The ICO exists to empower you through information.

In brief…

PECR restrict unsolicited marketing by phone, fax, email, text, or other electronic message. There are different rules for different types of communication. The rules are generally stricter for marketing to individuals than for marketing to companies.

You will often need specific consent to send unsolicited direct marketing. The best way to obtain valid consent is to ask customers to tick opt-in boxes confirming they are happy to receive marketing calls, texts or emails from you.

In more detail…

What is ‘direct marketing’?

Direct marketing is defined in section 122(5) of the Data Protection Act 2018 as:

“the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”.

This covers all advertising or promotional material, including that promoting the aims or ideals of not-for-profit organisations – for example, it covers a charity or political party campaigning for support or funds.

The marketing must be directed to particular individuals. In practice, all relevant electronic messages (eg calls, faxes, texts and emails) are directed to someone, so they fall within this definition.

Genuine market research does not count as direct marketing. However, if a survey includes any promotional material or collects details to use in future marketing campaigns, the survey is for direct marketing purposes and the rules apply.

Routine customer service messages do not count as direct marketing – in other words, correspondence with customers to provide information they need about a current contract or past purchase (eg information about service interruptions, delivery arrangements, product safety, changes to terms and conditions, or tariffs). General branding, logos or straplines in these messages do not count as marketing. However, if the message includes any significant promotional material aimed at getting customers to buy extra products or services or to renew contracts that are coming to an end, that message includes marketing material and the rules apply.

What kinds of electronic marketing are covered?

PECR cover marketing by phone, fax, email, text or any other type of ‘electronic mail’.

There are different rules for live calls, automated calls, faxes, and electronic mail (this includes emails or texts).

PECR marketing provisions do not apply to other types of marketing, such as mailshots or online advertising. However, you must always still comply with the Data Protection Act and the UK GDPR; and if your online advertising uses cookies or similar technologies, the provisions about cookies may apply.

When is marketing ‘solicited’ and when is it ‘unsolicited’?

Most of the rules in PECR only apply to unsolicited marketing messages. They do not restrict solicited marketing.

Put simply, a solicited message is one that is actively requested. So if someone specifically asks you to send them some information, you can do so without worrying about PECR (although you must still say who you are, display your number when making calls, and provide a contact address).

An unsolicited message is any message that has not been specifically requested. So even if the customer has ‘opted in’ to receiving marketing from you, it still counts as unsolicited marketing. An opt-in means the customer agrees to future messages (and is likely to mean that the marketing complies with PECR). But this is not the same as someone specifically contacting you to ask for particular information.

This does not make all unsolicited marketing unlawful. You can still send unsolicited marketing messages – as long as you comply with PECR.

What counts as consent?

You will often need a person’s consent before you can send them a marketing message. If you do need consent, then – to be valid – consent must be knowingly and freely given, clear and specific. It must cover both your particular organisation and the type of communication you want to use (eg call, automated call, fax, email, text). It must involve some form of very clear positive action – for example, ticking a box, clicking an icon, or sending an email – and the person must fully understand that they are giving you consent. You cannot show consent if you only provide information about marketing as part of a privacy policy that is hard to find, difficult to understand, or rarely read.

The clearest way to obtain consent is to ask the customer to tick an opt-in box confirming they are happy to receive your marketing calls, faxes, texts or emails.

You should keep clear records of what a person has consented to, and when and how you got this consent, so that you can demonstrate compliance in the event of a complaint.

You should be very careful when relying on consent obtained indirectly (consent originally given to a third party). You must make checks to ensure that the consent is valid and specifically identifies you. Generic consent covering any third party is not enough.

Remember that the customer is entitled to withdraw their consent at any time. You must make it easy for people to withdraw consent, and tell them how.

What is the difference between ‘opt in’ and ‘opt out’?

‘Opt in’ means a person has to take a specific positive step (eg tick a box, send an email, or click a button) to say they want marketing. ‘Opt out’ means a person must take a positive step to refuse or unsubscribe from marketing.

Some organisations provide opt-in boxes that are automatically pre-ticked. However, the UK GDPR is clear that pre-ticked boxes do not give valid consent.

You must use an ‘affirmative’ method of getting consent. We recommend you use unticked opt-in boxes wherever possible.

Do the rules apply to business-to-business marketing

Yes, but there are different rules for marketing to companies and marketing to individuals (which includes sole traders and some partnerships). In general, the rules on marketing to companies are not as strict.

For more information, see our separate guidance on business-to-business marketing.

What rules apply to international marketing campaigns?

If you are sending messages to countries outside the UK, you must also comply with their laws. Currently, EU countries have very similar laws to ours, based on the e-privacy Directive. Some of them are stricter than the UK regulations, especially for marketing to companies.

We cannot offer guidance on the law of other countries. You will need to seek your own legal advice if you wish to carry out an international marketing campaign.

What if we pay someone else to do our marketing?

You are both responsible for complying with PECR. Even if someone else actually makes the calls or sends the messages, you are still responsible, as you are ‘instigating’ those calls or messages. If we needed to take enforcement action, we would usually take it against you as the instigator. In some cases we might consider taking action against a specialist subcontractor as well if they deliberately or persistently ignored the rules.

You should make sure you have a written contract that sets out your contractor’s responsibilities. You may also want to ask your contractor to indemnify you (protect you against loss) for any breach of PECR. If they break the law and expose you to enforcement action (and reputational damage with customers), you may then be able to seek legal advice about taking action for breach of contract. However, an indemnity is not a substitute for proper checks of your contractor – remember it is still your name and reputation at stake.

Having a written contract with your contractor ties in with your contract obligations under the UK GDPR. See our separate Guide to the UK GDPR for more information on contracts.