The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Does PECR still apply?

Yes. If you want to use email, telephone, or text messages to tell people about your products, services, ideas or fundraising, it’s not just data protection you’ll need to think about. You should also consider the rules around electronic marketing. These are known as the Privacy and Electronic Communications Regulations (PECR).

Is soft opt-in allowed under data protection?

‘Soft opt-in’ is a concept from the Privacy and Electronic Communications Regulations (PECR). It’s where an organisation sends marketing messages using customer data they gathered when that customer bought or expressed interest in their products or services.

You can only use soft opt-in when you're offering similar goods or services. For example, if a customer buys a car from you and gives you their contact details, you’d only be able to market to them things that relate to cars. You need to give the customer a chance to opt out at the time you collect their data and every time after that when you contact them for marketing purposes, and the opt-out must be clear and obvious.

Soft opt-in can only be used when you’re selling something or negotiating to sell something. This means that charities can’t use soft opt-in for campaigning, for example.

If you’re unsure whether you can use soft opt-in in your situation, you can contact us for more advice.

Do we need consent to process personal data?

Not necessarily. There’s more to data protection than consent and relying on consent isn’t always appropriate.

To process personal data, you’ll need to choose a valid reason, and once you’ve chosen your reason you must stick to it. There are six valid reasons, known as ‘lawful bases’, to choose from and the one you choose will be your lawful basis for processing personal data. Consent is one of these six lawful bases, but if you choose a different one instead, you won’t need consent. No lawful basis is better or stronger than any of the others; it just depends on your situation.

You can use our lawful basis checker to help you decide which lawful basis is right for you.

For example, Rachel collects contact details of her customers so that she can post their orders to them. It’s necessary to have the names and postal addresses of her customers, otherwise Rachel wouldn’t know where to send the goods that have been ordered. She records and uses these contact details under the lawful basis of ‘performance of a contract’.

However, if Rachel wanted to add customers to a social media group connected with her business, or use photographs of her customers or staff in a marketing campaign, she needs to consider what lawful basis she uses for this, as she wouldn’t be able to rely on her original lawful basis. This is because Rachel is doing something more with the personal data than fulfilling a customer order – it’s an optional extra use of the data that people wouldn’t necessarily expect when they’re ordering her products. Rachel decides that to be lawful, fair, and transparent, she needs to seek the consent of her customers and staff before she starts up her social media group or marketing campaign. Rachel would also need to consider PECR when thinking about sending marketing to people electronically, such as by email or text message.

If you’re unsure whether you need consent in your situation, you can contact us for more advice.

What are the rules on marketing emails or texts?

Your marketing emails and texts not only have to comply with data protection laws, but also the ones around electronic marketing known as the Privacy and Electronic Communications Regulations (PECR).

The rules about sending electronic marketing such as emails and text messages to ‘corporate subscribers’ and ‘non-corporate subscribers’ are different.

A subscriber is a person who has a contract with the service provider, such as the person named on the bill for an internet connection.

Corporate subscribers are limited companies and limited liability partnerships. Non-corporate subscribers are private individuals, sole traders, and some partnerships.

If your customer is a non-corporate subscriber, you’ll need to have their consent before you can send marketing emails or texts to them (unless soft opt-in applies).

You don't need consent if you're marketing to a corporate subscriber. But you’ll need to say who you are and tell people how they can opt out from receiving further marketing from you.

If you’re unsure about the rules around marketing emails or texts, you can contact us for more advice.

What are the rules on telephone marketing calls?

Marketing calls not only have to comply with data protection laws, but also the ones around electronic marketing known as the Privacy and Electronic Communications Regulations (PECR).

We get a lot of complaints from people – including sole traders – who find telephone marketing calls annoying and disruptive. The Telephone Preference Service (TPS), which allows people and businesses to opt out of unsolicited live sales and marketing calls, keeps a register of landline and mobile numbers that you mustn’t call for marketing purposes. Even if someone’s number isn’t on the register, if they’ve previously told you not to call them, then you mustn’t call them.

There are also some specific products and services which you mustn’t call people about without prior consent, including pension products and claim services, such as PPI and accident claims.

In addition to the TPS, there’s also a Corporate Telephone Preference Service which is a register of businesses that you mustn’t call for marketing purposes. Again, you also need to make sure they haven’t previously told you not to call them.

If you’re unsure about the rules around marketing calls, you can contact us for more advice.

Does data protection mean we need consent for marketing?

Direct marketing – which is usually sent electronically or by post – means marketing messages aimed at someone, rather than a mass marketing appeal such as a flyer in a magazine.

If you’re sending direct marketing by post, even if it’s to a named person at an address, you don’t need their consent. However, you still need a lawful basis for using their personal data. This is because by putting their name on a letter or a flyer, you’re using their personal data, which means that data protection laws apply.

Most of the time you’ll need consent if you’re sending electronic marketing to a named person, but in some cases you might be able to rely on soft opt-in.

If you’re unsure about marketing and consent, you can contact us for more advice.

What counts as consent?

Data protection law has a high standard for what counts as consent. For consent to be valid, you must make it very clear to people exactly what they’re consenting to. You also need to make it so they take ‘affirmative action’ – or, in other words, actively take a step to give you their consent. You can’t use pre-ticked opt-in boxes for this reason, and they’re specifically banned.

If you’re relying on consent, you can’t use people’s personal data for any purpose other than the one they originally consented to. For example, if someone gives you consent for their details to be used as part of a prize draw, they’re hoping to hear from you with details of their prize if they win. However, they don’t expect to hear from you about anything else, and the consent they’ve given for their details to be used as part of the prize draw can’t be carried over for anything else.

If you’re unsure what counts as consent in your situation, you can contact us for more advice.

When can we rely on legitimate interests for marketing?

If you want to send some marketing to your customers by email or text, you’ll probably need their consent in addition to your lawful basis (which could be that you have a legitimate interest in sending it). This is because that type of marketing doesn’t only have to comply with data protection laws, but also the ones around electronic marketing known as the Privacy and Electronic Communications Regulations (PECR).

If you want to carry out telephone marketing, you first need to check if the person or sole trader is registered with the Telephone Preference Service (TPS). This is a service which allows people to opt out of unsolicited live sales and marketing calls. If someone’s landline or mobile number is on this register, you mustn’t call them for marketing purposes. And if they’ve previously told you not to call them, even if their number isn’t on the TPS register, then again you mustn’t call them.

For marketing sent by post, only data protection law applies (not PECR). If sending it is in your legitimate interests, then you might be able to rely on this, but you’d need to check and be able to justify it. If you’re unsure whether you can use ‘legitimate interests’ for marketing in your situation, you can use our lawful basis checker or contact us for more advice.

Does data protection law apply to business-to-business marketing?

Data protection law applies to personal data, which essentially means any information that identifies someone personally and tells you something about them, such as their name, where they work, or their home address.

Therefore, data protection law applies to business-to-business marketing if the business details you use contain personal data, rather than business data.

The work email address johnsmith@workplace.com and a business card with John Smith’s name on it are both examples of John’s personal data, so data protection laws would apply to how you use this information. John would be able to use his data protection rights to ask you to stop using his personal data for marketing purposes, for example.

Business-to-business marketing doesn’t only have to comply with data protection laws, but also the ones around electronic marketing known as the Privacy and Electronic Communications Regulations (PECR). And the rules about not sending unsolicited emails to individuals also apply to sole traders and people who work for themselves. This means that if you send business marketing to a sole trader’s email address, and you haven’t got that person’s prior consent, that’s likely to breach PECR.

You can’t rely on an email address to determine whether a person is a sole trader or a limited company.

If you’re sending marketing emails to the business email address of a limited company and it doesn’t contain any personal data, such as companyname@workplace.com, then data protection laws won’t apply. PECR doesn’t stop you sending electronic marketing emails or texts to these email addresses, but you’ll need to say who you are and tell people how they can opt out from receiving further messages from you.

But if you’re planning on calling businesses to market your services, you need to check the Corporate Telephone Preference Service. This is a register of businesses that don’t want to receive unsolicited marketing calls.

If you’re unsure about business-to-business marketing and data protection for a small business, you can contact us for advice.