Do you use data for email or mobile marketing?

Collecting personal information via a website often goes hand in hand with electronic marketing. Care needs to be taken to comply with the laws on direct marketing when using email as a method of marketing your goods and services. Other than the Data Protection Act, the Privacy of Electronic Communications Regulations 2003 (PECRs) regulates this type of activity.

The PECRs cover how personal information can be used for direct marketing purposes and outline the obligation of companies to seek consent for carrying out direct marketing activities. If you’re planning a marketing campaign, you’ll have to comply with a number of regulations, some of which apply to unsolicited electronic messages (marketing sent by telephone, fax, email or text which has not specifically been asked for). Direct marketing includes messages trying to sell goods or services, as well as those promoting the values or beliefs of a particular organisation. The PECRs also govern ‘cookies’.

Can a company send unsolicited marketing messages to a subscriber/recipient?

Yes and no! The most important thing to remember is that you can only carry out unsolicited direct marketing by electronic mail if the individual you are sending the message to has given you their permission. In the online world this usually takes the form of a tick box. This is the ‘prior consent’ rule.

However, there is an exception to this rule known as the ‘soft opt-in’, which applies where:

  • you have obtained the individual’s details in the course of a sale or the negotiations for a sale of a product or service to that person;
  • the messages are only marketing your similar products or services; and
  • the individual is given a simple opportunity to refuse the marketing when their details are collected and, if they do not opt out, you give them a simple way to do so in every future message.

Individuals should be able to opt out of receiving marketing at any time and you must comply with any opt-out requests promptly.

Corporate subscribers: The rules on email do not apply to emails sent to organisations except that you must still identify yourself and provide an address. However, it serves little purpose to continue to send unsolicited marketing messages to those who have gone to the trouble of telling you they do not want to receive them. Therefore, the ICO strongly recommends that you respect requests from organisations not to email them. Further, many employees have personal corporate email addresses and individual employees have a right under the Data Protection Act 1998/EU data protection regulation 2016/679 to require you to stop using that address for marketing.

Good practice recommendations

  • Try to go for permission-based marketing as much as possible. This way you are only contacting customers who want you to contact them.
  • Provide a statement of use when you collect details. Put this in an obvious place or make sure it has to be read before individuals submit their details.
  • Make sure you clearly explain what individuals’ details will be used for. For example, explain to individuals why you might use their email address in the future.
  • Do not have consent boxes already ticked.
  • Provide a simple and quick method for customers to opt out of marketing messages at no cost other than that of sending the message.
  • Promptly comply with opt-out requests from everyone, not just those from individuals.
  • Have a system in place to deal with complaints about unwanted marketing.
  • When you receive an opt-out request, suppress the individual or company details rather than deleting them. This way you will retain a record of who not to contact.

Note that if you use several forms of electronic marketing, you will need separate and distinct opt-outs for each marketing method. For example, if you market by text and email and a subscriber opts out via, for example, an unsubscribe link in your privacy policy that is not specific to one method, it will opt the user out of both methods when perhaps they only wanted or intended to opt out of text. ‘My Account’ functions can offer a solution to this.



Author: Yvonne Morris


