IDC Names Securiti a Worldwide Leader in Data Privacy


UK Guide on Direct Marketing via Email

By Securiti Research Team
Published December 28, 2022 / Updated March 24, 2023

Listen to the content

The Privacy and Electronic Communications Regulations (PECR) deal with users’ specific privacy rights in relation to electronic communications, alongside the Data Protection Act and the UK GDPR within the United Kingdom.

The PECR primarily covers electronic marketing, including calls, texts, faxes, and emails. Moreover, the PECR also codifies the legal framework on the use of cookies and other similar tracking technologies, the security of public electronic communications services, as well as the privacy of consumers using communications networks or services as regards traffic and location data, itemized billing, line identification services (e.g., caller ID and call return), and directory listings.

Understanding the rules and requirements related to direct marketing can help organizations achieve compliance with the PECR and tailor their future marketing campaigns to engage users more effectively.

What Is Direct Marketing

As per the Data Protection Act of 2018, direct marketing means “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals.”

Therefore, the definition of ‘direct marketing’ covers nearly all types of advertising, marketing, or promotional material that can be directed toward a user via electronic communication, such as through emails.

Direct marketing does not cover electronic mail sent for administrative or customer service purposes, such as alerts related to changes in a company’s terms & conditions or emails pertaining to a problem with the customer’s account. Such messages are referred to as “service messages.” They would not be considered a form of direct marketing if used strictly for administrative purposes only.

However, if a service message contains any form of promotional content, then it would be considered direct marketing.

Important Rules to Consider

The PECR rules apply to any and all organizations that send, encourage, incite, incentivize or ask someone to send unsolicited messages by electronic mail for direct marketing purposes.

Furthermore, if an organization hires a third party to conduct email marketing on its behalf, such an organization is responsible for undertaking appropriate checks, including signing a contract that sets out the third party’s responsibilities, to ensure that the third party’s email marketing practices comply with the PECR guidelines.

If an entity is using personal data, it is mandatory for them to enter into a contract with the third party sending marketing on their behalf. Moreover, if a third party uses an entity’s phone line or internet connection to send electronic mail marketing, such an entity must ensure that these communications comply with the PECR.

In accordance with the PECR, an entity may only send direct marketing by electronic mail to individual subscribers if it has the recipient's consent; or it meets all the requirements of a soft opt-in.

Per the PECR’s guidelines, all elicited consent must fulfill the following criteria:

  • Consent gained for sending individuals direct marketing messages must be freely given, specific, informed, and an unambiguous indication of an individual's wishes through a clear affirmative action.
  • Consent requests must be prominent, concise, easy to understand, and separate from things like general terms and conditions.
  • All entities must keep a clear record of the user’s consent to receiving marketing messages.
  • Users should be allowed to withdraw consent in an easy manner.
  • Consent should not be transferable. For example, a user’s consent to receive marketing emails on a particular email address would not cover any other email addresses they may use.

An entity may rely on soft opt-in as a basis for electronic mail marketing if all of the following conditions apply:

  • The entity wants to send direct marketing messages by email to individual subscribers.
  • Contact details were collected directly from the individuals by the entity which is sending marketing. A third-party marketing list would not be ‘soft opt-in compliant. Moreover, if an individual’s contact details are collected from publicly available sources, such details are unlikely to be used to send unsolicited electronic mail marketing.
  • Contact details were collected during a sale or negotiations for the sale of the entity’s products or services. Negotiations for sale means that the individual actively expressed an interest in buying the products or services, such as by requesting a quote or asking for more details of what the entity offers.
  • Contact details should be used to send marketing about the entity’s similar products and services. In this respect, the key question is whether people reasonably expect direct marketing about the entity’s particular product or service. This is likely to depend on the context, including the nature of the business and the category of the product.
  • The individuals were given a clear, simple way to opt-out or to say no to the marketing at the time when their details were being collected. An example of complying with this requirement would be entities including a prominent opt-out checkbox in their online forms or directing their staff to verbally offer an opt-out to individuals while taking their details for marketing purposes. It is not sufficient to place an opt-out within an entity’s privacy policy or provide an opt-out after collecting the individuals’ details.
  • The individuals are given a clear, simple way to opt-out or change their mind about marketing in each subsequent marketing message sent to them. It must be simple for customers to change their mind, and opt-out of or unsubscribe to marketing. This process must be free of charge (excluding the cost incurred to people in sending an unsubscription message). Consumers should not be required to take complicated steps to unsubscribe, such as creating a new account, or changing their preferences in their existing account.

An entity may not rely on soft opt-in in the following cases:

  • The entity wants to send direct marketing messages via methods other than electronic mail, such as by phone calls or post.
  • Contact details were not collected directly from the individuals the entity wants to send marketing to.
  • Contact details were not collected during a sale, or negotiations for a sale, of the entity’s products or services.
  • Contact details were collected as part of the entity’s fundraising or campaigning activity.
  • The entity wants to use the individuals’ contact details to send marketing on someone else’s behalf.
  • The entity wants to use the individuals’ contact details to send messages related to fundraising or campaigning.
  • The individuals were not given a clear, simple way to opt-out, or any other way to say no to marketing, when their details were collected.
  • The individuals are not given a clear, simple way to opt-out, or change their mind about marketing, in each subsequent marketing message sent to them.

Furthermore, when sending marketing by electronic email to any type of subscriber, an entity must:

  • Not hide or disguise its identity; and
  • Provide a valid contact address for people and businesses to opt-out or unsubscribe.

Direct Marketing and Data Protection Framework

It is essential for an entity to comply with the data protection legal framework when personal data, such as names or addresses, are used in sending electronic mail marketing. All personal data processing operations should be fair, lawful, and transparent.

Non-Compliance with the PECR

If an entity is found to be non-compliant with the PECR, the Information Commissioner's Office (ICO) may serve an enforcement notice that requires such an entity to stop sending direct marketing that is in breach of the PECR. The ICO may also serve a monetary penalty notice, imposing a fine of up to £500,000, against such entity or its directors. These powers may be used separately, or in combination, depending upon the circumstances.

Other Frequently Asked Questions

Here are some other commonly asked questions:

1. Can we use children's information for direct marketing purposes?

Direct marketing to children has significant potential for harm. ICO's recommendations on the subject require concerned entities to refer to several external sources. These include ICO's Children's Code, GDPR Recitals 38 and 58, and the Advertising Standards Authority's CAP code. These all collectively contain extensive information and rules on the responsibilities and obligations of entities when it comes to creating advertising campaigns that adequately protect children from any harm online.

2. What to do when someone opts out or withdraws their consent?

If a user opts out of, or withdraws their consent to receiving direct marketing, the relevant entity must stop processing their data for such direct marketing purposes that the opt-out or consent withdrawal covers.

3. What are marketing suppression lists?

Marketing suppression lists constitute details of individuals who have opted out or otherwise directly informed an entity that they do not want to receive marketing communications from them. People on a marketing suppression list should not be contacted at a later date to ask if they want to opt back into receiving marketing. The ICO requires that once an individual opts-out or withdraws consent from receiving marketing communications, the concerned entity must keep only such enough limited and minimum data that are necessary for it to respect the individual’s marketing preferences and stop sending them marketing messages.

4. What to do if someone asks us to delete their information?

If someone asks an entity to delete their information once they have opted-out, they have a specific data right to make that demand as per the data protection framework within the UK. An entity must delete the information it has on the user if such a request is made. However, the right to erasure would not extend to any data contained in a marketing suppression list, as such data is required by the relevant entity to comply with their legal obligation to not send marketing to individuals who have opted out of it.

How Securiti Can Help

With businesses continuously expanding their digital marketing efforts, it is no surprise that all avenues for marketing are being utilized to their maximum potential. Email marketing is no different, as it allows businesses to send their latest deals, special offers, as well as other forms of marketing messages to existing and potential customers, in a simplified manner.

Similar to the PECR, most other data regulations not only place a tremendous degree of importance on ensuring users’ consent before businesses can send them any form of marketing messages online but make it a legal obligation.

This is where Securiti can help.

Securiti is a market leader in providing enterprise solutions related to data governance and data compliance. Its plethora of solutions, ranging from consent management and DSR automation to data discovery and breach management, allow organizations to fully automate their compliance efforts with all major data regulations globally.

Request a demo today and learn more about how Securiti can help your compliance efforts with the PECR, as well as any other data-related regulations.

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


More Stories that May Interest You

At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.


Gartner Cool Vendor Award Forrester Badge IAPP Innovation award 2020 IDC Worldwide Leader RSAC Leader CBInsights Forbes Security Forbes Machine Learning G2 Users Most Likely To Recommend