The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Electronic mail (Regulations 22 and 23)

How do the Regulations apply to marketing by electronic mail?

The Regulations define electronic mail as ‘any text, voice, sound, or image message sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service’ (Regulation 2 ‘Interpretation’ applies).

In other words, email, text, picture and video marketing messages are all considered to be ‘electronic mail’. Marketing transmitted in WAP messages is considered to be ‘electronic mail’. WAP Push allows a sender to send a specially formatted SMS message to a handset which, when received, allows a recipient through a single click to access and view content stored online, through the browser on the handset.

We consider this rule also applies to voicemail and answerphone messages left by marketers making marketing calls that would otherwise be ‘live’. So there are stricter obligations placed on you if you make live calls but then wish to leave messages on a person’s voicemail or answerphone.

Faxes are not considered to be ‘electronic mail’. Fax marketing is covered elsewhere in the Regulations. These regulations also do not cover so-called silent calls or calls where a fax or other electronic signal is transmitted; this is because no marketing material is transmitted during these calls.

This is what the law requires:

  • You cannot transmit, or instigate the transmission of, unsolicited marketing material by electronic mail to an individual subscriber unless they have previously notified you, the sender, that they consent, for the time being, to receiving such communications. There is an exception to this rule which has been widely referred to as the soft opt-in (Regulation 22(2) refers).

  • You cannot transmit, or instigate the transmission of, any marketing by electronic mail (whether solicited or unsolicited) to any subscriber (whether corporate or individual) where:
    • your identity has been disguised or concealed; or
    • you have not provided a valid address to which the recipient can send an opt-out request; or
    • that electronic mail would contravene regulations 7 or 8 of the Electronic Commerce (EC Directive) Regulations 2002 (SI 2002/2013); or
    • that electronic mail encourages recipients to visit websites which contravene those regulations (Regulation 23 refers).
  • A subscriber must not allow their line to be used to breach Regulation 22(2) (Regulation 22(4) refers).

For further information, read our guidance on direct marketing (pdf).

What is the difference between a ‘solicited marketing message’ and an ‘unsolicited marketing message that the subscriber consents to receiving’?

A ‘solicited message’ is one the subscriber has actively invited - in other words, if someone specifically asks you to send them some particular information.

An ‘unsolicited marketing message’ is any message that has not been specifically requested - even if the subscriber has ‘opted in’ to receiving messages from you. An opt-in just means that they do not object to future messages. This is not the same as soliciting a particular message. If challenged, you would need to demonstrate that the subscriber has positively opted into receiving further information from you.

What would be a ‘valid address’ for the purpose of Regulation 23?

Online, this could be a valid email address. We accept that short code numbers could be used as a ‘valid address’ in text messages, as long as they do not incur costs other than the cost of sending the message (that is, using the short code does not incur premium-rate charges). As good practice, promotional text messages should include a valid website address (where further valid contact details can be found) or a valid PO Box number.

Is there any difference between an individual subscriber and the recipient of marketing material by electronic mail (Regulation 22(2))?

Yes, there is a difference.

The Directive that these Regulations implement says unsolicited marketing should not be sent by electronic mail to an individual subscriber unless the subscriber has given consent. However, this Regulation refers to the recipient’s consent. We consider ‘the recipient’ to mean the intended recipient. If a household member has an individual email address, then the consent of that individual is required unless the soft opt-in criteria are satisfied. If a household has a household email address (for example, familyname@domainname.com) then the consent of someone whom it is reasonable to believe speaks on behalf of the family is sufficient, unless the soft opt-in criteria are satisfied.

What is ‘soft opt-in’ (Regulation 22(3))?

This is what the law states:

You may send or instigate the sending of electronic mail for marketing purposes to an individual subscriber where:

  • you have obtained the contact details of the recipient in the course of a sale or negotiations for the sale of a product or service to that recipient;

  • the direct marketing material you are sending relates to your similar products and services only; and

  • the recipient was given a simple means of refusing (free of charge except for the cost of transmission) the use of their contact details for marketing purposes when those details were initially collected and, if they did not refuse the use of those details, at the time of each subsequent communication.

If you satisfy these criteria, you do not need prior consent to send marketing by electronic mail to individual subscribers. If you cannot satisfy these criteria, you must not send marketing by electronic mail to individual subscribers without their prior consent.

How does the ICO interpret ‘in the course of a sale or negotiations for the sale of a product or service’?

A sale does not have to be completed for this to apply. It may be difficult to establish when negotiations begin. However, you may continue to market to someone by electronic mail:

  • if they have actively expressed an interest in buying your products and services; and
  • if they have not opted out of further marketing of that product or service or similar products and services when their details were collected (despite being offered the opportunity to do so); and
  • unless and until they opt out of receiving such messages at a later date (despite being offered the opportunity to do so in each communication).

We do not consider that ‘negotiations for the sale of a product or service’ includes the use of cookie technology to identify someone’s area of interest when they are browsing your website. Unless they have expressly communicated their interest to you by, for example, asking for a quote, no ‘negotiations’ can be said to have taken place for the purpose of these Regulations.

As another example, if you are a national retailer and someone emails you asking if you are going to open a branch in their town, the expected response would be ‘yes’ with details, or ‘no’, perhaps with details of your other stores in that area. This query does not do any of the following:

  • form part of a negotiation for the sale of a product or service;
  • form an invitation to you to send the person further information about your products or services;
  • indicate consent to receive further promotional emails from you.

You could send a person emails promoting your products and services if they:

  • expressly invited you to;
  • consented to your suggestion that you send them promotional emails; or
  • did not object to receiving emails during a sale or negotiations for a sale.

For more information, see our guidance on direct marketing (pdf).

How does the ICO interpret ‘similar products and services’?

We believe the intention of Regulation 22 is to ensure someone does not receive promotional material about products and services they would not reasonably expect to receive. For example, someone who has shopped online at a supermarket’s website (and has not objected to receiving further email marketing from that supermarket) would expect at some point to receive further emails promoting other goods available at that supermarket.

For more information, see our guidance on direct marketing (pdf).

A recipient can opt out if they think a company has gone beyond the boundaries of what they would reasonably expect that company to do – something most responsible marketers will be keen to avoid. So for the time being we will focus in particular on failures to comply with opt-out requests. We will continue to monitor how far marketers take account of the reasonable expectations of individual subscribers.

Regulation 22 does not spell out our obligation to respect an opt-out request from individual subscribers. Does this mean we don’t have to comply with such requests?

In our view, if you can send marketing by electronic mail to individual subscribers only if they have provided prior consent, this implies the option to withdraw that consent at a later stage. We would quote the inclusion of the phrase ‘for the time being’ to support our view. We will take enforcement action against companies in the UK jurisdiction who persistently fail to comply with opt-out requests from individual subscribers.

Surely SMS marketing can’t be subject to the same rules as conventional email – after all, the standard mobile phone screen can only hold 160 characters.

The practical limitations of standard mobile screens do not mean marketers can ignore the rules. You can give information about the marketing you intend to do before actually sending a marketing message or even before you collect the mobile number in question, for example in an advert or on a website where the recipient signs up for the service.

Assuming the recipient has clearly consented to receiving messages, each message will have to identify the sender and provide a valid suppression address. Originally, we took the view that only a postal or email address would satisfy this Regulation. We were concerned that ‘pay as you go’ mobile phone users may not have a permanent record of any opt-out message they had sent (as opposed to an itemised bill available for users of contract phones which would, at the very least, be proof that a message of some kind had been sent). Given widespread use of ‘pay as you go’ mobile phones, particularly by children, we were concerned that ‘pay as you go’ users would not be able to present a strong case to us (or to a court if they sought to pursue an action for compensation) due to a lack of evidence showing they had asked the marketer to stop and that request was being ignored.

Many marketers have said that people are less likely to bother writing a formal letter and it would be easier for individuals if they could text an opt-out to a short code number at the bottom of a message. This would be more consistent with our approach regarding valid addresses for emails.

So we are now prepared to allow the use of short codes as a valid address, provided the sender ensures that:

  • they clearly identify themselves in the message (for example, ‘PJ Ltd’);
  • using the short code does not incur a premium-rate charge; and
  • the short code is valid.

If you use a short code as a valid address, we suggest you use the format ‘PJLtd2STOPMSGSTXT‘STOP’TO (then add a 5-digit short code)’.

Marketing messages that claim to be from ‘a good friend’ or from ‘someone who fancies you’ and so on, are unlikely to comply with the Regulations if the company whose goods and services are being promoted, for example, the dating agency, does not clearly identify itself at some point in the message.

Do we have to screen against the TPS if we are sending unsolicited marketing by text, picture or video messages?

No. TPS registration indicates a general objection to receiving live marketing calls. Text, picture and video messages are defined as ‘electronic mail’ under the Regulations. They should not be sent without the prior consent of the individual subscribers unless the soft opt-in criteria are satisfied. So you do not have to screen against the TPS because you should already have established prior consent or satisfied the ‘soft opt-in’ criteria.

However, you must make sure you identify yourself in any text, picture or video messages you send and provide a valid address to which recipients can send an opt-out request. If you are sending the message on a soft opt-in basis, you must provide a simple means of refusing further messages that is free of charge except for the cost of transmitting the refusal. You will not satisfy this obligation if you only supply a premium-rate or national-rate number in these circumstances.

We will collect email addresses or mobile phone numbers as part of a competition. Could this be considered as being ‘in the course of negotiations for the sale of a product and service’?

It depends – on the context and on what you tell the person when you collect their details. If a competition is part of an inducement to raise interest in a product or service, there might be some cases where this forms part of the negotiations for a sale. However, if you are unclear about what you will do with someone’s email address or mobile phone number when you collect those details, or if you are clear but your reasons are not readily accessible, you are unlikely to be able to rely on the ‘soft opt-in’. If you have collected someone’s name with their email address or mobile phone number (or both) and you have not been clear about what you are going to do with that information, you may also breach the first data protection principle.

For more information on how to comply when collecting contact details, see our guidance on direct marketing (pdf).

Third-party electronic mailing lists

Do we always have to obtain any consent or invitation to market by electronic mail directly from the recipient, or can we use consent obtained by a third party?

You need to be very careful when relying on indirect consent originally obtained by someone else. This is because the Regulations require that the customer has notified you that they consent to your messages. On a strict interpretation, indirect consent would not meet this test – as the customer did not directly notify you, they notified someone else. So it is best practice to only send marketing texts or emails if you obtained consent directly from that person.

However, we do accept that indirect consent might be valid in some circumstances, if it is clear and specific enough. In essence, the customer must have anticipated that their details would be passed to you, and that they were consenting to messages from you. This will depend on exactly what they were told when consent was obtained.

For more information on indirect consent, see our guidance on direct marketing (pdf).

If we buy in or rent a list, can we use it?

If you buy or rent a marketing list you must perform your own due diligence checks to satisfy yourself that the details were obtained fairly and lawfully, that the individuals understood their details would be passed on for marketing purposes, and that you have the necessary consent for your marketing.

You should take extra care if you are using a bought-in list to send marketing texts or emails or to make automated calls. You must have very specific consent for this type of marketing, and indirect consent (ie generic consent originally given to another organisation) will not always be enough.

You can use a bought-in list to make marketing calls, but you must screen the list against both the TPS and your in-house suppression list.

For more information on using bought-in marketing lists, see our guidance on direct marketing (pdf).

Can we advertise the products and services of third parties by electronic mail?

If you are offering a ‘host mailing’ service, you are not disclosing your mailing list to a third party but you are willing, for a fee, to promote their goods and services alongside yours. It is unlikely you could send such messages on a soft opt-in basis because they are not your similar products and services. However, you could send such material on a clear ‘opt-in’ basis, provided you make clear that you and not the third party are the sender.

Can we pass our list of email addresses or mobile numbers on to a third party for them to use for marketing purposes?

If the email addresses or mobile numbers in question are those of individual subscribers, the third party will not be able to use them to send unsolicited marketing material unless the subscriber has consented to receiving it from that third party (that is, ‘the sender’). You must make clear who you are proposing to pass the details to and what sort of products and services they will be offering.

For example, a positive response to a question such as ‘We would like to pass your details to specially selected tour operators so they can send you more information by email about holidays in America. Do you agree to this?’ is likely to be enough to allow tour operators to use those contact details for promoting holidays in America by electronic mail. You would not be able to sell those details to other types of business, or to a generic list broker.

A phrase such as ‘We will pass your details to third parties unless you write to us and tell us you don’t agree’ will not be enough. You should not use contact lists that have been obtained like this.

Only the individual should decide what happens to their electronic contact details. You must not disclose an individual’s contact details to third parties for their marketing purposes unless that individual actively consents to this.

For more information on selling marketing lists, see our guidance on direct marketing (pdf).

Group companies and trading names

How do the rules on marketing by electronic mail apply to marketing by different companies within a group of companies?

If you disclosed individual subscribers’ contact information within your group in line with existing data protection rules before 11 December 2003 and those other group companies had already used that information before that date and have continued to use it and not received an opt-out request, then those other group companies may still use that contact information as long as further opt-out opportunities are given with every subsequent message.

After this date and in the future, you must, as a minimum, ask individuals whether they consent to receiving unsolicited marketing by electronic mail from other group companies when you collect their contact details. Online, you could provide a link listing those group companies. You may even want to consider providing separate opt-in opportunities for each company on that list to give the individual greater choice and to target your group’s marketing more efficiently. Another option may be to provide an opportunity for the individual to invite (solicit) contact from other companies in the group.

Our company has a number of different trading names; surely an opt-in for one of the trading names is an opt-in for all because there is only one legal entity?

If you trade under several different names, particularly where those names are strong brands, you should not assume that a customer who agrees to receive mailing from one trading entity is agreeing to receive marketing from your other trading entities. Customers may not even be aware of any connection between different trading names. Under the Data Protection Act, if you are collecting personal data, you will need to ensure the different entities are clearly explained to your customers.

You would need to ensure they know that they will receive unsolicited marketing from all your trading names when they opt in to receiving marketing from you. Similarly, when an individual opts out of receiving unsolicited marketing from one of your trading names, this opt-out applies to all your trading names, unless they make it clear otherwise.

If you are collecting information on a soft opt-in basis, you may have considerable difficulty satisfying the similar products and services criteria if you want to send further unsolicited marketing relating to your full range of trading names. You could avoid this by providing an opportunity for the individual to invite contact from the wide range of trading names within the company.

Business to business

How do the Regulations apply to business-to-business marketing by electronic mail?

Your obligations are as follows:

  • You must not conceal your identity when you send, or instigate the sending of, a marketing message by electronic mail to anyone (including corporate subscribers); and

  • you must provide a valid address to which the recipient (including corporate subscribers) can send an opt-out request (Regulation 23 applies).

Only individual subscribers have an enforceable right of opt-out under these Regulations. This is where that individual withdraws the consent they previously gave to receiving marketing by electronic mail (that consent only being valid for the time being (Regulation 22(2) applies)). Corporate subscribers do not have this right.

Recipients who are corporate subscribers do not have an enforceable opt-out right under the Regulations. But where your sending of marketing material to the employee of a company includes processing their personal data (that is, you know the name of the person you are contacting), then that individual has a fundamental and enforceable right under Section 11 of the Data Protection Act to ask you to stop sending them marketing material.

In our view, it makes no business sense to continue sending marketing material to a business contact who no longer wishes to hear from you. Arguably, by failing to respect a business-to-business opt-out request you may appear indifferent to your commercial reputation.

How do these Regulations apply to unsolicited marketing material sent by electronic mail to individual employees of a corporate subscriber if that material promotes goods and services that are clearly meant for their personal or domestic use?

The ‘Spam’ report of an Inquiry by the All-Party Parliamentary Internet Group (APPIG) recommended that the Information Commissioner set out clear guidance as to how business-to-business communications are to be distinguished from messages intended for individual subscribers. This recommendation was prompted by an observation that an invitation to buy Viagra, sent to the sales address of a shipping company, could only be interpreted as being sent to an individual, since it would be of no business relevance. The problem is that the ‘opt-in’ and soft opt-in rules do not extend to sending marketing emails to corporate subscribers. In the example above the subscriber will be the shipping company, because that is the person who is party to a contract with a provider of public electronic communications systems. So this means that even an email addressed to an individual in the company will not be covered by the Regulations, although that email may be subject to the DPA, and an opt-out request under Section 11 of the DPA could be issued.

For the purposes of the Regulations, it is irrelevant that an email sent to a corporate subscriber’s address is obviously aimed at an individual because it promotes a product that is for personal or domestic use. The Regulations simply do not cover emails sent to a corporate subscriber, except that you must identify yourself and provide contact details. However, such emails are likely to be covered by the individual’s right to object to direct marketing under the Data Protection Act.

We understand that the Committee of Advertising Practice (CAP) Code restricts the sending of such emails to corporate email addresses. For more on the CAP Code visit their website www.cap.org.uk.

How do the Regulations apply to sending text, picture and video messaging to mobile phones that are supplied to individual employees by corporate subscribers?

The law applies in exactly the same way as it does to sending emails to corporate subscribers.

Electronic mail marketing to partnerships

How do the Regulations apply to sending marketing messages by electronic mail to partnerships?

Under these Regulations, a non-limited liability partnership in England, Wales or Northern Ireland is an individual subscriber. This means that such a partnership (which may consist of several individuals and which may have a large number of employees) is given the same protection under these Regulations as a residential subscriber or a sole trader. This protection is not available to limited liability partnerships, to Scottish partnerships or to corporate subscribers that include small- and medium-sized limited companies.

Strictly speaking, you must get prior consent to send emails to any email address used by an unincorporated partnership, unless the soft opt-in criteria apply. This may be the generic contact email address of the partnership, for example, mail@partnershipname.com or it may be the separate email addresses used by individuals (partners, associates, other employees) working at that partnership.

This issue was debated during the Department of Trade and Industry’s consultation exercise before these Regulations were implemented.

What does this mean in practice?

Strictly speaking, the partnership could be viewed as the commercial equivalent of a large household. Yet we recognise there may be circumstances when the wishes of the subscriber, that is, the unincorporated partnership (which is legally responsible for charges incurred on its lines) might override the wishes of the employee. For example, an employer may insist that an employee keeps in regular contact with conference organisers. The employer’s wishes for unsolicited emails from conference organisers would override the wishes of the employee.

However, if someone working at the partnership consents to receiving unsolicited marketing material from the organiser, this does not mean everyone working at the partnership has consented to it.

Marketers must also remember that where they know the name of the person they want to contact, that person’s contact details must be processed in accordance with the eight data protection principles of the Data Protection Act. For example, where the Act applies, all individuals have a fundamental opt-out right under Section 11.

Who can give consent on behalf of individuals working at a partnership?

If you are targeting an individual working at a partnership, you must make sure you obtain the consent of the individual (or someone who can be reasonably assumed to be entitled to give consent on that individual’s behalf, for example, a secretary or assistant) before sending unsolicited electronic mail to that individual, unless the soft opt-in criteria apply.

Partnerships may wish to make sure their key frontline staff, for example, switchboard operators, receptionists, administrators, secretaries, are informed of any office policy regarding the disclosure of employee contact details.

Individuals employed by partnerships must remember that for their work email address and mobile phone, it is ultimately their employer’s consent choices that take precedence.

Who can give consent on behalf of the partnership?

You must make sure you have obtained consent from someone working for that partnership who it is reasonable to assume has the authority to give such consent. Partnerships may wish to make sure their key frontline staff, for example, switchboard operators, receptionists, administrators, secretaries, are informed of any office policy regarding the disclosure of office contact details.

Electronic mail marketing to sole traders

How do the Regulations apply to sending marketing messages by electronic mail to sole traders?

Under the Regulations, sole traders are also individual subscribers.

That said, we have recognised in earlier enforcement that marketers may have difficulty distinguishing sole traders from small limited companies, particularly where a sole trader’s contact details are available in business directories. However, you should do your best to ensure you do not send marketing messages by electronic mail to sole traders, in breach of the Regulations. For example, you can check free of charge on the Companies House website whether or not a trading entity is a limited company.

Charities, political parties and not-for-profit organisations

We are a charity, political party, or not-for-profit organisation; can we take advantage of ‘soft opt-in’?

Only if you are promoting commercial goods and services, for example, those offered by your trading arm. We recognise that this disadvantages you and we raised this point in our response to the consultation by the Department of Trade and Industry in advance of these Regulations. However, the EU Directive from which these Regulations are derived specifies that the soft opt-in rules on marketing by electronic means apply to commercial relationships.

You may wish to look again at the wording of your data protection and privacy statements so that you are asking a person to actively ‘invite’ promotional information from you through electronic mail. As outlined above, there is a difference between someone actively soliciting promotional material by electronic mail and consenting to receiving any promotional material you choose to send them by electronic mail (unsolicited marketing material). One option would be to ask them if they consent to receiving unsolicited marketing material.

You must still identify yourself and provide a valid address for opt-outs in each electronic mailing.