The ICO exists to empower you through information.

We’ve written this blog to help small businesses market their products and services in ways people will trust. Small clubs and groups will also find these tips useful.

As a small business owner, you know that marketing can be vital to your success. But reputation is important too. If you use unlawful marketing tactics to promote your business, you’ll not only annoy people, but you’re also more likely to come to the ICO’s attention. That’s because nuisance marketing calls, texts and emails are among the complaints we receive most often.

Here are five marketing tips for small businesses to help you comply with the UK GDPR and the Privacy and Electronic Communications Regulations 2003 (as amended) (PECR).

1. Show customers that you care

Some people like to receive promotional messages and enjoy being kept in the loop. But it’s not the same for everyone. As a responsible business, you’ll want to comply with the law and respect people’s privacy.

You should:

  • tell them you want to send them direct marketing;
  • let them choose if they want to be on your marketing list; and
  • let them choose how they want to hear from you.

However you choose to get in touch, make sure you’re fair with people, tell them how you’ll use their information, and explain how they can opt out of receiving marketing messages from you. Even if they’ve opted in before, people can change their mind and decide to unsubscribe from marketing.

If some people don’t want to hear from you at the moment, you must:

  • respect their wishes;
  • keep a ‘do not contact’ list; and
  • refer to your ‘do not contact’ list before contacting anyone about your products or services.

Referring to an up-to-date ‘do not contact’ list will help you to build your reputation as a business that cares about people’s privacy.

2. Know what people want

Small business owners can build their customer base if they have a good understanding of what people want to do or buy.

When receiving marketing information, people are more likely to respond to products and services they’re interested in – which can maximise your profits. You can use information already available to you to understand your customers’ spending preferences. For example, what are your most popular products based on your sales history? Which services do you receive the most enquiries about? Good information handling practices are essential though, so make sure you’re clear and open about how you’ll use people’s information and don’t use it in ways they wouldn’t expect.

If you want to conduct genuine market research this wouldn’t be considered direct marketing. But you mustn’t include any promotional content. It’s unfair and unlawful to give people the impression you’re gathering their information for one purpose and then later change it to another.

3. Maximise your telephone marketing budget

Telephone marketing can be costly, so if you call people who don’t want to hear from you, this will be wasteful as well as potentially unlawful. Complying with the rules makes good business sense because those on your call list are more likely to be receptive.

You don’t usually need consent to make live marketing calls to people or other businesses. However you can’t call anyone who has previously asked you not to call them or who has registered their number with the Telephone Preference Service (TPS) or Corporate Telephone Preference Service (CTPS). The TPS and CTPS hold registers of numbers of people and businesses who don’t want to receive live direct marketing calls.

If you want to override a previous objection or registration with either the TPS or CTPS, the person or business you’re calling must have specifically told you they want your live marketing calls.

When making marketing calls, you’ll need to say who’s calling, make a valid contact number visible and give your contact details or freephone number if asked.

If you want to make live marketing calls about pension schemes or claims management services there are specific rules you must follow. See our marketing and consent FAQs for more information.

You must have consent from the recipient before making any automated marketing calls. This rule applies to individuals and businesses.

4. Give your customers options

When a new customer interacts with you for the first time, this is your opportunity to find out what marketing they would like from you. You can do this by including clear opt-in boxes for each method of contact so they can tick to agree to your chosen methods of marketing.

Your existing customers might like to hear about your similar products or services, including your upcoming deals and special offers. It’s possible to send electronic marketing mail (eg emails and texts) without an opt-in. But only if you’re using customer contact details you gathered when that customer bought or expressed an interest in what you’re selling. You also need to make sure:

  • you collected the customer’s details directly from them;
  • the message is about your similar products or services;
  • you gave them a clear and easy way to opt out of your marketing messages when you first collected their details; and
  • you give them a chance to opt out each time you message them.

This is often known as the soft opt-in and can work well for small businesses with lines of products or services that are similar.


Luke owns a medium-sized online clothing store. As he collects his customers’ details directly from them via his website, he decides to use the soft opt-in to send them marketing emails. He updates the purchase process on his website to include a prominent, clear opt-out box for his customers to use if they don’t want to receive email marketing from his store. He also puts an unsubscribe button on each of his marketing emails in case his customers want to change their mind. By relying on the soft opt-in, Luke can send marketing about his new clothing ranges to those customers who didn’t opt out from receiving such emails, without needing their consent.

5. Know when you can send marketing emails and texts to other businesses

The rules around sending email and text marketing to other businesses  aren’t always as strict as for marketing to individual customers.

But it’s important to understand that sole traders and some types of partnership are viewed by PECR in the same way as individual customers. So you’ll need their consent or you’ll need to meet all the requirements of the soft opt-in before sending marketing emails or texts.

You can send marketing emails and text messages to any corporate body (eg limited companies) as long as you’re clear in each message about who you are and how they can opt-out.

There may be times when you want to send direct marketing addressed to a specific person at another business. This could be if you know their name, or if their email address identifies them eg [email protected]. You can do this as long they haven’t previously asked you not to send them marketing. You must tell them what you’re doing and make sure you have a lawful basis. If this marketing is in your legitimate interest, and you’ve balanced this against the person’s rights and expectations, it’s likely legitimate interests can be used as your appropriate lawful basis.


Rachel runs a small catering business, and wants to let companies know about her new catering line. Her privacy notice is linked clearly in her email signature and explains that she may contact clients about other products she offers, using legitimate interests as her lawful basis.               

She uses the email addresses stored on her invoice system to contact events companies she’s worked with before. As she knows they’re corporate subscribers, she doesn’t need consent or the soft opt-in to contact them. Rachel keeps a record of which businesses she has contacted and why and also includes an opportunity to opt out in the marketing email she sends.