What are the rules for marketing to consumers vs businesses?

By SuLe · Updated 19 May 2026

Marketing to consumers is the stricter regime: electronic marketing to them generally needs consent under PECR, and it triggers consumer-protection law. Marketing to businesses is looser — corporate contacts sit outside PECR's consent rule — but UK GDPR and an opt-out still apply. The dividing line runs between individual subscribers and corporate subscribers, plus an extra layer of consumer law in B2C.

Get expert legal advice before you sign.

Book a free 20-minute call

Key facts

  • Electronic marketing to individual subscribers (consumers, sole traders, most partnerships) generally needs consent under PECR.
  • Marketing to corporate subscribers at limited companies sits outside PECR's consent rule — but UK GDPR still applies.
  • The soft opt-in lets you email your own existing customers about similar products without fresh consent.
  • Consumer marketing also engages consumer-protection law, enforced by the CMA under the Digital Markets, Competition and Consumers Act 2024.
  • Cookie-consent rules apply to B2B and B2C sites alike — the split affects email marketing, not cookies.

What's the core difference between B2C and B2B marketing rules?

Who the recipient is. PECR — the Privacy and Electronic Communications Regulations — divides recipients into individual subscribers and corporate subscribers, and treats them very differently for electronic marketing.

Individual subscribers are consumers, sole traders and most partnerships. Marketing email to them generally needs prior consent. Corporate subscribers — named people at limited companies, LLPs and public bodies — sit outside that consent rule, so B2B outreach is looser.

But "looser" is not "unregulated". A business email address that identifies a person is still personal data, so UK GDPR always applies underneath PECR, whichever side of the line you are on.


What extra rules apply when marketing to consumers?

A whole layer of consumer-protection law that B2B avoids. On top of PECR consent, marketing to consumers must not be misleading or unfair — and that regime now has real teeth.

The Digital Markets, Competition and Consumers Act 2024 lets the CMA fine consumer-law breaches directly, up to 10% of global turnover. It specifically targets fake reviews and drip pricing — advertising one price then adding unavoidable fees at checkout.

The consumer provisions came into force in phases from 2025, so check the current commencement position rather than assuming a date. The practical message for founders: consumer marketing carries reputational claims-and-pricing rules that business marketing does not.


What still applies when I market to businesses?

UK GDPR and basic fairness, always. Even though corporate subscribers escape PECR's consent rule, the person behind someone@company.com has data protection rights.

So B2B marketing needs a UK GDPR lawful basis — usually legitimate interests — a prompt, honoured opt-out, and clear identification of who you are. Send only relevant, targeted messages, and keep evidence of your legitimate-interests reasoning.

You also cannot dodge the rules by mislabelling. A sole trader or an individual's personal email is an individual subscriber even in a business context, so treating "any work-ish contact" as fair game for cold email will catch people the consent rule protects.

RuleConsumers (B2C)Businesses (B2B)
Electronic marketingConsent, or soft opt-in for existing customersNo PECR consent needed for corporate subscribers
Underlying UK GDPRApplies — lawful basis + opt-outApplies — usually legitimate interests + opt-out
Consumer-protection law (DMCC 2024)Applies — no misleading claims or drip pricingDoes not apply
Cookie consent (PECR)AppliesApplies

Do cookies and website rules differ too?

No — and this catches people out. PECR's cookie-consent rule applies to any website with non-essential cookies, regardless of whether your audience is consumers or businesses.

So a purely B2B SaaS marketing site still needs a compliant cookie banner for its analytics and advertising cookies. The B2C/B2B distinction changes the email-marketing consent position; it does not touch the cookie position.

Treat cookies as a flat requirement across both audiences, and reserve the "who is the subscriber?" analysis for direct marketing. Mixing the two up leads founders to under-protect a B2B site's cookies on the false belief that "business audiences are exempt".


Worked example

Bea runs Craftly, which sells a design tool to both hobbyist consumers and small studios. Her marketing splits along the B2C/B2B line automatically.

For consumer sign-ups, she relies on consent captured at registration, or the soft opt-in for existing customers, and she is careful that her pricing shows all fees upfront — no drip pricing — to stay clear of the CMA's consumer regime. For studios that are limited companies, she prospects named contacts on a legitimate-interests basis with a clear opt-out.

One "studio" turns out to be a sole trader using a personal email. Bea moves that contact to the consumer track, because a sole trader is an individual subscriber needing consent. Her cookie banner, meanwhile, runs identically for every visitor.


Where founders go wrong

  • Treating all business contacts as consent-free.

    Sole traders and personal emails are individual subscribers, even in a business setting.
  • Forgetting UK GDPR in B2B.

    Corporate subscribers escape PECR consent, but the person's data still needs a lawful basis and opt-out.
  • Drip pricing to consumers.

    Hidden checkout fees are squarely targeted by the CMA under the DMCC 2024 — check commencement, then avoid it.
  • Under-protecting a B2B site's cookies.

    Cookie consent applies to business-facing sites too; the audience does not exempt you.

Related questions

Is marketing to businesses easier than marketing to consumers?

Generally yes, for electronic direct marketing. PECR's consent rule applies to individual subscribers — consumers, sole traders and most partnerships — but not to corporate subscribers at limited companies. So B2B email is looser. But UK GDPR still applies to the people behind business addresses, and consumer-protection law adds rules that only bite in B2C.

What consumer-protection rules apply to B2C marketing?

Beyond PECR consent, consumer marketing engages the ban on misleading and unfair practices, now enforced by the CMA under the Digital Markets, Competition and Consumers Act 2024. That regime specifically targets fake reviews and drip pricing, with fines up to 10% of global turnover — check the current commencement position, as the consumer provisions came into force in phases from 2025.

Do the same cookie rules apply to B2B and B2C sites?

Yes. PECR's cookie-consent rule applies regardless of whether your audience is consumers or businesses — non-essential cookies need consent on any site. The B2B/B2C distinction changes the email-marketing consent position, not the cookie position, so a business-facing site still needs a compliant banner for analytics and advertising cookies.

Can I put a business on a marketing list without consent?

You can email a named person at a limited company without PECR consent, but you still need a UK GDPR lawful basis — usually legitimate interests — plus a prompt opt-out and clear identification. Consumers and sole traders are different: they need consent or the soft opt-in, so lumping every contact into one list risks breaching the rules for the individual subscribers on it. [More: Can I send cold emails under UK GDPR and PECR?]


The B2C/B2B line decides which rules you live under, and getting a single contact on the wrong side — or drip-pricing a consumer checkout — can turn marketing into an enforcement problem. A SuLe solicitor can segment your marketing correctly and keep you clear of both the ICO and the CMA. Book a free compliance check call and market to both audiences safely.

Keep reading: Can I send cold emails under UK GDPR and PECR? · Do I need a cookie banner on my website? · What does UK GDPR require from an early-stage startup? · Do I need terms and conditions and a privacy policy for my startup? · Does my startup need to register with the ICO? · Can I publicly advertise that my startup is raising money?

Primary sources: GOV.UK — Marketing and advertising: the law · ICO — For organisations

AI-generated content. General information, not legal advice.