PECR · ePrivacy · Direct marketing

Review outbound communications before they launch

Screen direct marketing, ePrivacy and consent evidence before a campaign goes out. Acompli reads the outbound artefact, flags issues against Ireland and UK rules, and routes the result to a human reviewer. AI screens; a person decides.

On this page
01

PECR & ePrivacy answer

Is a consent record a legal requirement for electronic marketing in Ireland and the UK?

Yes. In Ireland, Regulation 13 of S.I. 336/2011 — the ePrivacy Regulations enforced by the Data Protection Commission (DPC) — requires consent before sending unsolicited electronic marketing to individual subscribers, unless the ‘existing customer’ exemption applies. The UK mirrors this under PECR Regulation 22, enforced by the ICO.

Both run alongside the GDPR, so you need a consent or soft-opt-in record for the send and a lawful basis for the data. The DPC has brought prosecutions for unlawful electronic marketing, so the evidence record is what defends it. Acompli assembles that record per message — classification, recipient type, consent or soft-opt-in evidence, and the reviewer's decision — on the platform's immutable audit log.

Key takeaways

  • A consent or soft-opt-in record is legally required before unsolicited electronic marketing to individual subscribers — Regulation 13 of S.I. 336/2011 in Ireland (enforced by the DPC) and PECR Regulation 22 in the UK (enforced by the ICO).
  • ePrivacy and the GDPR are two separate checks. The ePrivacy rules govern the marketing send; the GDPR governs the underlying data and lawful basis. Passing one does not satisfy the other — you need both documented, per message.
  • The soft opt-in / ‘existing customer’ exemption shares four conditions in both regimes: details obtained in a sale or sale negotiation, marketing of similar products or services, an easy opt-out at collection, and an easy opt-out in every message. It is not available for most corporate-subscriber B2B email.
  • The evidence record is what defends the send. The DPC has brought prosecutions for unlawful electronic marketing, so the per-message audit log — classification, recipient type, lawful basis or consent, suppression and unsubscribe status — is the pack the DPC or ICO expects.
02

Ireland vs UK

How the soft opt-in differs between Ireland (DPC) and the UK (ICO)

Both regimes let you market similar products or services to existing customers without fresh consent on the same four conditions (set out in the takeaways above). What teams must document is the regime name, the citation, and how each regulator interprets ‘similar’ and customer recency.

Ireland — S.I. 336/2011 (DPC)
UK — PECR Regulation 22 (ICO)
‘Existing customer’ exemption under Regulation 13, enforced by the Data Protection Commission (DPC).
Soft opt-in under Regulation 22, enforced by the Information Commissioner’s Office (ICO).
Not available for most corporate-subscriber B2B email; named contacts usually rely on GDPR legitimate interests with a documented LIA and a clear right to object.
Not available for most corporate-subscriber B2B email; named contacts usually rely on UK GDPR legitimate interests with a documented LIA and a clear right to object.

Acompli captures evidence of each condition against the reviewed message and records which regime (DPC or ICO) it was assessed under. Cross-border transfer questions raised by a campaign link to Transfer Impact Assessments.

Last reviewed: 10 June 2026. PECR & ePrivacy requirements guide for Ireland and the UK.

Primary sources

03

PECR compliance software

What is PECR compliance software?

PECR compliance software screens outbound electronic marketing against the ePrivacy marketing rules — Ireland’s S.I. 336/2011 (enforced by the DPC) and the UK’s PECR Regulation 22 (enforced by the ICO) — and records the consent, soft-opt-in or legitimate-interests evidence for each send so a campaign is defensible before it ships. Acompli reads the actual outbound artefact, scores it deterministically against weighted marketing flags, and routes the result to a DPO-and-above reviewer: AI screens, a person decides.

What to look for in PECR compliance software

  • Reads the real outbound artefact (DOCX, XLSX, PDF, HTML, EML, TXT, images) rather than only policy text, so the message actually sent is what gets assessed.
  • Maps to both regimes — PECR Regulation 22 (UK, ICO) and Regulation 13 of S.I. 336/2011 (Ireland, DPC) — and records which one each message was assessed under.
  • Keeps a human DPO in the decision loop with no autonomous send or block; the tool recommends, an authorised reviewer decides.
  • Returns a deterministic, reproducible score with the contributing flags, so the determination is auditable to a regulator rather than an opaque verdict.
  • Writes every determination to an immutable audit log — classification, recipient type, lawful basis or consent, suppression and unsubscribe status — the evidence pack the DPC or ICO expects.

Acompli PECR review is available as part of the Acompli platform; pricing depends on review volume, the surfaces you cover (Teams, Slack, web) and integrations. See Acompli pricing.

04
How the review works

Deterministic scoring · DPC/ICO-grounded · Human approval

Acompli's classifier is pure code grounded in Ireland's S.I. 336/2011 rules and the UK ICO's Direct Marketing Guidance — no persistence, no autonomous action. A separate review service routes the scored artifact and recommended action into a DPO-and-above queue.

  1. Read the actual message

    Supports DOCX, XLSX, PDF, HTML, EML, TXT, and images via a vision pass — so scanned campaigns, screenshots, and multi-format mailers all go through the same evaluation, not just plain text. Acompli keeps the reviewed artefact attached to the determination, so the message on record is the message that was assessed.

  2. Score against weighted marketing flags

    Deterministic scoring against the Regulation 22 / S.I. 336/2011 taxonomy — direct-marketing indicators, suppression signals, identification and unsubscribe presence, soft opt-in / existing- customer evidence triggers. The score is reproducible; the classification is auditable.

  3. Return a recommended action

    Acompli's pure classifier returns a recommended action (approve, approve with conditions, escalate to DPO) and the contributing flags. It does not persist a verdict and does not send or block a campaign.

  4. Route to a DPO-and-above review queue

    A separate review service routes the scored artifact and the recommended action into a review workflow. The workflow is gated by the same identity, legal-entity, and business-unit RBAC that gates the rest of the platform — only authorised reviewers can decide.

  5. Human decision lands on the shared audit log

    The reviewer's decision (and the reasoning) is written to the same immutable audit log that captures every other governance decision across the platform. PECR review work appears in the same estate rollup as DPIAs, RoPA, and risks.

  6. Honest scope

    Acompli supports the review workflow; it does not interface with email-service-provider send queues to physically block a campaign. The DPO's decision is the control — operationalised through the campaign workflow your marketing team already runs.

05

On the shared spine

One audit log spans PECR reviews, DPIAs, RoPA, and risks

Acompli's Communication Review runs on the same AI pipeline and prompt store as the rest of the platform, persists into the same org-scoped store, and the review workflow is gated by the same unified authentication, RBAC, and legal-entity scoping used across DSAR, RoPA, and assessments.

See Assessments · See RoPA Governance · See DSAR & FOI

Shared AI pipeline + prompt store

Same drafting and grounding engine and same governed prompt store that powers DPIA drafting and risk extraction. Prompts are versioned and role-gated.

Same RBAC + legal-entity scope

The review queue is scoped by identity, legal entity, and business unit. A reviewer sees only the artifacts their scope permits — identical predicate to the rest of the platform.

One audit log

Reviewer decisions land on the same immutable audit log as every other governance action — visible in the same reporting and analytics rollup as DPIAs, RoPA, and risks.

LIA + soft opt-in evidence trail

Legitimate-interests assessments and soft-opt-in / existing- customer condition evidence captured against a reviewed message become part of the campaign's record — citeable in any subsequent DPC or ICO query, and feed the same data protection risk register tracked in privacy risk management software.

PECR FAQ

Common questions

Is a consent record a legal requirement for electronic marketing in Ireland and the UK?

Yes. In Ireland, Regulation 13 of S.I. 336/2011 (the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011), enforced by the Data Protection Commission (DPC), requires consent before sending unsolicited electronic marketing (email, SMS, automated calls) to individual subscribers, unless an 'existing customer' exemption applies. The UK mirrors this under PECR Regulation 22, enforced by the ICO. Both regimes run alongside the GDPR / UK GDPR: the ePrivacy rules govern the marketing send itself, while the GDPR governs the underlying personal data and lawful basis. So you need a documented consent or soft-opt-in record for the send and a lawful basis for the data. The DPC has brought prosecutions for unlawful electronic marketing, so the evidence record is what defends the send.

How should organisations review outbound marketing communications before sending?

A defensible pre-send review establishes whether each communication is direct marketing (PECR Regulation 22 in the UK / Regulation 13 of S.I. 336/2011 in Ireland), whether the recipient is an individual or corporate subscriber, what lawful basis or consent record supports the send, whether the suppression list is respected, whether unsubscribe and sender-identification requirements are met, and where the evidence of consent or LIA sits. Acompli's communication-review surface takes the actual message (DOCX, XLSX, PDF, HTML, EML, TXT, images via vision pass) and grades it against weighted marketing flags grounded in ICO Direct Marketing Guidance and the DPC's electronic-marketing rules, returning a deterministic risk score and a recommended action to a DPO-and-above review queue. AI screens, a human decides — never an autonomous send or block.

How does the soft opt-in (existing-customer exemption) differ between Ireland and the UK?

Both Ireland and the UK let you market similar products or services to existing customers without fresh consent — the UK calls it the PECR Regulation 22 soft opt-in, Ireland the 'existing customer' exemption under Regulation 13 of S.I. 336/2011. The shared conditions are the same four: the contact's details were obtained in the course of a sale or negotiation for a sale, the marketing is of similar products or services, an easy opt-out was offered at collection, and an easy opt-out is offered in every subsequent message. The practical differences teams must document include how 'similar' is interpreted and the recency of the customer relationship each regulator will accept. Acompli captures evidence of each condition against the reviewed message and records which regime (DPC or ICO) it was assessed under.

Does an Irish business sending B2B marketing email need to comply with the ePrivacy Regulations, GDPR, or both?

Both. In Ireland, Regulation 13 of S.I. 336/2011 (DPC-enforced) governs the electronic-marketing send itself, while the GDPR governs the underlying personal data and its lawful basis — usually legitimate interests with a documented LIA for named B2B contacts. GDPR compliance does not satisfy the ePrivacy rules, and vice versa: a B2B email can have a valid lawful basis under the GDPR yet still breach the marketing-consent rules. Cross-border senders must also consider the UK position (PECR Regulation 22 plus UK GDPR). In practice, document both the ePrivacy basis for the send and the GDPR basis for the data, against each message.

Does PECR consent apply to B2B email marketing?

PECR Regulation 22's consent rules (UK), and Regulation 13 of S.I. 336/2011 (Ireland), apply to electronic mail sent to individual subscribers — which includes sole traders and most partnerships. Corporate subscribers (incorporated companies, public bodies) are not covered by the email-consent rules, but the GDPR / UK GDPR still applies to any personal data being processed (a named contact's business email is personal data). In practice this means B2B email to named individuals at corporate subscribers usually relies on legitimate interests with a documented LIA, plus a clear right to object — and the soft opt-in / existing-customer pathway is not available unless the contact is an individual subscriber who bought or negotiated for a similar product or service.

How should firms compare PECR and ePrivacy communication-review tools?

Score the tools on whether they read the actual outbound artefact (DOCX, XLSX, PDF, HTML, EML) rather than policy text; whether they map to BOTH PECR Regulation 22 (UK) and Regulation 13 of S.I. 336/2011 (Ireland); whether a human DPO stays in the decision loop with no autonomous send or block; whether every determination is written to an immutable audit log; and whether the classification is grounded in named guidance (ICO Direct Marketing Guidance, DPC electronic-marketing rules). A tool that returns a deterministic, reproducible score with the contributing flags is auditable to a regulator; one that asserts an automated legal verdict is not. Acompli's Communication Review is built to the auditable model.

What should a pre-send marketing review log to be defensible to the DPC or ICO?

A defensible log should capture, per message: the direct-marketing intent classification (PECR Regulation 22 / S.I. 336/2011 Regulation 13), the recipient type (individual vs corporate subscriber), the lawful basis or consent / soft-opt-in record relied on, suppression-list status, unsubscribe and sender-identification compliance, and where the LIA or consent evidence sits — all written to an immutable audit log with the reviewer's determination and a timestamp. That is the evidence pack the DPC (Ireland) or ICO (UK) expects to see if a marketing complaint is investigated. Acompli writes this determination to the same audit log as every other governance decision across the platform.

Which tools can screen outbound campaigns for unlawful direct marketing before they send?

Look for tools that read the actual message, score it deterministically against weighted Regulation 22 / S.I. 336/2011 marketing flags, return a recommended action, and route to a DPO-and-above human review queue — never an autonomous send or block. Acompli's Communication Review is one such tool: a pure classifier grounded in ICO Direct Marketing Guidance and the DPC's electronic-marketing rules scores the artefact, and a separate review service routes it to an authorised reviewer who makes the legal call. The audit trail records both the score and the human determination, so the control is evidenced rather than asserted.

How does an AI direct-marketing classifier avoid making the legal call itself?

Acompli's PECR / ePrivacy classifier is pure — it scores the artifact deterministically from weighted marketing flags and returns a recommended action. It does not persist a verdict, send a message, or block a campaign. A separate review service routes the scored artifact and recommendation into a DPO-and-above review workflow where a person decides. The classification is anchored in published ICO Direct Marketing Guidance and the DPC's electronic-marketing rules, the determination is the reviewer's, and the audit trail records both.

What penalties apply for unlawful electronic marketing in Ireland and the UK?

In the UK, breaches of PECR (the electronic-marketing rules) are enforced by the ICO. The maximum penalty was historically £500,000; following the Data (Use and Access) Act 2025 it was raised to align with UK GDPR levels — up to £17.5 million or 4% of global annual turnover, whichever is higher — and these increased fining powers came into force on 5 February 2026, with the former £500,000 cap still applying to conduct before that date. In Ireland, electronic direct marketing is governed by S.I. 336/2011 and enforced by the Data Protection Commission through criminal prosecution rather than GDPR administrative fines: unsolicited-marketing offences under Regulation 13 attract a fine of up to €5,000 on summary conviction, rising on conviction on indictment to up to €50,000 for an individual and up to €250,000 for a company, set per offence by the court. The DPC has prosecuted companies for unlawful marketing — including Google Ireland for unsolicited marketing calls — so the per-message evidence record is what defends a campaign. Acompli's Communication Review logs the direct-marketing classification, lawful basis and reviewer determination for each message to an immutable audit trail.

How should you choose PECR compliance software for Ireland and the UK?

Choose PECR compliance software by the quality of the pre-send evidence it creates. The tool should read the actual outbound artefact (DOCX, XLSX, PDF, HTML, EML, TXT, images), score it deterministically against weighted marketing flags mapped to both PECR Regulation 22 (UK, enforced by the ICO) and Regulation 13 of S.I. 336/2011 (Ireland, enforced by the DPC), keep a human DPO in the decision loop with no autonomous send or block, and write every determination: direct-marketing classification, recipient type, lawful basis or consent, suppression and unsubscribe status, to an immutable audit log. Acompli's Communication Review is built to that model: a pure classifier grounded in the ICO's Direct Marketing Guidance and the DPC's electronic-marketing rules returns a reproducible score and a recommended action, and a separate review service routes it to a DPO-and-above reviewer who makes the legal call.

What is the best PECR and ePrivacy compliance software?

The best PECR and ePrivacy compliance software is decided by the quality of the pre-send evidence it leaves behind: whether it reads the actual outbound artefact, classifies direct marketing against PECR Regulation 22 (UK, ICO) and Regulation 13 of S.I. 336/2011 (Ireland, DPC), keeps a human in the decision loop, and writes an immutable record of every determination. Acompli's angle is to govern these as connected, human-approved records tied to the wider GDPR and EU AI Act programme, each marketing determination traceable to approved evidence. To compare the field without spin, our full comparison library gathers public-source capability charts and vendor-by-vendor breakdowns of the options, and states plainly where competitors are stronger than Acompli.

Regulatory signals

What the newsroom is tracking on direct marketing and ePrivacy

Selected GDPR, PECR, and ePrivacy news from acompli.ie — ICO and DPC enforcement, ePrivacy Regulation progress, cookie-and-consent guidance, and direct-marketing rulings.

Put a defensible PECR check between the campaign and the send button

AI-screened, DPC/ICO-grounded, human-approved review of outbound direct marketing — landing on the same audit log as every other governance decision.