UK

I keep getting spam emails. How do I stop them legally?

30 days
ICO response time
£500k
Max fine
2003
PECR enacted
100%
Consent required
The Short Answer

You can legally stop spam emails in the UK by withdrawing consent, reporting to the ICO, and using your rights under PECR and the UK GDPR.

What the Law Says

The main law governing spam emails in the UK is the Privacy and Electronic Communications Regulations 2003 (PECR), which implements EU e-privacy rules and remains in force post-Brexit. It sets strict rules on unsolicited marketing emails.

PECR requires that businesses obtain your clear, specific, and informed consent before sending marketing emails — unless they’re emailing existing customers under the ‘soft opt-in’ exception (e.g., you bought from them recently and they’re promoting similar products). Even then, every email must include a free, easy way to unsubscribe.

The UK General Data Protection Regulation (UK GDPR) also applies: if an organisation processes your personal data (like your email address) to send marketing, they must have a lawful basis — almost always your consent — and honour your right to object at any time.

It’s illegal to conceal the sender’s identity, use fake headers, or fail to provide a valid opt-out mechanism in every marketing email.

Statutory Text

A person shall not send electronic mail for the purposes of direct marketing unless the recipient has previously notified the sender that he consents to such communications being sent by or at the instigation of the sender.

Privacy and Electronic Communications (EC Directive) Regulations 2003, reg. 22(1) — Unsolicited communications
Statutory Text

Where electronic mail is sent for the purposes of direct marketing… the person sending the communication must provide a simple means of refusing further communications.

Privacy and Electronic Communications (EC Directive) Regulations 2003, reg. 22(3) — Right to refuse

What to Do

1

Unsubscribe using the ‘opt-out’ link in the email — it must work within 28 days (reg. 22(3)).

2

Report persistent spam to the Information Commissioner’s Office (ICO) via ico.org.uk/concerns.

3

If the sender is outside the UK but targets UK residents, the ICO may still take action — especially if they have a UK presence or process UK residents’ data.

4

Keep evidence: save spam emails (including headers) for at least 6 months in case of investigation.

Sources

statutePrivacy and Electronic Communications (EC Directive) Regulations 2003, reg. 22 — Unsolicited communicationsstatuteUK General Data Protection Regulation (UK GDPR), Art. 21 — Right to objectguidanceInformation Commissioner’s Office (ICO) — Marketing guidance

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.