Direct marketing is any marketing or advertising material that is directed at particular individuals. It includes messages trying to sell goods or services and those promoting an organisation or its values or beliefs, such as material from charities or political parties asking for support. Direct marketing could be an email advertising car insurance or a phone call from a charity asking for a donation. It does not include calls that are purely for market research.
This guide explains what you need to do to comply with the Data Protection Act and the Privacy and Electronic Communications Regulations when carrying out direct marketing activities.
Data Protection Act
The Data Protection Act governs the use of personal information by businesses and other organisations. You will need to comply with the act if you use personal information as part of your business, for example, because you hold customer details or details of employees.
Personal information is information about a living individual who is identified or who is identifiable. It includes information such as a name and address, bank details, and opinions expressed about an individual.
If you are processing personal information covered by the Act you must comply with the data protection principles. These require that personal information is:
- processed fairly and lawfully
- processed for one or more specified and lawful purposes, and not further processed in any way that is incompatible with the original purpose
- adequate, relevant and not excessive
- accurate and, where necessary, kept up to date
- kept for no longer than is necessary for the purpose for which it is being used
- processed in line with an individual’s rights
- kept secure with appropriate technical and organisational measures taken to protect the information
- not transferred outside the European Economic Area (the European Union member states plus Norway, Iceland and Liechtenstein) unless there is adequate protection for the personal information being transferred
You can also find practical data protection advice on the ICO website.
The Act also requires some organisations to tell the Information Commissioner what they use personal information for. This is called notifying.
Data protection and marketing
The Data Protection Act applies to the use of personal information for marketing purposes. To comply with the first data protection principle of the Act you have to tell individuals:
- who you are
- what you will use their information for
- anything else necessary to make sure you are using their information fairly, including whether you plan to pass your marketing lists to other organisations and how you will be contacting people, such as by post, phone or email
If you share your marketing lists with other organisations, you’ll need to tell individuals about who you will pass their information to and give them an opportunity to object. By telling them about a specific organisation, or providing a more general statement such as “we will pass your details to other organisations with similar aims and objectives”, you are being open about how you will use their information. If it is impractical to name these organisations, you should make this information freely available on request.
When you collect information from people you are in direct contact with, such as in a phone call or on a website, you should give them an immediate opportunity to object to future contact. You could also find out how they would like to be contacted in future.
An individual’s right to object
You need to be aware that section 11 of the Act gives all individuals the right to stop their personal information being used for direct marketing. A request must be made in writing – if you receive one you must act on the request in a reasonable period of time. Normally this should not be longer than 28 days.
You are using personal information for marketing purposes if you use an individual’s details to send them mail advertising your products or services. Some email addresses will be personal information, eg an email address in the format firstname.surname@company.com. An email address that does not name or identify an individual will not be personal information.
Under the Data Protection Act individuals have the right to see the information you hold about them. Individuals also have the right to have any personal information you hold about them corrected if it is wrong or misleading.
For further information on the data protection rights of individuals, see our guide on how to comply with data protection legislation.
Providing personal information to third parties
Under the Data Protection Act 1998, you may provide personal information about individuals to a third party if:
- they are authorised to obtain that personal information on behalf of the individual
- your business outsources the processing of personal information – for example, payroll processing
- the police need it as part of an investigation
Data protection when buying marketing databases
If you buy databases containing customers’ personal information, you must comply with data protection requirements. Under the Data Protection Act, businesses generally may only sell personal information held in a database if the individuals have been warned that their information may be passed on.
However, a business that is insolvent, bankrupt, being closed down or sold may sell its database under the following circumstances:
- the information will only be used for the purposes for which it was originally collected
- consent is sought if the information is to be used for a different purpose
- the individuals are informed about the new owner and given their contact details
For more information, see the page on rules about buying databases in our guide on email marketing.
The Privacy and Electronic Communications Regulations
The Privacy and Electronic Communications Regulations are the rules that govern how you conduct your marketing by electronic means, such as by email or by telephone. The regulations will also affect you if you use cookies on your website or if you operate telephone or similar directories.
Key elements of the regulations are that you must obtain consent before installing cookies on a user’s machine and in some cases you must have the customer’s consent to be able to send them electronic marketing. If an individual has opted out of receiving marketing information, you are not allowed to send it.
To comply with the regulations you must:
- Ensure that you have the customer’s consent to electronically market to them by phone, fax or email.
- Identify yourself when you carry out marketing.
- Provide appropriate contact details when sending marketing material or messages so that the individual or organisation receiving the marketing can contact you. This should be a postal address, email address or Freephone number.
For telephone marketing, you must identify yourself. You must also give your address or Freephone number if the person you are calling asks for it.
Since 26 May 2011, businesses must tell visitors to their website that they use cookies and obtain their consent. You must also tell your site users how you use cookies.
You can find out how to comply with the law on cookies on the Information Commissioner’s Office (ICO) website and download guidance on how the ICO will enforce the law on cookies.
You can find out how to manage cookies on the All About Cookies website.
For more information on the rules applying to different forms of electronic marketing, see the page in this guide on marketing regulations.
Marketing regulations
There are different rules governing the various methods of marketing.
Electronic mail
The rules covering electronic mail apply to any message that consists of text, voice, sound or images, eg email, voicemail and answer phone messages.
You can only carry out unsolicited marketing – marketing an individual has not specifically requested – by electronic mail if the individual you are sending the message to has given you permission.
There is an exception to this rule, known as the ‘soft opt-in’ that applies where:
- you have obtained the individual’s details in the course of a sale or the negotiations for a sale of a product or service to that person
- the messages are only marketing your similar products or services
- the individual is given the opportunity to refuse the marketing when their details are collected and, if they do not opt out, you give them a simple way to do so in every future message
The opt-out option should allow the individual to reply directly to the message. In the case of text messages, an individual could opt out by sending a stop message to a short code number, for example, text ‘STOP’ to 12345. The only cost should be the cost of sending the message.
Individuals can opt out of receiving marketing at any time and you must comply with any opt-out requests promptly.
For more advice on the rules when sending promotional emails, see our guide to email marketing.
Email marketing to organisations
If you are sending marketing to organisations, you don’t have to have their consent but you must include the name of your business in the email and provide a valid address where opt-out requests can be sent. However, if you have an email address which is ‘personal data’, for example name.surname@company.co.uk, the individual employees of that organisation still have the right to prevent that email address being used for direct marketing.
Telephone marketing
You can’t make unsolicited telephone calls to an individual or organisation who has told you they do not want your calls, or has registered with the Telephone Preference Service (TPS). Find out about the TPS on the TPS website. Businesses can register with the Corporate Telephone Preference Service (CTPS) – find out about the CTPS on the TPS website.
Automated calls
You cannot make automated calls (pre-recorded phone messages) without getting the individual or organisation’s permission first.
Fax
Organisations cannot send unsolicited marketing faxes to individuals unless they have agreed to receive them. You can’t send faxes to individuals or organisations who have registered their number on the Fax Preference Service (FPS). Find out about the FPS on the FPS website.
Privacy issues when using cookies
Cookies are text files that are stored on a user’s computer when they visit a website that uses them. Thereafter, the cookie sends information back to the website and can be used to monitor browsing preferences of users, eg types of goods searched for, pages visited and length of dwell time on each page. However, you need to be open with your customers about how you will use this information.
Since 26 May 2011, if you use cookies as part of your website you will need to tell individuals about how you are using them. In particular, you must give clear and comprehensive information about why you are using cookies and obtain their consent.
You can find out how to comply with the law on cookies on the Information Commissioner’s Office (ICO) website and download guidance on how the ICO will enforce the law on cookies.
This information should be easy to understand and should tell users of the website that cookies will be used to collect and store information about them. You should also give users the opportunity to refuse the continued storage of any cookies on their computer or access to it and explain how users can turn the cookies off. There are very few circumstances where this information does not have to be provided.
Frequently asked questions about data protection
Can we advertise the products and services of third parties by electronic mail?
If you are offering a ‘host mailing’ service, you are not disclosing your mailing list to a third party but you are willing, for a fee, to promote their goods and services alongside yours. It is unlikely you could send such messages on a ‘soft opt-in’ basis because they are not your own ‘similar products and services’. However, you could send such material if the individual has agreed to receive it, provided you identify that you and not the third party are the sender.
Can we use third-party email marketing lists?
The law does not stop you using rented email marketing lists. However, you are responsible for any emails you send so make sure that the individuals you are sending the email to gave their consent for their details to be passed to third parties. You should check with the list rental business that they have the consent of the individuals concerned.
See the page in this guide on data protection when buying marketing databases.
What are ‘similar products and services’?
You can only send unsolicited electronic marketing if the messages are marketing similar products or services offered by your business.
You can find frequently asked questions on the ICO website.
Data protection offences and enforcement
The main offences under the Data Protection Act relate to the following:
- Notification – particularly where an organisation has failed to notify the Information Commissioner’s Office (ICO) about the way they process personal information or to make necessary changes to their notification entry.
- Obtaining or disclosing personal data without the consent of the data controller. Employees have been prosecuted for selling their employers’ information or even disclosing it to friends or family for their own purposes. Employees also need to be trained to recognise attempts to ‘con’ information out of them by unscrupulous individuals who trade in this type of information.
- Breaching formal notices issued by the Information Commissioner.
The Information Commissioner has the power to prosecute those who may have committed a criminal offence. An enforcement notice could be issued if an organisation has not complied with one or more of the data protection principles. The Information Commissioner can issue an information notice to demand information needed to consider a complaint or decide if a principle has been breached. This is usually a last resort if the information is being withheld. Both notices can be appealed to the Information Tribunal.
Since 6 April 2010, the Information Commissioner has also had the power to impose civil penalties on any data controller where:
- there has been a serious violation of data protection principles
- the violation was likely to cause substantial damage or distress
- the violation was deliberate or the data controller knew (or should have known) that a damaging or distressing violation was possible but failed to take reasonable steps to prevent it
The data controller will be served with a notice of intent detailing the nature, circumstances and seriousness of the violation along with an indication of the penalty amount. The maximum penalty is capped at £500,000.
Data controllers can make a representation to the Information Commissioner (providing information on the mitigating circumstances and any relevant documents and evidence) on receipt of a notice of intent.
Find guidance on data protection penalties on the ICO website.
You could be liable for a financial penalty if you fail to notify or comply with an enforcement or information notice. If you are convicted of any other offence under the Act, you could face a fine.
Every effort has been made by the author(s) to ensure this article’s accuracy but it does not constitute legal advice tailored to your circumstances. If you act on it, you acknowledge that you do so at your own risk. We cannot assume responsibility and do not accept liability for any damage or loss which may arise as a result of your reliance upon it.