This guidance covers the UK data protection regime which is the Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR). It also covers the Privacy and Electronic Communications Regulations 2003 (as amended) (PECR), where this applies to direct marketing.

Who is this guidance for?

This guidance is for everyone who intends to conduct marketing directed to particular people and those more broadly involved in direct marketing. It supports and empowers responsible direct marketing, helping you develop positive, trusted relationships with your customers and supporters while protecting people from unwanted intrusion. It provides you with practical guidance on the law and good practice.

It is for you, if you use information with the intention to market, advertise, or promote products, services, aims or ideals. For example:

  • commercial businesses marketing products and services;
  • charities and third sector organisations fundraising or promoting aims and ideals;
  • political parties fundraising or canvassing for votes;
  • public authorities promoting commercial services or sending promotional messages that aren’t necessary for public tasks or functions (eg messages from a local authority promoting its gym);
  • organisations involved in buying, selling, or profiling personal information for direct marketing purposes; or
  • telemarketing companies, lead generators, marketing agencies, and those providing advice on marketing campaigns.

It is likely that the majority of organisations, large and small, will at some stage use direct marketing to connect with customers or supporters or find new ones.

Further reading

If you are involved in political campaigning, you can find tailored advice in our guidance for the use of personal data in political campaigning.

If you are a public authority considering promotional messages necessary for your task or function, you can find tailored advice in our guidance on direct marketing and the public sector.

Why is it important to get direct marketing right?

Direct marketing is important. It can help you grow your business or further your aims, and it can benefit competition across markets. It can add value to the customer experience, making people aware of new products and services that they may benefit from, giving them opportunities to take part in events or find out about important causes. When done responsibly direct marketing can also increase trust and confidence in your brand or organisation.

It is important to get direct marketing right so you maintain these benefits. Bombarding your customers with direct marketing messages they don’t want can alienate them and damage relationships.

When organisations don’t get things right, direct marketing can cause nuisance or anxiety or other harm. Ofcom research published in 2019 found that 83% of those who received any type of sales calls found them annoying and 11% found them distressing, both of which were increases on its previous research (see the further reading box for more information).

In some cases direct marketing can result in significant harm. For example, someone in financial difficulties who is regularly targeted with direct marketing for high interest loans might sign up for these offers and potentially incur more debt. This is harmful for the people affected, can undermine the important role direct marketing plays in the UK economy, and create negative perceptions. For example, Gambling Commission research in 2019 on consumer attitudes towards gambling advertising found that people perceived that those at most risk of problematic play were being targeted with the advertising (see the further reading box for more information).

The rules are not there to stop you from engaging in direct marketing. They are there to make sure you think about the privacy of those who will be affected by your activity. The law enables good direct marketing practices to happen for the benefit of all involved.

The benefits for you in following the guidance may include:

  • greater trust in you by the public and your customers in how you use people’s information for direct marketing purposes;
  • greater confidence within your organisation that you are engaging in direct marketing responsibly and in a way that complies with the law;
  • economic benefits from effective, responsible direct marketing; and
  • better protection for people from unwanted or nuisance marketing.

What laws cover direct marketing?

Where direct marketing uses personal information, it is covered by the UK data protection regime. This is set out in the Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR).

Where direct marketing is carried out using electronic marketing messages (eg phone calls or electronic mail such as emails or text messages), it is also covered by the Privacy and Electronic Communications Regulations 2003 (as amended) (PECR). PECR also covers cookies and similar technologies. In some ways it has a broader application than data protection law, as it can apply even if you are not using any personal information.

There are other rules and industry standards affecting direct marketing that are regulated by other bodies. For more information see Annex B.

What is a legal requirement in this guidance and what is good practice?

This guidance covers what you must do to comply with data protection law and PECR. Where we use the word “must”, this means that the law requires you to do something (so it is a legal requirement).

Where we use the word “should”, this isn't a legal requirement but is what we expect you to do to comply effectively with the law. You should follow this unless you have a good reason not to (good practice). If you take a different approach, you must be able to demonstrate that this complies with the law. Where we use the word “could”, this refers to an option(s) that you may want to consider to help you comply (good practice). We have highlighted these words throughout the guidance for ease of reference.

How should we use this guidance?

This guidance helps you understand what you need to do at each stage of your direct marketing:

Step 1: Identify

Step 2: Plan

Step 3: Collect

Step 4: Respect


It explains the steps you are likely to go through as part of your direct marketing activities. It starts with a section about identifying what is direct marketing to help you decide if what you want to do is covered. Further sections cover planning your marketing activities, collecting information, and respecting people’s preferences. There is a Glossary to help you understand the terms we use in the guidance.

The guidance is designed to set out the main things you need to consider or do when you carry out direct marketing. However, we know some of you may want more detail about particular areas, so we have included “further reading” boxes. These boxes do not form part of the guidance but highlight where to find more detail if you want it.

Also, our website has further practical direct marketing resources and tools to help you.

What happens if we don’t follow this guidance?

If you don’t follow this guidance you may find it more difficult to show that your direct marketing complies with data protection law and PECR.

We can take action against you if you send direct marketing or use personal information in a way that infringes the UK GDPR, DPA 2018 or PECR. For more information, see the Enforcement section.

As long as you can demonstrate that you found another way to comply with the law, you will not receive a penalty if you fail to adopt our good practice recommendations.