Why is it important to plan our direct marketing activities?
You should plan your direct marketing activity before you start so that you can build in data protection and PECR compliance. It is hard to retrofit legal requirements once you have started your activity and it may be costly. You may find that not planning properly means you are infringing the law. This may harm your reputation and your relationship with people. It may also result in us taking action against you.
In general, the data protection rules covering direct marketing are the same as when you use people’s information for any reason (the main difference is people have an absolute right to object to direct marketing).
You must take a ‘data protection by design’ approach when planning your direct marketing campaign or activity. For example, you should consider:
what type of information you want to use (eg is it personal information, special category data or children’s information?);
what direct marketing activity you want to use the information for;
who is responsible for compliance when you work with others;
what data protection reason (“lawful basis”) applies to your activity; and
how you will ensure the information is accurate and not kept longer than you need it.
You must also be aware of whether any additional rules apply to the information you want to use or to the activity you want to carry out. You must be clear which legislation applies to your direct marketing activities so you can follow all the relevant rules. In some cases only data protection law or only PECR will apply, but in other circumstances both may apply.
You should think about what type of information you want to use for your direct marketing activity before you start. This will help you know which rules apply.
For example, if you want to use personal information, then you must comply with data protection law. Personal information can simply be someone’s name and address, but it is also broader: it covers any information that distinguishes between people or singles them out. In the direct marketing context, this includes online identifiers such as cookie IDs, IP addresses or advertising IDs.
If you want to use contact details, such as a phone number or electronic mail address (eg email address), then PECR applies (as well as data protection law if your marketing involves using personal information).
Can we use special category data for direct marketing?
Special category data includes information about people’s racial or ethnic origin, political opinions, religious beliefs, health or sexual life. It is more sensitive and therefore the law requires a higher standard of protection. This means that you must have a special category condition, as well as a data protection reason (“lawful basis”), to use the information.
You should have “explicit consent”. This is because it is unlikely that any other special category condition applies.
Explicit consent has to meet the usual standard for consent (see How does consent apply to direct marketing?). However, the key difference is that people must agree, in a clear statement, to you using such information, rather than merely by an ‘affirmative action’. You must also specify the type of special category data you want to use, and your explicit consent request should be separate from any other consents.
You may be using special category data if you are trying to better target your direct marketing by profiling people, for example by drawing inferences about people’s race, political opinions or health from other information.
Can we use children’s information for direct marketing?
Direct marketing to children has significant potential for harm. Other regulators have rules that specifically protect children from advertising (see the further reading box). Therefore, you should be very careful when you plan such a campaign.
You must take into account the risks to children of using their information for direct marketing and think about how you can mitigate these. For example, children might:
not realise that you want to use their information for direct marketing (this may lead to them getting direct marketing that they don’t want);
not understand what direct marketing is or how it works (this may mean they don’t recognise when something is direct marketing);
lack awareness of the consequences of giving you their information;
be unable to critically assess the content of direct marketing (eg they may be influenced to make unhealthy food choices or spend money on things they can’t afford).
You should also comply with advertising standards and make sure that your direct marketing is not detrimental to a child’s health or wellbeing.
If you’re providing online services that are likely to be accessed by children, you should read the ICO’s Children’s code.
You must also think about what information is necessary and proportionate to use for your activity and how you will make sure the activity is fair to people.
Can we use ‘live’ calls for our direct marketing?
‘Live’ direct marketing calls are when a person is speaking live on the telephone. Direct marketing by live calls is covered by different provisions of PECR, depending on what the call is about. The live call rules protect individual and corporate subscribers (see the Glossary for definitions).
Live calls can be a useful direct marketing method, allowing you to speak directly to people and discuss your promotions with them. However, some people find live direct marketing calls intrusive or a nuisance. For example, Ofcom nuisance calls research in 2019 found that 82% of people receiving live sales calls found these annoying (see the further reading box). Therefore, you must make sure you understand how to comply. For example:
Be clear what your live marketing call will be about.
There are different rules in PECR for live calls depending on what you are marketing. However, for most types of marketing you can make live calls if:
there is no objection to your calls; and
the number isn’t registered on the Telephone Preference Service (TPS) or the Corporate Telephone Preference Service (CTPS).
A company has a list of telephone numbers that it wants to use to make live marketing calls about its products.
In order to comply with PECR, it checks the numbers against the TPS and CTPS registers and against its own ‘do not call’ list. It doesn’t make calls to any numbers that it finds on the register or its own list. It calls the remaining numbers.
However, there are stricter rules for direct marketing calls about claims management services and pensions. For claims management services marketing calls, you must have consent.
For pension scheme marketing calls:
you must be a trustee or manager of a pension scheme or authorised by the Financial Conduct Authority; and
the person you are calling must have consented to your calls or your relationship with them must meet strict criteria (see the further reading box).
Understand what the TPS and CTPS are.
The TPS and CTPS registers are statutory registers that act as a way to let people record a general objection to receiving live direct marketing calls that you must respect. You can only call a number on these registers if the subscriber has specifically told you they want your live marketing calls.
Be considerate to people.
You should not make calls to people that would unduly distress them or cause them other unjustified harm. Be particularly careful if you are aware that someone is elderly or vulnerable, or if the nature of the direct marketing call might cause offence or stress. You should avoid frequent redialling of unanswered numbers or making calls at anti-social hours.
Can we use automated calls for our direct marketing?
Automated direct marketing calls are made by an automated dialling system that plays a recorded message. The automated marketing call rules in PECR protect individual and corporate subscribers (see the Glossary for definitions).
You may be considering automated marketing calls as a cheaper alternative to live calls. However, the rules are stricter as many people find such calls very intrusive and sometimes disturbing. For example, Ofcom research from 2019 on nuisance calls found that 84% of people found recorded sales calls annoying and 14% found this type of call distressing (see the further reading box).
You must have consent to make automated marketing calls. General consent for direct marketing, or even consent for live calls, is not enough. The consent must specifically cover automated marketing calls from you. (See How does consent apply to direct marketing?)
You don’t need to check against the TPS or CTPS because you must not make the call without consent, even if the number is not on these lists.
Can we use electronic mail (including emails and texts) for our direct marketing?
Electronic mail means any electronically stored messages (eg emails, text messages, picture or video messages, voicemails, and direct messaging on social media). In particular, emails and text messages are a popular, cost-effective way to deliver marketing messages to people.
If you want to send direct marketing by electronic mail, you must do the following:
Be clear what type of subscriber you want to send messages to.
There are two types of subscribers in PECR (individual and corporate). Some of the rules for electronic mail only protect individual subscribers (which includes sole traders and some types of partnership). So, if you want to send electronic mail marketing to corporate subscribers the PECR rules on having either consent or the ‘soft opt-in’ (see below) don’t apply. (See the Glossary for more information on subscribers.)
Understand when you need consent.
You must have consent to send electronic mail marketing to individual subscribers (unless the ‘soft opt-in’ applies, see below). If you want to rely on consent, you must ensure it is specific to the particular type of electronic mail you want to send. For example, consent specifically for emails or consent specifically for text messages; simply saying ‘electronic mail’ is not specific or informed enough.
It is important to remember that consent to use someone’s phone number for live or automated marketing calls doesn’t cover direct marketing by text message. (See the section How does consent apply to direct marketing?)
A customer is buying a pair of jeans from a high street retailer. At the end of the payment the shop assistant asks them if they would like their receipt sent by email. The customer agrees and gives their email address.
Later that day the customer receives an email that contains an electronic receipt of their purchase. However, the following day they receive a further email promoting the retailer’s footwear sale.
While the first email was compliant because it didn’t contain any marketing, the second email is not compliant with PECR. This is because although the customer consented to their email address being used to receive an e-receipt, they didn’t consent for it to be used for direct marketing. Consent for an e-receipt doesn’t cover sending direct marketing. The retailer should have clearly and separately asked for consent to send direct marketing by email.
As no information was given to the customer about their email address being used for direct marketing purposes, there are also likely to be data protection issues (eg fairness and transparency).
Understand how to comply with the ‘soft opt-in’.
The term ‘soft opt-in’ is not used in PECR, but is commonly used to describe the exception in the law to the electronic mail consent requirement. Many organisations find that the soft opt-in is a good option to use to send electronic mail to their existing customers. However, if you want to use it instead of consent, you must meet all of its requirements. The soft opt-in breaks down into five requirements:
You obtained the contact details – you must have obtained the contact details directly from the individual subscriber you want to send electronic mail to.
You did this during the course of a sale, or negotiation of a sale, of a product or service – they must have bought something from you or have actively expressed an interest in buying your products or services (eg by asking for a quote or more details of what you offer).
You are marketing your similar products and services – you must be sending electronic mail about your similar products and services. This means you can’t send messages about things that people wouldn’t reasonably expect from you in that context and you can’t send the marketing of other organisations.
You provided an opportunity to refuse or opt-out when you collected the details – you must give a clear, simple opportunity to opt-out of your electronic mail marketing at the time you first collect their details (eg an online form with a prominent opt-out box).
You give an opportunity to refuse or opt-out in every subsequent communication – you must give people a chance to unsubscribe or opt-out of every subsequent communication you send. It must be simple and free of charge for them to do so (apart from the cost to them of sending the message).
An online clothing retailer decides it wants to use the soft opt-in to send marketing emails to its customers.
It adds the following opt-out box to the customer purchasing journey:
☐ Tick here if you don’t want to receive marketing emails from us about our clothing ranges.
The retailer doesn’t send email marketing to customers who tick the box. Instead it sends marketing emails about its clothing ranges to those customers who didn’t tick the opt-out box when they bought its products.
It includes the following information at the end of every email that it sends:
If you no longer want to receive our marketing emails, please click unsubscribe.
If the customer clicks unsubscribe, it stops sending them marketing emails.
The retailer is complying with the soft opt-in requirements of PECR.
Currently, the soft opt-in only applies to commercial marketing of products or services. This means you must have consent if you want to send direct marketing about fundraising, campaigning or to otherwise promote your aims or ideals.
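The following is an added example, not part of the ICO guidance or of PECR itself, showing how the call rules and the electronic mail rules above can be enforced as a single pre-send gate in a marketing system. It encodes the points a practitioner most often gets wrong: consent is channel-specific (live-call consent does not cover automated calls or texts), automated calls need consent regardless of the TPS/CTPS, a TPS/CTPS number may only be called with specific consent, the soft opt-in is only available for commercial marketing of similar products to individual subscribers, and a recorded objection or opt-out wins over everything. The register contents, subscriber records, phone numbers and the `normalise_uk_number` helper are constructed assumptions; the six-month cut-off for consent obtained via a third party is the ICO’s recommendation later on this page, applied here as a hard limit for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample registers (assumption: real deployments load the licensed
# TPS/CTPS files and refresh them before every calling run).
TPS_REGISTER = {"+441632960001"}
CTPS_REGISTER = {"+441632960010"}

# ICO recommendation: do not rely on third-party consent older than ~six months.
THIRD_PARTY_CONSENT_MAX_AGE = timedelta(days=183)

CHANNELS = {"live_call", "automated_call", "email", "sms"}


def normalise_uk_number(raw: str) -> str:
    """Constructed helper: turn '01632 960001' or '+44 1632 960001' into E.164
    so that register lookups match exactly."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if raw.strip().startswith("+"):
        return "+" + digits
    if digits.startswith("0"):
        return "+44" + digits[1:]
    return "+" + digits


@dataclass(frozen=True)
class Consent:
    channel: str            # the exact channel consented to, e.g. "sms"
    given_at: datetime
    via_third_party: bool = False


@dataclass
class Subscriber:
    subscriber_type: str                                # "individual" or "corporate"
    contact: str                                        # phone number or email address
    consents: list = field(default_factory=list)        # list[Consent]
    opted_out: set = field(default_factory=set)         # channels; "all" = any direct marketing
    soft_opt_in: bool = False   # True only if all five soft opt-in conditions were met at collection


def has_specific_consent(sub: Subscriber, channel: str, now: datetime) -> bool:
    """Consent counts only if it names this channel and, when obtained via a
    third party, is recent enough."""
    for c in sub.consents:
        if c.channel != channel:
            continue    # e.g. live-call consent does not cover SMS or automated calls
        if c.via_third_party and now - c.given_at > THIRD_PARTY_CONSENT_MAX_AGE:
            continue    # stale third-party consent: treat as absent
        return True
    return False


def can_send(sub: Subscriber, channel: str, now: datetime,
             offer: str = "general", similar_products: bool = True):
    """Return (allowed, reason). offer is 'general' (commercial products/services),
    'claims_management' or 'non_commercial' (fundraising, campaigning)."""
    if channel not in CHANNELS:
        raise ValueError(f"unknown channel {channel!r}")

    # The right to object to direct marketing is absolute: an opt-out beats any consent.
    if "all" in sub.opted_out or channel in sub.opted_out:
        return False, "objection or opt-out recorded"

    consented = has_specific_consent(sub, channel, now)

    if channel == "automated_call":
        # TPS/CTPS status is irrelevant here: no specific consent, no call.
        if consented:
            return True, "specific consent for automated calls"
        return False, "automated calls require specific consent"

    if channel == "live_call":
        if offer == "claims_management" and not consented:
            return False, "claims management calls require consent"
        number = normalise_uk_number(sub.contact)
        if number in TPS_REGISTER or number in CTPS_REGISTER:
            if consented:
                return True, "on TPS/CTPS but specific consent for our calls recorded"
            return False, "number registered on TPS/CTPS"
        return True, "no objection and not on TPS/CTPS"

    # Electronic mail (email, SMS): consent or soft opt-in for individual subscribers.
    if sub.subscriber_type == "corporate":
        return True, "corporate subscriber: consent/soft opt-in rules do not apply"
    if consented:
        return True, f"specific consent for {channel}"
    if sub.soft_opt_in and offer == "general" and similar_products:
        return True, "soft opt-in (commercial marketing of similar products)"
    return False, "individual subscriber without consent or soft opt-in"
```

Note that the gate only answers the PECR sending question; the identity and unsubscribe-address requirements for every message, and the data protection lawful basis, still have to be handled separately.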
You should check names and addresses against the Mailing Preference Service (MPS) before sending out direct marketing. Although this is not a statutory preference service, checking against the MPS is a requirement under some industry codes (eg the DMA’s code, see Annex B).
Can we use online advertising for our direct marketing?
When you are considering using online advertising for your direct marketing, remember that the information you can collect on people is wider than what they actively give you. For example, it can include information gained by observing how someone uses the online environment (such as the devices they use) and inferred information based on this (such as predictions about their interests). This inferred information can also be special category data (eg inferring that someone suffers from a particular condition because their browsing history contains particular medical websites).
People may not understand how online advertising works or how their information is used. As a result they are less empowered to make choices about how their information is used.
If you are considering online advertising you must do the following:
Tell people what you’re doing.
You must give people concise, easy to understand privacy information for online advertising. The volume of organisations involved in online advertising and the technical complexity make it difficult for people to understand why their information is being collected and who is using it. (See Collect information and generate leads.)
Social media platforms process large amounts of personal information about their users, including their behaviour and interactions. The platforms may allow you to target people for direct marketing purposes using particular tools. One of the most common is known as “audiences”. This can involve targeting:
your existing customers on the platform. For example, giving your customers’ contact details to the platform and it then checks its userbase and those who match are added to this audience; and
people that look like your existing customers. For example, setting targeting parameters based on an existing audience (such as demographics or interests) and the platform finds its users who are similar.
The activities in social media targeting are complex and you must make sure that you comply with the law. For example:
Be clear what information you need to achieve your purpose.
You should be clear about what information you want to use and why it is necessary. This applies to when you want to use your social media presence to target direct marketing at people and when you want to use the platform’s advertising services.
Ensure what you want to do is fair, lawful and transparent.
You must ensure that your use of people’s information is fair to the people involved. You must be upfront and clear about what you want to do, particularly if people are unlikely to expect it to take place (eg people without social media accounts will not expect you to share their information with a platform they don’t use).
Research from Which? found that 79% of those questioned were unaware that a social media platform matches profiles to customer lists that have been uploaded by organisations (see the further reading box).
Some types of audience may include people that you don’t have any direct relationship with. You should be satisfied that the platform has taken all necessary steps to tell people what is happening.
Define roles and responsibilities between you and the platform.
Although the platform may undertake most of the actual processing, you are instigating it. This is because you provided the original information and defined the targeting parameters you want it to use. In many cases, it is likely that you and the platform are joint controllers, as you are both deciding what the information is being used for.
Is there any information we must give people when we send direct marketing to them?
Some of the activities that involve sending direct marketing have additional rules in PECR that say what you must do or tell people.
When you make live or automated direct marketing calls, you must:
say who is calling (eg the name of your organisation);
display your number (or an alternative contact number) to the person receiving the call; and
provide your contact details or a Freephone number (for live calls this is only if you are asked for this information).
When you send electronic mail marketing, you must:
not disguise or conceal your identity; and
provide a valid contact address for people to opt out or unsubscribe.
Can we share information for direct marketing purposes?
Sharing information for direct marketing purposes can include:
selling, licensing or renting data or contact details;
sharing or transferring databases; or
supplying information obtained from a variety of sources to other organisations to add to people’s existing records or profiles.
If the ultimate aim is that the organisation receiving the information uses it to inform their direct marketing, then you are sharing it for direct marketing purposes.
If you are involved in the trade of information for direct marketing purposes (eg data brokers offering direct marketing services), you must assess the compliance risks of these activities and comply with data protection law and PECR. For example:
If you want to share using consent make sure it is valid.
You must make sure that consent to share someone’s information for direct marketing purposes is valid. For example, you can’t infer you have consent just because you are sharing information with an organisation that has a similar aim to you. (See How does consent apply to direct marketing?)
Be able to justify sharing using legitimate interests.
If you want to use legitimate interests as your data protection lawful basis, you must look at whether people would reasonably expect you to share their information with others for direct marketing. You must also consider what impact sharing will have on people (eg will they lose control over their information if you share it?). (See How does legitimate interests apply to direct marketing?)
Give people a chance to opt out of the sharing.
If you are not relying on consent, then as a safeguard when you first collect information from people, you should include a clear, simple opt-out opportunity. People can use this if they want to object to you sharing their details with other organisations for direct marketing.
Take PECR into account.
If you want to share a marketing list for other organisations to use to send electronic marketing messages, you must take PECR into account. For example, you should ensure that lists of phone numbers for others to use for automated marketing calls have consent for that organisation to use for that purpose.
You should keep records of:
your decision-making (eg why do you want to share the information);
how and when you collected the information; and
what you told people.
You should be able to demonstrate to those you share information with, or who use your direct marketing services, that you collected the information in compliance with data protection law and, where applicable, PECR.
Often you will do your direct marketing activity within your own organisation without any input or assistance from others. However, sometimes it may be beneficial to work with others.
If you do work with others, you must be clear who has responsibility for ensuring compliance. This is an important part of keeping people’s information safe and making sure you respect their preferences. Responsibility depends on a number of factors including:
who is making the decisions about how people’s information is being used;
the relationship between the different parties involved; and
the type of direct marketing that is taking place.
Working with others for direct marketing can take different forms. For example:
Using other organisations to help with your direct marketing.
In many cases, from a data protection perspective you are likely to have responsibility for making sure your direct marketing complies. This makes you the controller. The organisation helping you is likely in most cases to be acting on your instructions, and is therefore the processor. For example, they might check your telephone marketing list against the TPS or print and send your postal marketing to your customers. (See the Glossary for definitions.)
Using other organisations to send your electronic marketing messages on your behalf.
Responsibility for complying with PECR is with the “sender”, “caller” or “instigator” of the direct marketing message. You are likely to be instigating if you encourage, incentivise, or ask someone else to send your direct marketing message. This means that PECR may still apply to you, even if you don’t send the message yourself or you don’t hold the contact details that your messages are sent to.
Often both you and the organisation you ask to send your messages are responsible for complying with PECR. But this may be different if you are entering into an agreement with a marketing platform or using a webmail provider. In this case, you may be the sender for PECR purposes with the other party having no responsibility under PECR for your messages. You may wish to seek legal advice if you are not clear who has responsibility for compliance.
Conducting joint direct marketing campaigns with third parties.
If you and the other party are both using people’s information for the same purpose, you are likely to have joint responsibility for ensuring your marketing complies with data protection law and be joint controllers (see the further reading box). If you are conducting a joint campaign that involves sending electronic direct marketing messages, you both must comply with PECR.
Asking your customers to send your direct marketing to their friends and family.
This is often known as a ‘refer a friend’ campaign. You must comply with PECR, if you are instigating people to send or forward your marketing messages (eg you may need consent from the friends and family). (See the further reading box.)
How do we decide what our data protection reason (“lawful basis”) is for direct marketing?
If you want to use people’s information for your direct marketing activity, you must have a valid data protection reason (known as a “lawful basis”). You must choose which is the most appropriate, depending on your direct marketing activity, the context and your relationship with the person.
In general, consent and legitimate interests are the two lawful bases most likely to apply to your direct marketing.
Sometimes you need consent under PECR to send your marketing. PECR uses the same standard of consent as data protection law. Therefore, if you have consent for PECR, then you have already done the work needed to meet the consent lawful basis (assuming you are processing people’s information and need a lawful basis). You don’t need to find an alternative lawful basis to cover sending that direct marketing message. (See How does consent apply to direct marketing?)
If PECR doesn’t require consent for sending electronic marketing, then legitimate interests may be appropriate for your activity. For example, sometimes you don’t need consent under PECR to make marketing calls and send electronic mail marketing. (See How does legitimate interests apply to direct marketing?)
Apart from sending electronic marketing (such as by phone, email, text etc), other direct marketing activities are not covered by the marketing provisions in PECR. Therefore, PECR won’t affect your choice of lawful basis for those.
If you want to ask people to give you consent for direct marketing, you must make sure it is:
freely given: People must have genuine choice and control over whether or not to consent to your direct marketing. In many cases it is unlikely you can make consent for direct marketing a condition of your service. They must be able to refuse consent without detriment (there’s usually some benefit of consenting to direct marketing, such as access to special offers, but it is important to avoid unduly incentivising people to consent). They must also be able to withdraw their consent at any time (see What do we do if someone withdraws their consent?);
specific and informed: Your request for consent must be prominent, in plain language and separate from your privacy information. It must clearly explain what the consent is for (eg to send direct marketing emails), who wants to rely on the consent (eg you or another organisation) and how people can withdraw consent; and
unambiguous: It must be obvious that someone has consented to your direct marketing activity. This must be a deliberate and specific action by someone to agree (pre-ticked boxes or default settings do not show consent).
If an organisation wants to use consent, it needs to provide a clear, separate opportunity for customers to choose to consent to its direct marketing.
You should also be aware of the following:
Consent for your direct marketing could come via a third party.
It is possible for people to consent to your direct marketing via a third party but you must make sure the consent was valid. We generally recommend that you should not use consent for direct marketing that was given via a third party more than six months ago (unless people would expect your marketing at a later date, eg seasonal offers). This is because people may be happy to hear from you around the time they gave consent but they’re unlikely to expect to start getting your marketing at a much later date.
Consent for direct marketing does not last forever.
How long consent for direct marketing lasts depends on the circumstances (such as people’s expectations and their relationship with you). For example, consent for a one-off message, or consent that is clearly only intended to cover a short time or a particular context, doesn’t count as ongoing consent for all your future direct marketing.
How does legitimate interests apply to direct marketing?
If your direct marketing activity doesn’t need consent under PECR, then you might be able to rely on legitimate interests as your data protection reason (“lawful basis”). For example, if you can show the way you use people’s information:
has a minimal privacy impact; and
is not a surprise to people or they are not likely to object to what you are doing.
Legitimate interests is made up of a three-part test (known as a legitimate interests assessment or LIA):
Purpose test: Identify whether you have a legitimate interest to use people’s information for your particular direct marketing activity (eg to increase your revenues or grow your business).
Necessity test: Decide if using people’s information in that way is necessary for your purpose. Consider if:
what you want to do is a targeted and proportionate way of achieving your purpose; or
whether you could achieve it in some other way (eg is it necessary to send the direct marketing to all your customers, or would it be more proportionate to only send it to a particular group?).
Balancing test: Objectively balance the necessity of your interests against the interests and rights of the people your direct marketing activity will affect. Typically this will involve considering:
what type of information you want to use for your direct marketing activity (eg is it likely to be considered sensitive or private?);
whether people will expect you to use their information in this way; and
any impacts your direct marketing activity may have on people (eg the potential nuisance factor of unwanted messages, any harm those messages could cause or the effect the frequency of your contact method might have on them).
If you want to use legitimate interests for your direct marketing activity, you should give people a clear option to opt-out of your direct marketing when you initially collect their details. People have the right to object to direct marketing and an opt-out can provide a safeguard to ensure they keep control of their information and can easily exercise their right.
A theatre wants to send details of its programme of summer performances by post to people who have attended events in the past and have not previously objected to receiving its direct marketing.
The theatre’s purpose of direct marketing to increase its revenues is a legitimate interest. The theatre considers it is necessary to process the name and address details for this purpose and that posting the programme is a proportionate way of achieving this.
The theatre decides that the impact of this postal marketing on people is likely to be minimal but it includes details within the mailing about how to opt-out. In light of the above it decides that it can apply the legitimate interests lawful basis to send the mailing. It has complied with the requirement to have a lawful basis.
How do we make sure the information we use for direct marketing is accurate?
It is important for your direct marketing that the information you use is good quality and accurate. Data protection law also requires that you keep people’s information accurate and, where necessary, up to date:
Record information accurately.
You must ensure that you accurately record people’s information for direct marketing. For example, you should accurately record:
the information you have been provided with (eg contact details);
the source of that information;
which methods of direct marketing people have consented to;
any objections, opt-outs, or withdrawals of consent; and
A retailer sends direct marketing by post to a customer. The marketing is returned to the retailer marked with the words ‘no longer at this address’.
The retailer complies with accuracy requirements by making a note on the customer’s record to say that the address is no longer correct.
Keep up-to-date suppression lists.
You should make sure that any direct marketing suppression lists you use are kept up-to-date. This is so that you don’t inadvertently use someone’s information for direct marketing when they have made clear that they don’t want this. For example, you must use the most recent version of the TPS to check phone numbers before making live marketing calls. (See What are direct marketing suppression lists?)
Deal promptly with challenges to the accuracy of personal information.
People may challenge the accuracy of the information you hold on them. They have a data protection right to have their inaccurate information corrected, so you must deal with any such request.
How long should we keep information for direct marketing purposes?
You must only keep people’s information for as long as you need it:
Be clear why you need to keep it.
Data protection law doesn’t have specific timescales for how long you need to keep people’s information for direct marketing. This means you should:
consider why you need to keep their information; and
be able to justify why it is necessary for your direct marketing purpose to keep it.
You should keep a record of your retention periods. You also must tell people how long you will keep their information (this is one of the things you must tell them when you collect their information, see Collect information and generate leads).
Don’t keep information that you don’t need.
You should regularly review the information you hold, in order to reduce the risk that it has become irrelevant, excessive or inaccurate.
If you no longer need the information for direct marketing purposes, you must delete or anonymise it (ie so it is no longer in a form that allows someone to be identified). This is unless you need to keep a small amount for another purpose, such as a suppression list (eg where someone has unsubscribed from your marketing, see What are direct marketing suppression lists?).
A retailer is planning a new product range. It wants to generate interest so it decides to give people an opportunity to submit their email address on a ‘coming soon’ webpage, so they can keep up-to-date with the product launch.
The retailer also decides that many people may want to hear about its other products as well. Therefore it decides to include an opt-in box on the webpage, so that when people submit their email address they can also choose to tick a box to also get emails about the retailer’s other products.
Once the retailer has launched the product, it is unlikely to still need to keep the email addresses of those who didn’t also agree to its general marketing. However, this is different for those people that also opted into the retailer’s general marketing emails, as they gave consent for wider marketing too.