Marketing to customers – ICO changes to its direct marketing guidance

The Information Commissioner's Office (ICO) (the regulatory body in the UK for data protection issues) has introduced some new changes to its direct marketing guidance. Businesses should familiarise themselves with the updated guidance to ensure their marketing practices are compliant.

What is direct marketing?

Direct marketing has been defined in the Data Protection Act 1998 (the "DPA") as “communication (by whatever means) of any advertising or marketing …directed to particular individuals”.

This means that almost any type of marketing or advertising would fall under this definition so long as it was directed to a particular individual. 

What is the law on direct marketing?

The law regarding direct marketing is covered under:

  • the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR") which regulates marketing by email, phone, text or fax; and
  • if you are processing personal data, the Data Protection Act 1998.

Consent should always be obtained from the individual before a business markets to them. Consent has not been defined in the DPA; although the European Data Protection Directive, which the DPA is based on, states that consent to the processing of personal data (which a business would do when direct marketing to individuals) must be "freely given, specific and informed".

The ICO has a wealth of guidance on how businesses can comply with the DPA and the PECR including its comprehensive "direct marketing guidance".  This guidance has recently been amended.

What are the changes to the direct marketing guidance?

  1. The ICO emphasises that the DPA and the PECR apply to not-for-profit organisations as well as commercial organisations generally and new guidance has been added, which focuses on non-profit organisations. The direct marketing guidance highlights that, in the not-for-profit sector as well as any other sector, any messages that have a marketing element will still be caught by the definition of direct marketing even if the main purpose for the communication is not a marketing one.
  2. As consent must be freely given, the ICO has stressed that "freely given" consent must be able to be demonstrated where any marketing consent is a condition of receiving a service.  You should not, therefore, assume that an individual wants to receive marketing just because they have ordered a product or service.  Consent should not be "buried" in documentation.
  3. The Information Commission also expressly states that consent is unlikely to be valid if an individual is given a long list of general categories of organisations who may market to that individual.  Consent must be "specific" and a general category of organisation will not be sufficient to obtain specific consent for such marketing purposes.  The ICO states that to be specific enough here, the categories of companies need to allow the individual to foresee the types of companies that will market to them, what this marketing will be and the mode of such marketing.
  4. The ICO clarifies that indirect consent is highly unlikely to be valid for marketing through emails, texts or calls.  Indirect consent in this context is where an individual gives their consent to one organisation to receive marketing from other organisations.  The ICO highlights it will be very difficult to use bought-in lists for text, email, or automatic call campaigns as specific consent is required.
  5. The ICO highlights that organisations must tell individuals if they are selling or sharing their data for marketing purposes. 
  6. New working examples have been provided including examples involving a charity.

Author: Noor Al Naeme

For further information on compliance with the CRA or any other matter, please contact Tom Torkar, Partner in the Technology & Innovation team at

Subscribe to our email update!