Engage
Book a demo
Compliance

UK PECR and the soft opt-in: email marketing rules for venues

This guide explains what UK PECR requires for venue email marketing and why the soft opt-in exception is structurally insufficient for physical venues. It shows how capturing explicit, timestamped consent at the Guest WiFi login - using Purple Engage - provides a safer, broader, and more scalable basis for email marketing than the narrow soft opt-in, which only covers prior customers.

6 min read1,300 words

Why this matters for your venue

For physical venues, foot traffic is your primary asset. A guest walking through the door only generates revenue for that single visit. To increase lifetime value, you must reach them after they leave and give them a reason to return. Email marketing remains the most effective channel for this, but in the UK it is heavily regulated. The Information Commissioner's Office (ICO) enforces the Privacy and Electronic Communications Regulations 2003 (PECR) alongside the UK GDPR. Sending marketing emails without valid consent or a lawful exception risks significant fines and reputational damage.

Many venues attempt to rely on the "soft opt-in" rule to email past customers. While this works for e-commerce, it is structurally flawed for hospitality, retail, and events. If a table of six dines at your restaurant and one person pays the bill, you only have a chance of capturing one email address. The soft opt-in leaves the other five guests anonymous. Worse, if you try to email that one paying guest about a different service - like a hotel stay rather than a meal - you violate the soft opt-in's strict conditions.

To drive repeat visits and maximise revenue per send, venues need a list that builds itself from verified, conscious-choice, first-party data. Generic email tools like Mailchimp or Klaviyo are built to send campaigns, but they rely on you to supply the list. Purple Engage captures explicit, timestamped opt-in consent at the point of WiFi login, turning anonymous foot traffic into a compliant, scalable marketing database. To understand how the data capture works end-to-end, see our guide on Guest WiFi email capture: how it works and what to expect.

The approach: PECR and the limits of the soft opt-in

Under PECR Regulation 22, you must not send unsolicited marketing emails to individuals without specific consent. The only exception is the soft opt-in, which allows you to email existing customers without explicit consent if - and only if - you meet four strict conditions:

  1. You obtained their contact details during a sale or negotiations for a sale.
  2. The marketing relates to similar products or services only.
  3. You provided a simple way to opt out when you first collected their details.
  4. You provide a clear opt-out in every subsequent message.

For a physical venue, the soft opt-in is a fragile foundation. It restricts you to past purchasers only, excluding browsers, companions, and prospective customers. The "similar products" rule limits cross-selling across different venue types or brands within your portfolio. Proving that you offered an opt-out at the point of sale is often difficult when relying on point-of-sale systems or third-party booking platforms. The ICO has fined businesses - including a UK retailer fined £150,000 in 2024 - for sending marketing emails to customers who had unsubscribed, citing a soft opt-in justification the company did not actually meet (ICO enforcement register, 2024).

Soft optin vs explicit consent

Explicit consent is the safer, more profitable alternative. Under UK GDPR Article 4(11), consent must be a freely given, specific, informed, and unambiguous indication of the guest's wishes. By securing explicit consent, you remove the restrictions of the soft opt-in entirely. You can market your full range of services to anyone who opts in, regardless of whether they made a purchase.

How to do it with your Guest WiFi

Your venue already offers Guest WiFi. By integrating Purple Engage, you transform a cost centre into an automated list-building engine. When a guest connects to your network, they are presented with a captive portal - the web page a guest must interact with before accessing the public WiFi network. This portal requires them to authenticate, using a standard form or social login.

Crucially, the portal presents a clear, unchecked opt-in box for marketing communications. This is not bundled with the WiFi terms and conditions - bundled consent is invalid under UK GDPR Article 7. The guest makes a conscious choice to receive offers.

Consent data flow

When the guest ticks the box, Purple Engage records the exact timestamp, the IP address, and the specific wording they agreed to. This creates an auditable consent record that meets the highest UK GDPR standards. The data flows directly into your Purple Engage CRM, segmenting the guest based on their demographics, visit frequency, and dwell time. Purple operates across 80,000+ live venues and recorded 440 million logins in 2024 (Purple internal data, 2024), giving you a proven, at-scale infrastructure for this approach.

What to send, and when

Once you have a compliant list built on explicit consent, you can deploy targeted campaigns that drive footfall. Purple Engage allows you to automate these based on real-world behaviour captured by the WiFi network.

The welcome campaign. Send an automated email 24 hours after a guest's first visit. Thank them for coming and offer a small incentive - a free coffee or 10% off their next visit - for returning. This targets the critical window where a first-time visitor decides whether to become a regular.

The lapsed guest campaign. Use WiFi presence data to identify guests who have not visited in 30 days. Automatically trigger a "we miss you" email with a compelling offer. Because you have explicit consent, you are not relying on a stale soft opt-in from a purchase made months ago.

The cross-sell campaign. If a guest frequently visits your restaurant, email them about your upcoming ticketed events or private hire spaces. The soft opt-in might restrict this as a non-similar product, but explicit WiFi consent gives you the freedom to promote your entire venue.

Measuring what works

Generic email metrics like open rates and click-through rates only tell half the story. The true measure of venue marketing is whether the email drove a physical visit and generated revenue.

Because Purple Engage links the email profile to the device's presence on the network, you can measure offline attribution. When you send a campaign to 10,000 opted-in guests, Purple tracks how many of those specific devices walk back into your venue within the next seven days.

Focus on these three metrics:

Metric What it tells you
Opt-in rate at WiFi login The percentage of guests who actively tick the consent box
Return visit rate The percentage of email recipients who physically return to the venue
Revenue per send The estimated spend generated by returning guests

Where to start

To move away from the risks of the soft opt-in and build a compliant, high-performing email list, follow these steps in order:

  1. Audit your current list. Identify which contacts rely on the soft opt-in and whether you can prove all four PECR conditions for each one.
  2. Deploy a captive portal. Set up Purple Guest WiFi with a branded login screen across your venue.
  3. Configure explicit consent. Ensure the marketing opt-in box is unchecked by default and clearly explains what the guest will receive.
  4. Automate the welcome. Set up a Purple Engage automation to email new opt-ins within 24 hours to drive their second visit.
  5. Track offline returns. Monitor the dashboard to see how many emails translate into physical foot traffic.

For a detailed walkthrough of the capture mechanics, see Guest WiFi email capture: how it works and what to expect.

References

[1] Information Commissioner's Office, "Electronic mail marketing," Guide to Privacy and Electronic Communications Regulations. https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guide-to-pecr/electronic-and-telephone-marketing/electronic-mail-marketing/

[2] Information Commissioner's Office, "How do we comply with the PECR electronic mail marketing rules?" Guidance on direct marketing using electronic mail. https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guidance-on-direct-marketing-using-electronic-mail/how-do-we-comply-with-the-pecr-electronic-mail-marketing-rules/

[3] GDPR Local, "PECR Compliance Explained: What Every Email Marketer Needs to Know," May 2025. https://gdprlocal.com/gdpr-newsletter-compliance/

[4] MailGraf, "UK GDPR Email Marketing: Compliance Guide (2026)," May 2026. https://mailgraf.com/blog/uk-gdpr-email-marketing-guide

[5] Purple internal data, 2024. 80,000+ live venues, 440 million logins in 2024.

Related guides

Compliance

Managing consent and unsubscribes for venue email

Managing email consent correctly is the difference between a high-converting guest database and a GDPR liability. This guide shows marketing directors and CRM managers at restaurants, hotels, bars and retail venues how Purple Engage captures verified, timestamped consent at the WiFi login portal, handles unsubscribes automatically, and eliminates the manual spreadsheet processes that create compliance gaps. The result is a defensible consent record, a cleaner list, and measurable improvement in repeat visit rates.

Compliance

Email deliverability basics for venue marketers

This guide covers the fundamentals of email deliverability for venue marketers - from authentication to list hygiene - and explains how capturing verified, conscious-choice first-party data through guest WiFi protects your sender reputation from day one. It is written for marketing directors, CRM managers, and owner-operators at restaurants, hotels, retail stores, and other physical venues who want to turn foot traffic into repeat customers.

Compliance

Why bought email lists fail venues

Buying email lists is one of the fastest ways to damage your sender reputation, violate GDPR, and waste marketing budget. This guide explains the three reasons purchased lists fail physical venues - deliverability, legal compliance, and ROI - and shows how Purple Engage builds a verified, first-party database automatically from your guest WiFi logins, so you never need to buy a contact again.