Under UK data protection laws, specifically the UK GDPR and the Privacy and Electronic Communications Regulations (PECR), obtaining explicit consent for email marketing using third-party data is generally required. While there are narrow exceptions, such as 'soft opt-in' for existing customers, the default stance emphasizes consumer control and transparency regarding personal data. The legal framework aims to prevent unsolicited communications and ensure individuals are fully aware of how their data is processed and by whom.
Key findings
Explicit consent: For email marketing, particularly when using data acquired from third parties, explicit, informed consent is the primary legal basis required under PECR and UK GDPR standards.
Third-party transparency: If you intend to share data with third parties for marketing purposes, or receive data from them, the consent obtained must specifically mention these third parties and their intended use of the data.
Lawful basis: While 'legitimate interests' can be a lawful basis for processing personal data under UK GDPR, it is generally not applicable for sending marketing emails without consent, especially when third-party data is involved. The Information Commissioner's Office (ICO) provides detailed guidance on this, emphasizing that consent must meet UK GDPR standards. You can find more details on their site: ICO's guide to PECR.
Non-transferable consent: Consent obtained by a third party may not be sufficient for your organization to use the data, unless the original consent specifically included your organization or type of organization. This directly impacts how GDPR affects email deliverability and sender reputation.
Right to be informed: Individuals have a fundamental right to be informed about how their data is collected and used, especially if it was obtained from a third party. Failing to provide this information can lead to compliance issues and potential blacklisting, impacting your email deliverability.
Key considerations
Audit data sources: Regularly review and audit all third-party data sources to ensure they meet UK GDPR and PECR consent requirements. Verify the consent mechanism used by the third party.
Specific consent language: Ensure that the consent language used by your data providers clearly states that data will be shared with your organization (or a category of organizations) for email marketing purposes.
Transparency in communications: In your first communication with a new subscriber acquired through a third party, clearly state how their data was obtained and provide easy access to your privacy policy.
Record keeping: Maintain robust records of consent, including when and how it was given, and by whom. This is crucial for demonstrating compliance if challenged.
Risk assessment: Assess the risks associated with using third-party data, particularly regarding the quality of consent. Non-compliance can lead to significant fines and reputational damage, as well as impacting your email deliverability.
What email marketers say
Email marketers often grapple with the complexities of consent, especially when considering third-party data. While the ideal is always direct, explicit consent, the reality of marketing efforts sometimes involves data partnerships. Marketers express concerns about the practicalities of proving consent obtained by another entity and the potential for violating an individual's right to information, which can have significant consequences for email performance and compliance. There's a strong emphasis on transparency and avoiding practices that could lead to being identified as spam.
Key opinions
Legal interpretation variability: Many marketers find the legal guidelines around 'legitimate interests' versus 'consent' confusing, especially for email marketing, often leading to a conservative approach of seeking explicit consent.
Transparency challenges: It is challenging to be fully transparent about data sourcing when working with third-party providers, as it requires clear communication from the initial data collection point.
Risk of non-compliance: There is a perceived high risk of non-compliance fines and negative impacts on sender reputation when relying on poorly obtained third-party data. This could lead to emails being sent to the spam folder, necessitating tools like an email deliverability tester.
Focus on data quality: Marketers recognize that acquiring good quality, consented data, even if from a third party, is paramount for effective email campaigns and avoiding blocklists (or blacklists).
GDPR's lasting impact: Despite initial concerns about GDPR's specific application to the UK post-Brexit, marketers generally understand that the principles of consent and data protection remain largely enshrined in the Data Protection Act 2018. More information on email marketing compliance can be found through resources like Usercentrics.
Key considerations
Vendor due diligence: Thoroughly vet third-party data providers to ensure their consent collection practices align with UK data protection laws and your organization's ethical standards.
Clear user journey: If using third-party lead generation, ensure the user journey clearly explains how their email will be used for marketing by other organizations. Email domains are considered PII, increasing the need for transparency.
Opt-out options: Always provide clear and easily accessible unsubscribe mechanisms in every marketing email, regardless of how the data was acquired.
Internal training: Educate marketing teams on the nuances of UK data protection laws concerning third-party data, especially the distinction between consent and legitimate interest for email.
Marketer view
Marketer from Email Geeks believes that if an email address is purchased from a third party, it constitutes an abuse of the individual's right to be informed. This marketer stresses that claiming 'legitimate interest' in such scenarios would be inappropriate and could lead to compliance issues under UK data protection laws.
08 Mar 2019 - Email Geeks
Marketer view
Marketer from RD Marketing points out that the GDPR mandates complete transparency regarding the use and sharing of personal data. They caution that failing to inform subscribers about any sharing of their data with third parties is a prevalent mistake that can result in non-compliance.
26 Nov 2024 - RD Marketing
What the experts say
Experts in email deliverability and data privacy consistently highlight the stringent requirements for consent under UK law, especially for third-party data. They emphasize that while GDPR has largely transitioned into the Data Protection Act 2018 in the UK, the core principles of explicit, informed consent for direct electronic marketing remain paramount. Relying on 'legitimate interest' for email is generally advised against unless specific, narrow conditions are met, and even then, transparency and user rights must be at the forefront. Proper data hygiene and consent management are crucial not just for compliance, but also for maintaining a strong sender reputation and avoiding blacklisting (or blocklisting).
Key opinions
Consent is key for email: Experts agree that for email marketing, explicit consent is almost always the required legal basis, differing from other marketing channels like postal mail.
Legitimate interest caution: While 'legitimate interest' exists as a lawful basis, it is broadly discouraged for email marketing, especially concerning new contacts or third-party sourced data, due to high interpretative risks.
Data Protection Act 2018: The UK's post-Brexit data protection framework, rooted in the Data Protection Act 2018, maintains high standards similar to GDPR, particularly regarding consent for electronic communications.
Impact on deliverability: Non-compliant consent practices, particularly with third-party data, significantly risk email deliverability, leading to increased spam complaints and domain or IP blocklisting.
User rights paramount: The individual's right to be informed about how their data is used and shared is a core principle that cannot be circumvented when acquiring data via third parties. This also impacts how email deliverability is affected by scraped lists.
Key considerations
Verify consent chains: Ensure that any third party providing data can demonstrate a clear and compliant consent chain back to the original data subject, specifically for email marketing.
Privacy by design: Integrate data protection principles, including consent mechanisms, into all stages of your email marketing strategy from the outset.
Regular audits: Conduct periodic audits of your email lists and consent records to ensure ongoing compliance, particularly with any changes in data protection legislation. You can get a good overview from Data Protection Report.
Contractual obligations: Establish clear contractual agreements with third-party data providers that stipulate their responsibilities for consent collection and data handling according to UK law.
Monitoring deliverability: Actively monitor email deliverability metrics for signs of poor list hygiene or consent issues, such as high complaint rates or blocklist appearances.
Expert view
Expert from Email Geeks emphasizes that processing any personal data necessitates consent or another valid legal ground. This principle extends to using data for email marketing, meaning simply having an email address, especially one obtained from a third party, does not automatically grant permission to send promotional messages.
08 Mar 2019 - Email Geeks
Expert view
Expert from Spam Resource highlights that email deliverability success hinges on respecting subscriber consent. They note that even if data is technically 'clean,' if the consent chain is unclear or insufficient, it will inevitably lead to spam complaints and damage sender reputation, resulting in emails landing in spam folders.
20 May 2024 - Spam Resource
What the documentation says
Official documentation from the Information Commissioner's Office (ICO) and other legal bodies clarifies the strict requirements for consent in email marketing, particularly when third-party data is involved. It distinguishes between various forms of marketing and outlines when explicit opt-in consent is mandatory under PECR and the UK GDPR. The documentation consistently emphasizes that consent must be freely given, specific, informed, and an unambiguous indication of the data subject's wishes. Crucially, it clarifies that consent obtained by one entity does not automatically transfer to another unless explicitly stated and agreed upon by the individual.
Key findings
PECR compliance: The Privacy and Electronic Communications Regulations (PECR) specifically require consent for unsolicited electronic marketing communications (emails and texts), with limited exceptions.
UK GDPR standard: Consent for email marketing must meet the higher standards of the UK GDPR: it must be freely given, specific, informed, and unambiguous. This means a clear affirmative action is required.
No automatic transfer: The ICO explicitly states that consent is not automatically transferable. If data is sourced from a third party, the original consent must specifically cover the subsequent use by your organization for marketing via email.
Right to be informed: Data subjects have a right to be informed about how their data is used, especially if obtained indirectly. This includes details of the source of their data. This aligns with GDPR's overall impact on email deliverability.
Legitimate interest exception: A narrow 'soft opt-in' exception under PECR allows marketing to existing customers if they initially provided their details in the context of a sale or negotiations for a sale, were given an opportunity to opt out, and the marketing relates to similar products or services. This is generally the only instance where deliverability and compliance objectives can be met without fresh consent. More details can be found on Privacy Compliance Hub.
Key considerations
Document consent: Maintain clear, auditable records of consent, including the date, method, and specific scope of consent provided by the individual, especially for third-party acquired data.
Specificity of purpose: Ensure that the consent obtained specifically covers the purpose of email marketing and the identity of the sender, if it is a third party.
Regular data cleansing: Regularly clean email lists to remove inactive or unconsented contacts, minimizing the risk of complaints or blocklistings.
Privacy notices: Provide comprehensive and easily accessible privacy notices that clearly explain your data processing activities, including sourcing from third parties and the legal basis for processing.
Technical article
Official documentation from the ICO's GDPR FAQs for charities states that consent is not always needed, for instance, for postal marketing. However, it explicitly clarifies that consent is required for certain calls, texts, and emails under PECR. This distinction is crucial for understanding specific electronic marketing obligations.
08 Mar 2019 - ico.org.uk
Technical article
Documentation from Securiti.ai's UK Guide on Direct Marketing via Email outlines that consent obtained for sending direct marketing messages must meet specific criteria. It must be freely given, specific, informed, and an unambiguous indication of the individual's wishes, emphasizing the high bar for valid consent.