PECR

When can UK marketers use the soft opt-in?

Scott Dooley
9 min read · Jun 22, 2026

Unsolicited email and SMS to individual subscribers normally needs consent under PECR electronic mail marketing rules. The soft opt-in is a narrow exception: you may email about similar products or services without separate consent only when five tests are met. Miss one test and the campaign is unlawful, regardless of how long someone has been on the list.

The norm: consent-based marketing

ICO guidance treats consent as the default route for unsolicited electronic mail to individuals. Consent needs a clear affirmative action. You must not use pre-ticked opt-in boxes, silence, or inactivity as evidence of consent.

ICO good-practice consent wording on a website form:

☐ I would like to receive marketing emails from you about your services.

If the customer ticks the box, you have consent to send marketing emails. That is consent marketing, not soft opt-in. The rest of this article covers only the products and services soft opt-in exception and its five tests.

What the soft opt-in is (and what it is not)

The soft opt-in lets organisations send email or SMS about similar products or services without separate consent, if contact details were collected in the right context and an opt-out was offered at the point of collection. It is a PECR mechanism, not a UK GDPR lawful-basis shortcut.

It is not legitimate interests. Those are separate paths with separate documentation. Treating soft opt-in as a catch-all for any existing contact is where most marketing teams go wrong.

SMS counts as electronic mail under PECR regulation 22. The same five tests apply to text campaigns.

The five tests for the products and services soft opt-in

ICO electronic mail guidance sets five requirements for the products and services soft opt-in. Every test must pass.

You collected the contact details yourself

Bought-in or rented lists cannot use soft opt-in. If the email address came from a broker, you need consent. ICO guidance is explicit: there is no third-party marketing list that is compliant with the soft opt-in.

ICO bad practice: a restaurant buys a list of mobile phone numbers from a third party, who claims the list is “soft opt-in compliant”. The soft opt-in does not apply because the restaurant did not obtain the contact details directly.

ICO good practice: a restaurant collects mobile phone numbers from customers when they book a table on its website. By collecting the contact details itself, the restaurant satisfies this first part of the soft opt-in.

You collected them during a sale or negotiation

Browsing alone is not enough under regulation 22. The person must actively express an interest in buying your products or services. That includes signing up to a free trial, requesting a quote, or asking for more details about what you offer.

ICO good practice: a customer completes an online enquiry form asking for more details about a product or range of products. That may be enough to meet this part of the soft opt-in.

ICO bad practice: a customer logs into a company’s website to browse its range of products. That is not enough to constitute negotiations for a sale.

You are marketing similar products or services only

Cross-selling unrelated products fails the test. ICO guidance asks whether, based on previous interactions, people reasonably expect direct marketing about your product or service.

ICO good practice: a customer buys bread and bananas from a large supermarket chain’s online shop and provides their email address through the process. Afterwards, they might reasonably expect emails about groceries, as well as emails about other products commonly sold in supermarkets.

ICO bad practice: the same customer is unlikely to expect emails about banking or insurance products. Those are not bought and sold in a similar context, and the supermarket is often not the same organisation as the one that provides banking or insurance products under its branding.

You offered an opt-out at collection

A buried link in a privacy policy is not enough. Neither is a confirmation email sent after collection. The opt-out must be clear at the point you capture the address. Your forms should include a prominent opt-out box.

Soft opt-in uses an opt-out box, not a consent opt-in box. If the customer does not tick the box, you may add them to your marketing database. That is the opposite of consent, where ticking the box is required.

ICO good practice: a customer buys trainers online and gives the retailer their email address as part of the process. The retailer provides a clear, easy to understand opt-out box. The customer does not tick the box, so the retailer adds the customer’s email address to its marketing database.

ICO good practice for SMS: a customer orders a takeaway pizza online and provides their mobile phone number. The form includes:

☐ We’d like to send you marketing text messages about our special offers. If you don’t want to receive these please tick here.

If the customer ticks the box, the company does not send marketing text messages. If they leave it unticked, soft opt-in may apply to similar offers, provided the other tests are met.

ICO bad practice: a customer buys trainers online and gives the retailer their email address. The retailer automatically adds the address to its marketing database without offering an opt-out at collection.

Every message includes a simple opt-out

Each email needs a working unsubscribe link. Each SMS needs a simple STOP route. Requiring account login to opt out does not meet the standard.

ICO good practice: a yoga studio sends clients an email about upcoming events. At the bottom it says: “If you no longer want to receive these emails from us, please click here to unsubscribe.”

ICO bad practice: a hairdresser sends clients a text message offering 30% off colour treatments but does not provide any information in the message about how to opt out or unsubscribe.

When charities can use the charitable purposes soft opt-in

Charities have a separate soft opt-in route for fundraising and campaigning. Only registered charities may use it. Commercial businesses cannot borrow this path.

The charitable purposes soft opt-in commenced on 5 February 2026. Contact details collected before that date need fresh collection with an opt-out offered, unless the charity already holds valid consent. Our DUAA 5 February changes guide covers the wider commencement timetable.

Charities cannot use the products and services soft opt-in for fundraising emails. A charity shop sale does not automatically open the charitable purposes route for a separate appeal campaign.

Soft opt-in vs consent: which path to choose

Start with the list source. Bought-in list? You need consent. Charity fundraising to contacts collected after 5 February 2026 with the charitable soft opt-in tests met? Charitable purposes soft opt-in. Your own list from a sale or negotiation, similar products only, opt-out offered at collection? Products and services soft opt-in. Anything else? Consent.

Soft opt-in is not easier than consent. Both need a documented lawful basis, CRM fields, and staff training. When your records cannot prove which test was met, run a re-consent campaign rather than guessing.

CRM and form checklist for marketing teams

  • Tag every contact with its source: direct sale, negotiation, charity signup, or bought-in import.
  • Store the form version ID or screenshot showing the opt-out offered at collection.
  • Segment sole traders and non-LLP partnerships separately from corporate subscribers.
  • Suppress cross-category campaigns unless consent exists for the new product line.
  • Include an unsubscribe link in every email template before it goes live.
  • Audit list imports quarterly. Flag any broker-sourced file on arrival.
  • Record the lawful basis in a dedicated CRM field, not a free-text note.
  • Train new marketing staff on soft opt-in vs consent during onboarding.

For a structured walkthrough of PECR rules, marketing teams can use our PECR for Marketers course.

Common mistakes that break the soft opt-in

  1. Marketing bought-in lists as “existing customers”
  2. Using a consent opt-in box and calling it soft opt-in
  3. Hiding opt-outs inside privacy policies
  4. Cross-selling unrelated product categories
  5. Treating sole traders as corporate subscribers exempt from PECR consent rules
  6. Emailing charity supporters collected before 5 February 2026 without re-consent
  7. Assuming Mailchimp or CRM default settings create a lawful basis

The ICO takes unsolicited marketing seriously. Its £160,000 fine against Energy Prices Direct followed 700,000 unlawful calls. Email and SMS breaches carry the same enforcement risk.

FAQ

What is the PECR soft opt-in?

It is a PECR exception that lets organisations email or text individuals about similar products or services without separate consent, if contact details were collected during a sale or negotiation, an opt-out was offered at collection, and each message includes a simple opt-out. ICO guidance sets the full conditions on its electronic mail marketing rules page.

Can I use soft opt-in for bought-in email lists?

No. You must have collected the contact details yourself. Bought-in, rented, or broker-supplied lists need consent.

Does soft opt-in apply to B2B marketing?

PECR electronic-mail consent and soft-opt-in rules do not apply to corporate subscribers such as companies, LLPs, and Scottish partnerships. Sole traders and non-LLP partnerships count as individual subscribers. ICO B2B marketing guidance sets the detail. UK GDPR still applies when you market to a named individual at a business.

Can charities email supporters without consent?

Registered charities may use the charitable purposes soft opt-in for fundraising and campaigning, provided contact details were collected on or after 5 February 2026 and the opt-out tests are met. Earlier contacts need fresh collection or valid consent.

What is the difference between soft opt-in and legitimate interests?

Soft opt-in is a PECR rule for electronic mail. Legitimate interests is a UK GDPR lawful basis. They are different legal paths. Do not substitute one for the other in your privacy documentation or CRM fields.

Do I need consent for SMS marketing?

SMS is electronic mail under PECR. You need consent, or you must meet the soft opt-in tests, including a simple STOP opt-out in every message.

Sources

Author

  • Scott Dooley is a seasoned entrepreneur and data protection expert with over 15 years of experience in the tech industry. As the founder of Measured Collective and Kahunam, Scott has dedicated his career to helping businesses navigate the complex landscape of data privacy and GDPR compliance.

    With a background in marketing and web development, Scott brings a unique perspective to data protection issues, understanding both the technical and business implications of privacy regulations. His expertise spans from cookie compliance to implementing privacy-by-design principles in software development.

    Scott is passionate about demystifying GDPR and making data protection accessible to businesses of all sizes. Through his blog, he shares practical insights, best practices, and the latest developments in data privacy law, helping readers stay informed and compliant in an ever-changing regulatory environment.

    View all posts

Popular posts on Measured Collective

  1. £300,000 ICO Penalty for Illegal Automated Marketing Calls: Home Improvement Marketing Ltd Case Analysis
  2. ICO fines protein e-commerce company Muscle Foods Limited for sending millions of marketing messages without valid consent
  3. GDPR & Google Workspace: How to stay compliant with GDPR
  4. Mailchimp & GDPR: Complete Compliance Guide for UK Businesses
  5. How the Data Protection and Digital Information Bill could change marketing in the UK

Start learning today

Essentials GDPR Course

UK GDPR awareness training for your team

GDPR Refresher

Keep your GDPR knowledge sharp

PECR for Marketers

ePrivacy compliance for marketing teams

Free GDPR Basics

100% free introduction to GDPR