PECR Email Signature Requirements (UK)

The Privacy and Electronic Communications Regulations 2003 (PECR, SI 2003/2426) govern electronic marketing communications in the United Kingdom. Working alongside the UK GDPR and the Data Protection Act 2018, PECR imposes specific rules on email marketing that directly affect email signatures — particularly Regulation 22 (unsolicited marketing emails) and Regulation 23 (soft opt-in) — enforced by the Information Commissioner's Office (ICO).

£500K: Maximum ICO fine under current PECR enforcement (monetary penalty notice)
67M: UK residents protected by PECR
500+: ICO enforcement actions for electronic communications since 2018

PECR Requirements for Email Signatures

Regulation 22: Unsolicited Marketing

Email marketing to individuals requires prior consent unless the soft opt-in exception (Regulation 23) applies. Promotional elements in email signatures can trigger Regulation 22 requirements.

Regulation 23: Soft Opt-In

The soft opt-in allows marketing to existing customers who provided their email during a sale negotiation, provided an opt-out is offered in every message — including via email signatures.

B2B Marketing Rules

PECR applies differently to corporate subscribers versus individual subscribers. Unsolicited marketing emails to corporate subscribers (company email addresses) are permitted under Regulation 22A if sender identity is disclosed.

Sender Identification (Regulation 22(2)(b))

The sender of a marketing email must not conceal their identity and must provide a valid contact address for opt-out requests — requirements naturally fulfilled by a properly structured email signature.

Understanding PECR

The Privacy and Electronic Communications Regulations 2003 (PECR) implement the EU ePrivacy Directive (2002/58/EC) in UK law. Following Brexit, PECR continues to apply in the UK as retained EU law, working alongside the UK GDPR (the retained version of the EU GDPR) and the Data Protection Act 2018. PECR is enforced by the Information Commissioner's Office (ICO), which has the power to issue monetary penalty notices and enforcement notices and to bring prosecutions.

PECR's relevance to email signatures centers on Regulations 22 and 23, which govern unsolicited electronic marketing to individual subscribers. When email signatures contain promotional banners, marketing calls-to-action, product announcements, or event invitations, the email may constitute direct marketing under PECR — triggering consent requirements and opt-out obligations that must be fulfilled within the email itself.

A critical distinction under PECR is between individual subscribers (personal email addresses like john@example.com) and corporate subscribers (generic company addresses like info@company.co.uk). Regulation 22A permits unsolicited marketing to corporate subscribers provided the sender identifies themselves and provides contact details — requirements that a well-structured email signature naturally satisfies. However, many business email addresses are individual subscriber addresses, so organizations should default to the stricter individual subscriber rules.

The ICO has been increasingly active in PECR enforcement, issuing over 500 enforcement actions since 2018. Fines for email marketing violations have reached £500,000 under the current regime. The UK government has proposed replacing PECR with an updated ePrivacy framework, but until new legislation is enacted, PECR remains the governing law for electronic communications. Organizations must ensure their email signatures comply with both PECR and UK GDPR simultaneously.

PECR Email Signature Compliance Checklist

Determine whether email signature content constitutes "direct marketing" under PECR Regulation 22
Obtain prior consent for marketing signature elements sent to individual subscribers unless the soft opt-in exception applies
If relying on soft opt-in (Regulation 23), include a simple opt-out mechanism in every email with marketing signature content
Include clear sender identification in email signatures (Regulation 22(2)(b)) — do not conceal the sender's identity
Provide a valid contact address for opt-out requests within the email signature
For B2B emails to corporate subscribers, ensure sender identification and contact details are included per Regulation 22A
Ensure that opt-out requests from signature marketing are honoured promptly
Review email signatures for compliance with both PECR and UK GDPR (the two regimes apply concurrently)
Maintain records of consent for all individual subscribers receiving emails with promotional signature elements
Include Companies Act 2006 s.82 required company information in business email signatures (registered name, registration number, registered office address)

How Siggly Ensures PECR Compliance

1. Marketing Content Classification

Siggly helps organizations distinguish between informational and promotional signature elements, flagging when marketing banners may trigger PECR Regulation 22 consent requirements.

2. Built-In Opt-Out Mechanisms

When signatures include marketing content, Siggly provides integrated opt-out functionality that satisfies both PECR Regulation 23 (soft opt-in opt-out) and general marketing consent withdrawal requirements.

3. Companies Act Compliance

Siggly templates for UK organizations include mandatory Companies Act 2006 s.82 fields (registered company name, registration number, registered address), ensuring dual PECR and Companies Act compliance.

4. ICO Audit Readiness

Complete deployment records and consent tracking provide the evidence the ICO expects during PECR compliance investigations, including timestamps, consent records, and opt-out processing logs.

"The ICO's increased focus on electronic marketing enforcement made us reassess every email leaving our organization. Siggly's classification of marketing vs. informational signature content was exactly the control we needed to stay compliant."

Eleanor Whitmore

Head of Data Protection, Ashford Reid Consulting

Frequently Asked Questions

Does PECR apply to standard business email signatures?

Standard email signatures with contact information only are not subject to PECR marketing rules. However, if signatures include promotional banners, product announcements, or marketing calls-to-action, the email may constitute direct marketing under Regulation 22, triggering PECR requirements.

What is the "soft opt-in" and how does it affect email signatures?

Regulation 23 allows marketing to existing customers without express consent if: (1) their email was collected during a sale/negotiation, (2) the marketing is for similar products/services, and (3) a simple opt-out is offered in every message. Email signatures with marketing content for existing customers can rely on soft opt-in if these conditions are met.

Are B2B emails exempt from PECR?

Partially. PECR Regulation 22A allows unsolicited marketing emails to corporate subscribers (company email addresses) without prior consent, provided the sender identifies themselves and includes contact details. However, if the email is addressed to a named individual at a company, they may be treated as an individual subscriber subject to stricter rules.

What company information must UK email signatures include?

Under the Companies Act 2006 s.82, UK companies must include their registered company name, registration number, place of registration, and registered office address in business emails. This applies to all business emails, not just marketing messages.

How does PECR interact with UK GDPR for email signatures?

PECR and UK GDPR apply concurrently. PECR governs the electronic communication rules (consent, opt-out), while UK GDPR governs the underlying data protection (lawful basis, data minimization, rights). Email signatures must comply with both — for example, consent for marketing under PECR and data minimization under UK GDPR.
