Opt-In, Double Opt-In and Soft Opt-In: UK Email Consent Guide

MailGraf
Apr 9, 2026

Opt-in means a person actively agrees to receive email from you. It sounds simple, but in the UK the rules around email consent have layers that many teams overlook, and the cost of getting it wrong is real. The ICO (Information Commissioner's Office) can impose fines of up to £17.5 million or four percent of global turnover under UK GDPR (General Data Protection Regulation), and PECR (Privacy and Electronic Communications Regulations) adds its own penalties on top.

Permission-based lists consistently outperform unsolicited ones. Campaigns sent to opted-in subscribers see average open rates of 20–30%, while purchased or scraped lists hover around 2–5% (Campaign Monitor, 2024). The gap is not just about performance: sending without proper consent risks fines, blocks from inbox providers, and lasting damage to your sender reputation.

This guide covers what opt-in means, how single opt-in, double opt-in and the UK-specific soft opt-in differ, and how to build a compliant, high-quality email list.

Key terms explained

Before diving in, here are the core concepts you will see throughout this guide:

| Term | What it means |
|---|---|
| Opt-in | A person actively agrees to receive marketing email from you |
| Single opt-in | The subscriber fills in a form and is added to the list, with no confirmation step |
| Double opt-in (DOI) | The subscriber fills in a form, receives a confirmation email, and clicks a verification link before being added |
| Soft opt-in | A UK-specific PECR rule allowing you to email existing customers about similar products without fresh consent, provided you gave them an opt-out at the point of collection and in every message |
| Opt-out | A person withdraws consent or unsubscribes; you must stop sending immediately |
| PECR | Privacy and Electronic Communications Regulations, the UK law that governs electronic marketing, including email and SMS |
| UK GDPR | The UK version of the EU General Data Protection Regulation, governing how personal data (including email addresses) is collected, stored and processed |
| ICO | The Information Commissioner's Office, the UK's independent data protection regulator that enforces both PECR and UK GDPR |

Single opt-in vs double opt-in

The two main methods of collecting email consent differ in one critical step: verification.

Single opt-in adds the subscriber to your list the moment they submit the form. There is no confirmation email. The list grows faster, but unverified addresses, typos and spam traps can slip through.

Double opt-in sends a confirmation email after the form is submitted. The subscriber clicks a verification link to prove the address is real and that they genuinely want to hear from you. Only then are they added. You lose roughly 15–25% of sign-ups who never click the confirmation link (Litmus, 2024), but the contacts who remain are verified, engaged and far less likely to bounce or complain.

| Criterion | Single opt-in | Double opt-in |
|---|---|---|
| Confirmation step | 1 (form only) | 2 (form + email verification) |
| List growth speed | Faster | Slower |
| Email address verified | No | Yes |
| Bounce risk | Higher | Lower |
| Spam complaint risk | Higher | Lower |
| Legal evidence strength | Weaker | Stronger (timestamp + IP + click record) |
| Recommended for | B2B quick capture | B2C and scenarios requiring clear consent proof |

At MailGraf we enable double opt-in by default for every new account. The reason is straightforward: lists built through DOI consistently produce 1.5 to 2 times higher open rates compared to single opt-in lists across our customer base.

The UK soft opt-in rule under PECR

This is where UK email law differs significantly from most other markets. PECR Regulation 22 sets the baseline: you must not send marketing emails to individuals without their specific consent. But there is one important exception: the soft opt-in.

What the soft opt-in allows

According to the ICO's official guidance on electronic mail marketing, the soft opt-in lets you email your own existing customers without fresh consent, provided all four conditions are met:

  1. You collected the contact details during a sale or negotiation of a sale of a product or service
  2. You are marketing similar products or services to what they originally bought or enquired about
  3. You gave them a clear and simple way to opt out when you first collected their details (for example, an unticked checkbox)
  4. You include an opt-out mechanism in every message you send (an unsubscribe link)

If any one of these conditions is missing, the soft opt-in does not apply and you need specific consent.

What the soft opt-in does not cover

The ICO is explicit about the limits:

  • Prospective customers or new contacts: soft opt-in only applies to people who have already bought from you or actively negotiated a purchase
  • Purchased or rented lists: these contacts have no prior relationship with you
  • Non-commercial promotions: charity fundraising and political campaigns historically fell outside the soft opt-in, though the Data (Use and Access) Act 2025 is introducing a charitable purpose soft opt-in expected to take effect in 2026
  • Sole traders and some partnerships: these are treated as individuals under PECR, meaning the same consent rules apply as for any other person

Soft opt-in vs explicit consent: when to use which

| Scenario | Soft opt-in applies? | Action needed |
|---|---|---|
| Existing customer, similar product, opt-out offered at sign-up | Yes | Send with unsubscribe link in every email |
| Existing customer, completely different product category | No | Obtain fresh consent |
| Prospective customer who downloaded a guide | No | Obtain explicit opt-in consent |
| Contact from a purchased list | No | Do not send; obtain consent first |
| Corporate email at a company (info@, sales@) | Different rule | PECR email rules do not apply to corporate bodies, but UK GDPR may still apply if the address identifies an individual |

When you can email businesses without consent

PECR treats corporate bodies differently from individuals. You can send marketing email to a company, LLP (limited liability partnership) or government body without prior consent. However, the ICO recommends keeping a "do not email" list of any businesses that object, and screening future sends against it.

There is an important nuance: if a business email address identifies a specific person (such as firstname.lastname@company.co.uk), UK GDPR data protection rules may still apply even though PECR's email marketing consent rule does not. The practical advice is to respect opt-out requests regardless of the address format.

How to build a permission-based email list

A compliant, high-quality list takes longer to build than scraping directories or buying databases, but the performance difference is dramatic. Here are the most effective methods:

Add opt-in forms to your website. Three formats work well: an inline form embedded in blog posts or sidebars, a popup form triggered by exit intent or time delay (effective when timed well, counterproductive when overused), and a dedicated landing page designed purely for email capture, ideal for pairing with ad campaigns. Keep the form short. At a minimum, ask for an email address and provide a subscribe button. Every additional field you add reduces completion rates.

Offer a lead magnet. People trade their email for something useful. Examples that convert well: a downloadable guide or checklist relevant to your industry, a discount code for first-time buyers, free access to a webinar or tutorial, or a tool or template they can use immediately. The more specific and immediately usable the offer, the higher the conversion rate. "Subscribe to our newsletter" alone rarely motivates action.

Use offline channels. Collect email addresses at trade shows, conferences and in-store interactions. A QR code linking to your sign-up form works well in physical settings. These contacts enter as single opt-in but are less likely to complain because they met you in person. Send a confirmation email promptly so the interaction is still fresh.

Always offer a clear opt-out at the point of collection. Under PECR, even when using the soft opt-in, you must give people a simple way to decline marketing at the moment you collect their details, not just in later emails. An unticked checkbox with clear language is the standard approach.

Double opt-in: setup and best practices

Setting up double opt-in involves four steps:

1. Create the sign-up form. Keep it minimal: email field, subscribe button, and a one-line privacy note. Something like "By subscribing you agree to receive our email newsletter. You can unsubscribe at any time." Avoid pre-ticked boxes: under UK GDPR, consent must be a clear affirmative action.

2. Send the confirmation email immediately. When the subscriber submits the form, trigger an automated verification email within seconds. The email should be short, contain a single clear call to action ("Confirm your subscription"), and include no marketing content. Late confirmation emails, arriving ten or fifteen minutes after sign-up, see significantly lower verification rates because the subscriber has moved on.

3. Redirect to a thank-you page after verification. Once the subscriber clicks the confirmation link, take them to a page that confirms their subscription and optionally presents your first value offer: a welcome discount, a free resource or a preview of what to expect. This is the moment of highest engagement. Starting a welcome email automation from this point is highly effective. Pair it with proper email segmentation to send the right follow-up content to each new subscriber.

4. Send a single reminder if confirmation does not arrive. If the verification email goes unopened, send one reminder after 24 to 48 hours. If there is still no confirmation, do not add the contact. An unverified address on your list is a liability, not an asset.
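The four steps above, sketched as an added example (not MailGraf's code): a signed confirmation token gates list membership, and the consent record keeps the sign-up timestamp, IP address and confirmation click. The HMAC token format, the 72-hour link lifetime, the in-memory stores and all function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

SECRET = secrets.token_bytes(32)   # assumption: per-deployment signing key
TOKEN_TTL = 72 * 3600              # assumption: link lifetime, leaves room for one reminder

pending = {}     # email -> sign-up evidence; not mailable yet
confirmed = {}   # email -> full consent record (the audit trail)

def _sign(email, issued):
    msg = f"{email}|{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def sign_up(email, ip, now=None):
    """Steps 1-2: store the form submission, return the token for the emailed link."""
    issued = int(now if now is not None else time.time())
    email = email.strip().lower()
    pending[email] = {"signup_ts": issued, "signup_ip": ip}
    return f"{issued}.{_sign(email, issued)}"

def confirm(email, token, ip, now=None):
    """Step 3: verify the clicked link; only a valid click adds the contact."""
    now = int(now if now is not None else time.time())
    email = email.strip().lower()
    if email in confirmed:
        return "already_confirmed"   # a repeat click must not rewrite the evidence
    try:
        issued_s, mac = token.split(".", 1)
        issued = int(issued_s)
    except ValueError:
        return "invalid"
    # Constant-time comparison; bytes on both sides so odd input cannot raise.
    if not hmac.compare_digest(mac.encode(), _sign(email, issued).encode()):
        return "invalid"
    rec = pending.get(email)
    if rec is None or rec["signup_ts"] != issued:
        return "invalid"             # token from a superseded or unknown sign-up
    if now - issued > TOKEN_TTL:
        pending.pop(email, None)     # step 4: never confirmed, so never added
        return "expired"
    confirmed[email] = {**pending.pop(email), "confirm_ts": now, "confirm_ip": ip}
    return "confirmed"
```

Binding the token to the address and the sign-up time means a link issued for one subscriber cannot confirm another, and an expired or tampered link leaves the list unchanged.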

How opt-in and consent work in MailGraf

MailGraf handles consent collection through subscription forms and double opt-in workflows built into the platform.

When you create a subscription form in MailGraf, the system generates a form you can embed on your website or use as a standalone landing page. Double opt-in is enabled by default: every new subscriber receives an automated confirmation email and is only added to the list after clicking the verification link.

The platform records consent proof automatically: the timestamp of the original sign-up, the IP address, and the confirmation click. This audit trail is important for demonstrating compliance if the ICO ever requests evidence of consent.

For teams using the soft opt-in with existing customers, MailGraf's contact filters let you segment your list by purchase history and engagement. You can create a dynamic filter such as "purchased in the last 12 months AND has not opted out" to ensure your soft opt-in emails go only to contacts who qualify under PECR.

Every email sent through MailGraf includes an unsubscribe link by default. When a subscriber clicks it, they are removed from future sends automatically, with no manual intervention needed. This satisfies the PECR requirement to include an opt-out in every message. Combined with proper SPF, DKIM and DMARC authentication, a permission-based list gives your campaigns the best possible foundation for reaching the inbox.

Common opt-in mistakes that risk compliance

Using pre-ticked consent boxes. Under UK GDPR, consent must be a deliberate action. A pre-ticked checkbox does not count; the subscriber must actively tick it. The ICO has been clear on this point and has issued fines for organisations that rely on pre-ticked boxes.

Treating a business card as consent. Someone handing you a card at a conference has not opted in to your email marketing. Send a follow-up email asking whether they would like to subscribe; do not add them to your campaign list directly.

Confusing soft opt-in with blanket permission. Soft opt-in has strict conditions. It only applies to existing customers, for similar products, with an opt-out offered at collection and in every message. Using it to email an entire CRM database that includes prospects, leads and contacts from years ago is a compliance breach.

Failing to honour unsubscribes promptly. PECR requires you to act on opt-out requests. Delays in processing unsubscribes, even technical ones, can result in complaints to the ICO. Automate the process so that unsubscribe requests take effect immediately.

Not keeping consent records. If the ICO asks how a subscriber joined your list, you need to show when they opted in, how, and whether they confirmed. Without this audit trail, you have no defence. Double opt-in creates this record automatically.

Frequently asked questions

Is double opt-in required by UK law?

Not explicitly. Neither UK GDPR nor PECR mandates double opt-in as the only acceptable method. However, double opt-in creates the strongest evidence of consent (timestamp, IP address and confirmation click), which makes it the safest approach if your consent is ever challenged. The ICO considers it best practice.

What is the difference between the soft opt-in and explicit consent?

Explicit consent means the person actively agreed to receive marketing from you, for example by ticking an opt-in box. The soft opt-in is a PECR exception that allows you to email existing customers about similar products without fresh consent, as long as you offered an opt-out at the point of data collection and include one in every email. Explicit consent covers all scenarios; soft opt-in is limited to existing customer relationships.

Can I email businesses without consent in the UK?

Under PECR, you can send marketing email to corporate bodies (companies, LLPs, government bodies) without prior consent. However, sole traders and some partnerships are treated as individuals and require consent. Even for corporate bodies, keeping a "do not contact" list and honouring opt-out requests is both good practice and good business sense.

What happens if I send marketing email without proper consent?

The ICO can investigate complaints and issue enforcement notices or fines. Under UK GDPR, fines can reach £17.5 million or four percent of global turnover. PECR carries its own penalty powers. Beyond fines, inbox providers like Gmail and Outlook will flag your domain if spam complaints rise, which damages your deliverability across the board.

How does the 2025 Data (Use and Access) Act affect email consent?

The Data (Use and Access) Act 2025, which came into law on 19 June 2025, introduces changes to direct marketing rules including an extension of the soft opt-in to charities. The ICO is updating its guidance accordingly. The core principles (consent for individuals, soft opt-in for existing customers) remain intact, but the scope is widening. Check the ICO website for the latest updates as new guidance is published.

Should I use single or double opt-in?

For most UK businesses, double opt-in is the safer and more effective choice. It verifies email addresses, reduces bounce rates, lowers spam complaints and creates a clear consent record. The only scenario where single opt-in makes sense is B2B lead capture where speed matters and you plan to send a confirmation or welcome email immediately after sign-up.

Originally published: Apr 9, 2026


MailGraf is a trading name of MailGraf Digital Ltd, registered in England and Wales, No. 13282175.