The ICO exists to empower you through information.

What is direct marketing?

Direct marketing is any type of advertising or promotional material aimed at a particular person. Mass marketing, such as an advertisement in a magazine, isn’t aimed at anyone in particular.

The direct marketing rules apply to any type of communication. They’ll apply to you if you’re sending someone information about your latest products, services, fundraising or other campaigns by email or post. They also apply if you’re contacting people through social media or calling to ask if they’re interested in something you offer.

Do we need consent for postal marketing?

If you’re sending direct marketing by post, you don’t need consent.

However, if you’re putting someone’s name on a letter or flyer, you’ll need a lawful basis for using their personal data. This also applies if you know the name or other information which can identify the person you’re sending the marketing to.

Make sure you’re clear and open about how you’ll use people’s information from the outset. As with all forms of direct marketing, you also must stop sending direct marketing by post if the person asks you to stop.

If you’re unsure about marketing and consent, you can contact us for more advice.

Does PECR still apply?

Yes. If you want to use email, telephone, or text messages to tell people about your products, services, ideas or fundraising, it’s not just data protection you’ll need to think about. You should also consider the rules around electronic marketing. These are known as the Privacy and Electronic Communications Regulations (PECR).

What does the ‘soft opt-in’ mean?

‘The soft opt-in’ is a term used for where an organisation sends marketing emails or texts using customer data they gathered when that customer bought or expressed interest in their products or services. There are certain criteria which need to be met to rely on the soft opt-in.

When can we use the ‘soft opt-in’?

You can only use the soft opt-in when you're sending marketing emails or texts to offer similar goods or services. For example, if a customer buys a car from you and gives you their contact details, you’d only be able to market to them things that relate to the car eg offering services or MOTs. You need to give the customer a chance to opt-out at the time that you collected their data, and every time after that when you contact them for marketing purposes, and it must be clear and easy to do so.

The soft opt-in can only be used when you’re selling something or negotiating to sell something. This means that charities can’t use soft opt-in for campaigning, for example.

If you’re unsure whether you can use soft opt-in in your situation, you can contact us for more advice.

Do we need consent in order to process personal data?

Not necessarily. There’s more to data protection than consent and relying on consent isn’t always appropriate.

To process personal data, you’ll need to choose a valid reason, and once you’ve chosen your reason you must stick to it. There are six valid reasons, known as ‘lawful bases’, to choose from and the one you choose will be your lawful basis for processing personal data. Consent is one of these six lawful bases, but if you choose a different one instead, you won’t need consent. No lawful basis is better or stronger than any of the others; it just depends on your situation.

You can use our lawful basis checker to help you decide which lawful basis is right for you.

For example, Rachel collects contact details of her customers so that she can post their orders to them. It’s necessary to have the names and postal addresses of her customers, otherwise Rachel wouldn’t know where to send the goods that have been ordered. She records and uses these contact details under the lawful basis of ‘performance of a contract’.

However, if Rachel wanted to add customers to a social media group connected with her business, or use photographs of her customers or staff in a marketing campaign, she needs to consider what lawful basis she uses for this, as she wouldn’t be able to rely on her original lawful basis. This is because Rachel is doing something more with the personal data than fulfilling a customer order – it’s an optional extra use of the data that people wouldn’t necessarily expect when they’re ordering her products. Rachel decides that to be lawful, fair, and transparent, she needs to seek the consent of her customers and staff before she starts up her social media group or marketing campaign. Rachel would also need to consider PECR when thinking about sending marketing to people electronically, such as by email or text message.

If you’re unsure whether you need consent in your situation, you can contact us for more advice.

What are the rules on marketing emails or texts?

Marketing emails or texts need to comply with the electronic marketing rules in PECR as well as data protection laws, where relevant. The rules are different depending on who you’re contacting and what you’re promoting.

If you want to send any marketing emails or texts to corporate subscribers, which include limited companies and limited liability partnerships, you don't need consent under PECR. For example, emailing a generic business email address such as [email protected] with information about your products or services would usually be considered marketing to a corporate subscriber.

Data protection laws do apply to business-to-business marketing, where you’re using personal data such as the name or phone number of a business contact, rather than only their company’s name. The person you’re planning to email or text could be an individual customer, sole trader or in a certain type of partnership. If this is the case, you’ll need to have their consent before you can market to them (unless the soft opt-in applies). You should also let them choose how they want to hear from you.

For any marketing emails or text messages to people, you must say who you are and tell them how to opt-out. You must do this on every such message that you send.

If you’re unsure about the rules around marketing emails or texts, you can contact us for more advice.

What are the rules on live telephone marketing calls?

Live telephone marketing calls need to comply with the electronic marketing rules in the Privacy and Electronic Communications Regulations 2003 (as amended) (PECR) as well as data protection laws.

The rules for most types of live marketing calls are that you can’t call anyone who has told you they don’t want your calls. You can’t call anyone whose number is registered on the Telephone Preference Service (TPS) or the Corporate Telephone Preference Service (CTPS) either. These services allow people and businesses to opt-out of unsolicited live marketing calls. Even if someone’s number isn’t on the register, if they’ve previously told you not to call them, then you can’t call them.

There are some specific types of live marketing call that have stricter rules. If you want to make live calls about claims management services (eg PPI and accident claims) you must have consent. If you want to make live marketing calls about pension schemes you:

  • must be a trustee or manager of a scheme, or authorised by the Financial Conduct Authority; and
  • must either have consent for the call, or your relationship with the person must meet strict criteria.

If you’re unsure about the rules around live marketing calls, you can contact us for more advice.

What are the rules for making automated marketing calls?

Automated marketing calls use an auto-dialling device that plays a recorded message when the call is answered. To make these calls, you must get consent from the customer that they want to receive your marketing in this way. Consent for general marketing, or live marketing calls, isn’t enough.

When you make your automated marketing call, you must display your number and your message must say who you are, as well as giving your contact details or a freephone number.

What counts as consent for direct marketing?

Data protection law has a high standard for what counts as consent. For consent to be valid, you must make it very clear to people exactly what they’re consenting to, and they need to give their consent freely. This means you can’t require consent in exchange for a service. You also need to make sure consent is given by an ‘affirmative action’ – or, in other words, the person actively takes a step to give you their consent. You can’t use pre-ticked opt-in boxes. People can withdraw their consent at any time and you should make it as easy as possible for them.

If you’re relying on consent, you can’t use people’s personal data for any purpose other than the one they originally consented to. For example, if someone gives you consent for their details to be used for a prize draw, they’re hoping to hear from you if they win. However, the consent they’ve given for their details to be used for the prize draw can’t be carried over for anything else. They don’t expect to hear from you about anything else.

If you’re unsure what counts as consent in your situation, you can contact us for more advice.

When can we rely on legitimate interests for sending marketing?

You need to be able to justify that sending marketing is in your legitimate interests – or someone else’s – and you need to balance these interests against people’s rights and expectations. But that’s only if PECR doesn’t apply, such as when you’re marketing by post, or if you don’t need consent under PECR. This is because electronic marketing has to comply with PECR as well as data protection laws. When you need consent under PECR, it makes sense to use this as your lawful basis under the UK GDPR. This will mean legitimate interests is unlikely to be appropriate or necessary.

Make sure you’re open and clear about how you’ll use people’s information.

Does data protection law apply to business-to-business marketing?

Data protection law applies to personal data which essentially means any information that identifies someone personally and tells you something about them such as their name, where they work, or their home address.

Therefore, data protection law applies to business-to-business marketing if the business details you use contain personal data, rather than business data.

The work email address [email protected] and a business card with John Smith’s name on it are both examples of John’s personal data, so data protection laws would apply to how you use this information. John would be able to use his data protection rights to ask you to stop using his personal data for marketing purposes, for example.

Business-to-business marketing doesn’t only have to comply with data protection laws, but also the ones around electronic marketing known as the Privacy and Electronic Communications Regulations (PECR). And the rules about not sending unsolicited emails to individuals also apply to sole traders and people who work for themselves. This means that if you send business marketing to a sole trader’s email address, and you haven’t got that person’s prior consent, that’s likely to breach PECR.

You can’t rely on an email address to determine whether a person is a sole trader or a limited company.

If you’re sending marketing emails to the business email address of a limited company and it doesn’t contain any personal data, such as [email protected], then data protection laws won’t apply. PECR doesn’t stop you sending electronic marketing emails or texts to these email addresses, but you’ll need to say who you are and tell people how they can opt-out from receiving further messages from you.

But if you’re planning on calling businesses to market your services, you need to check the Corporate Telephone Preference Service. This is a register of businesses that don’t want to receive unsolicited marketing calls.

If you’re unsure about business-to-business marketing and data protection for a small business, you can contact us for advice.

What is a service message?

Sometimes you might need to send important information to a particular person, such as an appointment reminder or a notification of payment failure. We call these service messages and they don’t count as direct marketing.

A service message is for information only; it can’t contain anything promotional.

For example, if you sent a customer a text saying, “Our engineer will be round to service your central heating system at 10am on Tuesday”, that would be a service message. It’s a factual piece of information that isn’t promoting anything.

But, if that text included “You can save money on your service by signing up to our Home Care plan”, it would be promotional material and therefore counts as direct marketing.

Think about why you’re sending the message. If you want to encourage a specific person to do something, such as buy a product or sign up to a campaign, it’s likely to be direct marketing. This is the case, even if that’s not the main purpose of the message. But note, simply including your logo or branding on the message is unlikely to be considered direct marketing on its own.

Do we need to pay compensation if we don’t follow the PECR rules about marketing and cookies?

You’ll be breaking the law if you don’t follow the Privacy and Electronic Communications Regulations (PECR) about sending direct marketing messages or using cookies. This can result in us taking action against you. But the ICO can’t award compensation to people, even if we’ve said you’ve broken the law.

If someone suffers damage because you breached PECR they can make a claim for compensation against you in court without involving the ICO. A possible defence is to prove you took all reasonable care to comply with the law. The ICO is unable to advise on court claims so you should seek independent legal advice in these circumstances.

Even if somebody doesn’t make a complaint or claim against you, it’s good practice to periodically review your marketing or use of cookies and make any changes necessary to comply with the law. If you’re not sure on the PECR rules, contact us – we’re here to help.