Is consent required for email marketing using third-party data under UK data protection laws?

Matthew Whittaker
Co-founder & CTO, Suped
Published 18 May 2025
Updated 19 Aug 2025
Navigating the complexities of email marketing, especially when leveraging third-party data, can be a minefield of legal compliance, particularly under the stringent UK data protection laws. The core question for many marketers is whether explicit consent is always required. It is not always straightforward, but understanding the foundational regulations is key to avoiding penalties and maintaining a healthy sender reputation.
In the United Kingdom, email marketing is primarily governed by two significant pieces of legislation: the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR). Both work in tandem to ensure individuals' personal data and privacy are protected. While UK GDPR sets out the broader principles for processing personal data, PECR specifically addresses unsolicited marketing communications, including emails.
The interplay between these regulations becomes particularly critical when dealing with data sourced from third parties. Relying on such data for email marketing purposes without a clear understanding of the consent requirements can lead to significant compliance issues, including fines and damage to your brand's reputation and email deliverability.
The UK GDPR establishes the framework for how personal data must be processed. It requires that you have a lawful basis for processing any personal data. For email marketing, this typically means relying on either consent or, in very limited circumstances, legitimate interest, although the latter is rarely applicable for electronic direct marketing to individuals.
PECR is more specific to electronic communications and generally requires prior consent for sending marketing emails to individuals. There is a limited soft opt-in exception for existing customers, where they have previously purchased a product or service from you, and you are marketing similar products or services. However, this exception does not extend to third-party acquired data.
Crucially, if you rely on consent under PECR, that consent must meet the high standards set by the UK GDPR. This means consent must be freely given, specific, informed, and an unambiguous indication of the individual’s wishes. This often necessitates an active opt-in, where the individual takes a clear affirmative action to consent.

Valid consent requirements

  1. Freely given: Individuals must have a genuine choice and control over their data.
  2. Specific: Consent should be for specific purposes, not a blanket agreement for all marketing.
  3. Informed: Individuals must know who is collecting their data and what it will be used for, including if it's shared with third parties.
  4. Unambiguous: Consent requires a clear affirmative action, such as ticking an unticked box, not pre-checked boxes or silence.
This rigorous standard makes it challenging to rely on consent for data not directly collected from the individual by your organization.
When it comes to using third-party data for email marketing in the UK, the answer is almost always a resounding 'yes,' consent is required. If you acquire an email list or database from another organization, that organization must be able to demonstrate that they obtained valid consent for their sharing of the data with third parties like yourself, and that the consent covers the specific type of marketing you intend to send.
You are ultimately responsible for ensuring the individuals on the list gave valid, specific consent to be contacted by third parties for marketing purposes. This means performing due diligence on any third-party data you acquire. If this consent is lacking or invalid, you risk being in breach of both UK GDPR and PECR, which can lead to significant penalties, including potential listing on an email blocklist or blacklist.

Legal checks

  1. Consent source: Verify how the third party obtained consent.
  2. Scope of consent: Ensure the consent explicitly covers sharing with third parties for email marketing, specifically for your type of business or offerings.
  3. Proof of consent: Request documentation demonstrating valid consent from each individual.

Your responsibilities

  1. Maintain records: Keep clear records of how and when consent was obtained for each contact.
  2. Provide easy opt-out: Include a clear and easy mechanism to unsubscribe from your emails, such as a one-click unsubscribe.
  3. Transparent privacy policy: Ensure your privacy policy clearly states how you process personal data, including data from third parties.
The Information Commissioner's Office (ICO) in the UK takes the position that consent must specifically cover receiving a particular type of electronic mail transmitted by a sender. This means generic consent or consent that was vaguely obtained is unlikely to be sufficient for compliance.

Legitimate interest and email marketing

While UK GDPR offers legitimate interest as a lawful basis for processing personal data, it generally does not apply to sending direct marketing emails to individuals under PECR. This is a common point of confusion. PECR is clear that for electronic marketing to individuals, consent is the default requirement. If PECR requires consent for a message, then consent is the appropriate lawful basis under UK GDPR too.
There's often a distinction made between B2B and B2C email marketing under PECR. For corporate subscribers (e.g., generic company email addresses like info@company.com), you may not always need consent, provided certain conditions are met, such as offering a clear unsubscribe option. However, for individual email addresses (e.g., john.doe@gmail.com), consent is almost universally required for marketing emails, regardless of whether the data was obtained directly or through a third party.
Example of a List-Unsubscribe header for easy opt-out:
List-Unsubscribe: <mailto:unsubscribe@example.com?subject=Unsubscribe>, <https://www.example.com/unsubscribe.html>
Therefore, even if you could argue a legitimate interest for processing the data itself under UK GDPR, the specific act of sending a marketing email generally falls under PECR's consent requirement for individuals. This means you cannot simply buy a list and email individuals without their explicit, informed consent.

Best practices for compliance and deliverability

Ensuring compliance extends beyond just obtaining initial consent, especially with third-party data. It involves ongoing management and adherence to data protection principles. You need to maintain clear records of consent, regularly review your data sources, and ensure that your marketing practices align with current legal interpretations.
Transparency in your privacy policy is also paramount. Individuals have a right to know how their data is used, where it came from, and who it is shared with. Clear communication about your data processing activities builds trust and helps mitigate legal risks. Bad practices can also affect your email deliverability, pushing your emails to the spam folder or even leading to your domain being placed on a blocklist (or blacklist).
Regular audits of your consent mechanisms and data sources are highly recommended. This includes verifying that any third-party data you use still holds valid consent for the purposes you are using it for, and that you are making it easy for subscribers to opt out at any time. Non-compliance can lead to hefty fines and damage to your reputation, making proactive measures essential.

| Action | Purpose | Notes |
| --- | --- | --- |
| Audit third-party lists | Verify consent scope | Ensure consent covers sharing and your marketing. |
| Clear opt-out | Provide easy unsubscribe | Must be simple and readily available in every email. |
| Data minimisation | Only collect necessary data | Avoid gathering excessive personal information. |
| Regular reviews | Check consent validity | Periodically confirm consent remains valid for active subscribers. |

Views from the trenches

Best practices

  1. Always obtain explicit, affirmative consent directly from individuals for email marketing.
  2. Ensure your privacy policy clearly outlines how you process data, including any third-party sharing.
  3. Implement a double opt-in process, especially for new subscribers, to ensure clear consent.
  4. Maintain detailed records of consent, including when and how it was obtained.

Common pitfalls

  1. Purchasing or using email lists from third parties without verifying explicit, specific consent for your marketing activities.
  2. Assuming legitimate interest can be used for direct email marketing to individuals.
  3. Failing to provide transparent information about data sources and processing in your privacy policy.
  4. Ignoring unsubscribe requests or making the opt-out process difficult.

Expert tips

  1. Regularly audit your email lists to remove inactive or unengaged subscribers, which helps improve deliverability and reduces spam complaints.
  2. Consider segmenting your audience based on their consent preferences to ensure you only send relevant emails.
  3. Stay updated on ICO guidance and any changes to UK data protection laws, as interpretations can evolve.
  4. For B2B marketing, ensure you still respect individuals' rights and provide clear opt-out options, even if consent isn't strictly required for corporate addresses.

Marketer view
Marketer from Email Geeks says: If an email address is acquired from a third party, attempting to claim legitimate interest as a lawful basis for marketing is likely to be an abuse of the individual's right to be informed under UK GDPR.
2019-03-08 - Email Geeks
Expert view
Expert from Email Geeks says: Consent is not always required for all forms of marketing, such as postal marketing, but it is necessary for electronic marketing communications like texts and emails under PECR guidelines.
2019-03-08 - Email Geeks

Key takeaways for UK email marketing

In summary, while the landscape of UK data protection laws is complex, the answer to whether consent is required for email marketing using third-party data is generally yes. Both the UK GDPR and PECR reinforce the need for explicit, specific, and informed consent when sending marketing emails to individuals, especially when their data has been obtained indirectly. The impact of GDPR on email marketing has been significant, emphasizing consumer control over personal data.
Prioritizing robust consent practices not only ensures legal compliance but also fosters trust with your audience, leading to better engagement and improved deliverability. Relying on legitimate interest for direct email marketing to individuals from third-party sources is a risky approach that is unlikely to stand up to regulatory scrutiny. Always err on the side of caution and prioritize explicit consent to maintain your sender reputation and avoid falling onto a blocklist or blacklist.
