Disclosure: This page contains affiliate links.
UK GDPR applies to how you collect, store, and process personal data — including your customers’ email addresses. This guide covers what it actually requires for email marketing, written in plain English and sourced directly from the ICO’s guidance.
This guide is not legal advice. For specific legal questions about your business, consult a solicitor. All regulatory claims in this guide are sourced to ico.org.uk — links are provided throughout.
The legal framework: UK GDPR and PECR
Email marketing in the UK is governed by two overlapping pieces of legislation.
UK GDPR (the retained EU General Data Protection Regulation) governs how personal data — including email addresses — is collected, stored, and processed. It applies to any organisation that processes personal data about individuals in the UK.
PECR (the Privacy and Electronic Communications Regulations 2003) specifically governs electronic marketing communications, including marketing emails. PECR requires prior consent for direct marketing emails to individual consumers.
Both apply to email marketing. UK GDPR governs your data processing relationship with customers; PECR governs whether you are allowed to send them marketing email at all.
Source: ICO direct marketing guidance — ico.org.uk/for-organisations/direct-marketing-guidance/
Consent for marketing emails
Under PECR, you need prior consent to send marketing emails to individual consumers (B2C). The ICO’s definition of valid consent is specific.
Consent must be:
- Freely given — no bundling consent with terms of service or making consent a condition of purchase
- Specific — subscribers must know what they are signing up for (marketing emails from your store, not a vague “updates”)
- Informed — clear identification of who is sending the emails
- Unambiguous — an active opt-in action (ticking a box). Pre-ticked boxes do not count.
Source: ICO consent guidance — ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/
What this means in practice for Shopify stores:
Your checkout flow should have an unticked opt-in checkbox for marketing emails, clearly labelled. Something like: “I’d like to receive email updates and promotions from [Store Name].” Pre-ticking this box is not valid consent. Not including a checkbox and assuming all customers consent to marketing is not valid consent.
For pop-up signup forms on your store, the “Subscribe” button click is the opt-in action — this is valid consent if the form clearly states what the subscriber is signing up for.
B2B emails and legitimate interests
For emails sent to business email addresses (e.g. contact@company.co.uk), the rules are less restrictive. The soft opt-in rule under PECR applies, and legitimate interests may be an available lawful basis under UK GDPR.
However, personal email addresses used for business (e.g. john@smith.co.uk or firstname@gmail.com used professionally) are treated as individual addresses, not corporate addresses. Consent is required for these.
Source: ICO legitimate interests guidance — ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/
Data residency and international transfers
When you use an email marketing tool, you are transferring your customers’ personal data to a third party and often to a server in another country. UK GDPR restricts transfers of personal data outside the UK unless a lawful transfer mechanism is in place.
Lawful transfer mechanisms:
- Adequacy regulations — the UK has made adequacy decisions for certain countries, including the EU (via the EU–UK adequacy decision, still in force as of April 2026). Transfers to EU-based email marketing tools are covered.
- UK–US Data Bridge — operational from October 2023, this allows transfers to US organisations that have self-certified under the scheme. Some US email marketing tools are covered; verify for each specific tool.
- Standard contractual clauses (SCCs) — contractual protections that can be used when no adequacy decision exists. Require additional documentation.
Source: ICO international transfers guidance — ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/
What this means in practice:
| Tool | Data location | Transfer mechanism |
|---|---|---|
| Omnisend | EU (Amsterdam) | EU–UK adequacy |
| GetResponse | EU (Poland) | EU–UK adequacy |
| Brevo | EU (France) | EU–UK adequacy |
| Dotdigital | UK or EU | No transfer needed |
| Klaviyo | EU (if selected at signup) | EU–UK adequacy |
| Klaviyo (default) | US | UK–US Data Bridge or SCCs |
| ActiveCampaign Standard | US | UK–US Data Bridge or SCCs |
| Mailchimp | US | UK–US Data Bridge or SCCs |
The simplest path to compliance: use a tool that stores data in the EU by default (Omnisend, GetResponse, or Brevo). This satisfies the transfer requirement via the EU–UK adequacy decision without additional documentation.
Data Processing Agreements
Under UK GDPR, if you use an email marketing tool to process personal data on your behalf, the tool is a data processor and you must have a written Data Processing Agreement (DPA) in place.
This is a legal requirement, not a best practice. The DPA sets out what the processor can do with the data, the security measures they apply, and the obligations they owe you.
All major email marketing tools make their DPA available. For most tools, this is either in account settings or available on request. The DPA should be in place before you import any customer data.
DPA availability by tool:
| Tool | DPA location |
|---|---|
| Omnisend | Account settings |
| GetResponse | Account settings |
| Brevo | Account settings |
| Klaviyo | Via support request |
| ActiveCampaign | Account settings |
| Mailchimp | Account settings (Standard Data Processing Addendum) |
Double opt-in
Double opt-in (DOI) is a two-step subscription process: a subscriber signs up, then confirms their subscription by clicking a link in a confirmation email. Only after that confirmation are they added to your marketing list.
Is double opt-in required by UK GDPR? No. The ICO does not mandate double opt-in. However, the ICO recommends it as best practice because it provides a clearer evidence trail for consent — you have a record of the confirmation click as evidence that consent was actively given.
Should you use it? For most UK Shopify stores, yes. The drop-off from confirmation emails is typically 10–20% of signups, which is a real cost. But the quality of the resulting list is higher — lower complaint rates, better deliverability, and cleaner consent documentation.
ICO registration
If you process personal data, you are likely required to register with the ICO. The fee is £40/year for small organisations (turnover under £632,000, fewer than 10 staff). Registration takes approximately 15 minutes at ico.org.uk/registration.
An exemption may apply if your data processing is limited to staff administration or core business functions that do not involve marketing or sales. For any business that sends marketing emails, registration is required.
GDPR compliance checklist for UK email marketers
- Collect consent via an active opt-in mechanism (unticked checkbox or explicit subscribe button)
- Store consent records (when, how, what was agreed to)
- Have a DPA in place with your email marketing tool
- Ensure your email tool stores data in the EU/UK or has an adequate transfer mechanism
- Include an unsubscribe link in every marketing email
- Have a privacy policy that covers your email marketing data processing
- Register with the ICO (ico.org.uk/registration)
- Double opt-in recommended but not legally required
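The double opt-in flow described above, together with the checklist item "store consent records (when, how, what was agreed to)", as an added Python example. This is not code from the page or from any of the email tools it names. It assumes a per-deployment secret key, an in-memory dict standing in for the subscriber database, and an HMAC-signed, time-limited token as the way the confirmation link is built; the hypothetical `opted_in` flag stands for whether the shopper actually ticked an unticked box or pressed "Subscribe".

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, asdict
from typing import Callable, Dict, Optional


@dataclass
class ConsentRecord:
    """The evidence trail the ICO guidance asks for: when, how, and to what."""
    email: str
    consent_text: str        # the exact wording shown next to the opt-in control
    source: str              # e.g. "checkout_checkbox" or "popup_form" (assumed labels)
    requested_at: int        # unix time of the active opt-in action
    confirmed_at: Optional[int] = None   # unix time of the confirmation click
    status: str = "pending"  # "pending" until the confirmation link is used


class DoubleOptIn:
    def __init__(self, secret: bytes, ttl: int = 48 * 3600,
                 now: Callable[[], float] = time.time) -> None:
        self.secret = secret            # assumption: loaded from config in a real deployment
        self.ttl = ttl                  # how long a confirmation link stays valid
        self.now = now                  # injectable clock so expiry can be tested
        self.records: Dict[str, ConsentRecord] = {}   # stand-in for a database table
        self.marketing_list: set = set()              # addresses you may actually email

    def _sign(self, email: str, issued_at: int) -> str:
        msg = f"{email}|{issued_at}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def request_subscription(self, email: str, consent_text: str,
                             source: str, opted_in: bool) -> str:
        """Step 1: record the opt-in and return the token for the confirmation link.

        A pre-ticked box or a missing checkbox gives opted_in=False and is refused,
        because there was no active opt-in action to record.
        """
        if not opted_in:
            raise ValueError("no active opt-in action; cannot record consent")
        issued = int(self.now())
        self.records[email] = ConsentRecord(email, consent_text, source, issued)
        return f"{issued}.{self._sign(email, issued)}"

    def confirm(self, email: str, token: str) -> bool:
        """Step 2: the subscriber clicked the link. Only now do they join the list."""
        try:
            issued_str, sig = token.split(".", 1)
            issued = int(issued_str)
        except ValueError:
            return False                                   # malformed token
        if not hmac.compare_digest(sig, self._sign(email, issued)):
            return False                                   # forged or tampered
        if self.now() - issued > self.ttl:
            return False                                   # stale link; re-request needed
        rec = self.records.get(email)
        if rec is None:
            return False                                   # no pending request on file
        if rec.status == "confirmed":
            return True                                    # idempotent re-click
        rec.status = "confirmed"
        rec.confirmed_at = int(self.now())
        self.marketing_list.add(email)
        return True

    def can_send_marketing(self, email: str) -> bool:
        """Send-time check: pending or unknown addresses never get marketing mail."""
        return email in self.marketing_list

    def consent_evidence(self, email: str) -> Optional[dict]:
        """What you would produce if asked to demonstrate consent for this address."""
        rec = self.records.get(email)
        return asdict(rec) if rec else None


if __name__ == "__main__":
    doi = DoubleOptIn(secret=b"replace-with-config-secret")
    # Constructed sample signup from a checkout checkbox the shopper ticked themselves.
    token = doi.request_subscription(
        "shopper@example.com",
        "I'd like to receive email updates and promotions from Example Store.",
        "checkout_checkbox", opted_in=True)
    print("can send before confirm:", doi.can_send_marketing("shopper@example.com"))
    print("confirmed:", doi.confirm("shopper@example.com", token))
    print("can send after confirm:", doi.can_send_marketing("shopper@example.com"))
    print(doi.consent_evidence("shopper@example.com"))
```

The send-time check is the part worth copying: whatever the list tool does, the address is only usable after `confirm` has succeeded, and the record holds the wording, the source, and both timestamps so the consent can be evidenced later.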
For a tool-by-tool GDPR assessment, see our best email marketing for UK Shopify stores guide.
Frequently asked questions
Do I need consent to send marketing emails under UK GDPR?
Yes, for B2C marketing emails to individuals. Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes do not constitute valid consent. For B2B emails to business addresses, legitimate interests may apply — but consent is the safer basis and required for emails to personal/hybrid addresses.
Is my email marketing tool GDPR compliant if it stores data in the US?
It can be, but it requires additional steps. You must have a lawful transfer mechanism: either the tool is covered by the UK–US Data Bridge, or you have signed standard contractual clauses (SCCs) with the tool. The safest approach is to use a tool that stores data in the EU or UK by default.
Do I need a Data Processing Agreement with my email marketing tool?
Yes. Under UK GDPR, if you are using an email marketing tool to process personal data on your behalf, that tool is a data processor and you must have a written DPA in place. Most major tools make this available in account settings.
What is double opt-in and is it required by UK GDPR?
Double opt-in is a two-step confirmation process — a subscriber signs up, then confirms via email before being added to your list. It is not legally required by UK GDPR, but it is best practice and recommended by the ICO because it provides a stronger evidence trail for consent.