Direct marketing: a quick guide

A quick guide to the main rules relating to direct marketing.

This is one of a series of quick guides; see Quick guides.

NOTE: Please note that this Practice note is currently being updated.


What is direct marketing?

Direct marketing consists of any advertising or marketing communication (whether trying to sell a product or promoting an organisation) that is directed to particular individuals or companies, and includes market research calls.


Why do you need to comply with rules on direct marketing?

You need to comply with law and regulation on direct marketing to avoid the risk of:


Regulatory framework

The main laws and regulations relating to direct marketing are:

  • Data Protection Act 1998 (DPA) and Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (Privacy Regulations). Using personal data for marketing purposes is subject to regulation. Individuals (data subjects) have rights in relation to their personal data, including the absolute right to object to their personal data being used for marketing purposes under the DPA. Individuals need to be informed that their personal data will be used for marketing and given the option to opt out. In some cases, they must opt in, for example, for most fax and e-mail marketing. Customers who are individuals should be provided with an easy way to opt out. As well as personal opt-outs, there are preference services which traders must consult when planning telephone and fax marketing campaigns, as it is a legal requirement, and it is good practice to consult the preference services for mail and e-mail.
  • Consumer Protection from Unfair Trading Regulations 2008 (SI 2008/1277) (CPUT). The CPUT is enforced by Trading Standards Services (TSS) and the Competition and Markets Authority (CMA). Regulation 3 of the CPUT prohibits unfair commercial practices generally. Direct marketing is a commercial practice. A commercial practice is unfair if it contravenes the requirements of professional diligence (and materially distorts the economic behaviour of the average consumer in relation to a product (or is likely to do so)), for example, giving misleading information about a product to encourage a customer to buy it. Schedule 1 to the CPUT lists 31 practices which will always be considered to be unfair. An example would be promoting a prize draw in a marketing e-mail without awarding the prizes described or a reasonable equivalent. Another example would be making persistent and unwanted solicitations by telephone, fax, email or other remote media (such as mail).
  • UK Code of Non-broadcast Advertising, Sales Promotions and Direct Marketing (CAP Code). The CAP Code is administered by the Committee of Advertising Practice (CAP). However, it is enforced by the ASA, which can refer persistent offenders to TSS. The CAP Code contains general rules about advertising as well as good database practice.
  • Code of Practice of the Direct Marketing Association (DMA). The DMA is the national trade association for the direct marketing industry in the UK. The Code is enforced by the Direct Marketing Commission.

How to comply and potential pitfalls

Main considerations

Individuals have rights in relation to their personal data. Use of personal data for direct marketing purposes is subject to regulation.

Personal data includes, among other things:

  • Names.
  • Addresses.
  • E-mail addresses.
  • Telephone numbers.
  • Location data.
  • IP addresses.
  • Expressions of opinion about individuals.
  • CCTV images.

In certain circumstances, it can include anonymised or aggregated data.

Some personal data is sensitive, including details about:

  • Health.
  • Criminal record.
  • Sexual orientation.
  • Trade union membership.
  • Racial or ethnic origin.
  • Political or religious views.

This information must, therefore, be treated with special care (section 2 and Schedule 3, DPA).

Individuals have an absolute right to object to their personal data being used for direct marketing purposes (section 11, DPA).

Collecting personal data

When you collect personal data, it is important to ensure that the individuals concerned understand that you may use their data for marketing purposes and to give them the opportunity to opt in or out of contact.

You will need to provide individuals with a fair processing notice, which sets out what you will do with the personal data once you have collected it.

It is good practice to have a privacy statement on any website that collects personal data, which should also set out your fair processing notice.

Storing customer data

Customer data, whether in electronic or paper form, must:

  • Be stored in a secure manner and disposed of carefully. It is important to consider that some of the data may be sensitive.
  • Be kept up to date, relevant and accurate.
  • Not be left lying around on printers or desks, and not be downloaded onto portable media without permission or encryption.

It is good practice to treat businesses the same way as individuals, so you should ensure your storage process also applies to data of business customers.

Marketing by post or telephone

An individual may have registered with the Mail Preference Service (MPS) to say that they do not want to receive direct marketing material by post. It is good practice to check databases against the MPS and take account of the individual's preference, although this is not a legal requirement. However, screening against the MPS is required under the CAP Code and the DMA Code.

If you are carrying out telephone marketing (including sending SMS), you need to check your database regularly with the Telephone Preference Service (TPS) to ensure that the people (businesses and individuals) you are calling are not registered. This is a legal requirement under the Privacy Regulations.

If a business has told you directly that they do not wish to receive marketing by telephone, you must stop marketing to that business.

You can make marketing calls, or send direct marketing by post, to people on your database unless they have said that they do not want to receive the calls or post.

The caller (or instigator) of the direct marketing call must display their telephone number.

Marketing by automated calls, SMS, fax or e-mail

To market by SMS or e-mail you will need prior consent from individuals, but not businesses.

However, businesses can opt out of marketing faxes (not email and texts) by telling you directly that they do not wish to be contacted, or by registering their fax number with the Fax Preference Service to opt out of all unsolicited faxes.

If the individual is an existing customer, businesses (but not charities or third sector organisations) may be able to market similar products or services to them by email or SMS without prior consent. This rule is called the "soft opt-in" and applies where:

  • You have obtained the individual's details as part of the sale, or negotiations for the sale, of a product or service to that person.
  • The marketing message contains only a similar product or service.
  • The customer has a simple means of refusing unsolicited marketing at the time their details are collected and, if they do not opt out, they are given a simple way of doing so in every future message.

If you are carrying out marketing by fax, check your database against the Fax Preference Service regularly. This is a legal requirement under the Privacy Regulations.

If the marketing is by way of automated calls, the caller or instigator of the call must display their telephone number.

If you want to distribute e-mail marketing, it is good practice (and consistent with the preference services of other means of marketing) to regularly check your databases against the E-mail Preference Service. However, this is not a legal requirement.

Dealing with opt-out requests

When dealing with opt-out requests, consider the following:

  • Ensure that whenever you contact a customer you provide a clear statement of the marketing company's identity and contact details.
  • Individuals can opt out of marketing contact at any time. The only cost to the customer of opting out should be the cost of sending the message; they must not incur a premium rate charge. It is important to record such requests accurately and to act on them promptly.
  • It is good practice to include an opt-out opportunity on all pieces of direct marketing, whether sent by mail, e-mail or SMS.
  • If someone calls your call centre, a recorded message should let them know that they may opt out of marketing contact and how to do so.
  • Opting in or out of marketing contact should be made as simple as possible for the individual, for example, by providing a link to unsubscribe in an e-mail, or allowing individuals to text STOP to a given number.
  • If someone opts out of marketing, ensure that you retain their record on the system and note that they have opted out (known as "suppressing" the details). If you simply delete their details, you may obtain their data later from another source and will not know that they have opted out of marketing contact.
  • It is not acceptable to rely on silence as an opt-in. You need some positive action by the customer, such as returning a form or an e-mail.
  • If someone has opted in to marketing contact from your organisation but is listed on a preference service, you can market to them if the opt-in is more recent than the preference service registration.

Current developments

Greenwashing. Many advertisers are keen to promote their eco-friendly credentials, especially in the light of the new duty for directors to consider the impact of their company's operations on the community and the environment when promoting that company (section 172, Companies Act 2006). Many organisations are falling foul of the ASA because their claims to be environmentally friendly cannot be substantiated. The ASA has issued guidance for advertisers on eco-friendly claims and the latest edition of the CAP Code contains new rules on environmental claims. See Practice note, Making green claims in advertising.

EU proposals on spam. The European Commission has passed legislation in the revised E-Privacy Directive (2002/58/EC), giving legal persons, with a legitimate interest in combating the sending of unsolicited commercial e-mails ("spam"), the right to take legal action against spammers in civil proceedings. In particular, this would enable ISPs and consumer protection organisations to take action against spammers that are placing a strain on the ISPs' networks. However, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (SI 2011/1208) which implement the amendments to the E-Privacy Directive do not contain this provision.

EU's General Data Protection Regulation and European Commission consultation on the E-Privacy Directive. Organisations have until 25 May 2018 to comply with the EU's General Data Protection Regulation (GDPR) which will replace the Data Protection Directive (see Legal update, General Data Protection Regulation to apply from May 2018). The GDPR will bring about a number of important changes for direct marketers, including:

  • They will have to provide more detail in their privacy notices, including for example whether profiling takes place. In the UK, the ICO is already consulting on a draft Privacy Notices code of practice, which it has drafted with the GDPR in mind (see Legal update, ICO consults on revised privacy notices code of practice).

  • The rules on obtaining consent will be stricter and will require an individual's "clear affirmative action" and until further regulatory guidance is available, it is unclear whether organisations will be able to rely on implied consent.

  • The GDPR expands the reach of EU law as non-EU data controllers and data processors will be subject to the GDPR if they either offer goods or services to data subjects in the EU irrespective of whether payment is received or monitor data subjects' behaviour insofar as their behaviour takes place within the EU. Many non-EU businesses that are not currently required to comply with the Data Protection Directive will, therefore, be required to comply with the GDPR.

In addition, now that the GDPR has been finalised the European Commission has launched a consultation on the E-Privacy Directive and the consultation closed on 5 July 2016 (see Legal update, European Commission consults on E-Privacy Directive). The ICO has responded to the consultation (see Legal update, ICO publishes response to European Commission consultation on E-privacy Directive) and the Article 29 Working Party and the European Data Protection Supervisor have both published their opinions (see Legal updates, Article 29 Working Party publishes opinion on review of E-Privacy Directive and EDPS publishes opinion on review of E-Privacy Directive). All three agree on many aspects as to how the E-Privacy Directive should be reformed, including the requirement that a recipient's prior consent should be introduced for all types of unsolicited electronic direct marketing, irrespective of whether the marketing is carried out by telephone, fax, email or text. The European Commission has published a summary report on the responses and is expected to publish a new legislative proposal on e-privacy by the end of 2016 (see Legal update, European Commission publishes summary report on E-Privacy Directive consultation).

Brexit and the GDPR. Following the UK's decision to leave the EU, the UK Data Protection Minister at the Department for Culture Media & Sport published a statement explaining that if the UK remains within the Single Market, EU rules on personal data might continue to apply fully in the UK, but in other scenarios, all EU rules might be replaced with national ones. The Minister's view on the importance of consistency in data sharing across national borders aligns with that of the ICO (see Legal update, ICO publishes statement on GDPR following Brexit vote) and this will be particularly important for multi-national businesses. The Minister commented, "One thing we can say with reasonable confidence is that if any country wishes to share data with EU Member States, or for it to handle EU citizens' data, they will need to be assessed as providing an adequate level of data protection. This will be a major consideration in the UK's negotiations going forward" (see Legal update, DCMS view on Brexit, the GDPR and EU-US Privacy Shield). The ICO will be speaking with government to discuss the implications of the referendum and to present its view that, given the growing digital economy, reform of the UK's data protection regime remains necessary. It is still too early to say what form the UK's data protection law will take, but the ICO has been clear throughout that organisations should continue to prepare and comply with the GDPR. For further information on the concept of "adequacy" see Practice note, Cross-border transfers: Adequate level of protection.

For further information see:


Key reading
