The ICO exists to empower you through information.

At a glance

  • Business-to-business marketing is when you send direct marketing to another business or a business contact.
  • PECR contains rules on direct marketing by electronic message (eg phone call, email, text message and fax). These rules may differ depending on your chosen method of direct marketing and the type of business that you intend to contact. Sometimes you may need consent.
  • Businesses are classed as “corporate subscribers” under PECR if they are a corporate body with separate legal status (eg companies, limited liability partnerships, Scottish partnerships, and some government bodies). However sole traders and other types of partnerships are classed as “individual subscribers” and PECR treats them the same as individuals.
  • In general the marketing rules in PECR apply equally to corporate subscribers and individual subscribers. The main difference is that the rule on marketing by electronic mail (eg email or text message) doesn’t apply to corporate subscribers.
  • If you are processing personal data for direct marketing purposes, even in a business context, the UK GDPR applies.
  • If you collect an individual’s contact details in their business capacity and you intend to send them direct marketing messages, you must tell them about this and have a lawful basis under the UK GDPR for the processing.
  • If you want to use publicly available personal data to send marketing to an individual, even in a business context, you need to comply with the UK GDPR.
  • Businesses and business contacts can object to your direct marketing. They can also change their mind and withdraw their consent to your marketing at any time.

In brief

What is business-to-business marketing?

Business-to-business (B2B) marketing is when you send direct marketing to another business or a business contact.

Direct marketing is broad and covers all types of advertising, marketing or promotional material. It covers any means of communication such as emails, text messages, phone calls, and post. It includes commercial marketing (eg promotion of products and services) and the promotion of aims and ideals (eg fundraising, campaigning).

Why is it important to know the rules for business-to-business marketing?

It is important because how the law applies to you may differ depending on your chosen method of direct marketing and the type of business that you intend to contact. For example, are they a corporate subscriber or are they treated the same as individuals?

The UK GDPR still applies to B2B marketing if you are processing personal data. For example, if you hold the name of the individual who represents the business. It is the Privacy and Electronic Communications Regulations 2003 (as amended) (PECR) rules that may be different for B2B when compared to contacting individuals in their personal capacity.

When does PECR apply to business-to-business marketing?

PECR applies to the sending of direct marketing messages by:

  • live or automated phone call;
  • electronic mail (eg emails and text messages); and
  • faxes.

The marketing rules in PECR refer to “subscribers”. For example, this means the customer named on the bill for a telephone line or internet connection. There are two types of subscribers in PECR - corporate and individual.

Corporate subscriber covers subscribers that are a corporate body with separate legal status. This includes:

  • companies;
  • corporations sole;
  • limited liability partnerships;
  • Scottish partnerships;
  • some government bodies; and
  • any other body corporate or entity that is a legal person distinct from its members.

So, for example, the email address or telephone number of an employee at a corporate body would constitute a corporate subscriber for the purposes of PECR because the ‘subscriber’ is their employer.

However not all types of businesses are classed as corporate subscribers under PECR. Some are actually classed as individual subscribers. This includes:

  • sole traders;
  • certain types of partnerships (eg non-limited liability partnerships or other types of English, Welsh and Northern Irish partnerships); and
  • other unincorporated bodies of individuals.

This means they are treated the same as individuals and have greater protections under PECR.

PECR applies to direct marketing sent to businesses in the following circumstances:

Marketing method Does PECR apply?
‘Live’ phone calls to corporate subscribers
‘Live’ phone calls to sole traders and some types of partnerships
Automated phone calls to corporate subscribers
Automated phone calls to sole traders and some types of partnerships
Faxes sent to corporate subscribers
Faxes sent to sole traders and some types of partnerships
Electronic mail (eg emails or text messages) to corporate subscribers
Electronic mail (eg emails or text messages) to sole traders and some types of partnership

See the sections below for the rules on making B2B marketing calls and sending marketing by electronic mail and faxes.

What are the rules for business-to-business marketing calls?

PECR covers making direct marketing calls by live or automated call. These rules apply to B2B marketing calls.

Live direct marketing calls

In most circumstances if you want to make a live direct marketing B2B call (where a live person is speaking) the PECR rules are that you:

  • cannot call numbers registered with the Corporate Telephone Preference Service (CTPS) or the Telephone Preference Service (TPS) unless the business has consented to your marketing calls;
  • cannot call the number of a business who has previously objected to your calls;
  • must say who is calling (eg the name of your organisation);
  • must allow your number (or an alternative contact number) to be displayed to the business receiving the call; and
  • must provide your contact details or a Freephone number if asked.

It is important to remember that some businesses (eg sole traders and some partnerships) register with the TPS, and others register with the CTPS. Therefore before you make live B2B calls, you need to screen against both the CTPS and TPS registers, as well as your own ‘do not call’ list.

Example

An office equipment company wants to advertise its services by telephone. It has a list of businesses and their phone numbers.

Before making any calls, the company screens the numbers against both the CTPS and TPS, as well as its own list of phone numbers of businesses that have previously asked it not to call them.

The company makes marketing calls to the remaining numbers on its list, ensuring that its own telephone number is displayed when making the calls.

The rules on making some types of live direct marketing calls are stricter. For claims management services you must have consent to make live marketing calls. For live marketing calls about pension schemes:

  • you must be a trustee or manager of a pension scheme or a firm authorised by the Financial Conduct Authority; and
  • the person you are calling must have specifically consented to your calls or your relationship with the individual must meet strict criteria.

Automated direct marketing calls

This type of call is made by an automated dialling system that plays a recorded message.

If you want to make an automated marketing B2B call, you must:

  • have consent from the business you intend to call (this consent must specifically cover automated calls from you);
  • say who is calling (eg the name of your organisation);
  • allow your number (or an alternative contact number) to be displayed to those receiving the call; and
  • provide your contact details or a Freephone number.

PECR takes its standard of consent from the UK GDPR which means it must be freely given, specific, informed and unambiguous. See our separate guidance on what counts as consent for more information.

If you are processing personal data when making a marketing call to another business, you need to comply with the UK GDPR. For example, because you know the name of the person who you are calling. See the section When does the UK GDPR apply to business-to-business marketing for further information.

What are the rules for sending business-to-business marketing by electronic mail?

The term electronic mail is intentionally broad and is defined in PECR as:

“any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service”

It covers any electronically stored messages. For example emails, text messages, picture or video messages, voicemails, direct messages via social media or any similar message that is stored electronically.

The PECR rule on direct marketing by electronic mail does not apply to corporate subscribers. For example, this means you can send B2B direct marketing emails or texts to any corporate body. You do not need their consent under PECR to send such messages.

However you must:

  • not disguise or conceal your identity; and
  • give a valid address for businesses to opt out or unsubscribe from your messages.

It makes good business sense for you to keep a ‘do not email or text’ list of any corporate subscribers that object or opt-out of your direct marketing by electronic mail. You should screen any new B2B direct marketing lists against it.

PECR does not say that you must comply with a corporate subscriber’s opt-out in the context of electronic mail. However, given the fact that it does require you to provide a valid address for opt-outs, the intention clearly was there to allow corporate subscribers to unsubscribe. In addition, it serves little purpose to continue to send such marketing to a corporate subscriber who has asked you not to. Therefore, you should comply with a corporate subscriber’s opt-out request. It is important to remember, however, that in some circumstances you may be required to comply with an opt-out or objection. For example, if personal data is involved. See the section Can businesses object to our direct marketing for further information.

Because sole traders and some partnerships are treated by PECR as individual subscribers you can only market them by electronic mail if they have specifically consented, or the ‘soft opt-in’ applies.

The soft opt-in is a term commonly used to describe the exception to the consent requirement. If you want to use the soft opt-in for sole traders or partnerships instead of consent you must meet all of the following requirements:

  • you must have obtained the contact details in the course of a sale or negotiation of a sale of your product or service;
  • it is your similar products and services that are being marketed;
  • you gave the sole trader or partnership a clear opportunity to refuse or opt-out of your marketing when you collected their details; and
  • you give them an opportunity to refuse or opt-out in every communication you send to them.

If you are unsure whether the contact details belong to an individual subscriber or a corporate subscriber this puts you at risk of breaching PECR. To mitigate that risk you should treat the details as belonging to an individual subscriber and ensure that you comply with rules on electronic mail.

Example

An online building supplies company collects email addresses of customers when they place orders with it. The company wants to advertise its special offers by email to these customers. The products it sells on its website are aimed at those in the building trade but it is aware that many of its customers are likely to be sole traders.

The company decides that for all future purchases it will use the soft opt-in for all of its customers. As part of the online buying process it clearly explains that it would like to send emails to the customer about its special offers and gives a tick box for customers to use should they wish to opt-out.

It sends marketing emails about its own products and services to those customers who did not opt-out and it includes an unsubscribe option within each email that it sends.

If you are processing personal data when sending marketing by electronic mail to another business, you need to comply with the UK GDPR (including complying with the right to object to direct marketing). See the section When does the UK GDPR apply to business-to-business marketing for further information.

The PECR rules on cookies and similar technologies apply if:

  • you use ‘tracking pixels’ within your direct marketing emails; and
  • the pixel involves storing information, or accessing stored information, on the device used to read the email (such as its location, operating system etc).

The rules on cookies and similar technologies apply to all types of subscriber. See our separate guidance on cookies and similar technologies for information on how to comply.

What are the rules for sending business-to-business marketing by fax?

Faxing is no longer often used as a method of sending direct marketing. However, if you are considering using this method, you can send direct marketing faxes to corporate subscribers without their consent. But you cannot fax any number listed on the Fax Preference Service unless they have specifically given their permission for you to send them marketing faxes.

You also cannot fax anyone who has told you not to. If you want to send marketing faxes to a sole trader or certain types of partnership you must have consent.

In practice, for B2B marketing by fax you need to:

  • check if the business is an individual subscriber;
  • get consent from any individual subscribers (eg sole traders);
  • screen against the Fax Preference Service;
  • screen against your own ‘do not fax’ lists; and
  • include your name (eg the name of your organisation) and contact address or Freephone number on all B2B direct marketing faxes.

You need to comply with the UK GDPR, if you are processing personal data when sending marketing faxes to another business. For example, because you know the name of the person who you are faxing. See the section When does the UK GDPR apply to business-to-business marketing for further information.

When does the UK GDPR apply to business-to-business marketing?

The UK GDPR applies to the processing of personal data. If you can identify an individual either directly or indirectly it will constitute personal data even if they are acting in their business capacity.

For example you will be processing personal data if:

  • you have the name and number of a business contact on file; or
  • the email address you are using to communicate with the business identifies an individual (eg [email protected]).

If you are processing personal data of your business contacts you must comply with the UK GDPR. This includes ensuring that your use of their data is lawful, fair and transparent. You must also comply with their data protection rights, including their absolute right to stop their data being used for direct marketing purposes.

It can be more straightforward to comply with the UK GDPR if you are dealing with personal data in an individual’s business capacity rather than their personal or private capacity. This is because an individual acting in their business capacity is likely to have different expectations of privacy.

If you do not know the name of the person you are sending direct marketing to at a business, then you are not processing personal data and the UK GDPR does not apply to your marketing. For example, if you are sending your direct marketing by post addressed simply to ‘the IT department’ or by email to ‘[email protected]’.

Collecting business cards

The UK GDPR does not necessarily apply to your collection of other people’s hard copy business cards, but this depends on what you intend to do with this information. If you add their contact details to a database then the UK GDPR applies.

Example

At an industry networking event some of the attendees share their business cards with each other.

One of the attendees takes the business cards back to their organisation and places them loose into their desk drawer. At this point the UK GDPR does not apply to these business cards even though they have people’s names on them. This is because in this context the UK GDPR only applies to paper records such as business cards if you intend to file them or input the details into a computer system.

Another attendee takes the business cards back to their organisation and adds them to their business contacts database. The UK GDPR applies to the personal data they have added to their marketing database, and therefore the organisation needs to comply with its provisions.

What lawful basis might be appropriate for processing personal data of our business contacts?

In order for processing of personal data to be lawful you need a lawful basis from the UK GDPR. There are six lawful bases for processing. The most appropriate is likely to depend on the particular circumstances.

The two lawful bases most relevant in the B2B marketing context are consent and legitimate interests.

In some cases PECR requires you to have consent to send direct marketing to your business contacts. If you have got consent in compliance with PECR (which must be to the UK GDPR standard), then in practice consent is also the appropriate lawful basis under the UK GDPR.

The table below lists some different methods of sending direct marketing to businesses and whether PECR requires consent:

Marketing method Does PECR require consent?
‘Live’ phone calls to CTPS / TPS registered numbers
‘Live’ phone calls where there is no CTPS / TPS registration or objection
Automated phone calls
Electronic mail to sole traders or some types of partnership obtained using the soft opt-in
Electronic mail to sole traders or some types of partnership without soft opt-in
Electronic mail to corporate subscribers
Post ✘ (post is not covered by PECR)

If you are using consent, it must be freely given, specific, informed and unambiguous. It must also be as easy to withdraw consent as it was to give it. See our separate guidance on consent for further information about how to ensure that consent is valid.

If PECR does not require consent, in many cases it is likely that legitimate interests will be the appropriate lawful basis. But there is no absolute rule and you need to apply the legitimate interests three-part test in order to determine if you can use this basis.

For the three-part test for legitimate interests, you need to:

  • identify a legitimate interest;
  • show that the processing is necessary to achieve it; and
  • balance it against the individual’s interests, rights and freedoms.

See our separate guidance on legitimate interests for further information about applying this basis. We also have a section in our detailed legitimate interests guidance on using legitimate interests for business-to-business contacts.

What do we need to tell our business contacts if we are processing their personal data?

If you collect an individual’s contact details in their business capacity and you intend to send them direct marketing, you must make them aware of this. Individuals have the right to be informed about your collection and use of their personal data for direct marketing purposes.

You must provide privacy information at the time you collect the individual’s details from them.

If you collect personal data from sources other than the individual (eg public sources or from third parties), you must provide privacy information within a reasonable period of obtaining the data and no later than one month from the date of collection, unless an exception to this requirement applies. Further information can be found in our separate guidance on the right to be informed.

In all cases your privacy information must be in clear and plain language, easy to understand and easily accessible to individuals.

Example

A business conference organiser collects the email addresses of delegates as part of the sign up process.

After the event the organiser decides it wants to use the list to send emails to delegates about its future events. However, it did not initially tell the delegates in its privacy information that it wanted to use their personal data for this purpose. (In terms of PECR, on this occasion it is very confident that all the email addresses are corporate subscribers).

Although the organiser did not tell delegates about this purpose, it decides that it is reasonable for delegates to expect that they may receive such emails and it is compatible with the original reason it collected the data.

It also decides that the privacy impact is likely to be low as the messages are going to business contacts about its own conferences. It intends to make clear why they are receiving the email (in addition to linking them to its updated privacy information). It will also give a clear unsubscribe option on the email which it will action if a delegate chooses to opt-out. The organiser also checks that it has not received any previous objections.

For future conferences the organiser will clearly explain upfront in the sign-up process that it wants to keep delegates informed about its other events. It also decides that as part of this process it will give delegates a box to tick if they do not want to hear about its future events.

The situation would be different if any of the email addresses of the delegates had constituted individual subscribers under PECR. For example, because they belong to sole traders or because the delegate chose to use their personal email address instead of their work one. The organiser would breach PECR if it sent email marketing to these types of subscribers because it did not seek consent and the requirements of the soft opt-in were not met. However, by using an opt-out box as part of its new process, the organiser may in future be able to meet the soft opt-in for individual subscribers (assuming the other requirements for the soft opt-in are met).

If you intend to buy or sell a list of business contacts for direct marketing purposes, your use of any personal data on the list must comply with the UK GDPR (including if relevant the sale of that personal data). This includes having a lawful basis for selling or buying the personal data. You must also tell people that you have obtained their data or that you intend to share it with, or sell it to, other organisations for marketing purposes.

Example

A business conference organiser collects the contact information of delegates as part of its sign-up process.

After the event the organiser decides that it wants to sell the delegates’ contact details to other organisations to use for marketing purposes.

It did not tell delegates that the personal data they provided would be sold on and no options were given about this.

The organiser considers the reasonable expectations of delegates. It decides that even in a business context, individuals are unlikely to expect that data provided for the purposes of attending the conference would be passed or sold to other organisations. Therefore, this is likely to be unfair. It decides not to sell the data on.

In terms of PECR, the organisations buying the data would breach the law if they sent marketing by email to addresses belonging to individual subscribers (eg sole traders or certain types of partnership). This is because they need consent given to them as sender of the marketing to do this.

Can we use publicly available data to send business-to-business marketing?

The term “publicly available” can refer to information sourced from various places, including:

  • a business’s website;
  • Companies House;
  • social media; and
  • press articles.

You still need to comply with PECR rules if you intend to use details obtained from publicly available sources to:

  • make marketing calls;
  • send marketing by electronic mail (including direct messages on social media); or
  • send marketing by fax to businesses.

If you are intending to send marketing by post then PECR does not apply.

If the publicly available data that you want to use for direct marketing constitutes an individual’s personal data, even in their business capacity, then the UK GDPR applies. For example, if you obtain the name of a company’s head of finance from their website or the email address you have found identifies a particular individual at a business.

If you use publicly available personal data for your own purposes, you are a controller and take on full responsibility for compliance with data protection legislation for that personal data.

The UK GDPR doesn’t prevent you from using personal data from publicly available sources. However, you cannot assume that simply because an individual’s personal data is in the public domain they are agreeing to it being used for direct marketing purposes. You must ensure that your processing of personal data is fair, taking into account the source of the data. You must consider whether individuals are likely to expect what you intend to do with the data.

The expectations of individuals about how personal data is used in their business capacity are likely to be different to their expectations about how data is used in their personal capacity. For example, an individual whose business contact details are publicly available on their employer’s website may well expect to receive contact from other businesses.

However, you still need to comply with the UK GDPR. This means having a lawful basis for the processing and providing the individual with privacy information, as well as complying with any objections to your direct marketing.

In terms of professional networking sites, in many cases individuals use these sites as a promotional tool and to further their careers. They are unlikely to be on the sites exclusively in their business capacity (ie they are not on the site simply as a representative of the organisation that they work for). If an individual is using such a platform in their personal, albeit professional, capacity then sending them direct marketing messages is not considered B2B marketing.

Individuals on professional networking sites may have different expectations about how their personal data is used compared to their personal use of other networking and social media sites. However, this depends on the particular circumstances and context.

In any event, you must comply with the UK GDPR, if you intend to collect and use the personal data of individuals from professional networking sites. You must also comply with PECR, if you are intending to send marketing to these individuals by electronic means.

Can businesses object to our marketing?

Yes, businesses can object to you sending them direct marketing. In short you:

  • cannot make live marketing calls or send marketing faxes to any business that has objected to this type of contact from you;
  • cannot make live marketing calls to any business that has objected by registering their number with either the CTPS or TPS (unless you have their consent);
  • cannot send marketing faxes to any business that has objected by registering their number with the Fax Preference Service;
  • must stop sending direct marketing based on consent where that consent has been withdrawn;
  • cannot send marketing by electronic mail to sole traders or some types of partnerships if they have opted-out; and
  • cannot process an individual’s personal data for direct marketing purposes, even in a business context, if they have objected.

Under PECR, businesses can object to your live marketing calls and your marketing faxes. If they object, you must stop marketing them by these methods.

The CTPS and TPS act as a general objection to receiving live direct marketing calls. Likewise, the Fax Preference Service is a general objection to direct marketing faxes. You must respect the objection of the business and not make marketing calls or faxes to the numbers of businesses that appear on these lists.

If a business has given their consent to receive direct marketing from you (eg because PECR requires consent) it is important to remember that they are free to change their mind. They can choose to withdraw their consent to receiving your direct marketing messages at any time. If they withdraw consent, you need to stop any direct marketing to the business that was based on that consent.

You must give sole traders and certain types of partnerships the chance to opt-out, if you are seeking to rely on the soft opt-in to send electronic mail. You must give them this option when you collect their details and in every subsequent direct marketing message. If that business chooses to opt-out or unsubscribe, you cannot start or continue to send direct marketing to them by electronic mail.

If you are processing the personal data of a business contact then the UK GDPR gives them the right to object to you processing it for direct marketing purposes. This right is absolute and there are no grounds for you to refuse. They also have the right to withdraw their consent to your processing (if you are relying on consent). If an individual withdraws their consent or objects, you must stop processing their personal data for B2B marketing purposes.

If there is an objection, opt-out or withdrawal of consent you should add the business or business contact’s details onto your ‘do not contact’ or suppression list instead of simply deleting all record of them. Doing this means that you can screen any new direct marketing lists against it.

Example

A recruitment company sends an email to the HR director at a limited company advertising their services.

Because the HR director’s email address constitutes a corporate subscriber for the purposes of PECR the rules on consent and the soft opt-in do not apply. However the HR director’s email address identifies them by name – [email protected].

The HR director replies to the recruitment company and asks it to stop sending them marketing emails. The recruitment company stops sending marketing emails to the HR director and adds their email address to its ‘do not contact’ list so that it will not contact them again in future.

The UK GDPR only applies to the processing of personal data. This means that businesses do not have the same rights as individuals. So if a business tells you that they object to your direct marketing, you are not required under the UK GDPR to comply with their objection (although you may be required to do so under PECR). However, it serves little purpose to continue to send direct marketing messages to a business that has asked you not to. And you are not able to send the marketing to any contact details using personal data (eg an email address that identifies an individual).

Checklist

We only make automated direct marketing calls to businesses if we have their consent.

We screen against the CTPS and TPS before making live direct marketing calls to businesses.

We display our telephone number when making direct marketing calls to businesses.

We screen against the Fax Preference Service before sending direct marketing faxes to businesses.

We only send direct marketing faxes to sole traders and certain types of partnership if we have their consent.

If we are not sure whether a business is a corporate subscriber, we ensure that we have their consent to receive our electronic mail (unless contacting previous customers about our own similar products, and we offered them an opt-out when they gave us their details).

If we are processing personal data of our business contacts, we ensure that we have a lawful basis to do so.

We tell our business contacts if we want to use their personal data for direct marketing purposes.

We screen against our suppression lists and ‘do not contact’ lists before sending any direct marketing to businesses.

We act on withdrawals of consent from businesses and business contacts.

We don’t send direct marketing to any business or business contact that has asked us not to.