Skip to main content

How do we comply with the rules on sending marketing by electronic mail?

Contents

In detail

How do we use consent to send marketing by electronic mail?

If you want to rely on consent, your consent request must be prominent, concise, easy to understand and separate from things like general terms and conditions.

You must ensure that the consent specifically covers receiving that particular type of electronic mail from you. For example, you must have specific consent for emails or specific consent for text messages. Simply asking for consent for ‘direct marketing’ would not make it specific or informed enough.

Example

□ Tick here if you would like to receive marketing from us about our services by text message.
□ Tick here if you would like to receive marketing from us about our services.

Remember, some people may want to consent to some forms of electronic mail but not to others. For example, some people may want your marketing emails but not your marketing text messages. Therefore you should ask for consent separately for each one.

If you are considering sending direct marketing by text message, remember that consent to use someone’s phone number for live or automated calls doesn’t automatically cover direct marketing by text message.

Consent for electronic mail marketing must be freely given. For example, it’s unlikely that you can make consent to such marketing either a condition of buying your product or service or donating to your cause.

Example

If you would like to receive our marketing emails
please tick here □.

Click here to submit your order.

By submitting your order you agree to receive our marketing emails.

Click here to submit your order.

There are many different ways that you may decide to seek consent for your electronic mail marketing. For example, you could use opt-in tick boxes, use equally prominent yes or no options, or even by verbal consent. But the key point is that you must get valid consent and you should keep clear records of it. See the section What is consent? for more information about the standard of consent you need.

Example

A customer uses their mobile phone to call a restaurant to book a table. The restaurant asks for their number in case it need to contact the customer about the booking and so that it can send a confirmation message.

The customer tells the restaurant their mobile number. The restaurant then asks them if they would like to receive its marketing text messages about discounts and events.

The customer verbally agrees, so the restaurant adds their number to its marketing database which shows the time and date that they consented.

The restaurant subsequently sends a booking confirmation text to the customer. A few days later it also sends the customer a text advertising its special food event.

The restaurant complies with PECR by obtaining the customer’s consent to receive its direct marketing text messages.

A customer uses their mobile phone to call a restaurant to book a table. The restaurant asks for their number in case it needs to contact the customer about the booking and so that it can send a confirmation message.

The customer tells the restaurant their mobile number.

The restaurant subsequently sends a booking confirmation text to the customer. A few days later it also sends the customer a text advertising its special food event.

The customer didn’t consent to the restaurant using their phone number to send direct marketing text messages. The restaurant didn’t give any information to the customer during the phone call about using their number for this purpose.

The customer giving the restaurant their phone number to administer their booking is not consent to receive direct marketing text messages.

Consent isn’t transferrable. It’s specific to receiving electronic mail marketing to a particular number or address that the person gives you. For example, the consent someone gives you to receive direct marketing to their particular email address won’t cover any other email addresses that they might also use.

Remember that, under PECR, someone gives consent “for the time being” and can withdraw it. See the section on Can people object to our electronic mail marketing? for further information.

Further reading

  • For more detail on obtaining, recording and managing consent, see our UK GDPR consent guidance.

How do we use the soft opt-in to send marketing by electronic mail?

Many organisations find that using the soft opt-in is a good way to send electronic mail marketing to their existing customers. However, if you want to use the soft opt-in instead of consent, you must meet all of its requirements.

It breaks down into five requirements:

  1. You obtained the contact details;
  2. In the course of a sale or negotiation of a sale of a product or service;
  3. You are marketing your similar products and services;
  4. You provided an opportunity to refuse or opt-out when you collected the details; and
  5. You give an opportunity to refuse or opt-out in every subsequent communication.

We describe these requirements in detail below.

1. You obtained the contact details

You must obtain the contact details directly from the person you want to send the marketing to. If someone else obtains the contact details then the soft opt-in doesn’t apply. For example, there is no such thing as a third party marketing list that is ‘soft opt-in compliant’.

Example

A restaurant collects mobile phone numbers from customers when they book a table on its website.

By collecting the contact details themselves, the restaurant satisfies this first part of the soft opt-in.

A restaurant buys a list of people’s mobile phone numbers which the third party claims are ‘soft opt-in compliant’.

The soft opt-in doesn’t apply because the restaurant did not obtain the contact details directly from these people. The restaurant didn’t satisfy the first part of the soft opt-in.

The soft opt-in is only available to the same entity or single organisation that originally collected the contact details. For example, this means that it won’t apply to other companies within the same group as the collecting organisation.

2. In the course of a sale or negotiation of a sale of a product or service

A person doesn’t actually need to buy anything from you to trigger the soft opt-in. It’s enough if “negotiations for a sale” took place. This means that they must actively express an interest in buying your products or services. For example, by requesting a quote or asking for more details of what you offer. You must have some form of express communication.

Example

A customer completes an online enquiry form asking for more details about a product or range of products. This may be enough to meet this part of the soft opt-in.
A customer logs into a company’s website to browse its range of products. This is not enough to constitute negotiations and this part of the soft opt-in.

Another example of “negotiations for a sale” might include them signing up to a free trial of your service or product. But remember you must still meet the other parts of the soft opt-in. This includes giving people a chance to opt-out at the time you collect their details.

The communication from the person must involve buying products or services. It’s not enough for someone to send any type of query.

Example

A customer sends an online enquiry to ask if the company can order a particular product. This could constitute negotiations for a sale and satisfy this part of the soft opt-in.
A customer sends an online enquiry asking if the company is going to open more branches in a particular location. This does not satisfy this part of the soft opt-in as the enquiry is not about buying products or services.

Currently, the PECR soft opt-in specifically uses the word “sale” and refers to “products and services”. This means it doesn’t apply to details collected where there is no sale (or such a negotiation), or where there is no product or service involved, eg fundraising and campaigning.

3. You are marketing your similar products and services

You can only send electronic mail about your similar products or services. The key question is whether people reasonably expect direct marketing about your particular product or service. This is likely to depend on the context, including the type of business you are and the category of product.

Example

A customer buys bread and bananas online from a large supermarket chain. Afterwards they might reasonably expect emails about groceries, as well as emails about a wide range of other products commonly sold in supermarkets.
A customer buys bread and bananas online from a large supermarket chain. Afterwards, however, they are unlikely to expect emails about banking or insurance products sold under the supermarket brand. These products are not bought and sold in a similar context. Also, the supermarket is usually not the same organisation as the one that provides banking or insurance products under its branding.

Because it must involve your similar products and services, the soft opt-in doesn’t apply to sending the marketing messages of other organisations.

As in the previous requirement, because the soft opt-in currently applies to “products and services”, it can only apply to commercial marketing. This means that charities, political parties or other not-for-profit bodies cannot rely on the soft opt-in for their campaigning or fundraising, even with existing supporters. In other words, you must have consent to send electronic mail promoting your aims or ideals. See the section Can we use the soft opt-in for fundraising or campaigning? for further information.

4. You provided an opportunity to refuse or opt-out when you collected the details

You must give people a clear opportunity to opt-out of your direct marketing when you first collect their details. Just because people engage with you doesn’t mean they are happy to receive direct marketing from you in the future.

You must make it simple to opt out. When first collecting a customer’s details, you must include this as part of the same process. For example, your online forms should include a prominent opt-out box, and staff taking down details verbally should specifically offer an opt-out.

Example

A customer buys some trainers from an online retailer and, as part of the buying process, provides their email address. The retailer provides a clear, easy to understand opt-out box when it asks the customer to provide their email address. The customer decides they want the retailer’s marketing so they don’t tick the box to opt out. The retailer adds their email address to its marketing database. The customer subsequently receives an email with a 10% discount code for their next purchase.

It’s likely that these emails are compliant with this part of the soft opt-in.

A customer buys some trainers from an online retailer and, as part of the buying process, provides their email address. The retailer automatically adds their email address to its marketing database. The customer subsequently receives an email with a 10% discount code for their next purchase.

These emails are not compliant with this part of the soft opt-in. The retailer did not give the customer an opportunity to opt-out of receiving direct marketing emails when it collected their details. This means the retailer cannot rely on the soft opt-in, even though it collected the customer’s email address during the course of a sale and the marketing is for the retailer’s similar products.

You must offer an opt-out at the time you collect someone’s details. Placing an opt-out within your privacy policy is not sufficient, as this doesn’t make it easy or simple for people to opt-out. Likewise, providing an opt-out after collecting their details is also not sufficient. For example, giving an opt-out in an order completion email doesn’t constitute “at the time” you collected the details and is not a simple means of opting out.

Example

A customer orders a takeaway pizza online. As part of the process, the company asks them to provide either an email address or mobile phone number. The customer provides their mobile phone number and a box appears underneath which says:

We will send you marketing text messages about our special offers. If you don’t want to receive these please tick here .

The customer decides to tick the box as they don’t want marketing text messages from the takeaway.

The takeaway subsequently sends an order confirmation text to the customer. The takeaway doesn’t send them any direct marketing text messages.

The takeaway complies with PECR and this part of the soft opt-in. This is because they gave the customer an opportunity to opt-out of marketing texts when collecting their details.

A customer orders a takeaway pizza online. As part of the process, the company asks them to provide either an email address or mobile phone number. The customer provides their mobile phone number.

The takeaway subsequently sends an order confirmation text to the customer. This also tells them how to opt-out of the takeaway’s marketing text messages.

Providing an opt-out after the customer gives their details is not compliant with the soft opt-in. This means any marketing text messages that the takeaway subsequently sends would breach PECR.

5. You give an opportunity to refuse or opt-out in every subsequent communication

You must give people the chance to opt-out of every subsequent message that you send.

You must make it simple for customers to change their mind and opt-out or unsubscribe. For example, in subsequent messages it should be possible for them to reply directly to the message, or click a clear ‘unsubscribe’ link. With text messages you could offer an opt-out by telling people to send a stop message to a short code number. You must make this free of charge, apart from the cost to people of sending the message.

Example

A yoga studio sends its clients an email about upcoming events. At the bottom of the email the studio provides the following information:

‘If you don’t want to receive these emails from us any more please click here and we will unsubscribe you.’

A yoga studio sends its clients an email about upcoming events. At the bottom of the email the studio provides the following information:

‘If you don’t want to receive these emails from us any more please call the studio on 01245678 and quote your membership number and email address.’

Example

A hairdresser sends its clients a text message offering 30% off colour treatments. At the end of the text it says:

‘To opt-out text STOP to 12345.’

A hairdresser sends its clients a text message offering 30% off colour treatments. It doesn’t provide any information in the message about how to opt-out or unsubscribe.

You shouldn’t ask people to create an account in order to unsubscribe, or ask them to log into their existing account to change their preferences. This is not considered a simple way to opt-out of your electronic mail marketing.

Can we use the soft opt-in for fundraising or campaigning?

No. The soft opt-in is currently worded so that it only applies to commercial marketing of products or services. It doesn’t apply to the promotion of aims and ideals, eg campaigning or fundraising.

However, you can potentially use the soft opt-in for any commercial products or services you offer.

Example

A charity has an online shop that sells various ethically-sourced products. A customer buys some speciality teas from the online shop. When they provide their details, the charity gives them a clear, up-front chance to opt-out of direct marketing by email.

If the customer doesn’t tick the opt-out box, the charity may use the soft opt-in to send direct marketing emails about its shop’s products (assuming it meets the other soft opt-in criteria).

However, the charity can’t send emails to the customer about fundraising because this isn’t covered by the soft opt-in.

Currently you can’t send campaigning or fundraising texts or emails without specific consent, even to existing supporters.

Example

A supporter is making a donation online to a charity. The charity provides an opt-in box that clearly explains that people can tick if they want to hear more about the charity’s fundraising work by email. The supporter decides they would like to hear about the charity’s work, so they tick the box.

The charity sends fundraising emails to the supporter as it has their consent to do so.

Can we use bought-in lists to send marketing by electronic mail?

Many organisations offer marketing lists for sale, rent or under licence. Depending on the circumstances, you can potentially use such a list compiled by a third party to send direct marketing by electronic mail.

However, in order to use such a list for electronic mail marketing, the people on it must have given their consent to receive such marketing from you.

If the third party claims that those on the list consented to direct marketing, you must check that any consent is valid and actually covers you. You should do this by making the following checks:

  • What were people told?
  • What did they consent to?
  • Were you named on the consent request?
  • When and how did they consent?
  • Did they have a choice to consent?
  • Is there a record of the consent?

You are responsible for ensuring that you comply with PECR. For example, if the consent doesn’t name you or cover the method of electronic mail that you want to use, then it isn’t valid. This means that any electronic mail marketing you send to those on the list would breach PECR. See the section What is consent? for more information.

The soft opt-in doesn’t apply to bought-in marketing lists. This is because as part of the soft opt-in you must collect the details directly from the person you want to send marketing to during the course or negotiation of a sale of a product or service. Clearly this doesn’t apply to details you got from a third party. Remember there is no such thing as a third-party marketing list that is ‘soft opt-in compliant’.

You also must be aware of the data protection implications if the information you are buying is personal data. See the section What do the data protection rules mean for electronic mail marketing? for more information.

Can we use publicly available contact details to send marketing by electronic mail?

The term ‘publicly available’ can refer to contact details sourced from various places, including social media accounts, websites or other online or offline sources.

You must have consent or meet all of the soft opt-in requirements to send unsolicited direct marketing by electronic mail to people. Remember, these rules also apply for sole traders and some types of partnership.

Just because someone’s contact details (eg their email address or mobile number) are publicly available doesn’t mean they are consenting to your direct marketing. See the section What is consent? for more information.

The soft opt-in also doesn’t apply to contact details collected from publicly available sources. There are various criteria that you must meet to use the soft opt-in for your electronic mail. This includes you collecting their details during the course or negotiation of a sale of a product or service. You must also provide that person with an opt-out. Clearly this doesn’t apply to contact details obtained from public sources.

Therefore, if you have collected someone’s contact details from publicly available sources, it’s unlikely that you can use these to send them unsolicited electronic mail marketing. An exception to this might be someone’s business contact details that are on their employer’s website.

You also must be aware of the data protection implications if the information you are gathering is personal data. See the section What do the data protection rules mean for electronic mail marketing? for more information.

Further reading

Can we ask people to send our electronic mail marketing?

Asking people to send your direct marketing to their friends and family is often known as viral marketing or a ‘refer a friend’ or ‘tell a friend’ campaign. While many people appreciate such campaigns or schemes, you must comply with the PECR rules. This applies even if you don’t send the messages yourself, but instead instigate the sending or forwarding of these messages.

Instigate doesn’t necessarily mean that you incentivised your customer to send your messages. You don’t have to provide a reward or benefit to instigate the sending of messages. It’s enough if you actively encourage someone to send or forward the messages.

Direct marketing emails and texts require consent (the soft opt-in doesn’t apply in this situation) and you must demonstrate it. You can’t collect valid consent when asking a customer to send your direct marketing. This is because you have no direct contact with the people they are sending your direct marketing to.

Example

An online retailer operates a ‘refer a friend’ scheme, where customers are given 10% off their orders if they participate. A customer provides their own name and email address. The retailer automatically generates an email containing its marketing for them to send to their friends and family.

The retailer is instigating the direct marketing, therefore it is responsible for complying with PECR. Because the retailer doesn’t have the friends’ and family’s consent, such emails breach PECR.

Many organisations offer rewards if a customer gets their friends and family to also become customers. The fact that such a reward is available doesn’t necessarily mean that PECR is engaged. However, if you are encouraging people to send electronic mail to their friends about becoming your customer, you are instigating the sending of direct marketing.

We appreciate it’s difficult for you to control how your customer decides to make other people aware of your reward scheme. However, you can take steps to avoid being the instigator of the messages in this scenario. For example, by not creating pre-populated emails (as in the example above) or not actively encouraging customers to send an email or text message to their friends and family about the reward.

Example

A company operates a ‘refer a friend’ scheme where customers get a discount if their friends or family switch to the company’s service.

When the customer logs into their account, there is a page about the scheme. It explains that if their friends or family input the customer’s unique code when signing up to the company’s services, the customer then gets a discount on their bill. There is no mention on the webpage of how the customer should make people aware of the scheme. It’s therefore for the customer to decide if and how they take part.

In this case, if a customer decides to send electronic mail to make their friends and family aware of the scheme, the company won’t have responsibility under PECR as it is not instigating such messages.

In terms of fundraising, often a key part is people participating in sponsored events. People may choose to seek their sponsorship using electronic mail. You aren’t considered the instigator of those messages (even though it is your event), if you haven’t encouraged them to use that method.

Sometimes your customers and supporters may send your messages to their friends and family on their own initiative. For example, they may be recommending you, giving details of your promotion or campaign or linking to a product on your website. Obviously you are not responsible under PECR if someone chooses, with no encouragement from you, to send such messages.

Can people object to our electronic mail marketing?

Yes. People can object to receiving your electronic mail marketing and they can decide that they no longer want your messages. PECR specifically uses the language “for the time being” which means that they can change their previous preferences. 

In short you must:

  • not send electronic mail marketing to anyone that has opted-out or unsubscribed; and
  • stop sending electronic mail marketing based on consent where someone withdraws that consent.

You should have a process in place to deal with anyone who tells you they no longer want your electronic mail marketing.

It’s important to remember that people are free to change their mind about getting your direct marketing. For example, they can choose to withdraw their consent to receiving your direct marketing messages at any time and you must respect this.

If someone opts out or unsubscribes, this is likely to cover a particular contact type. For example, if someone gets marketing from you by text message and email but then decides to use the email’s unsubscribe link this opt-out is only likely to cover email marketing. It would not affect the text messages. This is assuming that the unsubscribe link was clear that it only covers email marketing.

Example

A customer receives marketing by text message and email from a company. The company is sending the messages while relying on the soft opt-in. As part of this, each text message tells people how to opt-out of the texts and each email has an unsubscribe button which makes clear that using it stops the emails.

The customer decides they no longer want to receive marketing by email so uses the unsubscribe button.

The company stops sending marketing to them by email. However, as the customer has not opted out of the texts, the company continues to send marketing by this other method.

If someone unsubscribes from your particular electronic mail marketing method, you must not send them any further marketing using that method. You should stop sending the messages as soon as possible.

You should add the contact details of people who withdraw their consent or unsubscribe to your ‘do not contact’ or suppression list. Using such a list helps you to comply, as you can check against it and avoid sending electronic mail marketing to anyone who has told you not to.

If someone withdraws their consent or unsubscribes, you can only send electronic mail marketing to them if in the future they subsequently decide to consent to such direct marketing from you.

As people may want to get your electronic mail marketing at a later date, you may wish to make them aware of how they can do this. For example, when they unsubscribe you could send them an automatic bounce back message (using the method they have unsubscribed from). This could confirm that they have unsubscribed and advise them of what to do if they change their mind. However, this message must not require them to take action to confirm their unsubscribe request.

You could also remind people of their electronic mail marketing preferences if the reminder is a minor addition to a message that you were sending anyway. For example, you could include this on an email confirmation when someone places an order with you. This could tell them how they can update their preferences (but without encouraging them to change their mind).

People also have data protection objection rights if you are using their personal data when sending electronic mail marketing. See the section What do the data protection rules mean for electronic mail marketing? for more information.