Cold email under PECR regulation 22: what UK B2B teams can and cannot send

If your team sends UK B2B email outreach in 2026, regulation 22 of the Privacy and Electronic Communications Regulations 2003 is the thing you most need to understand correctly. Most don't. The split between 'corporate subscriber' and 'individual subscriber' under PECR is not the same as the split between 'business email' and 'personal email' under casual usage, and the gap is where the fines come from.

This piece is a practitioner walkthrough of regulation 22 specifically, what UK B2B sales teams can do under it, and the four common ways teams trip up.

What regulation 22 actually says

Regulation 22 of PECR (as amended) prohibits sending unsolicited email or SMS marketing to an individual subscriber without that subscriber's prior consent. The two key terms:

• Individual subscriber: a person who has the contractual relationship with the email service. For consumer email (gmail, outlook.com, hotmail.com), the individual is always the subscriber. For sole traders and unincorporated partnerships outside Scotland, the trader IS the subscriber.
• Corporate subscriber: a body corporate, an LLP, a Scottish partnership, or a public body. PECR does not apply to corporate subscribers in regulation 22's terms.

The corporate subscriber exemption is what makes UK B2B cold email lawful. You can email lucy@bigco.com without consent because BigCo is a corporate subscriber. PECR regulation 22 does not engage.

The trap: UK GDPR engages even when PECR does not

Regulation 22's exemption for corporate subscribers is about the subscriber. It says nothing about the data subject. Lucy is a named individual; her email address is personal data; UK GDPR engages.

The practical effect: you don't need consent under PECR to email Lucy at BigCo, but you do need a lawful basis under UK GDPR. The standard lawful basis for UK B2B prospecting is legitimate interest (now formally recognised under the Data (Use and Access) Act 2025). To rely on legitimate interest you must:

• Document a Legitimate Interests Assessment (LIA) for the campaign type, signed off by your data-protection lead.
• Provide a privacy notice in the first message or linked from it.
• Honour data-subject rights: erasure, objection, access. An unsubscribe link covers the routine objection path; the rest you have to handle on demand.
• Apply suppression: if Lucy unsubscribes, every future campaign across your organisation must respect that.

The corporate subscriber exemption gets you out of regulation 22 of PECR. UK GDPR is what's left.

What you can do under regulation 22

A UK B2B cold email campaign that complies with regulation 22 looks like this:

• Recipient is at a corporate subscriber (limited company, LLP, public body, or a Scottish partnership).
• Email is identifiably from your organisation. The 'from' address is a real corporate address and the sender's identity is clear.
• The email contains a clear and free opt-out mechanism (an unsubscribe link).
• You have applied UK GDPR-compliant data sourcing with a documented LIA.
• The recipient has not previously objected to receiving email from your organisation (suppression list is current within 28 days).

Within those guardrails, regulation 22 does not require prior consent. You can email cold.

What you cannot do

You cannot email sole traders without consent. A sole trader operating as 'Jane Bloggs t/a Bloggs Consulting' is an individual subscriber under PECR. The corporate subscriber exemption does not apply. Regulation 22 requires prior consent. This is the single most-common UK B2B email mistake.

How to detect a sole trader on a list: their domain is normally a custom personal domain or a freemail address; their LinkedIn shows them as 'Founder, [their name] Consulting'; Companies House has no record of an incorporated entity at that name. If your list has a meaningful proportion of sole-trader-shaped recipients (independent consultants, freelancers, micro-agencies), you must screen them out of regulation-22-exempt campaigns.

You cannot email unincorporated partnerships outside Scotland. Same legal status as sole traders for PECR purposes. Scottish partnerships are legally distinct (they have legal personality under Scottish law) and are corporate subscribers. English / Welsh / Northern Irish partnerships are not. This is a quirk; respect it.

You cannot email a personal email address that happens to belong to a working professional. lucy.bloggs@gmail.com is the individual's address even if Lucy uses it for work. If your list contains a freemail address, regulation 22 requires prior consent.

You cannot get away with 'we bought the list and the broker had consent'. The ICO's March 2025 enforcement action against a UK compensation company (90,000 pounds for unlawful marketing calls) confirmed that broker-collected consent does not transfer to the calling organisation unless the calling organisation was named at the point of collection. The same logic applies to email. The broker's consent stamp is not your consent stamp.

Operational checklist

Before any UK B2B email campaign:

• List sourced with documented compliance position from the data provider; written confirmation of the legal basis under which the data was collected.
• Sole-trader and unincorporated-partnership records identified and segmented out of regulation-22-exempt campaigns.
• Freemail-domain records identified and segmented out unless you have prior consent.
• LIA documented for the campaign type; sign-off from data-protection lead on file.
• First email discloses sender identity and organisation, and contains a working unsubscribe link.
• Privacy notice accessible from your domain.
• Suppression list updated within 28 days of any opt-out request.

When in doubt

If the recipient's status is ambiguous (e.g. you can't tell whether they're a sole trader from public information), the conservative position is consent-based outreach for that segment. The cost of conservative outreach is lower volume; the cost of being wrong is an ICO complaint and a public penalty.

The ICO's full updated direct-marketing guidance is due in spring 2026 and will likely tighten the operational expectations further. Teams that build the discipline now do not have to retrofit it under deadline pressure.

This is editorial coverage, not legal advice. Consult counsel on your specific data flows.