The ICO exists to empower you through information.

Effective marketing is essential to the success of most small businesses. But if you’re going to use direct marketing to help grow your business, you must follow the rules. This simple guide sets out the steps you need to take.

Step one: Identify

Think about what you want to do. Does it count as direct marketing?

For example, do you want to:

  • promote your aims, products, services or campaigns, or encourage a person to do something; and
  • direct this to particular people?

If the answer to both of these is yes, your activity counts as direct marketing.

Direct marketing isn’t just about sending messages. It can also include background activities, such as profiling the people you want to send direct marketing messages to.

Direct marketing can involve any type of communication, such as:

  • emails;
  • text messages;
  • phone calls;
  • post;
  • social media marketing; or
  • targeted online adverts.

But it might not include every customer communication you send. For example, service messages such as appointment reminders don’t count as direct marketing.

Step two: Plan

So, you’ve identified that what you want to do is direct marketing. The next step is to plan your direct marketing activities. Planning your activity before you start makes good business sense – starting your direct marketing, then finding out it isn’t compliant might cost you time and money. It could harm your reputation and may result in us taking action against you.

Different types of direct marketing are subject to different rules, so you should consider the following points:

What type of information are you going to use?

Data protection law applies if you want to use information that identifies particular people. If you want to use electronic contact details such as phone numbers or email addresses to send your direct marketing, then the Privacy and Electronic Communications Regulations (PECR) also apply.

If you’re using special category data, such as health data, to decide who to send direct marketing messages to, you should make sure you’ve got the person’s explicit consent to use their information in that way.

And if you want to use children’s information for direct marketing you should be especially careful. This can be potentially harmful to children and there are specific rules about using their personal information.

How are you planning to contact people?

  • Before making live marketing phone calls, you must make sure you’ve checked your list against the Telephone Preference System (TPS) and your own ‘don’t contact’ list. When you call, you must:
    • say who you are;
    • display your number; and
    • provide your contact details if asked.
  • If you’re making automated marketing calls, you must have consent from people that they’re happy to receive these.
  • If you want to send marketing emails or texts, you must either have consent, or meet all the requirements of what’s known as the “soft opt-in” .
  • When sending direct marketing to people by email or text, you must give them a way to opt-out or unsubscribe.
  • If you want to use online advertising to target specific people using cookies or similar technologies, you must get consent and tell people what you’re doing. An example of this type of targeting could involve selecting people according to their browsing history.
  • If you’re sending direct marketing to people by post, PECR marketing rules don’t apply. But you still must comply with data protection law.

What’s your lawful basis for your direct marketing activity?

You must have a data protection reason for using people’s information (known as a “lawful basis”). For your direct marketing, the ones you’re likely to use are consent or legitimate interests.

Is the information you want to use accurate and up to date?

It’s important to use accurate information for your direct marketing, so think about how you’ll keep people’s information up to date. It also makes good business sense to only keep the information you need.

Securely delete any information you no longer need, such as old addresses. Direct marketing costs time and money, so there’s little point sending it to the wrong place. Be aware, if your information isn’t up to date and personal information is sent to the wrong place, this could be a personal data breach.

Step three: Collect

Now you have a plan for your direct marketing, think about where to get the information you want to use. For example, do you want to:

  • collect people’s information directly from them;
  • get people’s information from third parties (eg lists of new customers or new contact details for your existing customers); or
  • use publicly available sources to collect information on people (eg from websites or social media).

Whichever way you decide, you must make people aware that you’re holding their information and want to use it for direct marketing.

Tell people what you’re going to do with their information

Be open and honest with people about how you’re going to use their information when you first collect it. For example, include the information about your direct marketing in your privacy notice, making it clear and easy to understand. You can create a bespoke privacy notice using our privacy notice generator.

If you’re planning to collect people’s information from other sources to use for direct marketing, ask yourself whether they’d expect you to do this. You might find it helpful to know more about your customer, eg so you can tailor your direct marketing to them. However, you must make sure this profiling is fair to people and you must tell them about what you’re doing.

If you want to get information to use for direct marketing from a third party, think about how you’ll check that they’re complying with the law. You don’t want to buy information and then find you can’t use it.

Step four: Respect

The final step is to respect people’s choices about direct marketing. Doing so helps you maintain good relationships with them. Many people are happy for you to use their information for direct marketing, but others may not be. Likewise, people may want to change their mind. Make it easy for people to express their preferences.

People can:

  • opt-out or unsubscribe from your direct marketing (either completely or from a particular type of message);
  • object to you using their information for direct marketing; or
  • change their mind and withdraw their consent to your direct marketing.

If someone does any of these, you must stop using their information for direct marketing.

You should keep a suppression or ‘don’t contact’ list. If someone tells you they don’t want you to use their information for direct marketing, make a note of their details on your list. Doing this also means you can check against your list to make sure you don’t use their details for direct marketing in the future. Keeping an up-to-date ‘don’t contact’ list also saves you the time and expense of sending direct marketing to someone who doesn’t want it.