Marketing Compliance: Email, SMS, and Social Media
You need to market your beauty business to get clients. But there are rules about how you can do it. Break them and you risk fines from the ICO, complaints to the ASA, and damage to your reputation.
This guide covers the rules for email, text messages, WhatsApp, and social media marketing. It is not as complicated as it sounds - but you do need to know the basics.
Quick Rule of Thumb
You need permission before you send marketing messages. There are limited exceptions for existing clients. Never buy email or phone lists. Always give people a way to opt out. And if someone says stop, stop immediately.
Tip for new starters: Add a marketing consent checkbox to your consultation card from day one. A simple "I would like to receive offers and updates by email/text" with a tick box (not pre-ticked) is all you need. Building a compliant mailing list from the start is much easier than trying to get consent from 200 clients later.
PECR: The Rules on Direct Marketing
The Privacy and Electronic Communications Regulations 2003 (PECR) sit alongside UK GDPR and specifically cover direct marketing by electronic means: emails, texts, phone calls, and fax (yes, that is still in the law).
The core rule:
You must have the recipient's consent before sending them marketing messages by email or text.
Consent means the person has actively opted in. Not "they didn't say no." Not "they gave me their email for a booking." They must have specifically agreed to receive marketing from you.
What counts as consent?
- A tick box on your consultation card: "I'd like to receive offers and updates by email/text" (must not be pre-ticked)
- An opt-in on your booking system
- A verbal agreement (but this is very hard to prove - written is better)
- Signing up to your mailing list through your website or social media
What does NOT count as consent?
- Having someone's email or phone number (just because they booked an appointment does not mean they consented to marketing)
- A pre-ticked box on a form
- Assuming consent because they did not object
- Adding someone to a mailing list because they followed you on Instagram
The Soft Opt-In Exception
There is one important exception to the consent rule. It is called the "soft opt-in" and it can save you a lot of hassle.
How it works:
You can send marketing emails or texts to existing clients WITHOUT getting fresh consent IF all three of the following conditions are met:
- You collected their contact details in the course of a sale or negotiation for a sale (i.e., they are an existing client who has paid for a treatment, or were in the process of booking one)
- You are marketing similar services to what they originally bought (if they had a facial, you can market facials and skincare - you probably should not market an entirely different service like barbering)
- You gave them an easy way to opt out when you first collected their details AND in every message you send after that
In practice:
If Sarah had a gel manicure last week and you collected her email during the booking process, you can email her about your nail services, special offers on nails, and related products - as long as every email has an unsubscribe link and you told her at the point of collection that you might send marketing.
You do NOT need to get Sarah's separate consent for this. But if Sarah clicks unsubscribe, you must stop immediately.
What the soft opt-in does NOT cover:
- People who enquired but never booked or paid
- Completely unrelated services (marketing hair services to a nail-only client is a grey area)
- Third-party marketing (promoting someone else's business to your clients)
- SMS to numbers not provided in a sales context
Buying Email or Phone Lists
Do not do this. It is illegal under UK GDPR.
If someone sells you a list of 5,000 email addresses of "people interested in beauty," those people have not consented to hear from you. Emailing them is a breach of PECR and UK GDPR.
It does not matter if the list seller claims "they all opted in." They opted in to hear from the list seller's business, not yours. Consent is specific to the organisation.
The ICO takes this seriously. Fines can be up to £500,000 for serious PECR breaches.
Email Marketing Rules
If you use email marketing (Mailchimp, MailerLite, your booking system's email feature, or even just sending from your Gmail), follow these rules:
Every marketing email must include:
- Your name or business name - recipients must know who is emailing them
- Your contact details - an email address or postal address
- An unsubscribe link or clear opt-out method - in every single email
- A clear indication that it is a marketing message (the subject line should not be misleading)
Unsubscribe requests:
When someone unsubscribes, remove them from your marketing list within 28 days (the ICO expectation). In practice, do it immediately - most email platforms handle this automatically.
Do not:
- Make people jump through hoops to unsubscribe
- Require them to log in to unsubscribe
- Ignore unsubscribe requests
- Re-add people who have unsubscribed
Record-keeping:
Keep records of:
- When each person consented to marketing (or when they became a client for soft opt-in purposes)
- How they consented (signed form, online opt-in, etc.)
- Every unsubscribe and the date it was actioned
SMS Marketing Rules
Text message marketing follows the same PECR rules as email:
- Consent required (or soft opt-in for existing clients)
- Every text must include a way to opt out (e.g., "Reply STOP to unsubscribe")
- Must identify who is sending it
- Must not be misleading
Additional considerations for SMS:
- Texts are more intrusive than emails - people receive them on their personal phone and may be charged for replies
- The ICO is particularly strict about unsolicited text messages
- If you use an SMS marketing service (like those built into Fresha, Booksy, etc.), make sure it handles opt-outs properly
- Sending texts to numbers scraped from the internet or social media is a PECR breach
WhatsApp Marketing
WhatsApp is used by almost every beauty worker for client communication. But when you use it for marketing, the same rules apply as for email and SMS.
WhatsApp broadcasts (bulk messages):
- A WhatsApp broadcast goes to everyone on your broadcast list
- If you are using it to send promotional messages (offers, new services, booking availability), that is marketing
- You need consent from every recipient
- The soft opt-in may apply if they are existing clients, but you still need to provide an opt-out mechanism
WhatsApp Business:
WhatsApp Business has some marketing features (catalogues, automated messages, labels). These do not change the legal position - if the message is promotional, you need consent.
Individual WhatsApp messages:
Sending a one-to-one WhatsApp message to an existing client about their appointment is not marketing - it is service communication. Sending a one-to-one message saying "20% off gel nails this week!" is marketing and requires consent (or soft opt-in).
The line between service communication and marketing can be blurry. A good test: if the primary purpose of the message is to promote your services or encourage a booking, it is marketing.
Social Media Marketing
Social media marketing has different rules from direct marketing (email/SMS). You are not sending messages directly to people - you are posting publicly (or to your followers). But there are still rules.
Client Photos
Posting photos of clients or their treatments on social media requires:
- Consent from the client - explicit, documented consent. Not "they didn't say no." Not "they were fine with it at the time."
- Specific consent for social media use - consent for photos on your consultation card does not automatically cover posting on Instagram. Be specific about where the photos will be used.
- If the client is identifiable (face visible), this is personal data under UK GDPR. You need a lawful basis for processing it, which in this case is consent.
- If the client is under 18, you need parental consent.
- If the client withdraws consent, you must remove the photo. Yes, even if it had 500 likes.
Tagging Clients
Tagging a client in a social media post shares their personal data (their profile, their connection to your business) publicly. Get consent before tagging.
Better approach: post the photo and let the client tag themselves or share it to their own story/feed.
Before/After Photos
Before and after photos are powerful marketing. But the Advertising Standards Authority (ASA) has rules:
- Photos must be genuine - both photos must be of the same person
- Photos must be representative - they should show a typical result, not an exceptional one
- Photos must not be misleading - same lighting, same angle, same distance. Do not use filters, retouching, or different lighting to exaggerate the result
- If you are making a claim ("reduces wrinkles by 50%"), you need evidence to support it
- Disclaimers like "results may vary" do not override misleading images
Testimonials and Reviews
If you share client testimonials or reviews on social media:
- Get consent to share them (even if they were originally posted publicly)
- Do not edit them to change the meaning
- Do not fabricate testimonials - this is illegal under consumer protection law
- If a client was given a free or discounted treatment in exchange for a review, this must be disclosed (ASA rules and CMA guidance on endorsements)
Influencer and Gifted Content
If you give free treatments to influencers or anyone in exchange for a post or review:
- The post must be clearly marked as an ad (#ad, #gifted, or equivalent)
- This is an ASA requirement and a CMA (Competition and Markets Authority) requirement
- "Thanks to [your business]" alone is not sufficient disclosure
- Both you and the influencer could be held responsible for non-disclosure
Fines and Enforcement
ICO (data protection and PECR):
- Up to £500,000 for serious PECR breaches (unsolicited marketing)
- Up to £17.5 million or 4% of global turnover (whichever is higher) for serious UK GDPR breaches
- In practice, sole traders typically face fines of £1,000 to £10,000 for marketing breaches - still significant for a small business
ASA (advertising standards):
- The ASA does not issue fines directly, but it can:
  - Require you to remove or amend ads
  - Refer you to Trading Standards (who can prosecute)
  - Refer you to Ofcom (for broadcast issues)
  - Publish adverse findings against your business (reputational damage)
CMA (competition and consumer protection):
- Can take enforcement action for fake reviews and non-disclosure of paid endorsements
- Can seek court orders and fines
Practical Compliance Checklist
- Consent mechanism in place - opt-in on consultation cards, booking system, or website for marketing communications
- Soft opt-in applied correctly - only for existing clients, similar services, opt-out offered at collection and in every message
- Unsubscribe mechanism in every marketing email and SMS
- No bought lists - every recipient either consented or is a soft opt-in
- Photo consent documented for every client photo used in marketing
- Before/after photos are genuine, representative, same lighting/angle
- Social media tags - consent obtained before tagging clients
- Influencer/gifted content clearly disclosed as #ad or #gifted
- Consent records kept - who, when, how they consented; who and when they opted out
- ICO registered - £40/year - ico.org.uk/registration
What To Do Next
- Add a marketing consent checkbox to your consultation card or booking system. Make sure it is not pre-ticked.
- Review your mailing list. Can you demonstrate consent (or soft opt-in) for every person on it? If not, run a re-consent campaign or remove them.
- Add an unsubscribe link to every marketing email.
- Review your social media. Do you have documented consent for every client photo? If not, get it or remove the posts.
- Check your before/after photos comply with ASA rules (same lighting, angle, no misleading edits).
- Register with the ICO if you have not already (£40/year).
Tip for new starters: Do not add clients to a WhatsApp broadcast list just because they gave you their number for a booking. That number was given for appointment communication, not marketing. You need separate consent for promotional messages.
Who To Contact
- ICO - 0303 123 1113 (Free) - ico.org.uk - direct marketing guidance
- ASA - asa.org.uk (Free) - advertising standards complaints and guidance
- CMA - gov.uk/cma (Free) - consumer protection guidance
- Citizens Advice - 0800 144 8848 (Free) - citizensadvice.org.uk
- Trading Standards (via Citizens Advice) - 0808 223 1133 (Free)
- NHBF - nhbf.co.uk - industry marketing guidance (Paid, members only)
Sources
- Privacy and Electronic Communications Regulations 2003 (PECR)
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018
- ICO Direct Marketing Guidance
- ASA CAP Code (non-broadcast advertising)
- CMA guidance on online reviews and endorsements
- Consumer Protection from Unfair Trading Regulations 2008
Related Guides
- GDPR for Self-Employed Beauty Workers
- Client Record-Keeping: What You Must Store
- Building Your Personal Brand on Social Media
- Handling Client Complaints Professionally
- What To Do When Clients Threaten Legal Action
