Do I need consent for direct marketing?

Hands typing on a laptop on a desk



With less than 50 working days until GDPR takes effect on 25th May 2018, many businesses are starting to consider the ‘hot topic’ of whether their marketing lists will still be valid.  But it’s not just GDPR that needs to be considered……

Current Rules (up until 25th May 2018)

Data Protection Act 1998 (DPA98)

Privacy and Electronic Communications Regulations 2003 (PECR)

After 25th May 2018

General Data Protection Regulation (GDPR)

Privacy and Electronic Communications Regulations 2003 (PECR) BUT only until the Regulation on E-Privacy and Electronic Communications (the E-Privacy Regulation) comes into force

General Principles

Under DPA98 “An individual is entitled at any time by notice in writing ……to require the data controller…to cease, or not to begin processing for the purposes of direct marketing….”

Whilst referenced in DPA98, the majority of the rules around direct marketing can actually be found in PECR.  Take a look at the ICO’s current direct marketing guidance, based on PECR.

Direct marketing can currently be carried out following a variety of opt-ins or opt-outs but under GDPR the rules become more challenging because giving consent (or opting in) to direct marketing has specific requirements.

GDPR says:

“Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time….”

“Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.”

As we all know, under GDPR, organisations can only process personal data if they have a lawful basis for doing so (GDPR Article 5 clause 1).  The test for ‘lawfulness of processing’ includes that the data subject has given consent for the processing, but this does not automatically mean that you need consent to carry out direct marketing (or any other type of processing).

Legitimate Interests

Recital 47 of the GDPR states “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

Even the ICO acknowledge that obtaining valid consent under GDPR (Art 7) will be challenging and they urge businesses to consider whether consent is the correct lawful basis for the processing of any data.

But when deciding whether the sending of direct marketing can be done as a legitimate interest, an organisation still needs to consider the rules under PECR.

Postal marketing – not covered by PECR so as long as the organisation identifies itself, offers an opt-out and screens addresses against the mail preference service then it’s ok to send first party marketing (about your own products and services) as long as the client has not previously opted out.  If they haven’t previously opted out but have registered with the mail preference service then you need to leave them alone.

Email/SMS marketing – you must follow the rules in PECR which require an opt-in unless you have obtained the contact details of the individual during the course of a sale (or negotiations of the sale) of a product or service.  The marketing must be of a similar product or service and the individual must have been given the opportunity to opt-out.

Telephone Marketing – for live marketing calls, the rules say you can contact anyone as long as they have not previously opted out and are not registered with the telephone preference service.  You must not make automated calls to anyone unless they have specifically opted in to receive this type of call from you.

So what do you need to do?

  • Consider whether consent is the most appropriate lawful basis for processing – can you use legitimate interests instead?

  • Make sure your privacy notice covers direct marketing if you will be sending it to clients

  • Ensure that there is an easy way for clients to opt-out of marketing and that your system can record the opt-out

  • Ensure your marketing teams screen all marketing data against both the telephone preference service and mail preference service

  • If you do need (or want to rely on consent) then review your current opt-in’s, if they don’t meet the requirements of Article 7 then you will need to ask your clients to opt-in again

  • Keep an eye out for our updates on the E-Privacy Regulation – it was supposed to be ready for 25th May 2018 but this is looking increasingly unlikely as the text is yet to be finalised

Get in touch

We will be talking about the practicalities of GDPR at our upcoming conference in London on 26th April.  However, if you’d like to discuss data protection and GDPR with one of our experts, simply contact us today.


Testimonial from Right Legal
"We have been using Teal to support our compliance frameworks, and every aspect of our experience with them has been fantastic. From the training to the audits, and especially the ‘Ask Teal’ helpline, nothing is too much trouble, and you get quick support from some of the industry’s best compliance experts. Just having them there to support our continued growth takes a huge weight off my mind. Highly recommend to firms of all size and structure!"
Get in touch
Testimonial from Constantine Law
"We rely on Teal Compliance to provide responsive, practical compliance services to Constantine Law (we do not have an in-house compliance officer/function). I would encourage all solicitor firms without their own resource to engage with Teal: they know what they are doing and they provide peace of mind regarding day-to-day compliance matters as well as responses to unforeseen (tricky) compliance matters. They have become an indispensable partner to Constantine Law in our growth journey."
Get in touch
Testimonial from Streathers Solicitors
"We have worked with Teal for several years. They have provided us with AML training and also helped us put together our firm-wide AML risk assessment and our updated AML policy, along with assisting us with various issues as and when they arose. We have always found them to be very helpful, friendly, responsive and knowledgeable, and are happy to recommend them."
Get in touch
Testimonial from Streathers Solicitors
"We have had a relationship with Teal for a number of years and they have provided a valuable resource to our compliance team. Teal combine the delivery of a personal and friendly service with city level expertise."
Get in touch
Previous slide
Next slide