Do I need consent to send marketing to my contacts?
Key Contact: Lowri Morgan-Macdonald
One of the common misconceptions, particularly since the GDPR came into force in May 2018, is that you always need express opt-in consent in order to send marketing to customers, clients, or other contacts. However, that is not necessarily the case. Although consent is often required, the requirements depend on how you are carrying out your marketing and to whom such marketing is directed. In this article, we will therefore give you an overview of what the law actually says around consent and direct marketing and what steps you may need to take in order to comply.
There are two sets of privacy laws that are relevant when you are undertaking unsolicited direct marketing (i.e. marketing that is directed at particular individuals and which has not been specifically requested):
- Privacy and Electronic Communications Regulations (PECR); and
- The UK GDPR and the Data Protection Act 2018 (DP Laws).
The PECR sits alongside the DP Laws and you will need to ensure that you comply with both sets of laws whenever you are undertaking such marketing.
The PECR sets out, amongst other things, the rules for carrying out unsolicited direct marketing by email, phone, fax, text, and other electronic messages (such as picture/video messages, voicemails and direct messages via social media).
The PECR does not apply to marketing by post or online advertising – but you will still need to ensure that you comply with the DP Laws if you are processing personal data as part of any such marketing or advertising.
The concept of ‘direct marketing’ covers the communication by any means of advertising or marketing material which is directed at particular individuals. It does not cover genuine market research or customer service messages such as correspondence regarding a contract or purchase, provided that such research and/or messages do not contain any promotional material such as inducements to purchase other products or to renew a contract.
The rules are also generally more relaxed for business-to-business marketing.
Email, text, and phone marketing are likely to be the most relevant forms of marketing for most businesses nowadays and we have therefore set out a summary of the rules below:
Email / text marketing
The general rule is that you must not send email or text marketing to individuals (which includes sole traders and some partnerships) unless they have provided specific opt-in consent to receive such marketing from you.
The only exception to that rule is known as the ‘soft opt-in’, which allows you to send email or text marketing to an individual who is an existing customer and who has bought (or negotiated to buy, i.e. actively expressed an interest in buying your products or services, such as by asking for a quote) a similar product or service from you in the past. However, the marketing message must relate to similar products or services and you must have given the individual an option to opt out both when you first collected their details and in each subsequent marketing message. This exception does not apply to prospective customers or contacts on a marketing list that you have purchased.
You can however send email or text marketing to any corporate body (i.e. a company, LLP, or government body) without consent. But you will still need to ensure that you comply with the DP Laws where you are processing personal data of any individual employees for the purposes of such marketing.
Phone marketing
In general, you must not make live marketing calls to any number registered with the Telephone Preference Service (TPS) or the Corporate TPS (CTPS) unless that person has specifically consented to receive such calls. You must also not make such calls to any person who has objected to your calls in the past.
In terms of automated calls (i.e. a call made by automated dialling which plays a recorded message), you must not make such marketing calls unless the person has specifically consented to receiving such calls from you.
Whether you are making live or automated calls, you must always give your name, allow your number to be displayed and provide a contact address or freephone number (only if requested in the case of live calls).
The same rules apply to individuals and businesses.
If direct marketing involves any processing of personal data (which will generally be the case if you are contacting a specific individual), then you will also need to ensure that you comply with the DP Laws when undertaking such marketing.
In order to process such personal data in accordance with the principles of the DP Laws, you must have a valid lawful basis for such processing. The lawful bases that are most likely to be relevant for marketing are consent and legitimate interests.
If consent is required to carry out any marketing under the PECR, then you will also need consent to process such data under the DP Laws.
The consent standard under both the PECR and the DP Laws is the same – it must be a freely given, specific, informed and unambiguous indication of the individual’s wishes by which he/she by a statement or by a clear affirmative action signifies agreement to the processing of personal data relating to him/her. That means, amongst other things, that the consent must relate to the specific method of marketing to be used and must be a positive opt-in action such as ticking a box or signing a statement; pre-ticked boxes or opt-outs are not valid forms of consent for these purposes.
You must also give individuals the right to withdraw their consent at any time.
If consent is not required to carry out marketing under the PECR, then you may not need consent to process such data under the DP Laws and you may instead be able to rely on legitimate interests.
In order to do so, you must be able to demonstrate that (1) you are pursuing a legitimate interest; (2) the processing is necessary for that purpose; and (3) such interests are not overridden by the interests or fundamental rights and freedoms of the data subject (this is known as the ‘three-part test’). You must be able to satisfy each limb of the three-part test in order to rely on this lawful basis.
It is worth noting that the recitals to the UK GDPR specifically refer to direct marketing as an activity that may indicate a legitimate interest. But this does not mean that it definitely will; you will still have to satisfy the requirements of the three-part test in order to rely on this as a lawful basis.
Some important factors to consider when assessing the three-part test include whether individuals would expect you to use their personal data in this way and what negative effects your marketing could have on individuals, particularly vulnerable individuals.
If you cannot satisfy the three-part test, then it is likely that you will need to rely on consent as your lawful basis to process such data under the DP Laws.
Although the focus of this article is on whether consent is required for sending marketing to customers, you will also need to ensure that you comply with your other obligations under the DP Laws when doing so. These include: informing individuals, usually in the form of a privacy notice, that you intend to use their personal data for marketing purposes and whether you plan to transfer their personal data to a third party for such purposes; ensuring that any personal data held is accurate and up to date; and allowing individuals to object to the processing of personal data for direct marketing purposes at any time.
We have set out below a quick guide as to whether consent is likely to be required for different forms of direct marketing. However, please note that this is only a general guide and its applicability will depend on your assessment of the appropriate legal basis under the DP Laws in the particular circumstances and your general compliance with the PECR and DP Laws in all other respects.
| Marketing Method | Recipient (Individuals includes sole traders and some partnerships) | Is consent required under the PECR? | Is consent required under DP Laws? |
|---|---|---|---|
| Emails or Text | Individuals | Yes | Yes |
| Emails or Text | Individuals | OR Soft Opt-In | Legitimate Interest may be appropriate |
| Emails or Text | Business Contacts | No | Legitimate Interest may be appropriate |
| Live Phone Calls | Individuals / Business Contacts | No but must screen against TPS/CTPS | Legitimate Interest may be appropriate where number not registered to TPS/CTPS |
| Automated Phone Calls | Individuals / Business Contacts | Yes | Yes |
| Post | Individuals / Business Contacts | No | Legitimate Interest may be appropriate |
For more information, please contact Lowri Morgan-Macdonald from our Data Privacy & Cyber Security Team