
Updated Direct Marketing Guidance – April 2023

The ICO has recently updated its Direct Marketing Guidance with a helpful guide for users. Here we summarise the key points to assist Direct Marketing professionals with their campaigns. As an initial point of clarification, Direct Marketing is defined as the business of selling products or services directly to the end user, typically through postal, email or telephone communications.

To start with, all campaigns need to be clear about three key areas: 1) what personally identifiable information is being used, 2) what steps have been taken to protect the use of this data, and 3) what lawful basis the campaign falls under. Remember that users have the Right to Object and the Right to Opt Out at any time.

There are a number of real benefits to constructing a well-considered campaign and being thoughtful about the content of your offer and how it relates to the recipients. Done well, a good direct marketing campaign can help to grow your business, add value to your products and services, extend the proposition to your customer base, and finally build trust and confidence with your customers, insofar as you are sending them relevant propositions and offers.

Remember, the rules are not there to stop you running campaigns; rather, they are there to encourage you to think about the data, the purpose and the actions. Of course, a well-run campaign that uses the data appropriately will also be more economically effective!

All direct marketing campaigns are covered by DPA (2018) and UK GDPR laws. If the campaign is electronic in nature (email, SMS or live calls) it will be covered by PECR. All businesses running direct marketing campaigns need to demonstrate compliance and there are a number of ways to do this. Follow our best practice tips and guidelines:

1) Use a plan that demonstrates that the key questions relating to data management have been asked, such as: what type of data are you using, what is the campaign objective, and how will you ensure that the data is not kept for longer than it is needed? Asking these questions indicates that your approach is steered towards ‘Data Privacy by Design’, which is a best practice approach.

2) You must be clear as to which law applies to your campaign and what your lawful basis for processing is, and, having done so, whether there are any additional rules that you need to consider before you carry out the campaign.

3) Consider all of the different types of personally identifiable information when you are selecting your customer data. Names and email addresses are personal information, but so are other online identifiers such as cookies, IP addresses or advertising IDs.

4) If you are using any Special Category Data, you must have a special category condition to justify its usage. This needs to be teamed with the lawful basis for processing to demonstrate your justification for using the data. You must also be able to demonstrate consent from the user in a clear statement rather than simply indicating ‘affirmative action’. This explicit consent needs to sit separately from any other consent indicators within the data.

5) When planning your marketing activity, you must think about whether the information is necessary and proportionate for the campaign you are undertaking. Including this in your plan will ensure that you can demonstrate that you have considered whether the campaign is fair to your customers.

6) Live calls can be used for Direct Marketing, and there is specific guidance about how you manage these. First, check that your contact is not on the Telephone Preference Service (TPS) or the Corporate Telephone Preference Service (CTPS). Next, check that there is no objection to your call by clearly stating what the call is about. To do this you must state the name of your organisation, you must display your phone number, and you must provide contact details if asked. There are further details for claims management calls, so take the time to check these points on the ICO website before you proceed.

7) Social media audience (paid) advertising is classed as Direct Marketing. This includes campaigns where your customer lists are uploaded to social media platforms in order to reach those customers or to identify lookalike profiles. For these campaigns, you must ensure that using individuals’ information is fair to those involved. Equally, at the point of data collection, you must be clear about the different activities in which you want to use the data, and this includes social media profiling. Don’t forget to ensure that your lawful basis for processing is clearly defined for these campaigns.

8) If you are sharing data for Direct Marketing purposes (and this includes supplying supplementary data to augment an existing database), the business involved in the trading of this information must assess the compliance of its data collection in accordance with the relevant laws. For example, users must be clear that their data is being shared with other organisations for Direct Marketing purposes, and you must ensure that the consent to share the data is valid. This means that it has been freely given and is not simply inferred to extend to another business with a similar aim.

9) If you are relying on Legitimate Interests as your lawful basis for processing in your Direct Marketing campaign, you need to be able to demonstrate that the use is proportionate, has a minimal privacy impact, and that the user will not be surprised by or object to what you are doing. To demonstrate this, a Purpose test, a Necessity test and a Balancing test are good tools and are best practice.

10) If you are using Direct Marketing in partnership with other organisations, such as in joint promotions, you must ensure that there is clarity over who is responsible for data privacy compliance: for example, who is making the decisions about what data is being used, what the relationship between the parties is, and what type of activity is being carried out. In many cases it will fall under joint responsibility, in which case both parties will be expected to demonstrate their data privacy compliance for the campaign.

11) When using a ‘Refer a Friend’ mechanism, you must comply with PECR if you instigate the sending or forwarding of messages between parties. For example, generating a pre-prepared email for your customers to forward to their contacts could be construed as instigating the messaging and falls within PECR. By clearly informing users of the campaign without expressly asking them to send an email or text message to their friends, the organisation complies with PECR by not instigating marketing without consent.

12) And finally, remember that you must not send any communications to users who have opted out or unsubscribed, and you must stop sending communications to those who withdraw their consent. Your customers are free to change their minds, and organisations must respect that.

For any further guidance or support for your Direct Marketing campaigns, contact The Data Project, or visit
