Can I Add Contact Form Leads to My Mailing List? UK GDPR
Short answer: no, not unless they specifically opted in to marketing at the time they contacted you.
It’s a mistake a lot of small UK businesses make, often without realising. And once you spot it, it’s usually straightforward to put right.
Does filling in a contact form give permission for marketing emails?
No. A contact form submission only gives you permission to reply to that enquiry, nothing more (even though it can feel like a warm lead).
When someone fills in your contact form, asking for a quote or more details, they’re expecting a reply to that specific question. The lawful basis for handling their details under UK GDPR is ‘legitimate interests’: yours is to reply; theirs is to get an answer. That basis only covers the response. It doesn’t extend to adding them to your newsletter, sending follow-up offers, or dropping them into an automated email sequence. As soon as you move beyond replying and start sending marketing emails, you’ll need separate, explicit consent.
The full picture of what UK GDPR requires for your contact form is in How to Make Your Small Business Website GDPR Compliant.
What does proper consent for email marketing look like?
In simple terms, consent needs to be a clear, active choice, not something implied or buried in small print.
In practice, that usually means adding a simple, unticked checkbox with clear wording. Something like: ‘Tick here if you’d like to receive marketing emails from us.’ It must be separate from the submit button. The person actively ticks it. You’ll need a record of when and how they opted in. Consent can be withdrawn at any time, so every marketing email needs an unsubscribe link.
Bundled consent doesn’t meet this standard, even though you’ll still see it on plenty of websites. Writing ‘by contacting us you agree to our terms’ does not give you permission to email people for marketing purposes.
I’ve already been adding people to my list without consent. What do I do?
First, stop adding new contacts without consent. Even if you’ve been doing it for a while, it’s better to fix it now than later. Then decide what to do with the people already on your list.
In reality, it usually comes down to two options. First, send a re-permission email. Tell them you are reviewing your mailing practices and what you will be sending. Ask them to click a link to confirm they want to stay on the list. If they ignore it, you’ll need to remove them — which often surprises people. Second, if you have recent customers who bought similar services, you may be able to rely on the ‘soft opt-in’ rule under PECR. This allows you to email existing customers about similar services. For example, you might follow up a company formation purchase with related compliance services. Every message must include a clear opt-out. Speak to a data protection specialist if you are unsure which route applies.
Does legitimate interests cover email marketing?
For most small businesses, no. Legitimate interests isn’t a safe basis for marketing emails. It’s where people tend to run into trouble.
The ICO generally takes the view that direct marketing by email requires consent, except in the limited soft opt-in case. The Data (Use and Access) Act 2025 introduced a seventh lawful basis, ‘recognised legitimate interests’, but it covers specific purposes like fraud prevention and network security. Commercial marketing is not included. If your current approach relies on legitimate interests to justify marketing emails, it needs to change.
Can I ask for marketing consent on the same form as the enquiry?
Yes, and for most small businesses, this is by far the simplest way to handle it going forward.
Add a separate, optional, unticked checkbox to your contact form: ‘Yes, I’d like to receive occasional emails from [your business name].’ Keep it separate from the main submit action. Make it genuinely optional: not ticking it must still allow the enquiry to go through. It’s a small change, but it makes a big difference. You’ll clearly see who agreed to hear from you.
For the exact wording to use near your form and when different form types need different approaches, Do I Need a GDPR Checkbox on My Contact Form? has the details.
While you are reviewing your mailing list setup, it is worth checking the rest of your site too. Your website should include a privacy policy, cookie notice, terms and conditions, and your business details in the footer. Most DIY builders like Wix or Squarespace provide templates, but they won’t tell you if something important is missing.
If you already have a website, a quick compliance check can show you what’s missing.
Want a website built with the right consent mechanics from day one?
At Duport, we build websites for UK small businesses with the compliance side handled from the start. So things like consent and legal pages aren’t left as an afterthought. Every site includes properly set up contact forms, legal pages drafted for your business, and a cookie notice that works from launch.
Duport’s website build starts from £360. Mention this article when you get in touch and we’ll honour the £144 rate.
This article is for general guidance. For advice specific to your mailing practices and data processing, speak to a qualified solicitor or data protection specialist.
FAQs
Can I cold-email potential customers I haven’t had contact with?
Only in limited cases under PECR, usually for business-to-business messages where there’s a clear reason to contact them. For consumers, you need explicit consent first.
How long can I keep someone on my mailing list?
As long as they’ve consented and haven’t unsubscribed. In practice, many businesses review lists after 12–18 months of inactivity.
Do I need to keep records of who consented and when?
Yes, UK GDPR requires you to demonstrate consent. Keep a record of what someone was told when they opted in and when they ticked the box. Most email marketing platforms store this automatically when you use their forms.
Is my Wix or Squarespace website legally compliant in the UK?
Not automatically. UK law requires your website to include a privacy policy, a cookie notice, clear terms and conditions, and specific business information, such as your registered company name and number if you’re a limited company. Most website builders include template pages for some of these, but they don’t check whether your content is accurate or complete. Use our free website compliance checker to see what your site has and what it’s missing.
