The Data Protection Act (DPA) applies to the use of personal information for marketing purposes. To comply with the first data protection principle of the DPA you have to tell individuals:
- who you are
- what you will use their information for (e.g. for marketing purposes)
- anything else necessary to make sure you are using their information fairly, including whether you plan to pass your marketing lists to other organisations and how you will be contacting people, such as by post, phone or email
You must not do anything that individuals would not reasonably expect or which would cause them unjustified harm.
Data protection rights
Individuals have a number of legal rights regarding their personal information:
- the right to be informed
- the right to access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object
- rights in relation to automated decision making and profiling
For further information on the data protection rights of individuals, see General Data Protection Regulations (GDPR).
Lawful basis for processing
You must have a valid lawful basis for processing personal information of any individual for marketing purposes. In relation to direct marketing the most appropriate lawful basis would be one of the following:
- Consent – you can rely upon the consent of the individual to market to them. This must be a clear affirmative and positive action to process the data in this way. You must explain to the individual the categories of personal information you will use, how you will use them and that they can withdraw consent at any time.
- Legitimate interest – you may rely upon your business's legitimate interest of obtaining new customers in order to direct market to individuals. However, this will not negate the consent requirements of PECR. For more information on legitimate interests please see Legitimate Interests.
An individual's right to object
You are using personal information for marketing purposes if you use an individual's details to send them mail advertising your products or services. Some email addresses will be personal information, e.g. an email address in the format email@example.com. An email address that does not name or identify an individual is not personal information.
The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances. All individuals have the right to stop their personal information being used for direct marketing. This right to object is absolute and there are no exceptions. You must inform individuals of their right to object when you first contact them. You should act on objections without undue delay, and within a reasonable period. The ICO suggests within 28 days for calls, texts or other electronic communications and within two months for postal communications.
You normally cannot charge a fee for complying with objections. If the objection is unfounded or excessive, you may request a ‘reasonable fee’ to deal with it.
You don’t need to erase a person’s details from your records if they object to direct marketing. The right to object to direct marketing does not prevent a business from holding a suppression or ‘do not contact’ list. You can keep a ‘do not contact’ list of people who have opted out or otherwise told you directly that they do not want to receive marketing to ensure you comply with their objection.
You must provide individuals with certain information - see privacy notices under the GDPR. This privacy notice information should be provided to individuals at the point in time when they provide you with their personal information. It makes sense to do this when they give their consent to your marketing or when they order goods or services from you. If you do not obtain the personal information from the individual themselves, you should provide them with this notice, at the latest, when you first make contact with them.
Providing personal information to third parties
You may provide personal information about individuals to a third party if:
- they are authorised to obtain that personal information on behalf of the individual
- your business outsources the processing of personal information - for example, payroll processing
- the police need it as part of an investigation
Any third parties who will be relying on the consent must be named – precisely defined categories of third parties will not be acceptable under the GDPR definition. You must keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented.