Direct marketing activities are covered by several pieces of UK legislation in relation to personal data, technologies and means, supported by guidance from the Advertising Standards Authority. Direct marketing covers the promotion of aims and ideals as well as the sale of products and services.
The rules for postal mail marketing are less strict than those for electronic marketing. The Privacy and Electronic Communications Regulations (PECR) provide rules about sending marketing and advertising by electronic means, including phone, fax, email, and messaging. PECR rules also cover the use and management of website cookies and telephone directories.
Use of personal data for direct marketing purposes falls within the general principles of the data protection legislation, including the General Data Protection Regulation (GDPR). In addition, this legislation places particular conditions on processing personal data for direct marketing purposes, whether electronic or otherwise. For example, within the GDPR, use of personal data for direct marketing relates to the lawful basis under which the data was collected (so potentially whether consent is required), individual rights including the right to be informed as to the purposes for which their data will be processed, and the right to object to specific processing (so processing for one purpose may be acceptable but use for direct marketing may not). Furthermore, the data subject may also bring particular requirements to bear, with children having special conditions.
Under PECR, organisations must not use electronic direct marketing to individuals without their prior consent. PECR includes an exception for previous customers, known as the soft opt-in. However, the GDPR has tightened rules relating to consent, which require that where different processing activities take place, consent options should be unbundled so that an individual has more choice over what their data is processed for. Opt-in needs to be more explicit and cannot be pre-selected, i.e. option boxes should be unchecked by default and require user action to demonstrate their consent and understanding of the data processing.
Where an individual objects or removes consent to direct marketing, those activities must stop within a reasonable time. However, rather than remove an individual from a contact list, it may be necessary to retain the contact's details and recorded opt-out in order to prevent them from re-appearing in the contact list at a later date.
Refer also to the ICO's published guidance on Direct Marketing under PECR.
If you send newsletters or communications to subscribers on a mailing list you should be satisfied that you have established a lawful basis to process this information. Document the reasoning for the selection of the lawful basis, for example within a record of the processing activities, covering areas such as processing purposes, data sharing and retention. This should be retained to demonstrate compliance with GDPR.
GDPR also increases the data controller's obligations with regard to bought-in lists. The data controller must verify that contacts on the list have consented to use of their personal data for such purposes.