone who has exercised this right.
Further reading – ICO guidance
How does ‘legitimate interests’ work for the soft opt-ins?
If you’re using a soft opt-in to send unsolicited electronic mail marketing to individual subscribers, your UK GDPR lawful basis for processing personal information is likely to be legitimate interests.
When you rely on this basis, you must make sure your marketing does not unduly affect people. To help with this, you should carry out a legitimate interests assessment to show you have identified your purpose (legitimate interest), ensured that using the personal information is necessary and balanced your interest against the person’s interests, rights and freedoms.
Think carefully about people’s reasonable expectations and the potential impact of your electronic mail marketing, especially where people may be in vulnerable situations. If the risk of harm or intrusion is higher, you may be unable to demonstrate a legitimate interest.
For example, a person who has contacted a charity for help with domestic abuse could be at risk of harm if their partner saw emails from the charity. The charity is unlikely to have a legitimate interest in sending marketing emails, even if the person hasn’t opted out of marketing.
Where you cannot rely on legitimate interests, you could seek to rely on consent instead.
Example
A domestic abuse charity wants to use the charitable purposes soft opt-in to send their beneficiaries electronic mail marketing asking for donations and volunteers. The charity has collected contact details in line with the soft opt-in’s requirements. However, the charity also needs a lawful basis under data protection law because they are using personal information.
The charity plans to use the ‘legitimate interests’ lawful basis, so they conduct a legitimate interests assessment. They decide that they have a legitimate interest and that using personal information is necessary. However, the charity recognises that people who access their support may be in vulnerable situations. Emailing people could put them at risk of harm if an abusive partner saw the message.
The charity concludes that sending electronic mail marketing to these people could unduly affect their rights and freedoms. The charity decides not to rely on the soft opt-in.
Example
An online retailer wants to use the products and services soft opt-in to send marketing emails promoting similar items to customers who have previously bought from them. When making a purchase, customers gave their email address and were offered a clear opt-out from receiving marketing. Those who did not opt out fall within the scope of the products and services soft opt-in.
The retailer also needs a lawful basis to use personal information for this marketing. They plan to rely on the ‘legitimate interests’ lawful basis, so they carry out a legitimate interests assessment.
The retailer identifies a legitimate interest in promoting similar products to existing customers and decides that using personal information is necessary for that purpose. The retailer also believes the risk of harm is low and that sending these marketing emails does not unduly affect people’s interests, rights or freedoms. They decide they can rely on the products and services soft opt-in together with the legitimate interests lawful basis.
Are tracking pixels covered by the electronic mail marketing rules?
Many marketing emails include tracking pixels. For example, some record information such as the time a user opened an email, their location and their device’s operating system.
The electronic mail marketing rules in PECR apply to the email itself, not to the tracking pixels. Tracking pixels are covered by PECR’s separate rules on storage and access technologies. If the email includes tracking pixels, you must comply with the rules on storage and access technologies.