
Understanding PECR and UK GDPR for B2B Email Outreach

LimeProspect Team

If you're running B2B email outreach in the UK, two pieces of legislation govern how you can contact prospects: the Privacy and Electronic Communications Regulations 2003 (PECR) and the UK General Data Protection Regulation (UK GDPR). They work together, but they cover different things.

Understanding the distinction is essential. Getting it wrong can result in enforcement action from the Information Commissioner's Office (ICO), damage to your sender reputation and loss of trust with potential customers.

PECR and UK GDPR: different rules for different things

UK GDPR governs the processing of personal data. It applies whenever you collect, store or use information that identifies an individual. This includes names, email addresses, job titles and any other data that relates to a living person.

PECR sits alongside UK GDPR and specifically regulates electronic communications, including marketing emails, calls and texts. PECR has its own consent rules that are separate from UK GDPR's lawful basis requirements.

The key point is this: even if you have a lawful basis under UK GDPR to process someone's personal data, you still need to comply with PECR's rules on electronic marketing. Both sets of regulations must be satisfied.

Corporate subscribers vs individual subscribers

PECR makes a crucial distinction between corporate subscribers and individual subscribers. This distinction determines whether you need prior consent to send marketing emails.

Corporate subscribers include limited companies (Ltd), public limited companies (PLC), limited liability partnerships (LLP) and other corporate bodies. Under PECR regulation 22A, you can generally send unsolicited marketing emails to corporate subscribers without prior consent, provided the emails are relevant to their business activities.

Individual subscribers include sole traders, some partnerships and, of course, private individuals. These recipients are treated like consumers under PECR. You generally need their consent before sending marketing emails, unless you can rely on the soft opt-in exemption.

The soft opt-in applies when you've obtained someone's contact details through a sale or negotiation of a sale, the marketing relates to similar products or services, and you gave them a clear opportunity to opt out when collecting their details and in every subsequent message.

Why this matters for B2B prospecting

Many B2B databases don't distinguish between limited companies and sole traders. A "business" in a lead list might be a registered limited company with 50 employees, or it might be a freelance consultant operating as a sole trader. The PECR rules are fundamentally different for each.

If your outreach list mixes corporate and individual subscribers and you treat them all the same, you're likely breaching PECR for the individual subscribers on your list. The ICO can issue fines of up to £500,000 for serious breaches of PECR.

Proper B2B prospecting requires you to verify the legal form of each business before including them in an outreach campaign. Companies House data makes this straightforward for registered companies. You can confirm whether a business is a Ltd, PLC, LLP or another corporate form.

TPS and CTPS screening

If your outreach includes telephone calls, you need to screen against the Telephone Preference Service (TPS) and the Corporate Telephone Preference Service (CTPS).

The TPS register covers individuals and sole traders who have opted out of unsolicited marketing calls. It's a legal requirement to screen your call lists against TPS before making marketing calls to individual subscribers. The CTPS covers corporate subscribers. While screening against CTPS isn't a strict legal requirement in the same way, the ICO strongly recommends it as best practice. Ignoring CTPS registrations generates complaints and damages your reputation.

Both registers are maintained by the Data and Marketing Commission, and you can access them through their screening services.

Lawful basis under UK GDPR

Even when PECR allows you to send marketing emails to corporate subscribers without consent, you still need a lawful basis under UK GDPR for processing any personal data involved. This typically means the personal data of the individual you're emailing, such as their name and work email address.

The most commonly used lawful basis for B2B marketing is legitimate interest. To rely on legitimate interest, you need to conduct a legitimate interest assessment (LIA) that considers three elements: purpose (is there a genuine business reason for the processing?), necessity (is the processing necessary to achieve that purpose?) and balancing (do the individual's rights and interests override your legitimate interest?).

You should document your LIA and be prepared to demonstrate it if challenged. The ICO provides guidance on conducting legitimate interest assessments, and it's worth following their framework closely.

Practical compliance steps

Start by classifying every prospect in your database by their legal form. Use Companies House data to verify whether each business is a limited company, LLP or sole trader. This classification determines which PECR rules apply.

For corporate subscribers, you can send relevant B2B marketing emails. Ensure you include a clear unsubscribe mechanism in every message and honour opt-out requests promptly.

For individual subscribers (sole traders and some partnerships), only send marketing emails if you have consent or can rely on the soft opt-in exemption. Document how and when consent was obtained.

Maintain a suppression list of contacts who have opted out. Check this list before every campaign. Under PECR, you must stop sending marketing emails to anyone who has objected, regardless of their subscriber type.

Conduct and document a legitimate interest assessment for your B2B marketing activities. Review it regularly, especially if your targeting criteria or outreach approach changes.

Record keeping and accountability

UK GDPR's accountability principle requires you to demonstrate compliance, not just claim it. Keep records of your lawful basis assessments, consent records (where applicable), suppression lists and data sources.

If the ICO investigates a complaint about your marketing, they'll want to see evidence that you took reasonable steps to comply. Having clear documentation of your compliance processes is far more persuasive than asserting that you believed you were compliant.

B2B email outreach is entirely lawful when done properly. The regulatory framework isn't designed to prevent business communication. It's designed to ensure that marketing is targeted, relevant and respectful of recipients' choices. Compliance isn't a burden; it's a competitive advantage. Companies that get it right build trust and maintain strong sender reputations, while those that don't face complaints, blacklisting and potential enforcement action.
