PECR Compliance for NRI Email and SMS Marketing in the UK

6 min read · Compliance · Updated 3 May 2026

PECR — the Privacy and Electronic Communications Regulations 2003 — is the UK regulation that catches most NRI marketing campaigns even when UK GDPR compliance is solid. Where UK GDPR governs the lawful basis for processing personal data, PECR specifically governs the act of sending electronic marketing (email, SMS, fax, telephone). For NRI campaigns targeting UK individuals, PECR is usually the rule that determines whether your campaign is legal.

What PECR covers

PECR Regulation 22 is the operative provision for marketing email and SMS to individual subscribers (consumers, sole traders, and most partnerships). It requires prior consent from the recipient before a marketing message is sent — full stop. UK GDPR's broader lawful-basis options (legitimate interest, contractual necessity, etc.) do not override PECR's consent requirement for electronic marketing to individuals.

Regulations 19, 20, and 21 cover other electronic marketing methods (automated calls, fax, live unsolicited calls). Regulations 23 and 24 cover the soft opt-in exception and content of marketing messages.

What "prior consent" actually requires

Consent under PECR (and UK GDPR) must be:

Freely given — not bundled with terms of service or required for unrelated transactions.
Specific — the consent must contemplate the actual marketing communications you intend to send (e.g., "marketing communications from [platform] and its trusted partners").
Informed — the data subject must know what they're consenting to and who will market to them.
Unambiguous — opt-in via a clear affirmative action (ticked checkbox is fine; pre-ticked checkbox is not).

This is why verified marketing-consented data sourced from public consumer fintech platforms (where the original sign-up captured this consent) is legally usable for cold UK NRI marketing — and why scraped or web-mined data is not.

The soft opt-in exception (narrow)

PECR Regulation 22(3) allows marketing without prior consent in three narrow circumstances:

The recipient is an existing customer (not a prospect, not a list member);
The marketing relates to similar products or services to those previously purchased;
The recipient was given a simple opt-out at the time their data was collected and in every subsequent message.

The soft opt-in does not help you market to a bought NRI list — those recipients have not previously transacted with you.

Live phone calls and the TPS register

PECR Regulation 21 covers live unsolicited marketing calls. You can call an individual subscriber for marketing only if either:

You have their prior consent for marketing calls; or
You have screened the number against the Telephone Preference Service (TPS) register and the number is not listed.

If a number is on TPS and you call without consent, you breach PECR — even if the call is short and the recipient hangs up. The TPS register currently lists ~25M UK numbers; many UK NRIs are on it.

ICO enforcement patterns

The ICO publishes monthly enforcement actions and is actively pursuing PECR violations. Common enforcement triggers:

Repeated unsolicited email campaigns to UK consumers from a UK-registered company;
Marketing SMS without consent (especially with high complaint volumes);
Cold marketing calls to TPS-listed numbers;
Failure to honour unsubscribe requests within statutory deadlines.

Penalties run up to £500K for PECR-only matters and can stack with UK GDPR penalties for related data-protection breaches.

What this means for NRI marketing in practice

Verified marketing-consented data is your foundation. Without it, UK email/SMS marketing is unlawful.
Every campaign must include a one-click unsubscribe link. Honour requests within 24 hours.
Segregate UK-resident records and apply UK-specific rules — even if your dataset is multi-country.
If you're calling, screen against TPS unless you have specific call-marketing consent on file.
Keep audit trails of consent provenance, opt-out actions, and suppression updates.

Common PECR mistakes

Relying on UK GDPR legitimate interest for cold consumer email. Doesn't work — PECR overrides.
Treating soft opt-in as broad. The exception is narrow; bought lists are out of scope.
Forgetting TPS for phone calls. A non-issue for email-only campaigns but catches anyone running phone follow-up on email leads.
Missing the 24-hour suppression standard. Late suppression often surfaces as repeat-marketing complaints — the highest-risk PECR enforcement trigger.

For broader compliance coverage see our NRI Compliance Masterclass.

Ready to put this into action?

NRI Financial Services has verified, opt-in NRI marketing data for the UK, UAE, and USA — segmented by remittance, real estate, tax, shopping, travel, and card-spending behaviours. Pick a segment and click Buy Access to get started, or email contact@nrifinancialservices.com for a free 50-row sample.