Back to Basics: Direct Marketing

Friday 20th January 2023

Welcome to the final instalment in our Data Protection: Back to Basics series. In this article, we will discuss how organisations can ensure they are complying with the maze of regulatory frameworks that govern direct marketing.

What is direct marketing?

Direct Marketing” is defined as the “communication (by whatever means) of advertising or marketing material which is directed to particular individuals”.

The most common channels used for direct marketing purposes are email, post, telephone calls, text messages, and social media. Advertisements on television, radio, indiscriminate flyers and billboards are examples of channels that are not considered direct marketing, since they are targeted at wide audiences rather than specific individuals.

As direct marketing activities involve the use of personal information, organisations must comply with data protection laws.

What is the law?

The key laws governing direct marketing include:

  • The UK GDPR;
  • The Data Protection Act 2018 (“DPA”); and
  • The Privacy and Electronic Communications Regulations 2003 (“PECR”).

Guidance and Codes of Practice from the Information Commissioner’s Office (ICO) and Advertising Standards Agency (ASA) are also noteworthy sources for best-practice approaches.


Consent is the ‘gold standard’ when it comes to direct marketing and is the option which comes with the least privacy complaints if administered correctly. Consent should be freely given and those who are signed up to any marketing lists must have the ability to withdraw that consent at any time. Organisations should have effective consent management mechanisms to give effect to individuals’ marketing preferences.

Soft opt-in

Soft opt in is sometimes known as the ‘existing customer’ exemption. It assumes that if a customer has made a sale or negotiation for a sale with an organisation, that they may be willing to hear from that business with offers for similar goods and services. There is a specific regulatory test which needs to be met to rely on soft opt-in including clear unsubscribe options when data is collected and in every subsequent communication.

What about phone calls or post?

There are different rules for telephone marketing. Generally, organisations can telephone market if an individual hasn’t objected to the calls, and if the number they are calling isn’t registered on the Telephone Preference Service.

Organisations that wish to carry out marketing by use of automated calls can only do so to individuals who have consented to receiving automated marketing calls. General consent for direct marketing is not enough – the consent must specifically relate to automated marketing calls.

Direct marketing by post is not covered by PECR, however, organisations must still comply with other data protection laws, such as needing a lawful basis to process personal data.

Please feel free to get in touch with Lauren Wills-Dixon and Harvey Blake, our Privacy and Data Protection Experts, with any questions on direct marketing.