How to advertise in the UK in compliance with the law?
What you need to know about direct marketing in the UK.
The laws that directly regulate the rules of marketing in the UK are:
- The Data Protection Act 2018 (DPA) – based on eight principles of good information processing. They give people certain rights in relation to their personal data and impose certain obligations on organisations that are responsible for processing them.
- The Privacy and Electronic Communications Regulations (PECR) – specify the rules for sending marketing materials and advertisements electronically, such as by telephone, fax, email, text message, image, or video. PECR also covers other rules related to cookies, telephone directories, traffic data, location data, and security breaches.
PECR is broader than DPA in the sense that it applies even when an organisation is not processing any personal data – this applies even when the organisation doesn’t know the name of the person they are contacting.
Direct marketing includes the promotion of goals and ideals as well as the sale of products and services. This means that the regulations will cover not only commercial organisations but also non-profit organisations (e.g. charities, political parties, etc.).
A key element of the definition is that the material must be directed at specific individuals. Mass or collective marketing, such as distributing leaflets to every house in an area, inserts in magazines, or advertisements shown to every person browsing a website, will not therefore be covered by the definition of direct marketing.
The rules of direct marketing will not apply if an organisation contacts customers for the purpose of conducting genuine market research. However, organisations conducting market research will still need to comply with other provisions of data protection laws, particularly by ensuring the fair, secure, and solely research-related processing of any personally identifiable data.
Organisations may not ask research companies that perform research for them to: promote their products or provide them with collected data for future sales or marketing purposes – unless the contact persons agree to it and all communication is PECR compliant (e.g. connections are checked in the TPS register).
Solicited and unsolicited marketing
There are no restrictions on sending requested marketing materials, i.e. marketing materials that a person has explicitly asked for.
PECR rules only apply to “unsolicited” marketing messages, and the data protection authority will not prevent organisations from delivering information that someone has requested.
Consent is essential to direct marketing laws. Organisations will typically need an individual’s consent before they can send marketing texts, e-mails or faxes, make calls to a TPS-registered number, or make any automated PECR marketing calls.
For consent to be valid, it must be given knowingly and voluntarily, be clear and specific. Organisations should keep clear records of what an individual has consented to, when, and how that consent was obtained, to demonstrate compliance in the event of a complaint.
To have valid consent, there must be some form of communication or positive action by which the individual clearly and knowingly gives consent. This could include clicking an icon, sending an email message, subscribing to a service, or giving oral confirmation.
The crucial issue is that the individual must fully understand that their action will be treated as consent and must fully understand what they are consenting to. There must be a clear and explicit statement explaining that the action signifies consent to receive marketing messages from that organisation.
Remember, organisations cannot send emails or text messages to individuals asking for consent to future marketing messages.
Indirect consent (given to a third party)
The term “indirect consent” covers situations where a person tells one organisation that they agree to receive marketing communications from other organisations. This is sometimes called “indirect consent” or “third party consent”.
Indirect consent may be valid if the organisation based on it was specifically indicated in the text of the consent.
If the consent was more general (e.g. for marketing “from selected third parties”), it will not constitute valid consent for marketing phone calls, SMS or emails.
There is no set time after which consent automatically expires. However, consent will not remain valid forever. How long consent remains valid will depend on the context.
Of course, consent can be explicitly withdrawn at any time.
To always keep
"RECORD OF CONSENT"
if you run a Newsletter
and provide marketing content
Marketing phone calls
Organisations can make unsolicited live marketing calls, but they cannot call any number registered with the TPS unless the subscriber (i.e. the person who receives the phone bill) has explicitly informed them that they do not object to their calls.
In practice, this means that to comply with the requirements of the PECR, organisations should check the list of numbers they intend to call against the TPS register.
According to PECR, organisations are not prevented from making marketing calls to numbers not registered with TPS. However, if the organisation knows the name of the person they are calling, they can only make a marketing call to them if they have previously obtained their consent to do so, in accordance with data protection principles.
Organisations cannot make a marketing call to a number that was originally collected for a completely different purpose without obtaining prior consent to change the way the consent is used.
The rules regarding automated calls, i.e. calls made by an automated calling system that play a recorded message, are stricter.
Organisations can only make automated marketing calls to individuals who have given prior consent to receive such calls from them.
Consent to receive live marketing calls is not sufficient.
All automated calls must include the identity of the caller and a contact address or free telephone number. Organisations must enable the display of their number (or an alternative contact number) to the recipient of the call.
Remember that there is no need to check the TPS when making automated calls. It doesn’t matter if the number is registered with the TPS. Even if the number is not on the TPS list, the call cannot be made without the person’s consent.
The same rules apply to marketing calls directed at businesses.
Individual entrepreneurs and partnerships can register their numbers with the TPS in the same way as individual consumers, while companies and other corporate entities register with the Corporate Telephone Preference Service (CTPS).
Therefore, an organisation making marketing calls between businesses will need to check both the TPS and CTPS registers.
Marketing texts and e-mails – to individuals
Organisations can generally send marketing texts or emails to individuals (including sole traders/self-employed individuals and partnerships) only if that person has given explicit consent to receive them.
Indirect consent (i.e. consent originally given to a third party) is unlikely to be sufficient.
The same rule applies to any marketing materials sent and stored in electronic form, including emails, texts, images, videos, voicemail, automated voicemail, and some social media messages.
Organisations must provide a valid contact address in such a message for individuals to unsubscribe or cancel their subscription.
A good practice is to allow individuals to directly reply to the message and unsubscribe in that way, or provide a clear and functional unsubscribe link in email messages, or at least provide a toll-free telephone number.
Marketing texts and emails – to businesses
Consent is not required – the only requirement is that the sender must identify themselves and provide contact information.
Corporate subscribers do not include sole traders or partnerships, which instead enjoy the same protection as individual consumers.
Moreover, many employees have personal corporate email addresses (e.g. firstname. lastname @ org. co. uk), and individual employees will have the right under section 11 of the DPA to opt-out of any marketing communications sent to such email addresses.
Marketing mail – traditional letters
PECR does not cover direct mail marketing, but organisations sending marketing mail to designated individuals must comply with the Data Protection rules.
Marketing letters cannot be sent if the address was collected for a completely different purpose. Organisations are also not allowed to send marketing letters to individuals who have expressed objection or opted out. Organisations must promptly comply with any written objections under section 11 of the DPA.
Individuals can register their address with the Mail Preference Service (MPS), which works on a similar principle to the TPS.
The DPA does not require organisations to check the recipient of a letter against the MPS, but it is a legal requirement under the Consumer Protection from Unfair Trading Regulations 2008. Therefore, we advise organisations to always check compliance with the MPS.
If an organisation sends marketing mail to every address in an area and does not know the identities of the individuals, it is not processing personal data for the purposes of direct marketing, and the DPA rules will not apply.
Examples of fines in the UK
ICO has issued monetary fines under PECR to a number of organisations.
Home2 Sense Limited, a home improvement company, was fined £200,000 for making over half a million unsolicited marketing phone calls.
Other fines issued include:
- Managing home energy and lifestyle – £200,000
- Direct Security Marketing Ltd – £70,000
- Telecom – Protection Service Ltd – £80,000 for making multiple live marketing calls to numbers listed in TPS without prior consent and ignoring people’s objections to these calls
- Nuisance Call Blocker Ltd – £90,000
- Telegraph Media Group Ltd – £30,000 for sending marketing emails without consent
- Parklife Manchester Ltd – £70,000 for sending marketing text messages without consent
- Pharmacy 2U, an online pharmacy, offered to sell the names and addresses of their customers through an online marketing company without informing their customers that their data was being sold. ICO found that the company violated the first principle of data protection, which requires fair and lawful processing of personal data, and imposed a fine of £130,000.
In another case, an employee of a motor industry firm was accused of unlawfully disclosing personal data of customers to a claims management company without authorization. She compiled lists of data about road accidents, including partial names, mobile phone numbers, and registration numbers, without permission from her employers. She then unlawfully passed on the obtained data to the director of the claims management company.
Both of these individuals were sentenced to eight months of suspended imprisonment and were ordered to carry out 100 hours of unpaid work and pay £1,000 in costs. Additionally, the court ordered the employee to pay £25,000 and the director of the claims management company to pay £15,000.
It should be noted that according to Section 55 of DPA, selling or offering to sell a marketing list is a criminal offence if any customer data was knowingly or recklessly obtained from another data controller without their consent.