How do PECR and UK GDPR fit together?
A common point of confusion is thinking these two pieces of legislation do the same thing. They do not. UK GDPR (retained from the EU General Data Protection Regulation) is a broad framework governing how organisations collect, store, use, and share personal data. PECR is a narrower, more specific instrument that sits alongside it and controls how electronic marketing is delivered.
The practical consequence: you need a lawful basis under UK GDPR Article 6 to hold and process the contact data in the first place, and you separately need to satisfy PECR's consent or opt-out rules before you press send. Where PECR requires consent, that consent must meet the high standard set by UK GDPR: freely given, specific, informed, and unambiguous. A pre-ticked box or buried opt-in language will satisfy neither.
PECR applies regardless of whether the data constitutes personal data. An email sent to a generic role address involves no identifiable individual under UK GDPR, yet PECR still governs the sending of that message if it is a commercial communication. In practice, the two regimes almost always apply together.
Regulatory home
Both UK GDPR and PECR are enforced by the same body: the Information Commissioner's Office (ICO). The ICO publishes detailed guidance on both and can investigate complaints under either or both simultaneously.
What does PECR actually cover?
PECR covers four main categories relevant to marketers:
- Unsolicited commercial email and SMS (Regulation 22): requires prior consent or the soft opt-in exemption.
- Unsolicited direct marketing calls (Regulation 21): prohibits calling numbers registered on the TPS or CTPS without specific consent.
- Automated calling systems (Regulation 19): requires prior consent for any call delivered by an automated system, even if a live agent joins later.
- Cookies and similar technologies (Regulation 6): governs the use of tracking technologies on websites, separate from marketing channel rules.
Postal direct mail falls entirely outside PECR's scope. If your campaign uses addressed physical post, you are operating under UK GDPR alone, along with any obligations tied to the Mailing Preference Service (MPS) suppression file.
B2C email and SMS: when is consent required?
For consumer marketing, the default position under Regulation 22 is clear: you need prior opt-in consent before sending any unsolicited commercial email or SMS to an individual subscriber. The exception that many marketers know about, and often misapply, is the soft opt-in.
What is the soft opt-in?
Regulation 22(3) permits organisations to send commercial messages to existing customers without fresh consent, subject to three conditions being met simultaneously:
- You collected the recipient's electronic contact details in the context of a sale or negotiation of a product or service.
- The marketing message relates to your own similar products or services (not a third party's, and not a product category you did not sell them before).
- Every message includes a simple, free opt-out mechanism that the recipient can use to stop future messages at any point.
The soft opt-in does not apply to rented or purchased consumer lists. If you have acquired a B2C email file from a third party, those individuals are not your existing customers, and prior opt-in consent remains a requirement. Our guide to lawful basis for B2B data covers how different legal grounds interact across contact channels, which is useful context if you are running mixed B2B and B2C campaigns.
B2B email: how does Regulation 22 treat corporate contacts?
This is where PECR's approach diverges sharply from the B2C default. The individual-subscriber definition in PECR does not extend to employees acting in a purely corporate capacity at a limited company. Emails sent to an individual at a corporate entity (for example, an employee's work address at Acme Corp Ltd, where Acme Corp Ltd is a registered company) fall outside the Regulation 22 consent requirement.
What B2B emailers must still do under PECR:
- Identify who the communication is from (the trading name and, where relevant, the registered company name).
- Include a valid postal address or other contact details for the sender.
- Provide a working opt-out mechanism in every message and act on opt-out requests promptly.
Note the nuance around sole traders and some partnerships. A freelance consultant, a self-employed plumber, or a two-partner law firm that is not a limited company may qualify as an individual subscriber under PECR. Emailing them as if they were a corporate entity is a common compliance gap. If your B2B list includes sole traders, treat them as B2C contacts for PECR purposes: prior consent applies.
Sole trader risk
Many B2B data files include sole traders, especially in trades, professional services, and agriculture. These individuals qualify as subscribers under PECR. If your campaign targets these sectors, either apply the consent standard or check that the individuals on your list are specifically registered as limited companies at Companies House.
Telephone marketing: TPS, CTPS, and Regulation 21
Regulation 21 is the provision most organisations associate with nuisance call complaints. It prohibits direct marketing calls to any number registered on the Telephone Preference Service (TPS) for individuals, or the Corporate Telephone Preference Service (CTPS) for business numbers, unless the number holder has given specific consent to receive calls from your organisation.
Washing a dial list against both the TPS and CTPS is not optional. It is a legal obligation. The ICO's enforcement history on this point is extensive: fines in the tens and hundreds of thousands of pounds have been issued for systematic failures to screen, including a £160,000 penalty for a single campaign. Beyond the regulatory risk, TPS suppression improves contact quality: numbers registered on TPS are by definition those least likely to engage.
The consent exception is narrow. It must be specific to your organisation, given by the individual for telephone contact, and recorded with a timestamp and evidence of the opt-in. A general marketing consent that does not mention telephone calls is unlikely to satisfy the ICO's expectations if challenged.
For B2B calling, the CTPS applies to numbers registered by organisations specifically to suppress corporate cold calling. Many marketers overlook CTPS entirely, focusing only on TPS. Both files should be applied before any telemarketing campaign goes live.
Automated calls and Regulation 19
Automated calling systems (robocalls, IVR blasting, and pre-recorded message drops) require prior consent regardless of whether the number is on TPS. Regulation 19 makes this a strict-consent channel: there is no soft opt-in and no B2B exemption equivalent. If your call is delivered by a machine at any point, even if a human takes over, you need documented prior consent from each recipient.
This regulation catches several modern outreach tools that use predictive diallers or AI voice systems. If the first moment of contact is machine-generated, Regulation 19 applies before Regulation 21 even comes into play.
Channel-by-channel consent thresholds: a comparison
| Channel | B2C (individuals, sole traders) | B2B (corporate entities, limited companies) | Key PECR regulation |
|---|---|---|---|
| Email (unsolicited commercial) | Prior opt-in consent required. Soft opt-in available for existing customers purchasing similar products. | No prior consent required. Must identify sender, provide opt-out in every message, and honour requests promptly. | Regulation 22 |
| SMS (unsolicited commercial) | Prior opt-in consent required. Soft opt-in available on same terms as email. | Same rules as B2B email: no prior consent, must include opt-out. | Regulation 22 |
| Live telephone calls | Cannot call TPS-registered numbers without specific consent to calls from your org. | Cannot call CTPS-registered numbers without specific consent. TPS also applies where personal numbers are used. | Regulation 21 |
| Automated calls | Prior consent required. No soft opt-in. No TPS exemption even if number is not registered. | Prior consent required. No B2B exemption. Regulation 19 applies regardless of corporate status. | Regulation 19 |
| Postal direct mail | Not covered by PECR. Governed by UK GDPR and MPS suppression for consumer files. | Not covered by PECR. Governed by UK GDPR and legitimate interests assessment for B2B. | N/A (outside PECR scope) |
What must every PECR-compliant marketing message include?
Regardless of channel, every commercial electronic communication sent under PECR must contain:
- A clear identification of who the message is from. The sender name must not be disguised or misrepresented.
- A valid contact address so the recipient can respond or make a complaint.
- A straightforward, cost-free way to opt out of future messages. For email, this is typically an unsubscribe link. For SMS, a reply keyword. The mechanism must actually work and requests must be acted on promptly.
Sending a marketing email from a no-reply address with no unsubscribe link is a PECR breach in itself, separate from the consent question.
Penalties for PECR breaches
The ICO's current enforcement ceiling under PECR is £500,000 per contravention. Notable fines have been issued to organisations running large-scale SMS spam campaigns (over £300,000 in several cases), companies making automated calls without consent, and businesses that failed to screen against the TPS consistently. The ICO publishes its enforcement decisions publicly, and the pattern shows repeat or systematic breaches attract the largest penalties.
The government has previously consulted on aligning PECR penalties with UK GDPR's higher limits (up to 4% of global annual turnover or £17.5 million). If those changes are implemented, the financial stakes will rise substantially. Checking the ICO's published enforcement register gives a clear picture of the types of conduct that have attracted attention.
Beyond fines, the ICO can issue enforcement notices requiring an organisation to stop specified activities, and data subjects can bring claims for distress caused by unlawful marketing. For businesses running high-volume campaigns, the reputational impact of an enforcement notice often outweighs the monetary penalty.
Practical checklist before launching a PECR-governed campaign
Before any electronic marketing campaign goes live, the following checks are worth completing:
- Identify your audience: Are these individuals, sole traders, or corporate entities? The answer determines which PECR rules apply to email and SMS.
- Establish your consent basis or exemption: For B2C, confirm you have opt-in records or that the soft opt-in conditions are genuinely met. For B2B email, confirm the recipients are employees of limited companies rather than sole traders.
- Screen telephone numbers: Run the dial list against TPS and CTPS before the campaign starts, not after complaints arrive.
- Check automated tools: If any part of your outreach uses an automated dialler or pre-recorded message, Regulation 19 consent is needed regardless of other factors.
- Review message content: Confirm the sender identity is visible, a working opt-out is present, and the message accurately describes its source.
- Log suppression files: Keep dated records of TPS/CTPS washes and unsubscribe requests. These records are your primary evidence if the ICO investigates.
