Records Management

Direct Marketing under data protection law

Guidance regarding marketing and data protection.

This guidance is intended for all University staff who maintain or use database of contacts for ‘marketing’ purposes, including publicising events and programmes, fundraising, alumni activities and offering goods for sale.

Background

Direct marketing only applies to targeting a named individual – for example, letters addressed to ‘the occupier’ would not qualify. It applies to communicating the advertising or marketing of commercial products or services, it also applies to fundraising, and includes all messages promoting an organisation or its values or beliefs. This could include information promoting University events or opportunities for students. Direct marketing covers all forms of communication, such as marketing by letter, telephone, email and other forms of electronic messages.

Requirements for all forms of marketing

Any personal details collected and held for direct marketing purposes must comply with the data protection principles. This means that you must always:

  • inform data subjects in your privacy notice that you will use their personal data for marketing purposes, also of the way they will be contacted (letter, telephone…),
  • have a legal basis for processing the data,
  • not keep the information for longer than necessary, and
  • hold the information securely.

If you have acquired contact details from a third party for marketing, you must check the following:

  • What information about the use of the data was provided at the time the data was collected?
  • Did the individuals indicate any preferences about their means of contact?
  • How have unsubscribe requests been handled?
  • How has the list been kept up-to-date?

The law distinguishes between direct marketing using electronic means and non-electronic means and has different requirements for both. Currently, ‘electronic means’ covers the use of email and text messaging.

Marketing by non-electronic means

Marketing by letter

If you intend to send marketing information to named individuals by letter, you can rely on ‘legitimate interest’ as your legal basis. All letters must include clear information on the identity and contact details of the data controller. Data subjects must also be made aware in every letter that they can object to the processing, i.e. that they can ‘opt out’ of receiving further letters by phoning a free number or sending an email.

Marketing by telephone

If you intend to contact individuals for marketing purposes by telephone, you can also rely on ‘legitimate interest’ as your legal basis. In all calls, staff must identify themselves and, if requested, provide an address or telephone number on which they can be reached. Data subjects must also be made aware during every telephone call that they can object to the processing by phoning a free number or sending an email, i.e. that they can ‘opt out’ of receiving further calls.

Before making a telephone call, you will always need to make sure that the individuals are not registered with the Telephone Preference Service. You can check here:

Telephone Preference Service

Marketing by electronic means

In addition to GDPR, the Privacy and Electronic Communications Regulations 2003 (PECR) regulate in detail the use of electronic communications for marketing such as by email or text messages (SMS). PECR is due to be replaced shortly by a new ePrivacy Regulation (ePR).

Electronic marketing to private individuals can only be done with consent as the legal basis. Consent must be ‘opt-in’ and any direct marketing messages should only be sent to those people who have in fact opted in to receiving such communications. All subsequent marketing communications must contain an option to opt-out of receiving further communications with details of how to do so, such as an ‘unsubscribe’ link at the bottom of an email. If you receive an opt-out request in relation to marketing, you must comply as soon as possible, there are no exceptions to this.

When requesting consent, it is good practice to request consent separately for different forms of communication i.e. whether individuals agree to be contacted via post, telephone or email. This is because the different forms of communication are covered by different legislation.

Soft opt-in

One exception to the need to obtain prior consent is the so-called ‘soft opt-in’, which is based on ‘legitimate interest’. Soft opt-in can be used in situations where you have a pre-existing commercial relationship with the individual: the individual has bought goods from you before, has used services you offer, has attended an event you have organised, or has been in negotiations with you about any of these with you. In these cases, you can market similar goods, services or events to the individual without consent. However, this will only ever apply to commercial activities, i.e. where payment has been involved, it will not apply to, for example, free lectures.

Business-to-business marketing

If the individual you wish to market to is a business contact, then you will not need to obtain prior consent, rather, for so-called ‘business-to-business (B2B)’ marketing, you can rely on legitimate interest as an appropriate legal basis. Business contacts are all individuals who can be considered as representatives of their company, organisation or institution, such as academics from another university or professionals from all sectors.

Marketing via tracking software through social media

If you wish to use tracking software, please consult the University’s Cookie Policy and guidance. 

University Cookie Policy

GDPR compliance guidance for websites (University login required)

About this guidance

Version control

Author/editor

Date

Edits made

2

Data Protection Officer

May 2018

 

3

Sara Cranston

November 2018   Corrected link to guidance about cookies