16 July 2024
5 Top Tips for Your Direct Marketing Activities
Sofia Carroll, Information Governance Manager, busts popular myths about data protection laws and email marketing, and explains how to ensure your marketing campaigns are lawful.
Businesses have the right to promote their products and services, and the people receiving those promotions have the right to receive only information they have opted in to read.
Myth 1: We comply with the UK GDPR, so we can send email to people freely.
As an organisation using people’s personal data, you will have a list of responsibilities for handling it lawfully under UK data protection laws. There is, however, separate and broader legislation about sending unsolicited direct marketing messages to targeted individuals: the Privacy and Electronic Communications Regulations (PECR). You must comply with PECR if you send promotional communications to individuals via email, text or fax, or if you use cookies or similar technologies on your website. If you don’t think about PECR compliance as part of your framework, you are likely to fall foul of rules on consent.
Myth 2: The UK GDPR doesn’t apply if we send emails to work email addresses.
If information identifies and relates to a living individual, the UK GDPR is applicable; therefore it also applies to work email addresses if they include a staff member’s name. As a result, the same controller duties fall on you as with any other personal data use. However, sending unsolicited marketing messages to most corporate email addresses does follow different rules to individuals’ personal email addresses.
Myth 3: We can rely on our legitimate interests to promote our business by sending direct marketing emails.
This is one of the most common misconceptions about direct marketing and it causes organisations the most difficulties. PECR states that people must have consented to your marketing prior to you contacting them, except when they have already enquired about or bought similar products or services from you; you have their details from a sale or related negotiations; and you give them a means to refuse contact at the beginning and on every subsequent occasion. For business-to-business marketing (when you are not using private email addresses), you can use your legitimate interests and need a legitimate interest assessment.
Recommendations for improving your PECR compliance
Organisations often realise something is wrong when they receive customer complaints. This means that if one person is unhappy with the communications, there are potentially hundreds or thousands of others on your marketing lists that can be dissatisfied. While there are few data protection fines, the ICO regularly fines controllers for unlawful email marketing.
- Ensure you have valid consent recorded. The standard of consent in PECR is the same as that in the UK GDPR: freely given, specific, informed and unambiguous. In practice, you can achieve this with, for example, good design to show marketing opt-in fields, a clear description of your data uses and separate boxes for each data use requiring consent.
- Understand the ‘soft opt-in’ exception. Soft opt-in is useful for organisations but it is often used too loosely. To use the soft opt-in exemption, it is essential that the person has given their details directly to you in relation to your products or services, and that afterward you can contact them only for the same things. The onus is on you to describe your full offering well, so recipients aren’t surprised you are contacting them. Soft opt-in also applies only in commercial contexts (therefore charities cannot use it).
- Differentiate clearly between a service and direct marketing message. You can send functional and administrative messages without having consent for marketing; this might be a message to confirm the delivery date of an order. But be careful these emails don’t contain promotional wording, as you will need consent for sending any kind of marketing. Work with the marketing team and review campaigns to ensure everyone is clear on the differences.
- Retain unsubscribed emails in a suppressed list. When someone unsubscribes from your marketing, don’t delete their records completely. It’s important to keep track of who has objected to direct marketing, so you don’t email them again by accident. You also cannot email people to “check” whether they would like to receive marketing as this is still classed as contacting them for direct marketing purposes.
- Don’t forget about website cookies. PECR also regulates the use of cookies, and the same UK GDPR consent is required for you to place them on people’s devices. You are not allowed to do so unless they have consented prior to this. This makes long, verbose and confusing cookie banners with only a button to accept all cookies non-compliant. The ICO has shown an increase in appetite to enforce cookie rules in the last few months.
At Naomi Korn Associates we can help with managing data protection risks. We offer a range of data protection services to help organisations with their responsibilities so that they are managed legally, safely, and strategically.
We also have a fantastic range of CPD UK accredited courses covering a wide variety of topics to help build in-house skills and knowledge.
If you’re looking to build on your Data Protection knowledge, our upcoming intermediate course is a perfect opportunity: Lawful Digital Marketing and Consent, which explains the regulatory framework for conducting lawful marketing via electronic means. Participants will not only gain knowledge of key laws operating in this sphere – the Privacy and Electronic Communications Regulations and the UK General Data Protection Regulations – but will also understand their relationship in a marketing context. The course addresses a knowledge gap when consent is needed to lawfully send marketing messages to individuals and how to demonstrate compliance when obtaining valid consent (including for cookies). This is achieved with accessible explanations of the rules, real-life examples and case studies. (3 CPD Points, running 31 July, 9:30am-1pm and 23 October, 9:30am-1pm).
Each of our intermediate courses can be taken as an individual course or as part of our Intermediate Certificate (available in Copyright and in Data Protection). For further information, please see our ‘Certification and Accreditation’ page. For a full description of all courses, please see ‘Our Courses’ page. For a full online timetable, please go to our ‘Online Courses’ page. If you have any queries or would like to get in touch, please reach out to our Training Manager at info@naomikorn.com.