Direct marketing is an essential tool for many organisations — whether through newsletters, promotional emails, customer magazines, or postal campaigns. But whenever you use personal data to communicate with individuals, you must ensure that your marketing practices comply with data protection law.
Under the UK GDPR and the Privacy and Electronic Communications Regulations (PECR), businesses, charities and other organisations must follow strict rules on consent, data use, and individuals’ rights. Failing to do so can result in regulatory penalties, reputational damage, and loss of customer trust.
This article outlines the key principles every organisation should understand when carrying out direct marketing.
Direct marketing and your responsibilities
If your business sends out regular e-newsletters, bulletins, customer magazines or other communications, you are engaging in direct marketing and are responsible for complying with the direct marketing rules under the UK GDPR.
If you’re sending direct marketing by post, you don’t need consent. However, if you’re putting someone's name on a letter or a flyer, you need a lawful basis for using their personal data and you should be clear from the outset about how you will use their data.
Regardless of the method, if an individual asks you to stop sending them direct marketing, you must honour that request.
If you intend to market via email, telephone or text, you must also consider the additional requirements under PECR.
Consent
Under the UK GDPR, consent must be freely given, specific, informed, properly documented and easy for people to withdraw.
For consent to be freely given, it is not acceptable to use pre-ticked boxes on webpages that state that the information provided by a customer when placing an order will also be used for marketing purposes. Customers and other business contacts must actively “opt-in” and explicitly agree to their data being used in a particular way.
Similarly, for consent to be specific and informed, organisations cannot rely on the idea that one consent fits all purposes. For example, if a customer in a clothes shop provides their email address and consents to receiving an electronic copy of a till receipt, the clothes shop cannot use this email address to send out newsletters or promotional offers unless the customer has also agreed to receive these types of marketing materials. Fundamentally, the customer must understand what the actions are to which they are giving consent.
Consent also needs to be documented and stored in a way that allows organisations to easily demonstrate compliance with the UK GDPR and to act on a request from an individual to withdraw consent. Our article on rights of access provides some answers to frequently asked questions on this topic.
Example
A local children’s charity produces a regular newsletter showcasing its work and promoting fundraising events. The newsletter is only sent to people who have signed up for it via the charity’s website. Does the charity’s procedure for obtaining consent meet the requirements under the UK GDPR?
By asking the recipients to sign up for the newsletter, the charity is asking for their freely given and specific consent.
- However, it is important that the website requires the recipients to actively opt-in and that it is clear exactly what they are signing up for.
- The charity should also have a privacy policy in place detailing how the recipients’ information will be used and how consent can be withdrawn.
Databases and Processes
Most organisations engaged in marketing activities hold some form of database containing personal information such as names, postal or email addresses, and other details.
As well as the rules on how to obtain consent to gather personal data, the UK GDPR gives individuals increased rights to manage the information which a business holds about them.
To satisfy any such requests, businesses need to know where and how individuals’ data is stored, have the tools to recover any data that has been shared, and must be able to amend, delete, or share the data as required.
Example
An IT support company has built an informal spreadsheet containing customer names, contact details and email addresses.
Does this database comply with the company’s obligations under the UK GDPR?
- The company must have a lawful basis for holding the relevant information. This will be closely tied to the purposes for which the company has gathered the information. If the company does not have a lawful basis for gathering and holding the information, it should be deleted. This will involve a systematic process to determine whether a lawful basis exists and a check to ensure that, if not, the relevant information is fully deleted from the company’s IT systems, records and databases.
- If the company has a lawful basis, it still needs to audit the information it holds to check that it is accurate and to ensure it is not holding more information than is necessary.
- The company should also review the internal process it has in place around dealing with the information and ensure that it has the correct resources to manage and protect the information on a continuing basis.
- The company should also have a clear privacy policy which sets out how it deals with its customers’ information.
Consequences of non-compliance
Data protection is not a one-off exercise. Organisations must review and update their practices regularly so that personal data continues to be managed in a compliant way and penalties are avoided.
The Information Commissioner’s Office (ICO) can impose stringent penalties if businesses, charities, sole traders or other data controllers and data processors cannot demonstrate that they are complying with the rules on obtaining consent for direct marketing and are properly using, storing and securing personal data.
There is also the risk of negative publicity, reputational damage and loss of consumer trust, not to mention potential legal action from affected individuals or competitors.
If you would like guidance on navigating UK GDPR data protection rules and ensuring your marketing activities remain compliant, please contact a member of our team – we would be happy to help.
Published 31 October 2025