You’ve got mail… New guidance on email direct marketing from the ICO

Direct marketing by email is a keystone for many businesses. It can be efficient and effective: but are you confident you are getting it right? Getting it wrong can cost customer goodwill and see the regulator knocking at the door.

On 17 October the UK data regulator, the Information Commissioner’s Office (ICO), issued new guidance on electronic mail for direct marketing purposes which should be helpful for companies trying to do the right thing. The guidance clarifies the rules contained in the Privacy and Electronic Communications Regulations (PECR).

Consent vs ‘soft-opt-in’

The general requirement is that an organisation can only send direct email marketing if it has consent or meets all the requirements for ‘soft opt-in’.

Consent must be valid, measured by the UK GDPR standard: freely given, specific, informed and unambiguous.

Rather than rely on consent, the ‘soft opt-in’ approach allows direct email marketing in certain circumstances. The new guidance provides a checklist of five requirements that must all apply for the soft opt-in approach to be used.

Soft opt-in requirements

In summary, the soft opt-in is available only if the sender:

  1. obtained the contact details itself;
  2. obtained them in the course of a sale, or negotiations for a sale, of a product or service;
  3. is marketing its own similar products or services;
  4. gave the person a simple opportunity to refuse or opt out when the details were collected; and
  5. gives an opportunity to refuse or opt out in every subsequent message.

The soft opt-in is only available to the same entity or single organisation that originally collected the contact details. This means that it won’t apply to other companies within the same group as the collecting organisation.

A person doesn’t need to buy anything to trigger the soft opt-in. It is enough if ‘negotiations for a sale’ took place. This means that they must actively express an interest in buying your products or services. Examples provided in the guidance are someone signing up to a free trial or requesting a quote.

The last requirement means that the set of people you can reach under the soft opt-in changes over time as recipients opt out. So there is an ongoing duty to screen your mailing list against an up-to-date suppression list every time you send, not just when the list is first compiled.
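Screening at send time is a mechanical step, so here is a small worked example of it in Python. This is an added illustration, not code from the ICO guidance or from Shoosmiths, and the addresses in it are constructed. It assumes two things the article does not state: that addresses are compared case-insensitively after trimming and Unicode normalisation (RFC 5321 leaves the local part case-sensitive, but mailbox providers treat it as insensitive in practice, and a suppression match that fails on capitalisation would breach the opt-out), and that the suppression list is held as SHA-256 hashes so it can be stored or shared with a mailing vendor without the opted-out addresses themselves being in the clear.

```python
import hashlib
import unicodedata

# Constructed sample data (not from the ICO guidance): a marketing list and a
# suppression list of people who have opted out. Formatting deliberately
# differs between the two so the normalisation step is exercised.
MARKETING_LIST = [
    "Alice.Smith@Example.com",
    "bob@example.org",
    " carol@example.net ",
    "dave@example.co.uk",
    "bob@example.org",          # duplicate entry
]

OPT_OUTS = [
    "alice.smith@example.com",
    "CAROL@EXAMPLE.NET",
]


def normalise_email(addr):
    """Canonical form used for matching: NFC-normalised, trimmed, lower-cased.

    Assumption: the whole address, local part included, is compared
    case-insensitively.
    """
    return unicodedata.normalize("NFC", addr).strip().lower()


def hash_email(addr):
    """SHA-256 of the normalised address. The suppression list is stored as
    these hashes rather than as raw addresses."""
    return hashlib.sha256(normalise_email(addr).encode("utf-8")).hexdigest()


def build_suppression_set(opt_outs):
    """Rebuild this from the live opt-out records before every send, so that
    opt-outs received since the last campaign are honoured."""
    return {hash_email(a) for a in opt_outs}


def screen(marketing_list, suppression_set):
    """Split a marketing list into addresses that may be emailed and
    addresses that must be suppressed. Duplicates are collapsed so each
    person is emailed at most once.

    Returns (to_send, suppressed), both as lists of normalised addresses in
    their original order.
    """
    to_send, suppressed, seen = [], [], set()
    for raw in marketing_list:
        addr = normalise_email(raw)
        if not addr or addr in seen:
            continue
        seen.add(addr)
        if hash_email(addr) in suppression_set:
            suppressed.append(addr)
        else:
            to_send.append(addr)
    return to_send, suppressed


if __name__ == "__main__":
    suppression = build_suppression_set(OPT_OUTS)
    send, held = screen(MARKETING_LIST, suppression)
    print("send to:  ", send)
    print("suppressed:", held)
```

The point of rebuilding the suppression set on every run is the one the guidance makes: an opt-out received after a list was compiled still has to be honoured in the next message, so screening belongs in the send path rather than in a one-off list clean-up.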

The soft opt-in only applies to messages sent to individual subscribers, which includes sole traders and some partnerships. For marketing to corporate subscribers such as companies, limited liability partnerships and Scottish partnerships, see the ICO's specialist business-to-business guidance.

Buying and selling lists of contacts

If you are using a bought-in list from a third party (including a group company) you will need some data protection due diligence.

If the third party claims that the people on the list consented to direct email marketing, you must check that the consent is valid and actually covers you as the sender. This can be hard to establish, but you should start with the following due diligence checks:

  • what were people told?
  • what did they consent to?
  • were you named on the consent request?
  • when and how did they consent?
  • did they have a choice to consent?
  • is there a record of the consent?

Data subjects’ rights, such as the rights to be informed, to withdraw consent, and to erasure, must be respected, so it is important to keep your lists accurate and up to date.

Viral Marketing

‘Viral marketing’ happens when you ask or encourage other people to send direct email marketing to their friends and family. You remain the ‘instigator’, and you must comply with the PECR rules even though you don’t send the messages yourself.

Consent is again the central issue, because the soft opt-in is not available here. The guidance is clear that encouraging other people to send email marketing on your behalf without the recipients’ consent does not comply with PECR, as the instigator cannot demonstrate valid consent from those recipients.

Enforcement and fines

The ICO says that it will take a risk-based, effective and proportionate approach to enforcement, in line with its stated aim of not burdening organisations in the digital age with unnecessary red tape or disproportionate sanctions.

That said, organisations must comply with the PECR rules. The ICO intends, in its own words, to ‘change the behaviour of anyone who breaches PECR’, and its powers range from enforcement notices to fines of up to £500,000, which it can issue against the organisation or its directors.

Softly, softly - to do list for compliant email marketing

  • If you are relying on consent, can you prove it was fairly and properly obtained within an appropriate time period?
  • If you are using the soft opt-in, can you show compliance with all five requirements?
  • Are you screening your lists effectively?
  • Do you have enough information about your bought-in contact lists?
  • Do you have consent for viral marketing?
  • Could you justify your position if the ICO investigated following a complaint?

If the answer to any of these is no, then informed legal advice from our experts can help.


This information is for general information purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. Please contact us for specific advice on your circumstances. © Shoosmiths LLP 2024.