PECR and B2B email: what UK law actually says
PECR — the Privacy and Electronic Communications Regulations 2003 — is the UK law that directly governs marketing email, and it permits unsolicited B2B email to corporate subscribers provided you identify yourself and offer a working opt-out. The much-quoted consent requirement applies to individual subscribers, a category that includes sole traders and most non-LLP partnerships but not limited companies. Understanding that distinction is most of what a UK outbound operator needs from this law — and, as throughout, this is an explanation, not legal advice.
What is PECR, and how does it differ from UK GDPR?
Two laws, two questions. UK GDPR governs the processing of personal data — collecting, storing and using information about people — and for cold prospecting the relevant analysis is the legitimate-interest case covered in cold email and UK GDPR. PECR governs the act of sending electronic marketing: who may be emailed, texted or called, and on what terms. Both apply simultaneously to a cold campaign, and you need to be right under both. A campaign can have a solid lawful basis under UK GDPR and still breach PECR, or vice versa.
PECR is also the law the ICO actually enforces against bad email practice — its published penalties for unlawful marketing are overwhelmingly PECR cases. Alongside the technical groundwork in the Cold Email Deliverability guide, it forms the compliance half of the infrastructure layer.
What does "corporate subscriber" mean, and why is it the hinge?
PECR's consent rule for email (regulation 22) protects "individual subscribers" — people, in essence. Corporate subscribers — limited companies, LLPs, Scottish partnerships, government bodies — sit outside that rule. Emailing named staff at a limited company is therefore not subject to PECR's prior-consent requirement, which is the legal foundation UK B2B cold email stands on.
The trap is in who doesn't count as corporate. Sole traders and unincorporated partnerships (outside Scotland) are individual subscribers even though they're businesses — so a plumber trading as himself or a two-person design partnership gets the consumer-grade protection, and cold-emailing them without consent is where firms genuinely stray into breach. The practical consequence lands in list building: your data pipeline should know each prospect's legal form, and Companies House makes incorporation status checkable. When you filter to incorporated entities, then the regulation 22 consent question falls away and you're left with the conduct rules.
What are the conduct rules you must still follow?
Even for corporate subscribers, PECR and related law impose baseline conduct, and the mechanism is short. When you send, then you must not conceal or disguise your identity — the email says who you are and the business it comes from. When a recipient wants out, then a valid contact address and a workable opt-out route must be right there in the message. When someone opts out, then the address goes onto a suppression list and stays there — honoured across every campaign, every mailbox, indefinitely. When those three hold, then the sending itself is on defensible PECR ground, and your remaining obligations live on the UK GDPR side.
None of this constrains a well-run operation, because deliverability already demanded it: honest identification, easy opt-outs and permanent suppression are precisely the behaviours inbox providers reward. The law and the filters are, unusually, pushing in the same direction.
What does enforcement actually look like?
The ICO can issue monetary penalties for PECR breaches, and its enforcement register shows a steady record of fines against unlawful marketers — overwhelmingly aimed at high-volume, consent-free spam to individuals: consumer lists, concealed senders, ignored opt-outs, millions of messages. Measured B2B outreach to incorporated companies, honestly identified, with working opt-outs, is a different category of activity — but the register is worth reading as a catalogue of what not to become, and the reputational cost of an ICO action would dwarf any fine for a small firm.
Also hold the wider context loosely: privacy law evolves, ICO guidance gets revised, and post-Brexit divergence from EU rules continues. The principles above are stable; the details deserve an occasional check against current ICO guidance, or a professional opinion where stakes are high.
How do you build compliance into the system rather than the checklist?
The same way this cluster treats every failure mode: make it structural. Incorporation status checked at list-build; identification and opt-out language in every template; suppression automated in the sending tool, feeding back into list hygiene so pruned and opted-out contacts never re-enter through a side door. Compliance-by-checklist decays under pressure; compliance-by-design doesn't care how busy you are — the same feedback-loop logic that governs every other part of the pipeline, as set out in a systems-thinking guide for founders.
The one-line summary: UK law does not forbid B2B cold email — it forbids doing it dishonestly, to the wrong category of recipient, or after being asked to stop. Build those three constraints into the machine and move on. (Not legal advice.)
Next step: the Growth System Audit — £450, seven days, credited against any build — maps where your growth system leaks and what to build first.
Total Format builds the systems UK B2B service firms grow on — AI-powered outbound, automation, and reporting — so growth stops depending on the founder's time.
Map your growth system. The £450 audit takes seven days and is credited against any build.
BOOK THE AUDIT