Compliance

PECR and Payment Reminders: When Dunning Emails Need Consent

UK PECR rules for payment reminder emails and SMS. When dunning is transactional, when it needs consent, and how to stay compliant with ICO guidance.

Rekko Team
April 8, 2026
8 min read
Tags: pecr, gdpr, uk, compliance

Picture this. Your head of growth drafts a dunning sequence for failed Stripe payments. Email one is a polite reminder. Email two is the same reminder plus "while you're here, check out our new Pro plan, 20% off this month." Email three adds a testimonial and an upgrade CTA.

That second email is a direct marketing message under UK PECR, and so is the third. If the customer never opted in to marketing, you have a compliance problem, and potentially an ICO problem.

The line between a transactional payment reminder and a marketing message is thinner than most SaaS teams think. This guide walks through where it sits, what the ICO has said, and how to build dunning sequences that recover revenue without tripping the Privacy and Electronic Communications Regulations.

This article is general information, not legal advice. If you are building compliance workflows, run them past a qualified data protection lawyer.

The two regimes you are working with

Payment reminders in the UK sit under two overlapping rules.

UK GDPR governs the processing of personal data. You need a lawful basis under Article 6 to use a customer's email address or phone number at all. For subscription dunning, that basis is usually Article 6(1)(b), performance of a contract (more on that in our lawful basis article).

PECR (the Privacy and Electronic Communications (EC Directive) Regulations 2003) governs the channel. It adds an extra layer on top of UK GDPR specifically for electronic marketing by email, SMS, phone, and fax. PECR is what decides whether you need prior consent before you can send a marketing message.

The critical point. PECR's marketing rules only bite on direct marketing. Service messages, including genuine transactional notifications, are outside their scope. So the question becomes, when does a payment reminder stop being a service message and start being marketing?

What the ICO says about "direct marketing"

The ICO's Direct Marketing Code uses the statutory definition from the Data Protection Act: direct marketing is "the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals." The key words are "advertising or marketing material."

A message whose sole purpose is to administer the existing contract, telling the customer their payment failed and asking them to update their card, is not advertising. It is a service message. The ICO's guidance on service messages is explicit that neutral account notifications, renewal reminders, and failed payment alerts are not caught by PECR regulation 22 (the consent rule for unsolicited marketing by electronic mail, which includes SMS). The word neutral matters: a renewal reminder that also talks up the benefits of renewing, or nudges the customer toward a bigger plan, is no longer a service message.

But the moment you bundle promotional content into that same message, the whole message becomes marketing. The ICO has said repeatedly that you cannot "hide" marketing inside a service message to avoid consent. If a reasonable recipient would say the email is trying to sell them something, it is marketing, full stop.

Transactional vs marketing: the practical test

Ask these questions about every email or SMS in your dunning sequence.

  1. Is the core purpose to resolve a failed payment on an existing contract? If yes, it leans transactional.
  2. Does the message contain any promotional content? Upsells, cross-sells, discount codes, "new features you should try," testimonials, or links to marketing landing pages move you toward marketing territory.
  3. Would the message still make sense if you stripped the promotional content out? If removing the offer changes the message fundamentally, the offer is not incidental, it is the point.
  4. Is the call to action limited to updating the payment method or paying the outstanding invoice? That is a service CTA. "Book a demo" or "upgrade now" is not.

If the answer to question 2 is yes, or the answer to question 4 is no, PECR regulation 22 applies. You need valid consent (or, in narrow cases, the soft opt-in discussed next), and without it you cannot send the message.

The soft opt-in, and why it rarely helps for dunning

PECR has a narrow carve-out called the soft opt-in (regulation 22(3)). It lets you send marketing by email or SMS without prior consent if:

  • You obtained the contact details in the course of a sale or negotiations for a sale
  • You are marketing your own similar products or services
  • You gave a simple way to opt out at the point of collection, and in every subsequent message

In theory this could cover some dunning-adjacent marketing. In practice it is a trap. The soft opt-in was designed for newsletters to existing customers, not for pressuring people whose payments just failed. Relying on it in a dunning sequence is risky, because the whole framing of a failed payment makes promotional content feel coercive, and the ICO will look hard at context.

Safer rule. Do not market in dunning messages at all. Send clean transactional reminders. Market to the same customers through a separate, consented channel if you want to.

SMS: the same rules, with a twist

Regulation 22 covers "electronic mail", and PECR defines that term broadly enough to include text messages, so everything above applies to SMS. A pure "Your payment failed, update your card here" SMS is a service message. Adding "Reply YES for 30% off an annual plan" turns it into marketing subject to regulation 22.

The twist. SMS is a more intrusive channel. The ICO has fined companies for sending unwanted marketing texts under PECR, with penalties that have reached six figures. If your dunning SMS strays into marketing territory without consent, you are in higher-risk enforcement waters than for email.

Every dunning SMS should include a clear opt-out, usually "Reply STOP," and you must honour it immediately. Strictly, PECR only requires an opt-out on marketing messages, but a service SMS without one leaves the customer no way to refuse if a later message in the sequence drifts into marketing, and the ICO expects opt-outs to be simple and respected. Log each opt-out with a timestamp, and check the suppression list at send time rather than when the sequence was scheduled, so a STOP received a minute ago still blocks the next step. Rekko handles SMS opt-outs automatically through its GDPR-compliant opt-out system, stripping a customer from all future sequences as soon as they reply STOP.
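The opt-out handling described above, as an added example. This is not Rekko's code and says nothing about how its OptOut model is built; the data model, the keyword set (the article only requires "STOP") and the number normalisation are assumptions for illustration. The two points it demonstrates are that suppression is keyed on the tenant and the recipient, not on the sequence that sent the message, and that the check happens when a step fires, not when it was queued.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Assumption: the usual carrier stop keywords. PECR and the ICO only need a clear
# opt-out to be honoured; accepting the extra keywords is a design choice.
STOP_KEYWORDS = {"STOP", "STOPALL", "UNSUBSCRIBE", "CANCEL", "END", "QUIT"}


def normalise_number(raw: str) -> str:
    """Canonical key for a phone number: '+' followed by digits only, so that
    '+44 7700 900123' and '+447700900123' suppress the same recipient."""
    return "+" + re.sub(r"\D", "", raw)


def opt_out_keyword(text: str) -> Optional[str]:
    """Return the stop keyword if the reply is an opt-out, otherwise None.
    The first word decides: 'stop', 'STOP.' and 'Stop please' all opt out,
    'please do not stop' does not."""
    words = re.findall(r"[A-Za-z]+", text.upper())
    return words[0] if words and words[0] in STOP_KEYWORDS else None


@dataclass
class OptOutRecord:
    """One logged opt-out: what was received, from whom, and when."""
    tenant_id: str
    number: str
    keyword: str
    received_at: datetime
    raw_text: str


@dataclass
class SuppressionStore:
    """Tenant-wide suppression list. A single STOP blocks every sequence and every
    Stripe account under the tenant; the records are the evidence of suppression."""
    records: list = field(default_factory=list)
    suppressed: set = field(default_factory=set)

    def handle_inbound(self, tenant_id: str, from_number: str, text: str,
                       received_at: Optional[datetime] = None) -> bool:
        """Process an inbound SMS. Returns True if it was treated as an opt-out."""
        keyword = opt_out_keyword(text)
        if keyword is None:
            return False
        number = normalise_number(from_number)
        self.records.append(OptOutRecord(
            tenant_id, number, keyword,
            received_at or datetime.now(timezone.utc), text))
        self.suppressed.add((tenant_id, number))  # effective before we return
        return True

    def can_send(self, tenant_id: str, to_number: str) -> bool:
        return (tenant_id, normalise_number(to_number)) not in self.suppressed


def send_sms_step(store: SuppressionStore, tenant_id: str,
                  to_number: str, body: str) -> str:
    """Send-time gate for a dunning sequence step. The suppression check runs when
    the step fires, not when the sequence was scheduled, so a STOP that arrived
    after enrolment still wins. Returns 'sent' or 'suppressed'."""
    if not store.can_send(tenant_id, to_number):
        return "suppressed"
    # The provider call (e.g. an SMS API) would go here; omitted so this runs offline.
    return "sent"


if __name__ == "__main__":
    # Constructed scenario: step 2 was queued, then the customer replied STOP.
    store = SuppressionStore()
    customer = "+44 7700 900123"   # constructed, not a real number
    print(send_sms_step(store, "tenant-a", customer, "Acme: your payment failed."))
    store.handle_inbound("tenant-a", "+447700900123", "Stop please")
    print(send_sms_step(store, "tenant-a", customer, "Acme: reminder, your payment failed."))
    print(store.records[0])
```

The suppression key deliberately ignores which sequence or Stripe account produced the message: the customer opted out of the sender, not of one campaign. Keep the raw reply text in the record, since "what exactly did they send" is the first question a regulator or the customer will ask.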

Transactional vs marketing checklist

Use this before shipping any dunning template.

  • Subject line references the failed payment or invoice, not a product or offer
  • Body explains what failed, when, and how to fix it
  • No promotional copy (upsells, cross-sells, "new features," social proof)
  • Only CTA is "update payment method," "pay invoice," or "contact support"
  • No discount codes or time-limited offers
  • No links to marketing landing pages. Link directly to a payment update page
  • Footer identifies the sender and gives a valid address for opt-out requests (regulation 23 requires this for marketing email; include it in service messages too)
  • SMS messages include "Reply STOP to opt out"
  • Opt-out is honoured immediately and logged
  • Template has been reviewed by someone who is not the person who wrote it

If every box is ticked, you are in service-message territory and PECR consent rules do not apply. You can rely on UK GDPR Article 6(1)(b) contractual necessity for the underlying data processing.
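The four-question test and the checklist above are mechanical enough to run as a pre-ship lint on every template. The following is an added example, not Rekko's template review code: the phrase lists are illustrative rather than an ICO-approved taxonomy, and the set of hosts that count as payment-update pages (billing.example.com) is an assumption you would replace with your own. Each check maps to one question or checklist item, including the "strip the offer and see what is left" test from question 3. The sample templates are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumption: hosts that serve your own payment-update or invoice pages.
# Any other link target is treated as a marketing landing page.
SERVICE_LINK_HOSTS = {"billing.example.com"}

# Illustrative phrase lists; extend them with the copy your own team tends to write.
PROMO = [r"\bupgrade\b", r"\bbook a demo\b", r"\bnew features?\b", r"\bcheck out\b",
         r"\btestimonial", r"\bwhat our customers say\b", r"\blatest blog post\b"]
DISCOUNT = [r"\b\d{1,3}\s?% off\b", r"\b(?:promo|discount|coupon) code\b", r"\buse code\b"]
TIME_LIMITED = [r"\blimited[- ]time\b", r"\boffer (?:ends|expires)\b", r"\bonly until\b"]
SERVICE_WORDS = [r"\bpayment\b", r"\binvoice\b", r"\bcard\b", r"\bbilling\b"]
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


@dataclass
class LintResult:
    classification: str                             # "service" or "marketing"
    findings: list = field(default_factory=list)    # why the message is marketing
    warnings: list = field(default_factory=list)    # checklist items not met


def _hits(patterns, text):
    return [p for p in patterns if re.search(p, text, re.IGNORECASE)]


def lint_template(subject: str, body: str, channel: str = "email") -> LintResult:
    findings, warnings = [], []
    full = subject + "\n" + body

    # Checklist: the subject line references the failed payment or invoice.
    if channel == "email" and not _hits(SERVICE_WORDS, subject):
        warnings.append("subject line does not reference the payment or invoice")

    # Question 2: any promotional copy, discount or time-limited offer anywhere
    # in the message makes the whole message marketing.
    for label, pats in (("promotional phrase", PROMO),
                        ("discount offer", DISCOUNT),
                        ("time-limited offer", TIME_LIMITED)):
        findings += [f"{label} matched /{p}/" for p in _hits(pats, full)]

    # Question 4: every link must go to a payment-update page, not a landing page.
    for url in URL_RE.findall(body):
        host = urlparse(url.rstrip(".,;")).hostname or ""
        if host not in SERVICE_LINK_HOSTS:
            findings.append(f"link to non-service host {host!r}")

    # Question 3: drop the promotional sentences and check whether what remains
    # still tells the customer what failed and how to fix it.
    sentences = re.split(r"(?<=[.!?])\s+|\n+", body)
    remainder = " ".join(s for s in sentences
                         if not _hits(PROMO + DISCOUNT + TIME_LIMITED, s))
    does_its_job = bool(_hits(SERVICE_WORDS, remainder)) and bool(URL_RE.search(remainder))
    if not does_its_job:
        if findings:
            findings.append("with promotional copy removed no payment fix remains: "
                            "the offer is the point")
        else:
            warnings.append("body does not say how to fix the payment or link to a "
                            "payment-update page")

    # Checklist: every SMS carries a clear opt-out.
    if channel == "sms" and not re.search(r"\bSTOP\b", body):
        warnings.append("SMS lacks a 'Reply STOP' opt-out")

    return LintResult("marketing" if findings else "service", findings, warnings)


# Constructed sample templates (amounts, dates and URLs are made up).
CLEAN_EMAIL = (
    "Action needed: your Acme payment failed",
    "Your payment of £29 for the Pro plan failed on 3 April.\n"
    "Update your card at https://billing.example.com/update and we will retry within 24 hours.\n"
    "If you have already done this, ignore this message, or reply and support will help.")
UPSELL_EMAIL = (
    "Your Acme payment failed",
    "Your payment of £29 failed on 3 April. Update your card here: https://billing.example.com/update.\n"
    "While you're here, check out our new Pro plan, 20% off this month: https://www.example.com/pricing")
WINBACK_EMAIL = (
    "Sorry to see you go",
    "Sorry to see you go! Here's 25% off to stay: https://www.example.com/comeback")
CLEAN_SMS = ("Acme: your payment failed. Update your card: "
             "https://billing.example.com/u/abc12. Reply STOP to opt out.")
MARKETING_SMS = ("Acme: your payment failed. Update your card: "
                 "https://billing.example.com/u/abc12. Reply YES for 30% off an annual plan.")

if __name__ == "__main__":
    for name, args in (("clean email", CLEAN_EMAIL), ("upsell email", UPSELL_EMAIL),
                       ("win-back email", WINBACK_EMAIL)):
        print(name, lint_template(*args))
    print("clean sms", lint_template("", CLEAN_SMS, channel="sms"))
    print("marketing sms", lint_template("", MARKETING_SMS, channel="sms"))
```

Run it in CI against the template directory and fail the build on any finding; warnings can be left for the human reviewer the checklist already requires. The win-back template is the interesting case: stripping the offer leaves nothing that administers the contract, which is exactly the question 3 signal that the offer is the point of the message.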

Common mistakes we see in SaaS dunning flows

The "win-back" last email. Teams sometimes add a final dunning email that says "Sorry to see you go, here's 25% off to stay." That email is marketing. It needs consent or soft opt-in, and even then it is on shaky ground because the trigger is a failed payment.

The bundled newsletter. Putting a "Meanwhile, check out our latest blog post" section in a payment failure email. Small, innocent, technically marketing.

The cross-sell footer. A generic footer advertising other products under every dunning email. The ICO has specifically called this out as an attempt to smuggle marketing into service messages.

No unsubscribe on SMS. Dunning SMS without "Reply STOP." PECR's opt-out requirement applies only to marketing messages, so a pure service SMS without one is not by itself a breach, but it goes against the spirit of the ICO's Direct Marketing Code, and the moment any promotional copy slips into the sequence you are sending marketing with no opt-out at all.

How Rekko keeps dunning on the right side of PECR

Rekko was built around the assumption that dunning is, and should stay, transactional. That shapes the product.

  • Message templates default to payment-focused language. No upsell blocks, no promotional footers.
  • SMS opt-out ("Reply STOP") is automatic and applied across all sequences and all Stripe accounts on the tenant.
  • Opt-outs are logged in the OptOut model so you can prove suppression if the ICO ever asks.
  • The lawful basis is contractual necessity, documented in Rekko's DPA, so you are not stretching consent or legitimate interests to cover standard dunning.
  • Message logs show exactly what was sent, when, and to whom, which is what you need for both PECR accountability and UK GDPR Article 30 records.

If you want a dunning tool that treats compliance as a default rather than a feature flag, Rekko is a good starting point.

Start your 14-day free trial, no credit card required. Or compare Rekko against other options on the alternatives page.

Sources and further reading

  • ICO Direct Marketing Code of Practice
  • ICO guidance on PECR regulation 22 and service messages
  • Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426)
  • UK GDPR Article 6

Again, this is general information, not legal advice. Your dunning flows should be reviewed by counsel before launch.
