NRI Compliance Masterclass: GDPR, PECR, CAN-SPAM, DPDP Act
Compliance is the part of NRI marketing that buyers most often underestimate and regulators watch most closely. The Information Commissioner's Office (ICO) issued over £40m in marketing-related fines in 2025 alone. The Federal Trade Commission's CAN-SPAM enforcement actions have averaged $19,000 per non-compliant message. The European Data Protection Board now publishes monthly enforcement summaries naming offenders. Compliance is no longer "we'll get to it" — it's the price of staying in the game.
This masterclass walks through each major regime that governs NRI marketing data in 2026, in the order you'll encounter them. We assume you're a buyer (not a vendor) — meaning you license a dataset from someone else and use it to market your own product or service. Your obligations differ from the data provider's, but they are not lighter. In most regimes, you become an independent data controller the moment the file is delivered, and the regulator's first question after a complaint is "what was your lawful basis?" — not "where did you get this list?".
If you've already read our shorter NRI Marketing Data and GDPR primer, this guide goes deeper on each individual regime, the lawful-basis analysis, controller obligations, and the operational checklist for staying compliant at scale.
The five regimes you must consider
NRIs live across multiple jurisdictions, and a single dataset will usually trigger more than one set of rules. The five that matter:
- UK GDPR + Data Protection Act 2018 — applies to processing about UK-resident data subjects. Enforced by the ICO. Maximum fine: £17.5m or 4% of global annual turnover, whichever is greater.
- PECR (Privacy and Electronic Communications Regulations 2003) — UK rules specifically for electronic direct marketing (email, SMS, telephone, fax). Sits on top of UK GDPR and is often the rule that actually constrains an email campaign. Maximum fine: £500K under PECR-only matters; can stack with UK GDPR fines.
- EU GDPR — same legal text as UK GDPR, enforced by EU member-state regulators. Triggered if any record in your dataset relates to an EU resident.
- US CAN-SPAM Act + state laws (CCPA, CPRA, Washington's My Health My Data Act, Virginia VCDPA, etc.) — US federal email-marketing law plus a growing patchwork of state privacy laws.
- India's DPDP Act 2023 — India's new data-protection law. Applies extraterritorially where the processing is connected with offering goods or services to data principals within India.
You won't need to apply all five to every campaign, but you need to know which ones apply when. Quick rule of thumb: the law that protects each data subject is the law of the country where the data subject is located, not where you are.
UK GDPR and the Data Protection Act 2018
Lawful basis for direct marketing
UK GDPR Article 6 lists six lawful bases for processing personal data. For B2C direct marketing via email, SMS, or phone, the practical reality is that only two are usable:
- Consent (Article 6(1)(a)) — freely given, specific, informed, and unambiguous. The standard basis for cold marketing to consumers.
- Legitimate interest (Article 6(1)(f)) — possible in narrow B2B contexts, but the ICO has been clear that legitimate interest is rarely sufficient for cold consumer marketing, and never sufficient where PECR requires consent (which it does for email and SMS to individuals).
For NRI data, this means you need consent at source — recorded by the platform that originally collected the record — that explicitly contemplates the type of marketing communication you intend to send. "I agree to receive marketing communications from [platform] and its trusted partners" is a standard formulation. "I agree to terms of service" is not.
Controller responsibilities you inherit on import
The moment a dataset is delivered to you, you become an independent data controller. The vendor remains a controller for curation and licensing decisions, but everything that happens after import is on you. Practical obligations:
- Maintain a Record of Processing Activities (RoPA) under Article 30. This documents what data you process, why, the lawful basis, retention period, and recipients.
- Publish a privacy notice that names this dataset as a source of personal data and describes how you use it.
- Respond to data subject requests (access, erasure, objection, rectification) within one calendar month. Keep audit trails.
- Implement appropriate technical and organisational measures — encryption in transit and at rest, access controls, vendor vetting for sub-processors.
- Report any qualifying personal-data breach to the ICO within 72 hours, and to affected individuals "without undue delay" if there's a high risk.
- Designate a Data Protection Officer (DPO) if your processing involves "regular and systematic monitoring of data subjects on a large scale" — using a 100K+ record dataset for ongoing marketing usually qualifies.
PECR — the rule that catches most email campaigns
The UK's Privacy and Electronic Communications Regulations 2003 (PECR) sit alongside UK GDPR but specifically govern electronic marketing. PECR is more granular than GDPR and is what the ICO will cite first when an unsolicited email complaint reaches them.
Email and SMS to individual subscribers
You need prior consent from the individual. The "soft opt-in" exception exists but is narrow:
- The individual must be an existing customer (not just a prospect or list member);
- The marketing must relate to similar products or services to those previously purchased;
- The individual must have been given a clear opportunity to opt out at the time their data was collected, and in every subsequent communication.
The soft opt-in does not help you with cold outreach to bought lists.
Live phone calls to individual subscribers
You need either consent or a check against the Telephone Preference Service (TPS) register before you dial. If the recipient is on TPS and you call without consent, you breach PECR — even if the call is short and the recipient hangs up immediately.
Postal marketing
PECR does not apply to postal marketing — only UK GDPR does. This makes direct mail one of the few channels where "legitimate interest" can plausibly be the lawful basis for cold consumer marketing, though you still need to honour opt-outs.
EU GDPR — when it bites
EU GDPR has the same legal text as UK GDPR but enforcement is by individual member-state regulators (CNIL in France, BfDI in Germany, AEPD in Spain, etc.). It applies to your processing if:
- Any record in your dataset relates to an EU-resident data subject; or
- You target marketing to EU residents from outside the EU; or
- You monitor the behaviour of EU residents (e.g., through cookies or tracking pixels embedded in marketing emails).
Some "UK" NRI lists include records from the Republic of Ireland or other EU countries with significant NRI populations. Ask your vendor for a country-of-residence breakdown before you import — and segregate any EU records into a dedicated processing flow with country-specific compliance.
US CAN-SPAM, CCPA, and the state-law patchwork
CAN-SPAM (federal)
Permissive by EU standards, but not rule-free. Every commercial email to a US recipient must:
- Use accurate "From", "To", "Reply-To", and routing headers.
- Use a non-deceptive subject line that reflects the body content.
- Identify the message as an advertisement (the bar is low — clearly being a commercial message is enough).
- Include a valid physical postal address of the sender.
- Include a clear and conspicuous unsubscribe mechanism.
- Honour unsubscribe requests within 10 business days, and never sell or transfer unsubscribed addresses.
The FTC enforces CAN-SPAM, and penalties run up to $51,744 per non-compliant message (2025 CPI-adjusted figure).
California Consumer Privacy Act (CCPA) and CPRA
California residents have the right to:
- Know what personal data you collect about them;
- Delete that data on request;
- Opt out of "sale" or "sharing" of their personal data (the CPRA-amended definition of "sharing" includes disclosing data to third parties for cross-context behavioural advertising);
- Limit use of sensitive personal information.
If you process the data of more than 100,000 California residents, you fall within CCPA's threshold for a Privacy Notice on your website plus a "Do Not Sell or Share My Personal Information" link. Many NRI USA datasets cross this threshold (1.3M total records, of which 200K+ are typically California-resident).
Other state laws
Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), and others have enacted GDPR-lite consumer privacy laws since 2023. Most apply at higher data-volume thresholds and most exempt B2B marketing. For NRI consumer marketing in the US, the practical rule is: comply with CCPA, document your compliance, and you'll cover most state-law requirements.
India's DPDP Act 2023
India's Digital Personal Data Protection Act 2023 is the latest entrant. It applies to processing of personal data:
- Within India; or
- Outside India, where the processing is in connection with offering goods or services to data principals within India.
For NRI marketing — where the data subjects are by definition outside India — DPDP usually doesn't apply to a non-Indian controller. It does apply if:
- Your business operates in India and processes the dataset on Indian soil; or
- You use the dataset to market goods or services to India-resident relatives of the NRI subjects (a stretch interpretation but worth noting).
Penalties under DPDP run up to ₹250 crore (~$30m USD) for serious breaches. Indian enforcement against foreign controllers is nascent in 2026 but expected to ramp up as the Data Protection Board of India staffs up.
The lawful-basis analysis: how to do it
Before you send the first email of any NRI campaign, do this analysis in writing and keep it on file:
- Identify the data subject's country of residence. This determines which regime applies.
- Identify the channel (email, SMS, phone, post) and the message type (commercial, transactional, mixed).
- Identify the lawful basis available under the applicable regime. For UK/EU GDPR + electronic channels, this will almost always be consent.
- Verify the consent — confirm with your vendor that the records carry a documented marketing-consent basis at source. Ask for evidence on a sample.
- Document the analysis in a one-page memo per campaign. Include date, vendor, dataset version, segments used, message content, and the lawful-basis conclusion.
This document is what you produce if a regulator opens a complaint. Without it, you are operating on faith — which is not a defence.
Cross-border data transfers
If you transfer NRI data out of the UK or EU (for example, to a US-based ESP or CRM), you need a transfer mechanism:
- Adequacy decision — the easiest path. The UK government has issued adequacy regulations covering transfers to certain countries (the EEA, Israel, Japan, etc.). Transfers to adequate countries do not require additional safeguards.
- UK Addendum to the EU Standard Contractual Clauses (SCCs) — the standard contractual mechanism for transfers to non-adequate countries (including the US, India, the UAE).
- Binding Corporate Rules (BCRs) — for intra-group transfers within multinational organisations.
The US is not on the UK adequacy list (the UK–US Data Bridge is in scope but limited to specific certified US importers). For most cross-border NRI transfers to US vendors, you'll need the UK Addendum to the SCCs in your data-processing agreement.
Handling erasure and rectification requests
Under UK and EU GDPR, every data subject has the right to:
- Access their personal data (Article 15);
- Rectify inaccurate data (Article 16);
- Request erasure (Article 17 — the "right to be forgotten");
- Restrict processing (Article 18);
- Object to processing for direct marketing (Article 21 — and the right to object to direct marketing is absolute; you must always honour it).
You must respond within one calendar month (extendable by two months for complex requests, with notice). Most NRI controllers underestimate the operational lift. A working erasure workflow needs:
- An inbox or form where data subjects can submit requests;
- Identity verification before action (to prevent malicious erasure attempts);
- A search of every system that might hold the record (CRM, ESP, data warehouse, backup systems);
- Erasure with audit trail;
- Notification to your data vendor so the record is suppressed in future deliveries;
- Confirmation back to the data subject within the deadline.
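The workflow above, and the rule under Common compliance mistakes that an opt-out on one channel must suppress every channel, can be implemented in a few dozen lines. The following is an added example, not code from the original page or from NRI Financial Services: a minimal suppression registry plus an erasure handler that (1) keys suppressions on a hash of the normalised identifier so the suppression file shared with a vendor carries no live contact data, (2) suppresses all channels on any opt-out, (3) keeps an append-only audit trail, (4) refuses to erase until identity is verified, and (5) computes the one-calendar-month response deadline (three months if extended). The system names, sample records and the hashing/deadline design are constructed assumptions for the example, not a regulator-prescribed format.

```python
"""Cross-channel suppression and erasure-request handling (added example)."""
import calendar
import hashlib
from datetime import date, datetime, timezone

# Every channel the controller markets on; an opt-out on any one suppresses all of them.
CHANNELS = ("email", "sms", "phone", "post")


def normalise(identifier: str) -> str:
    """Lower-case and strip so 'A.Patel@Example.com ' and 'a.patel@example.com' match."""
    return identifier.strip().lower()


def suppression_key(identifier: str) -> str:
    """SHA-256 of the normalised identifier; the suppression export can then be
    handed to the data vendor without disclosing the live contact detail."""
    return hashlib.sha256(normalise(identifier).encode("utf-8")).hexdigest()


def response_deadline(received: date, extended: bool = False) -> date:
    """One calendar month from receipt, or three if extended for complexity.
    If the same day-of-month does not exist (31 Jan -> Feb), use the month's last day."""
    months = 3 if extended else 1
    month_index = received.month - 1 + months
    year = received.year + month_index // 12
    month = month_index % 12 + 1
    day = min(received.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


class SuppressionRegistry:
    """Hashed-key suppression list with an append-only audit log."""

    def __init__(self) -> None:
        self._suppressed: dict[str, set[str]] = {}  # key -> suppressed channels
        self.audit: list[dict] = []                 # never edited, only appended

    def record(self, action: str, key: str, **details) -> None:
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "action": action, "key": key, **details})

    def opt_out(self, identifier: str, source_channel: str) -> None:
        """An opt-out received on one channel suppresses every channel."""
        key = suppression_key(identifier)
        self._suppressed[key] = set(CHANNELS)
        self.record("opt_out", key, source_channel=source_channel)

    def is_suppressed(self, identifier: str, channel: str) -> bool:
        return channel in self._suppressed.get(suppression_key(identifier), set())

    def vendor_export(self) -> list[str]:
        """Hashed keys to send to the vendor so the records are dropped from future deliveries."""
        return sorted(self._suppressed)


def process_erasure_request(registry: SuppressionRegistry, systems: dict,
                            identifier: str, received: date,
                            identity_verified: bool) -> dict:
    """Search every system that may hold the record, erase in place, audit each
    removal, then suppress the key so the record is never re-imported.
    Nothing is erased until identity is verified; the request is logged as pending."""
    key = suppression_key(identifier)
    deadline = response_deadline(received)
    if not identity_verified:
        registry.record("erasure_pending_verification", key, deadline=deadline.isoformat())
        return {"status": "pending_verification", "deadline": deadline, "erased_from": []}
    target = normalise(identifier)
    erased_from = []
    for name, records in systems.items():          # e.g. CRM, ESP, warehouse; backups handled separately
        before = len(records)
        records[:] = [r for r in records if normalise(r["email"]) != target]
        if len(records) != before:
            erased_from.append(name)
            registry.record("erased", key, system=name, removed=before - len(records))
    registry.opt_out(identifier, source_channel="erasure_request")
    return {"status": "erased", "deadline": deadline, "erased_from": erased_from}


if __name__ == "__main__":
    # Constructed sample systems and records (not real data).
    reg = SuppressionRegistry()
    systems = {"crm": [{"email": "A.Patel@Example.com"}, {"email": "b@example.com"}],
               "esp": [{"email": "a.patel@example.com"}],
               "warehouse": [{"email": "b@example.com"}]}
    result = process_erasure_request(reg, systems, "a.patel@example.com", date(2026, 1, 31), True)
    print(result)            # erased from crm and esp; deadline 2026-02-28
    print(reg.is_suppressed("A.PATEL@example.com", "sms"))  # True: suppression spans channels
    print(reg.vendor_export())
```

The deadline helper follows the "one calendar month" wording the page uses; the erasure loop only covers the live systems passed in, so backup rotation and the vendor notification step still need their own process, which is why the vendor export is a separate call.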
Breach notification
UK GDPR Article 33 requires personal-data-breach notification to the ICO "without undue delay and, where feasible, not later than 72 hours after having become aware". A "breach" is any unauthorised access, accidental loss, destruction, alteration, or disclosure. Common scenarios in NRI marketing:
- An employee with CRM access leaves and downloads the dataset to a personal device;
- An ESP or CRM credential is phished;
- An email campaign puts every recipient's address in the To or Cc field instead of Bcc, disclosing the whole list to all recipients;
- A vendor sub-processor experiences a breach affecting your data.
Have a one-page incident response plan, a named owner, and an escalation path before you need it.
Common compliance mistakes
- Using "legitimate interest" as the lawful basis for cold consumer email. Almost never works under UK or EU GDPR — and PECR requires consent regardless.
- Treating "GDPR-compliant data" as a vendor problem. It's not. Vendor compliance proves their licensing is sound; your compliance starts the moment you import.
- Not honouring opt-outs across channels. If someone unsubscribes from email, you also need to suppress them from SMS, phone, and post.
- Failing to update your privacy notice when you import a new dataset. Your notice must accurately describe what data you process and why; adding a new source of personal data without updating the notice is a breach in itself.
- Sending cold email from your transactional sending domain. If a regulator or ESP penalises you, you risk losing your password-resets and order confirmations along with your marketing campaigns. Use a dedicated marketing subdomain.
Pre-send compliance checklist
Before you press send on any NRI marketing campaign, confirm:
- You have evidence of marketing-consent at source for every record (vendor confirmation, written).
- You have a privacy notice on your website that names this dataset as a source.
- You have a one-click unsubscribe in every email; it works in test.
- You suppress unsubscribers within 24 hours, across every channel.
- You include sender name, address, and contact info per CAN-SPAM if any records are USA-resident.
- You have a process to action erasure / access requests within one calendar month, with named owner.
- You have a personal-data-breach response plan and a named owner.
- Your data-processing agreement with each ESP / CRM / sub-processor contains the UK Addendum to the SCCs (for non-UK transfers).
- You have a written lawful-basis analysis for this campaign, on file.
One more thing: get a lawyer
This guide is informational, not legal advice. The compliance framework is well-trodden but the application to your specific business — your products, your audiences, your other lawful-basis claims — has nuances that benefit from an English data-protection solicitor's review. Budget £1,500–£3,000 for an initial review; it's substantially cheaper than a single ICO investigation, and it lets you scale outreach without compounding risk on every new campaign.
Frequently asked questions
Do I need a Data Protection Officer (DPO) if I use NRI data?
Under UK GDPR, you must designate a DPO if your processing involves "regular and systematic monitoring of data subjects on a large scale". Using a 100K+ record NRI dataset for ongoing marketing usually qualifies. The DPO can be an employee or external contractor; the key requirements are independence, expertise in data-protection law, and reporting directly to senior management.
What's the difference between UK GDPR legitimate interest and consent for NRI marketing?
Consent is the only safe lawful basis for cold consumer email or SMS marketing under UK GDPR. Legitimate interest is theoretically available but rarely sustainable for cold B2C marketing — and PECR (which sits on top of UK GDPR) requires consent regardless for electronic marketing to individuals. For NRI campaigns, build everything on consent at source.
How long can I retain a purchased NRI dataset?
There's no statutory maximum, but UK GDPR requires retention to be no longer than necessary for the purpose. Practical guidance: retain the working list for 24 months from import, suppress dormant records (90+ days no engagement) earlier, and remove any record on opt-out within 24 hours. Document your retention policy and apply it consistently.
What happens if my NRI list includes EU residents?
EU GDPR applies to those records, alongside UK GDPR for the rest. EU enforcement is by member-state regulators (CNIL, BfDI, AEPD). Practical options: (a) suppress EU-resident records before campaign; or (b) segregate them and apply EU-specific compliance overlay including any national-law specifics. Always ask vendors for a country-of-residence breakdown before import.
Do I need the UK Addendum to SCCs in my data-processing agreement with my ESP?
Yes, if your ESP processes UK-resident NRI data and is based outside the UK adequacy zone (most US ESPs are). The UK Addendum to the EU Standard Contractual Clauses is the standard contractual mechanism. Add it as an annex to your DPA. Without it, the cross-border transfer is technically unlawful even if functionally invisible.
What's a qualifying personal-data breach that needs ICO notification?
Any unauthorised access, accidental loss, destruction, alteration, or disclosure of personal data. Common scenarios: a phished CRM credential, an employee downloading the dataset to a personal device, an email that exposes the recipient list by putting every address in the To field instead of Bcc, a vendor breach. UK GDPR requires ICO notification within 72 hours of becoming aware (regardless of whether the breach is contained).
Ready to put this into action?
NRI Financial Services has verified, opt-in NRI marketing data for the UK, UAE, and USA — segmented by remittance, real estate, tax, shopping, travel, and card-spending behaviours. Pick a segment and click Buy Access to get started, or email contact@nrifinancialservices.com for a free 50-row sample.