• GL
Choose your location?
  • Global Global
  • Australian flag Australia
  • French flag France
  • German flag Germany
  • Irish flag Ireland
  • Italian flag Italy
  • Polish flag Poland
  • Qatar flag Qatar
  • Spanish flag Spain
  • UAE flag UAE
  • UK flag UK

Direct marketing using email: ICO publishes new guidance

30 November 2022

The ICO has published guidance on how the Privacy and Electronic Communications Regulations 2003 (PECR) apply to direct marketing using email.

In DWF Data Protection Insights October 2022 we covered the ICO's guidance on direct marketing using live calls. The ICO has also published guidance on how the Privacy and Electronic Communications Regulations 2003 (PECR) apply to direct marketing using email. The key points are:

What is electronic mail marketing?

  • What is electronic mail? This is widely defined, so it includes email and text messages, picture or video messages, voicemail, in-app messages and direct messaging on social media. It does not include advertising on websites or social media, although these are covered by other areas of PECR, such as the rules on cookies.
  • What is direct marketing? Again, this is widely defined, including any type of electronic mail marketing, whether commercial, fundraising or campaigning. It does not cover messages sent for administrative or customer services purposes (service messages), but if you include promotional content in your service messages, those messages will count as marketing.
  • Do we need to know the name of the person we want to send the marketing to for PECR to apply? Some of the PECR rules are not limited to messages that include personal data, but protect subscribers, which may be individuals or corporate bodies.

What are the rules on direct marketing using electronic mail?

  • Who is responsible for complying with the rules on sending marketing by electronic mail? The sender or the instigatoris responsible, so if your organisation appoints a third party to send messages on your behalf, you are responsible.
  • What are the rules on sending marketing by electronic mail? PECR says that you can only send direct marketing to individuals by electronic mail if you have consent or you can meet all of the requirements of the soft opt-in exception to consent. The soft opt-in requirements are complex and require care, but please see the ICO guidance for details, or contact DWF for advice as there are policy decisions to be taken as well.
  • What does solicited and unsolicited mean? Some of the rules only apply to unsolicited messages, meaning mesages that the recipient has not specifically requested. Only specifically requested messages are solicited, so unsolicited messages include those that the recipient has agreed to, or not objected to.
  • What is consent? If you rely on consent as the lawful basis for the personal data processing under the UK GDPR, remember that the consent needs to meet the UK GDPR standard: freely given, specific, informed and unambiguous. You must also make it easy to withdraw consent. If relying on soft-opt in, you do not rely on consent.
  • What information do we need to provide when sending marketing by electronic mail? When you send marketing by electronic mail to any type of subscriber you must not disguise or hide your identity, and you must provide a valid contact address for people and businesses to opt-out or unsubscribe.

How do we comply with the rules on sending marketing by electronic mail?

  • How do we use consent to send marketing by electronic mail? If you want to rely on consent, your consent request mustbe prominent, concise, easy to understand and separate from your general terms and conditions. You mustensure that the consent specifically covers receiving that particular type of electronic mail from you. See the ICO guidance for examples of how to present requests for consent, or ask DWF for advice.
  • How do we use the soft opt-in to send marketing by electronic mail? As above, the rules are complex, so please refer to the ICO guidance or ask us for specific advice for your circumstances.
  • Can we use the soft opt-in for fundraising or campaigning? No, at present the soft opt-in only applies to commercial marketing of products or services. (Note that the Government proposed extending it, but these plans are currently on hold.)
  • Can we use bought-in lists to send electronic mail marketing? In order to use such a list for electronic mail marketing, the people on it musthave given their consent to receive such marketing from you. You must check that any consent is valid and covers you. The soft opt-in does not apply to bought-in lists.
  • Can we use publicly-available contact details to send marketing by electronic mail? You musthave consent or meet all of the soft opt-in requirements to send unsolicited direct marketing by electronic mail to people, including sole traders and some types of partnership. It’s unlikely that you can use contact details obtained from publicly available sources to send them unsolicited electronic mail marketing, as you won't have their consent and the soft opt-in will not apply.
  • Can we ask people to send our electronic mail marketing? This section covers viral marketing, such as "tell a friend" schemes. Due to the need for consent before sending the message, you should not encourage customers to send email or text messages to their friends, as this will make you the instigator of the messages for which you do not have the recipient's consent.
  • Can people object to our electronic mail marketing? Yes, you must not send electronic mail marketing to anyone that has opted-out or unsubscribed and you must stop sending electronic mail marketing based on consent where someone withdraws that consent. You shouldhave a process in place to deal with anyone who tells you they no longer want your electronic mail marketing, and keep them on a suppression list.

What else do we need to consider?

This section covers:

  • the need to comply with the UK GDPR as well as PECR, including the data protection principles of fairness, lawfulness and transparency;
  • the rules on cookies and tracking pixels; and
  • the ICO's enforcement powers, which include serving an enforcement notice and imposing fines of up to £500,000. Again the Government had proposed to increase this to the greater of 4% of global group annual turnover and £17.5million, but these are still under consideration.

Running direct marketing campaigns in accordance with the law can be difficult, due to the need to comply with the UK GDPR, PECR and sector-specific requirements. Please contact one of our privacy specialists for advice on your marketing plans. We also assist clients where marketing plans are coming under scrutiny from individuals, regulators or claims.

Further Reading