
Jointly Prepared Statement from the Information Commissioner’s Office (ICO) and Financial Conduct Authority (FCA) on Targeted Support and Direct Marketing

11 December 2025

Introduction

It is important for your customers to receive timely and relevant information to support decisions about their finances, while having their direct marketing preferences and data protection rights respected. This is crucial in order for customers to trust the information they receive, helping them to make informed decisions and pursue their financial goals.

Under the framework set out in the FCA’s policy statement (PS25/22), authorised firms would be able to offer a new type of help called ‘targeted support’ and make suggestions to an individual based on them being in a group of consumers with common characteristics. These could include customers who may be currently drawing down on their pension unsustainably, not saving enough for retirement, or who could be in a position to invest some of their cash savings. Targeted support aims to help consumers navigate their financial lives and tackle some of the difficult financial decisions we all face: how to save; invest; and prepare for a comfortable retirement.

We have heard from firms that they would benefit from regulatory clarity on how targeted support messaging interacts with existing direct marketing rules under data protection law.  

This joint statement addresses these calls for regulatory clarity. The statement has also been published in parallel to the publication of the FCA’s Policy Statement on targeted support and HM Treasury’s response to its policy note on targeted support.   

Summary of firms’ data protection and direct marketing obligations 

Data protection law enables people’s personal information to be used in ways that empower and benefit them, while safeguarding their rights. The ICO’s regulatory approach supports this, seeking to create an environment in which people are protected, while ensuring that organisations which process personal information can operate and innovate efficiently and responsibly 1.

For targeted support, you will need to process personal information to align customers with a particular consumer segment before sending tailored messages. You must ensure that you comply with the UK General Data Protection Regulation (UK GDPR), the Data (Use and Access) Act (DUAA) and the Privacy and Electronic Communication Regulations 2003 (PECR) when delivering targeted support, for example by:

  • upholding data protection principles, including being transparent and fair with consumers about what you want to do with their personal information for targeted support;   
  • having a valid lawful basis for processing personal information, and an additional condition if processing any special category data 2;  
  • respecting individuals' information rights, including their right to be informed about the processing of their personal information, rights concerning automated decision making (including profiling) and their absolute right to object to direct marketing;
  • not sending electronic mail marketing (eg emails, text messages, direct messages on social media) to individuals unless: 
    • they have specifically consented to receiving electronic mail marketing from you or 
    • they are an existing customer, and you gave them a simple way to ‘opt out’ of direct marketing, both when you first collected their details and in every message you have sent (this is known as the ‘soft opt-in’).   

ICO guidance explains how the soft opt-in can be used to send marketing by electronic mail. Under the soft opt-in you can only send electronic mail marketing about similar products and services that people would reasonably expect to receive. For example, a bank that provides a customer with a current account may consider that the customer would reasonably expect emails about other products commonly sold by banks.

When a message is not direct marketing, it can be communicated to all customers, including those who have opted out of direct marketing, not consented, or when no ‘soft opt-in’ opportunity was available.

How firms can engage their customers about targeted support 

You can engage with your customers about targeted support, so that customers can find out how you support effective decision making and better financial outcomes, while ensuring the UK GDPR, the Data Protection Act 2018 and PECR are complied with. 

Ways that firms can actively promote their targeted support offering that are not covered by direct marketing rules  

You can promote targeted support to all of your customers in ways which are not covered by direct marketing rules and PECR. For example: 

  • displaying a message on your website or mobile application (eg showing the same message to everyone that visits the site or to everyone that logs into their online account).  
  • during inbound calls (eg everyone who calls your helpline hears a recorded message about targeted support, and/or your operative tells the person about it during the conversation).  
  • posting messages about targeted support on your social media accounts (eg broadcasting it to all your followers or all users of the platform). 

These types of messages can be broadcast to all customers and can be promotional and marketing material so long as the messaging is not directed at any one particular individual.  

Respecting people’s direct marketing preferences, and providing clear choices 

You must carefully consider what messages the permissions from customers cover.  

If a customer agrees to receive direct marketing in relation to targeted support, this means that you can only use their information for this purpose and send messages promoting actions, products or services that relate to the provision of targeted support (including initiating its delivery). It doesn’t mean that you can use their information for other purposes which are not part of targeted support (unless these customers have, for example, given previous permissions for other such purposes). 

When customers are seeking to give or change their direct marketing and/or targeted support permissions, they must be given clearly communicated options, which may cover the different types of processing and messages you envisage. Consent must not be bundled with other purposes.  

You can also remind people about their direct marketing and targeted support preferences, if the reminder forms a minor and incidental addition to a message that you are sending anyway. The content must be for another purpose and not include marketing material. For example, an annual statement that includes a message at the end saying how a customer can update their preferences for direct marketing and targeted support (but not encouraging them to change their mind). 

Engaging customers who have provided permission to receive direct marketing

For some customers, you may already have appropriate direct marketing permissions to send targeted support messages. As this is a new processing activity, you will need to consider how you comply with data protection requirements such as having an appropriate lawful basis for the underlying processing of personal data (likely consent or legitimate interest), providing clear information about the processing and giving customers a way to opt out.

This includes ensuring you are transparent with customers about the data processing taking place, including any profiling, and the messages customers should expect to receive from you; and ensuring customers are given the opportunity to object to this data processing.  

Engaging customers who have not provided permission to receive electronic direct marketing

Where customers have not consented to receiving electronic direct marketing, and the soft opt-in does not apply, you must respect the direct marketing preferences of your customers. However, this does not prevent you from making customers aware of your new authorisation to provide targeted support, where you have been provided with this authorisation.

You could do this by sending a message (eg an email) to customers which doesn’t constitute direct marketing but ensures customers are aware of your targeted support authorisation from the FCA so that the customer can choose, if they wish, to be part of it.  

For example, such a message could factually and neutrally reference information (but not encourage a course of action such as clicking on a particular link) on:  

  • what targeted support is (eg by telling them that further information is available on the MoneyHelper website);  
  • your authorisation to provide this service with a reference to information found on the FCA’s website;
  • where customers can go to find out more information on how to receive targeted support (eg a link to your website or in app where they will find general messaging directed at all customers);
  • how their personal information will be used in line with data protection laws if they receive targeted support; and 
  • the fact that other firms may provide targeted support.  

Engaging with customers to provide important messages about their finances 

Customers must still continue to receive important messages about their finances regardless of whether or not they’ve given permission for direct marketing or targeted support. The ICO and FCA have previously produced joint statements 3 on examples of messages which are important for supporting all customers along their financial journey, such as: 

  • warning a customer they are under-saving for retirement;
  • considering an important pension access decision;
  • drawing down on a pension unsustainably;  
  • telling customers about the performance of their investments or savings and the choices they have available; or
  • telling customers where they can access support. 

In these messages, you can remind customers that you are authorised to offer targeted support, using a neutrally toned, non-promotional factual message to tell them where to find more information (eg on your website or in app). You can also tell customers why you are contacting them, for example, because you think they may be in one of the above situations.  

Next steps 

The ICO and FCA will consider further options for future engagement from early 2026 to continue to support firms who want to contact customers about targeted support. 

1 The ICO will take fair, proportionate and timely regulatory action to protect people’s information rights. When considering whether a regulatory response is necessary, we will take into account any steps organisations have taken in good faith to comply with the law and to protect people from harm. While every case is different, the ICO will always use its powers in a robust, targeted and proportionate manner, ensuring that organisations are not concerned that the ICO may impose disproportionate sanctions. 

2 What is special category data?

3 Joint letter from the ICO and FCA to UK Finance and Building Societies Association; Joint statement from the FCA, ICO and TPR for retail investment firms and pension providers