
Newsletter
Email marketing consent, double opt-in, and newsletter rules by country.
UK email marketing is governed by PECR Regulation 22 (the consent rule) plus UK GDPR (the lawful-basis rule). For B2C, you need a clear opt-in OR the narrow PECR "soft opt-in" exception for existing customers buying similar products. For B2B, cold email to corporate addresses is permitted under PECR — but you still need an opt-out in every message and the recipient's data still falls under UK GDPR. The ICO is one of the more active regulators on email: HelloFresh paid £140,000 in 2023, Halfords £30,000 in 2022, and almost every quarter sees fresh PECR action against SMEs.
Key facts
- PECR Reg. 22 requires consent for B2C marketing — pre-ticked boxes are explicitly invalid under ICO guidance
- The PECR "soft opt-in" only applies to existing customers buying similar products — not to bought-in lists, not to prospects
- B2B email to corporate addresses (info@, sales@) is permitted under PECR, but ICO still expects an unsubscribe link and an honest sender identity
- Sending marketing to individual sole traders or partnerships is treated as B2C under PECR — most SME mailing lists mix both
- UK GDPR requires you to document when and how each subscriber gave consent — a checkbox record is not enough
What we check
- Newsletter signup form consent mechanism
- Double opt-in implementation where required
- Unsubscribe link presence in email templates
- Privacy policy coverage of email marketing
- Consent record-keeping practices
Newsletter signup: good vs. bad examples
Pre-checked consent box
A checkbox that says "I want to receive newsletters" is already checked when the page loads. Under UK GDPR consent must be a clear affirmative action, and pre-ticked boxes are explicitly invalid (Planet49 still applies in the UK as retained case law).
Unchecked, specific consent box
An unchecked checkbox with clear text: "Yes, I'd like to receive weekly website tips by email. You can unsubscribe at any time." This is specific, freely given, and requires an affirmative action.
Bundled consent
"By creating an account, you agree to our terms and to receiving marketing emails." This bundles newsletter consent with account creation. UK GDPR Article 7(2) requires consent for different purposes to be clearly distinguishable and separate.
Double opt-in with confirmation email
After signing up, the subscriber receives an email: "Please confirm your subscription by clicking the link below." The subscriber is only added to the list after clicking. Not strictly required in the UK, but the ICO treats it as strong evidence of consent and it's mandatory in Germany if you sell there.
No unsubscribe link
A newsletter that only says "Reply with STOP to unsubscribe" at the bottom in grey text. PECR Regulation 22 requires a clear, easy-to-use unsubscribe mechanism in every marketing email — ideally a one-click link.
Clear unsubscribe in every email
Every newsletter includes a prominent "Unsubscribe" link at the top or bottom. One click takes the user to a confirmation page, no login required. Gmail and Apple Mail also show a one-click list-unsubscribe header.
Hidden opt-in during checkout
Adding customers to a mailing list when they make a purchase, with the opt-in buried in the terms and conditions. This is not valid consent. The subscriber must actively choose to sign up.
Separate consent with record-keeping
Newsletter signup is a separate form or clearly separated checkbox. The system records the timestamp, IP address, the exact text shown and the form version. This proves exactly when and how consent was given.
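The double opt-in flow and the consent record described above, as an added sketch that is not code from this page or any particular mailing tool. The signing key, the 48-hour link lifetime, the form version label, the function names and the in-memory dictionaries are assumptions for illustration.

```python
import hashlib, hmac, time

SECRET = b"constructed-demo-key"   # assumption: load from a secret store in production
TOKEN_TTL = 48 * 3600              # assumption: confirmation link is valid for 48 hours
CONSENT_TEXT = ("Yes, I'd like to receive weekly website tips by email. "
                "You can unsubscribe at any time.")
FORM_VERSION = "signup-form-v3"    # hypothetical version label

pending, subscribers = {}, {}      # in-memory stand-ins for database tables

def _sign(email, issued_at):
    # HMAC binds the token to one address and one signup time
    msg = f"{email}|{issued_at}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def request_signup(email, ip, box_ticked, now=None):
    """Step 1: store the consent evidence and return the confirmation token."""
    if not box_ticked:             # no affirmative action, so nothing is recorded
        return None
    now = int(time.time()) if now is None else now
    pending[email] = {"timestamp": now, "ip": ip,
                      "consent_text": CONSENT_TEXT, "form_version": FORM_VERSION}
    return f"{now}.{_sign(email, now)}"

def confirm(email, token, now=None):
    """Step 2: add the subscriber to the list only after a valid click."""
    now = int(time.time()) if now is None else now
    record = pending.get(email)
    try:
        issued_str, mac = token.split(".", 1)
        issued_at = int(issued_str)
    except (ValueError, AttributeError):
        return False               # malformed token
    if record is None or record["timestamp"] != issued_at:
        return False               # unknown, superseded or already-used signup
    if not hmac.compare_digest(mac.encode(), _sign(email, issued_at).encode()):
        return False               # forged or tampered token
    if now - issued_at > TOKEN_TTL:
        return False               # expired link
    # The consent evidence moves with the subscriber, plus the confirmation time
    subscribers[email] = {**pending.pop(email), "confirmed_at": now}
    return True
```
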