GDPR Email Marketing: The Complete Guide for UK E-Commerce Brands
GDPR compliance in email marketing is not a box-ticking exercise. For UK e-commerce brands, it is the legal and operational foundation on which every campaign, every flow, and every list-building tactic must be built. Get it wrong and you face fines from the Information Commissioner’s Office (ICO), reputational damage, and the kind of subscriber loss that takes months to recover from.
This guide covers everything UK e-commerce brands need to understand about GDPR email marketing — from lawful basis and consent mechanics through to what actually happens when brands get it wrong.
UK GDPR vs EU GDPR: The Post-Brexit Landscape
Following Brexit, the UK operates under UK GDPR: the EU GDPR as retained in UK law and amended on exit, sitting alongside the Data Protection Act 2018. For practical purposes the principles are near-identical. The key distinction is enforcement: UK GDPR is enforced by the Information Commissioner’s Office (ICO), while EU GDPR enforcement falls to the national data protection authorities of the individual member states.
If you sell to customers in both the UK and the EU, you are subject to both frameworks simultaneously. This is not an either/or situation.
The other piece of UK-specific legislation that e-commerce brands must understand is the Privacy and Electronic Communications Regulations (PECR). PECR is the law that specifically governs direct marketing by electronic means — including email. GDPR governs data processing more broadly; PECR governs the act of sending marketing messages. You must comply with both.
The Two Lawful Bases for Email Marketing
Under UK GDPR and PECR, there are only two routes by which you can send marketing emails to individuals: consent, or the PECR soft opt-in for existing customers (where the underlying UK GDPR lawful basis for the processing is normally legitimate interests).
Consent
Consent is the most common basis for marketing emails to new subscribers. Under UK GDPR, valid consent must be:
- Freely given — The subscriber must have a genuine choice. You cannot make consent a condition of purchase.
- Specific — The consent must be for email marketing specifically. A generic “I agree to the terms” tick box does not count.
- Informed — The subscriber must know what they’re signing up for and who is processing their data.
- Unambiguous — Consent must be given by a clear affirmative action (opt-in). Pre-ticked boxes are not valid consent under UK GDPR.
Your sign-up forms must clearly state what the subscriber is consenting to. “Sign up for exclusive offers and updates from [Brand Name]” meets the standard. “Sign up to our newsletter” with no further detail is borderline. Hiding your marketing intentions in a linked privacy policy that nobody reads is not sufficient.
Consent must be recorded. Every major ESP — Klaviyo, ActiveCampaign, HubSpot, Dotdigital, Mailchimp, Omnisend, Brevo — offers consent timestamp recording. This data must be stored and retrievable. If the ICO asks you to prove consent for a specific subscriber, you need to be able to produce the timestamp, source, and wording of the consent.
Legitimate Interest for Existing Customers
PECR creates a limited exception to the consent requirement for existing customers under what is known as the soft opt-in rule. You can send marketing emails to an existing customer without explicit marketing consent if:
- You obtained their email address during a sale or negotiation of a sale
- You are marketing similar products and services to what they purchased
- You gave them a clear opportunity to opt out at the time of collection and in every subsequent marketing communication
This exception applies only where you obtained the details in the course of a sale or negotiations for a sale. It does not cover people who merely browsed your site or added to cart without giving you their details in that context, and it never overrides an opt-out.
The ICO’s guidance on the soft opt-in rule is clear: “similar products and services” must be genuinely similar. If someone bought running trainers from you, you can email them about other footwear and potentially sports apparel. Emailing them about a completely unrelated product line on the basis of the original purchase is a stretch you should not be making.
The Consent Cliff Edge: What Happens to Old Lists
This is one of the most common problems Excelohunt encounters when auditing UK brands. A business has been collecting emails for five years, using a mix of sign-up methods — some compliant, some not. Now what?
The honest answer is this: if you cannot demonstrate valid consent for a subscriber — if you don’t have a timestamp, source, and clear consent wording — that subscriber should not be receiving marketing emails from you.
This is not a legal technicality. The ICO has fined UK businesses for exactly this kind of inherited consent problem. Not because of malicious intent, but because the compliance infrastructure wasn’t in place.
The practical fix is a consent confirmation campaign: a one-time email asking subscribers to confirm they want to continue receiving marketing. One caveat matters here. A re-consent email is itself a marketing message, so you can only send it to people you already have a lawful route to email (consent you want to refresh, or customers covered by the soft opt-in). The ICO fined Flybe and Honda in 2017 for sending “update your preferences” emails to people who had opted out or whose consent status was unknown. Subscribers for whom you have no evidenced consent and no soft opt-in should be suppressed, not re-emailed. This is uncomfortable because you will lose a portion of your list, but the subscribers who don’t confirm were either invalid to begin with or genuinely not interested. Cleaning them removes ICO risk and improves your deliverability.
Building a GDPR-Compliant Sign-Up Flow
Here’s what a properly compliant email sign-up flow looks like on a UK e-commerce brand’s Shopify store:
The popup or sign-up form must:
- Clearly state what the subscriber is signing up for
- Name the brand collecting the data
- Include an unambiguous opt-in action (a tick box, not a pre-ticked one, or a clear submit button where the purpose is stated)
- Link to your privacy policy
- Not bundle marketing consent with terms of service acceptance
Example of compliant wording: “Sign up to receive exclusive offers, new product launches, and email updates from [Brand Name]. You can unsubscribe at any time. View our Privacy Policy.”
Example of non-compliant wording: “By completing your purchase, you agree to receive marketing communications.”
After sign-up, your ESP should record:
- The timestamp of consent
- The source (which form/page)
- The consent wording displayed at the time
- The subscriber’s IP address (optional but useful evidence; note that an IP address is personal data in its own right, so disclose it in your privacy policy and keep it only as long as the consent record it supports)
Klaviyo, Dotdigital, HubSpot, and ActiveCampaign all support robust consent logging. Mailchimp and Omnisend do so with some configuration. If your ESP does not support this, consider whether it’s the right platform for a UK market.
Double Opt-In: Required or Recommended?
UK GDPR does not legally require double opt-in. However, it is strongly recommended for most UK e-commerce brands because:
- It produces a cleaner, more engaged list
- It provides an additional layer of consent evidence
- It reduces spam complaints
- It protects against fake sign-ups that can harm deliverability
The counterargument is list growth rate — double opt-in typically reduces confirmed sign-ups by 20–30% compared to single opt-in. For high-growth brands where list size matters, this is a real trade-off.
Our recommendation: use double opt-in unless you have a very compelling reason not to. The compliance protection and list quality improvement generally outweigh the growth rate penalty. If you do use single opt-in, ensure your consent wording and recording are watertight.
Data Subject Rights: What You Must Be Able to Do
UK GDPR gives individuals eight rights over their personal data. For e-commerce brands running email programmes, these are the ones that come up most:
Right to access: A subscriber can request all data you hold on them. You must respond within one month (extendable by up to two further months for complex or numerous requests, provided you tell the individual within the first month). Your ESP should be able to export a full contact profile including consent history, campaign engagement, and purchase data linked via integration.
Right to erasure (“right to be forgotten”): A subscriber can request deletion of their data. You must delete their profile from your ESP and any connected systems. Note: you may be required to retain some data (e.g., transaction records) under other legislation, but you must delete marketing data. Keeping a minimal suppression record (the email address alone) so that a later import does not re-add them is accepted practice, provided it is used only to honour the request.
Right to rectification: If a subscriber’s data is incorrect, they can ask you to correct it.
Right to object to processing: A subscriber can object to processing based on legitimate interest. If they do, you must stop processing for that purpose.
Right to withdraw consent: Subscribers can withdraw consent at any time. Unsubscribing from email is the most common form of this. But withdrawing consent doesn’t erase past processing — it only stops future processing.
Every marketing email must contain a functional, easy-to-find unsubscribe mechanism, and withdrawing consent must be as easy as giving it. This is both a GDPR requirement and a PECR requirement. Hidden or broken unsubscribe links are one of the fastest routes to ICO complaints.
What to Include in Your Privacy Policy
Your privacy policy must explain your email marketing data processing clearly. At minimum it should cover:
- What data you collect (name, email, browse/purchase behaviour)
- Why you collect it (to send marketing communications)
- The lawful basis for processing (consent or legitimate interest)
- How long you retain the data
- Who you share it with (your ESP, any third-party integrations)
- How subscribers can exercise their rights
- That you use cookies and tracking pixels in email (open tracking, click tracking)
Email open tracking via tracking pixels is data processing, and because a pixel accesses information from the recipient’s device when the email is rendered, the ICO treats it as falling under PECR’s rules on cookies and similar technologies. Enforcement against email pixels has been rare, but the safe position is to disclose open and click tracking in the privacy policy and to treat it as part of what the subscriber is consenting to.
PECR-Specific Requirements
PECR sits alongside GDPR and adds specific rules for electronic marketing. Key points for e-commerce brands:
You must identify the sender. Every marketing email must clearly identify who is sending it. Using a bare mailbox address as the “From” name, with no brand identification in the email body, is non-compliant.
You must provide a valid contact address. PECR requires every marketing email to carry a valid address at which the recipient can ask you to stop; a postal address in the footer is the safest way to meet this. It is often overlooked and can be grounds for ICO investigation.
You cannot send to bought or scraped lists. Purchasing email lists and marketing to them is almost certainly in breach of both GDPR (no consent) and PECR (no existing customer relationship). The ICO has issued substantial fines for this.
SMS marketing follows the same rules. If you run SMS alongside email via platforms like Omnisend or a dedicated SMS tool, PECR applies equally to text messages.
Automated Flows and GDPR
GDPR doesn’t just apply to campaign sends — it applies to every automated email your flows send. Each automated email is a form of data processing and must comply with the same principles.
Abandoned cart flows are a common grey area. You can only send an abandoned cart email to someone who:
- Has explicitly opted into your marketing (consent basis), OR
- Is an existing customer where the soft opt-in rule applies
You cannot send an abandoned cart email to a first-time visitor who entered their email at checkout but did not opt into marketing, unless the soft opt-in conditions above were genuinely met at that point (details taken in the course of a sale or negotiation, with a clear opt-out offered when they were collected). If you intend to rely on that, build the opt-out into the checkout form; you cannot retrofit it.
Browse abandonment flows are even stricter. You can only browse-abandon someone who is a known subscriber in your database, and the tracking that links their browsing to their profile is itself a cookie or similar technology that needs PECR consent. You cannot capture browsing data for non-subscribers and use it to trigger emails.
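The consent-evidence test in the section on old lists and the gating rule for automated flows are the same decision: before a send fires, can you point to evidenced consent or to a soft opt-in whose conditions all hold? The following Python is an added example of that decision, not code from Excelohunt or from any ESP. The record fields, the product categories, the `SIMILAR` map and the sample contacts are constructed assumptions for illustration.

```python
"""Consent gating for a marketing send (added illustration, not any ESP's code).

Assumed/constructed: the record fields, the category names, the SIMILAR map
and the sample contacts below.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed: which product lines count as "similar" for the soft opt-in.
SIMILAR = {
    "footwear": {"footwear", "sports_apparel"},
    "sports_apparel": {"sports_apparel", "footwear"},
    "homeware": {"homeware"},
}


@dataclass
class ConsentRecord:
    given_at: Optional[datetime] = None   # when the affirmative action happened
    source: Optional[str] = None          # which form/page captured it
    wording: Optional[str] = None         # the exact text shown at the time
    ip: Optional[str] = None              # optional supporting evidence
    withdrawn_at: Optional[datetime] = None


@dataclass
class Contact:
    email: str
    consent: Optional[ConsentRecord] = None
    # Facts needed for the PECR soft opt-in
    obtained_in_sale: bool = False              # details taken during a sale/negotiation
    opt_out_offered_at_collection: bool = False
    purchased: set = field(default_factory=set)  # product categories bought
    objected_at: Optional[datetime] = None      # opt-out from soft opt-in mailings


def consent_is_evidenced(rec: Optional[ConsentRecord]) -> bool:
    """Consent counts only if timestamp, source and wording can all be produced
    and it has not been withdrawn. A bare timestamp from a legacy import fails."""
    if rec is None or rec.withdrawn_at is not None:
        return False
    return all([rec.given_at, rec.source, rec.wording])


def soft_opt_in_applies(c: Contact, category: str) -> bool:
    """Every soft opt-in condition must hold and the contact must not have objected."""
    if c.objected_at is not None:
        return False
    if not (c.obtained_in_sale and c.opt_out_offered_at_collection):
        return False
    similar_to_purchases = set().union(*(SIMILAR.get(p, {p}) for p in c.purchased))
    return category in similar_to_purchases


def marketing_basis(c: Contact, category: str) -> Optional[str]:
    """Return the basis for emailing this contact about `category`, or None
    when the contact must be suppressed for that send."""
    if consent_is_evidenced(c.consent):
        return "consent"
    if soft_opt_in_applies(c, category):
        return "soft_opt_in"
    return None


def unsubscribe(c: Contact, when: datetime) -> None:
    """One unsubscribe must close both routes: withdraw consent and record an objection."""
    if c.consent is not None:
        c.consent.withdrawn_at = when
    c.objected_at = when


def audit_list(contacts, category: str) -> dict:
    """Classify an inherited list: who may receive a send for `category`, and on what basis."""
    return {c.email: (marketing_basis(c, category) or "suppress") for c in contacts}


# Constructed sample list: a clean opt-in, a legacy import with no provenance,
# a soft opt-in customer, and a customer who was never offered an opt-out.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    Contact("a@example.com", consent=ConsentRecord(
        NOW, "footer-popup", "Sign up to receive exclusive offers from Brand", "203.0.113.5")),
    Contact("b@example.com", consent=ConsentRecord(given_at=NOW)),
    Contact("c@example.com", obtained_in_sale=True,
            opt_out_offered_at_collection=True, purchased={"footwear"}),
    Contact("d@example.com", obtained_in_sale=True,
            opt_out_offered_at_collection=False, purchased={"footwear"}),
]

if __name__ == "__main__":
    for email, basis in audit_list(SAMPLE, "sports_apparel").items():
        print(f"{email}: {basis}")
```

Run against the sample list for a sports apparel send, `a@` passes on consent, `c@` on the soft opt-in, and both `b@` (no source or wording) and `d@` (no opt-out offered at collection) are suppressed. Switch the category to `homeware` and `c@` is suppressed too, because the purchase was footwear. The same function should sit in front of every flow trigger, not only campaign sends.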
Win-back flows must handle consent carefully. If a subscriber hasn’t engaged in 12+ months, you should consider whether their consent remains valid and whether you should include a re-consent step before continuing to market to them.
Sunset flows (re-engagement followed by suppression) are best practice under GDPR because they actively manage the relevance and recency of your consent base.
What Happens When Brands Get It Wrong
The ICO is increasingly active in enforcing GDPR and PECR in e-commerce. Recent enforcement actions in the UK have resulted in:
- Six-figure fines for sending marketing emails without valid consent
- Enforcement notices requiring brands to delete entire email lists and rebuild compliant consent processes
- ICO investigations triggered by consumer complaints — even a small number of complaints can initiate a formal investigation
Beyond fines, there is reputational risk. ICO enforcement notices are published publicly. For a consumer brand, a public finding that you were illegally marketing to customers is a significant trust problem.
Reporting works in two ways. A personal data breach that is likely to result in a risk to individuals must be reported to the ICO within 72 hours of becoming aware of it; that is a legal duty under UK GDPR, not an option. For other compliance failures, voluntary disclosure and prompt remediation are treated as mitigating factors when enforcement is decided, while brands that try to hide failures and are later discovered face harsher treatment.
Working with a GDPR-Aware Email Agency
If you use an email marketing agency, their work on your behalf is data processing under UK GDPR. You must have a data processing agreement (DPA) in place with your agency. This is a contractual requirement, not optional.
Your agency must be able to demonstrate:
- Understanding of UK GDPR and PECR as they apply to email marketing
- Processes for building compliant consent flows in your ESP
- Knowledge of your obligations as the data controller and theirs as your processor
- Compliance with UK international data transfer rules if they, or the tools they use on your behalf, are based outside the UK
Excelohunt operates with DPAs in place for all client relationships and builds GDPR compliance into every campaign, flow, and list management process across Klaviyo, ActiveCampaign, HubSpot, Dotdigital, Mailchimp, Omnisend, and Brevo.
A GDPR Email Marketing Checklist for UK E-Commerce Brands
Use this as your starting compliance baseline:
- All sign-up forms use unambiguous opt-in language
- Consent timestamps and sources are recorded in your ESP
- Privacy policy covers email marketing data processing in plain English
- Every marketing email contains a visible unsubscribe link
- Every marketing email contains a physical address
- Sender name and identity are clear in every email
- Automated flows (abandoned cart, win-back, etc.) only fire for consented subscribers
- Data subject request process is documented and tested
- Data processing agreement in place with your ESP
- Data processing agreement in place with any email marketing agency
- List is cleaned regularly (suppressing non-engagers within 90–180 days)
- Consent re-confirmation process in place for lists older than 24 months
Conclusion
GDPR email marketing compliance in the UK is not negotiable, but it is also not the obstacle many brands make it out to be. With the right processes, the right ESP configuration, and the right approach to consent, you can build a highly compliant email programme that also performs commercially.
The brands that treat GDPR as a competitive advantage — because their list is clean, consented, and engaged — consistently outperform those who treat it as a compliance burden. A smaller, genuinely opted-in list will always outperform a bloated, poorly-consented one.
Build compliance in from day one. The cost of getting it right is far lower than the cost of getting it wrong.
Want Us to Implement This for Your Brand?
Get a free email audit and see exactly where you're losing revenue.
Get Your Free Audit