The ICO exists to empower you through information.

At a glance

You must tell people that you want to collect and use their information for direct marketing purposes. You must be clear about what you want to do and your privacy information must be easy for people to understand.

Getting new information about people from other sources or by profiling their interests and habits can help target your direct marketing more effectively. But you must ensure that doing this is fair and tell people about it.

In more detail

What is collecting information and generating leads for direct marketing?

There are a number of ways that you may decide to seek contact details and additional information to use for your direct marketing, including from:

  • the people who buy your products and services or support your cause (ie people you have a direct relationship with);
  • third parties who sell or rent lists of contact details or who can provide additional information on your customers; or
  • publicly available sources.

You may be seeking this information to:

  • reach potential new customers (eg obtaining contact details for people you don’t already have a relationship with);
  • find new contact details for your existing customers (eg adding new contact channels for them); or
  • profile your customers (eg analysing their behavioural characteristics to find out their preferences or predict their behaviour).

Whichever way you collect information or generate leads on potential or existing customers, you must ensure that what you want to do is fair, lawful and transparent. You must be open and honest.

What do we need to tell people if we collect their information directly from them?

Being transparent about what you’re doing with people’s information is a key part of data protection law. People have the “right to be informed” when you collect and use their personal information for direct marketing purposes.

There is a list of information in the UK GDPR that you must provide to people if you collect their information directly from them. For example, you must:

  • explain why you want to use their information (eg to send postal marketing, to profile their buying habits);
  • tell them if you intend to share their information with other organisations for direct marketing purposes; and
  • make them aware of their data protection rights (including the right to object to direct marketing).

You must provide this privacy information to people at the time you collect their details. If, at a later date, you want to use the information for other activities, you must give them further privacy information (assuming the new things you want to do are fair and lawful).

Your privacy information must be in clear and plain language. It should be easy for people to understand what you are saying to them. You should tailor it to your audience (eg who are your customers and what are they likely to understand?) and use language and terms they will be familiar with and will understand. If you find it difficult to explain what you want to do, or you don’t want to tell people because you think they might object, this is a sign that you should rethink your intended marketing activity.

There is no set way to provide your privacy information. The method depends on your audience and the way you collect the information (eg online, over the phone, by post). For example, you could consider:

  • ‘just in time notices’ in an online context where a brief message appears at the point where people give you a particular piece of information that explains how you will use it for marketing; or
  • a layered approach with a short notice giving key privacy information immediately and more detailed information elsewhere for those that want it.

The key point is that you must be upfront about your direct marketing and make the important information the most visible.

Further reading

  • If you need more detailed information on drafting and providing privacy information, see our right to be informed guidance.

What do we need to tell people if we collect their information from other sources?

It is particularly important to be transparent with people if you don’t have a direct relationship with them. This is because people may have no idea that you collect their information from other sources to use for direct marketing unless you tell them.

There is a list of information in the UK GDPR you must provide to people if you don’t collect their information directly from them. In general, this list is the same as when you collect people’s information directly from them, and the requirements for this information to be clear and in plain language still apply. But you also must give them details about:

  • the categories of their information you hold (eg contact details, interests); and
  • the source of their information (eg the particular organisation it came from).

You must give people your privacy information within a reasonable period and at the latest within a month of obtaining their information (unless an exception applies, see below).

There are additional requirements if you plan to use the information to send direct marketing to the person it relates to, or to disclose it to someone else. In that case, the latest point at which you must provide your privacy information is when you first communicate with that person or disclose their information to someone else. But the one month time limit still applies, so it is a case of whichever is sooner.

Example

A company obtains a list of contact details from Company Z.

Three weeks after obtaining the contact details, the company wants to send out its brochure to people on the list. It includes details of its privacy information, including the types of information it holds (names and addresses) and details of the source of the personal information (Company Z). The company has complied with the requirement to give people its privacy information.

In some cases you might not have to comply with these requirements, if you can rely on an exception. These exceptions are limited and many are unlikely to apply for direct marketing, but the following may be relevant:

  • The person already has the information.

If you want to rely on this exception, you must be able to demonstrate and verify what privacy information people already have. You must ensure they have been provided with all the required information. You must provide anything that you are unsure about or is missing.

  • Disproportionate effort.

If you want to rely on this exception, you must assess and document whether there is a proportionate balance between the effort involved for you to give privacy information and the effect of your direct marketing activity on people. The more significant the effect it has on people, the less likely you are to be able to rely on this exception.

If disproportionate effort applies, you still must publish your privacy information (eg on your website).

The right to be informed is a fundamental part of data protection law and this is an exception to the general obligation of transparency. You should not use it routinely across a range of activities, without considering the impact of each. As part of planning your direct marketing activities, you should take into account the transparency requirements that data protection law places on you (see Plan direct marketing).

Can we use publicly available personal information for direct marketing purposes?

The term “publicly available” can refer to information sourced from various places, including:

  • the open version of the electoral register;
  • Companies House;
  • websites and social media; and
  • press articles or ‘rich’ lists.

You might be considering seeking people’s information from publicly available sources to find new customers or supporters, or to add to the profile or information you already hold about people. Data protection law and PECR don’t necessarily prevent you from doing this but there may be restrictions. For example, you must tell people that you have their information and what you want to do with it, as well as ensuring what you want to do is fair and lawful.

You must consider whether your direct marketing activities will be unexpected to the people whose information you are collecting from public sources. For instance, the fact that someone’s social media page has not been made private, or that they are seeking a large audience for their social media post, doesn’t mean that you are free to use their personal information for direct marketing purposes. They won’t expect you to do this.

Can we find out additional contact details for people from other sources?

Finding out additional contact details for your customers or supporters from other sources for direct marketing is often known as data matching or appending (where you match information you already hold on people with other contact details that you didn’t have). For example, adding phone numbers for your customers to the address details you already hold. Often these additional contact details are bought from third parties, such as data brokers.

If you are considering this:

  • Let people choose if you can have their additional details.

If people have consented to you having their additional contact details for direct marketing, then it is likely that you can match these with what you already hold.

If people have not agreed, then it is likely to be unfair in most cases to obtain such details for direct marketing. This is the case, even if you explain in your privacy information that you might seek out further information about people from third parties. This is because it removes people’s choice about what channels you can contact them on for direct marketing.

For example, some people use different email addresses as a way of managing their information and relationships, including to limit or manage the direct marketing they receive. By getting an additional email address from another source, you may be going directly against their wishes.

  • Don’t assume people want direct marketing by other channels.

You can’t assume someone wants you to contact them by other channels or has forgotten to give you the information. Even if they have forgotten, they still won’t reasonably expect you to market them using details they never gave you or agreed to you having. People must be able to choose what contact details they give you.

Can we get new contact details for people from other sources, if their details are no longer correct?

Often you may become aware that someone’s contact details you have for direct marketing are no longer correct, but they haven’t told you about the change. For example, your direct marketing material is being returned to you because they no longer live there, their email address is no longer valid, or their phone number is no longer in service.

If this happens, you should take into account the following:

  • People don’t have to tell you when their contact details change.

You can’t assume someone has forgotten to tell you they have changed their details. Even if they had previously consented to your direct marketing at their old postal or email address, this consent is not transferrable to a new address that they didn’t give you (it was specific to their old details).

However, if people express a wish for their updated contact details to be shared, you can continue to send marketing to them at the new address (assuming your initial collection of the information at the old address was compliant). They might do this by making it clear to a third party data source, by ticking a box, or some other positive action, that they wanted it to inform other organisations about a recent change of address.

  • Tracing people’s new contact details for direct marketing isn’t needed to maintain accuracy.

You should not seek out new contact details from other sources or use the tracing services of other organisations for direct marketing. Your commercial interests in continuing to market people who have changed details are unlikely to outweigh their interests in this context. This is because it would be unfair to trace people in these circumstances as it takes away their control and right to choose not to share their new address.

You don’t need to do this to comply with data protection accuracy requirements. (See How do we make sure the information we use for direct marketing is accurate?)

If you have traced someone for a non-direct marketing purpose (such as non-payment of bills or fraud), this doesn’t automatically mean that you can use these new details for direct marketing as well.

Example

A university sends fundraising newsletters by post to the last address that they held for their alumni. Some of the alumni graduated a number of years ago. A large number of the mailings are returned to the university because the address details are now incorrect.

The university places a ‘do not use’ marker against the address details if the mailing has been returned, in order to comply with data protection law.

If the university had instead taken steps to trace the new addresses of their alumni, it would have risked infringing data protection law.

  • Make it easy for people to tell you when their details change.

If people have an account with you, you could make it easy for them to proactively update their contact details within their account. Likewise, if you already hold other contact details, you could consider using these to remind people how they can keep their details updated. But you must check that this contact is fair, lawful and transparent, as well as complying with PECR, where applicable.

Can we create profiles of people for direct marketing?

Profiling is where you look at people’s interests, habits and behaviour, for example. Profiling for direct marketing often also involves predictions or assumptions about people. It can help you target your direct marketing messages to people who are more likely to buy your product or support your cause. It can also make your messages more relevant to the people that receive them.

Profiling can simply be realising that your customer likes to buy a particular type of product from you and tailoring your marketing accordingly. But sometimes it can be more intrusive, for example due to the type of information used (eg health, financial), or the amount being gathered on someone.

If you’re thinking about using profiling for your direct marketing it is important to do the following:

  • Be fair and tell people what you want to do.

You must make sure the profiling is fair to people. For example, they are unlikely to anticipate you seeking to learn more about them and adding information from other sources to create a profile on them.

You must tell people about your profiling and clearly explain to them what you will be doing. This includes if you are going to use third parties or public sources to expand the profile on them. You must also ensure the information you hold for the profile is accurate and not excessive.

Example

When a company collects a customer’s information from them it provides them with the following information in order to meet its transparency obligations:

“We will use your purchase history to tell you about our offers and products that we think you will be most interested in.”

This makes clear to customers that the company will be analysing the things they have previously bought and it will use that analysis to determine the content of the marketing messages they receive.

  • Ensure you have a lawful basis.

You must have a data protection reason (“lawful basis”) for your profiling activity. (See How do we decide what our data protection reason (“lawful basis”) is for direct marketing?)

If you are profiling people for direct marketing using their special categories of data, you are likely to need explicit consent. (See Can we use special category data for direct marketing?)

  • Understand any potential risks.

In many cases profiling for direct marketing can be positive, both for you and your customer. But it can potentially cause people harm and you should effectively address these risks. For example, it might perpetuate stereotypes if you make general assumptions based on the information you hold, or might cause discrimination if you exclude people from products or services based on your profiling.

  • Respect people’s preferences.

People have the right to object to direct marketing and this includes any profiling related to such direct marketing. You must comply with such an objection (see What do we do if someone objects to our direct marketing?).

  • Understand when the rules on solely automated decisions apply.

There are data protection rules to protect people when you carry out solely automated decision-making, including profiling, that has legal or similarly significant effects on them. Solely automated means making a decision without any human involvement (eg using an algorithm to make the decision).

Solely automated decision-making is likely to occur in online behavioural advertising because this happens without human involvement. However, the majority of direct marketing based on solely automated profiling is unlikely to have a legal or similarly significant effect, which means these rules don’t apply. But there could be situations where it does, for example targeting known problem gamblers with betting adverts. (See the further reading box.)

What do we need to consider when buying or renting information from other sources?

Many organisations, including data brokers, offer information for direct marketing for sale, rent or on licence. For example, marketing lists of potential customers or new information for you to add to what you already hold on your customer. This can help you reach new customers or target your direct marketing more effectively to existing ones.

However, it is important to remember that you are responsible for ensuring compliance with data protection law and PECR. It is not enough to simply accept a third party’s assurances that the information they are supplying to you is compliant.

This means that you must undertake proportionate checks and due diligence before you get the information. This helps you reduce the risk of infringing data protection law and PECR. For example, this could include ensuring you have certain details:

  • Who compiled the information – was it the organisation you are buying it from or someone else?
  • Where was the information obtained from – did it come from people directly or has it come from other sources? Is it fair that the third party uses these sources?
  • What privacy information was given when people’s information was collected – do people know the third party has their information and what were they told it would be used for?
  • When was the information compiled – what date was it collected and how old is it?
  • Which type of information is it – is any of it special category data?
  • How was the information collected – what was the context and method of the collection?
  • What records of the consent are there (if it is ‘consented’ information) – what did people consent to, what were they told, were you named, when and how did they consent?
  • What evidence is there that the information has been checked against suppression lists (if claimed) – can it be demonstrated that it has been checked against the TPS, and how recently?
  • How does the seller deal with people’s rights – do they pass on objections?

A reputable third party should be able to demonstrate to you that the information it is supplying is reliable. You should not use the information if it cannot do this, or if you aren’t satisfied with its explanations.

  • Your own compliance

You must be clear how your use of the information complies. For example:

  • You must be able to demonstrate what your data protection reason (“lawful basis”) is for using people’s information that is being provided to you.
  • If you’re getting a list of potential new customers or supporters, you should check the information against your own suppression lists, so you don’t contact anyone who has previously asked you not to (unless they have given you consent that overrides their previous objection). (See Respect people’s preferences.)
  • If you want to get more information on people, you must tell them that you want to do this.
  • You must ensure that what you intend to do with the information is fair, reasonable and proportionate.
  • Once you have obtained a list of potential customers or supporters, you must provide them with your own privacy information detailing anything they’ve not already been told. (See What do we need to tell people if we collect their information from other sources?)

You also must be prepared to deal with any inaccuracies or complaints arising from your use of the information. If you receive complaints from people whose details came from a particular source, this might suggest that the source is unreliable and you should not use it.