GDPR & Outreach

PECR Explained for SaaS Founders

The Privacy and Electronic Communications Regulations govern UK cold outreach. Here's what SaaS founders actually need to know.

Albert Rosu · 5 min read

PECR — Privacy and Electronic Communications Regulations 2003 — is the UK law that decides whether you can legally send cold email to a prospect. Most cold-email tooling is US-first and doesn’t enforce the UK-specific rules. The result: UK founders casually breaching PECR without realising.

PECR in one paragraph

You can send unsolicited marketing email to UK corporate subscribers (Ltd, LLP) without prior consent — the B2B exemption. You cannot send unsolicited marketing email to individual consumers without consent — and that includes sole traders and non-LLP partnerships. PECR also requires clear sender identification and a working opt-out.

Who counts as a corporate subscriber

| Legal entity | PECR treatment |
| --- | --- |
| Ltd company | Corporate subscriber — B2B exemption applies |
| LLP | Corporate subscriber — B2B exemption applies |
| Sole trader | Individual consumer — consent required |
| Partnership (not LLP) | Individual consumer — consent required |
| Overseas companies (UK rep office) | Mixed — check case-by-case |

The sole trader trap

If you scrape contact data or buy a “UK B2B” list that has no legal-entity verification, you will hit sole traders. Most lists do. Every sole trader you email without consent is a PECR breach.

Under PECR + UK GDPR, consent must be freely given, specific, informed and unambiguous. Pre-ticked boxes don’t count. Scraped email addresses don’t come with consent. “Implied consent” from a contact being in your CRM doesn’t count.

The soft opt-in (regulation 22(3))

One narrow exception: if a person previously purchased or negotiated a purchase of similar products or services from you, you can email them about similar offerings — subject to an opt-out at the point of first collection and in every subsequent email. It does not apply to cold first-touch outreach.

Why PECR matters more than GDPR for outreach

UK founders often focus their compliance attention on GDPR. PECR is actually the more binding law for outbound marketing. The distinction matters:

  • GDPR governs how you store, process, and protect personal data. It applies once you hold the data.
  • PECR governs how you contact people electronically. It applies at the point of sending.

A campaign can be fully GDPR-compliant in its data handling and still breach PECR in its delivery. The ICO’s largest fines against UK B2B operators in recent years have come from PECR breaches more often than GDPR ones, precisely because PECR applies at the moment of sending, and sending is where the volume is.

How to implement the sole-trader filter

Protecting yourself from the sole-trader trap is a tooling and process question. The minimum required:

  1. Data source filtering. Only import contacts tied to a verified Companies House entity (Ltd or LLP). Sole-trader entries go into a separate bucket.
  2. At-send verification. Before any email goes out via your cold-email tool, check the contact record for a legal-entity flag. No flag = no send under the B2B exemption.
  3. Consent collection for sole traders. If your product genuinely serves sole traders, build a separate opt-in path — a landing page, a content download, a free tool — that collects unambiguous consent before any outreach.
  4. Segmented sending lists. Keep consented sole-trader contacts physically separate from corporate-subscriber lists. This makes audit trivial.
  5. Audit logs. Every send to a sole trader must be traceable to consent. If your tool cannot produce that audit on demand, it is the wrong tool.

This is unglamorous plumbing. It is also the single largest PECR compliance lever for most UK B2B operators.
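One way to combine steps 1, 2, 4 and 5 into a single pre-send gate, shown as an added example rather than code from this page or from LeadKing. The `Contact` fields, the rule that a corporate flag needs a stored company number, and the sample records are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Entity types treated as corporate subscribers in the table on this page.
CORPORATE = {"ltd", "llp"}

@dataclass
class Contact:                            # hypothetical record layout
    email: str
    entity_type: Optional[str] = None     # None = never verified at import
    company_number: Optional[str] = None  # registry reference captured at import
    consent_id: Optional[str] = None      # pointer to a stored consent record
    opted_out: bool = False

def lawful_basis(c: Contact) -> Optional[str]:
    """Return the basis for sending, or None when the send must be blocked."""
    if c.opted_out:
        return None                       # an opt-out beats every other basis
    if (c.entity_type or "").lower() in CORPORATE and c.company_number:
        return "b2b_exemption"
    if c.consent_id:
        return "consent"                  # sole traders, partnerships, unknowns
    return None                           # no flag and no consent: no send

def gate(contacts, audit_log):
    """Build one send list per basis and log every decision, sends and blocks."""
    lists = {"b2b_exemption": [], "consent": []}
    evidence_field = {"b2b_exemption": "company_number", "consent": "consent_id"}
    for c in contacts:
        basis = lawful_basis(c)
        audit_log.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "email": c.email,
            "decision": "send" if basis else "block",
            "basis": basis,
            "evidence": getattr(c, evidence_field[basis]) if basis else None,
        })
        if basis:
            lists[basis].append(c.email)
    return lists

# Constructed sample records: reserved .test addresses, placeholder references.
SAMPLE = [
    Contact("a@acme.example.test", "ltd", "PLACEHOLDER-0001"),
    Contact("b@solo.example.test", "sole_trader"),
    Contact("c@solo.example.test", "sole_trader", consent_id="consent-17"),
    Contact("d@unknown.example.test"),
    Contact("e@acme.example.test", "llp", "PLACEHOLDER-0002", opted_out=True),
]
```

Calling `gate(SAMPLE, log)` with an empty list `log` returns the two segregated send lists and leaves one audit entry per contact, so a blocked send is as traceable as an allowed one.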

What compliant cold email looks like

  • Sent only to Ltd / LLP contacts (for B2B exemption path) OR with documented consent (for sole traders)
  • Sender clearly identified (company name + registered address per Companies Act 2006 §82)
  • Subject line not misleading
  • Legitimate-interest balancing test documented
  • Working opt-out; one-click unsubscribe honoured within 24h

What happens if you breach

  • ICO warnings (informal) → ICO enforcement notices → ICO fines (£5K–£200K+ range based on scale)
  • Reputational damage (ICO publishes fines)
  • Domain reputation degradation from spam complaints

Enforcement examples

The ICO has published multiple enforcement notices over 2024–2026 against companies that sent unsolicited B2C marketing treating the recipients as B2B. The pattern: the ICO prefers warnings first, but fines after repeated offences.

Frequently asked questions

Does PECR apply to LinkedIn DMs? In-platform messaging on LinkedIn has historically fallen outside PECR’s “electronic mail” definition, because the Regulations focus on SMS and email. That does not exempt LinkedIn behaviour from LinkedIn’s own TOS, and it does not exempt any data you hold from UK GDPR. Treat LinkedIn as governed by TOS plus GDPR, not PECR.

What about calls? PECR regulates marketing calls too. Live unsolicited calls to Ltd companies are generally allowed unless the recipient is on the CTPS (Corporate Telephone Preference Service). Calls to sole traders require TPS compliance. Automated calls (pre-recorded) require prior consent regardless.

How does the B2B exemption interact with GDPR? The B2B exemption is specific to PECR. UK GDPR still requires a lawful basis for processing the personal data — usually legitimate interest with a balancing test. Both tests must be passed independently. The exemption lets you send; GDPR governs what you keep.

Is “your email was publicly listed” enough? It helps the balancing test but is not by itself sufficient. You still need a documented legitimate interest, a clear opt-out, and proportionate frequency. Public listing reduces the impact on the individual, not your compliance burden.

What if we genuinely do not know whether a contact is a sole trader or a Ltd? Then you do not send under the B2B exemption. The conservative rule is to assume individual subscriber until proven corporate. Annoying in theory, simple in practice once your filters are set up.

How LeadKing handles PECR

LeadKing verifies legal-entity status before enabling email outreach features (coming post-launch). Lead data is business-contact-only, sourced from public business records. Sole-trader identification triggers a flag in your workflow — you still own the decision to contact.

Not legal advice — consult your solicitor for your specifics.