We guide your Data Protection compliance and reduce your technology costs

Marketing with Consent

Are your unsolicited and direct marketing operations legal?

Do you have the proper consent from your customers and potential customers to directly market to them?

The EU's Privacy and Electronic Communications Regulations (PECR) are implemented in British law alongside the Data Protection Act. The Information Commissioner's Office (ICO) enforces the legislation and will take action, including issuing substantial fines, when organisations break the rules.

Unsolicited Telephone Calls

You cannot legally make unsolicited telephone calls for marketing purposes to:

  • Anyone who has told you that they don't want to receive these types of calls - this includes your existing customers!
  • Anyone who has registered their telephone number with the Telephone Preference Service (TPS) or the Corporate Telephone Preference Service (CTPS) - this also applies to your existing customers!

If one of your existing customers has registered their telephone number with the TPS or CTPS, the only way you can make an unsolicited marketing call to them without breaking the law is to obtain (and document!) their specific consent to receive marketing calls from you.

The law does not prohibit you from making an unsolicited call to one of your existing customers, for example to advise them of a delay with shipping their order, but it is very prescriptive on unsolicited direct marketing activities.

Unsolicited Automated Telephone Calls

The rules are much more stringent here. You cannot legally automate (i.e. using a machine, not a person) an unsolicited marketing call made to anyone unless they have expressly opted in to receive these types of calls. To avoid breaking the law, you must obtain (and document!) specific consent for automated marketing calls; this cannot be implied or assumed from consent given for other types of marketing calls.

Sending Unsolicited Faxes

If you still use fax as part of your direct marketing activities, these restrictions apply:

  • You cannot send unsolicited marketing faxes to a private individual (i.e. not an organisation or corporate body).
  • Do not send unsolicited marketing faxes to any number listed by the Fax Preference Service (FPS).
  • If someone (an organisation or corporate body) has previously objected to you sending unsolicited marketing faxes, you must not send them any faxes of this type.

It is possible to obtain specific consent from a private individual to receive unsolicited marketing faxes from you, but this must be in place (and documented) before you market by fax to them.

Unsolicited Emails

As a general rule, you should not send unsolicited marketing emails unless you can demonstrate (supported by documentation!) one of the following:

  • The recipient has specifically consented to receive unsolicited marketing emails from you.
  • The recipient is an existing customer who has bought a similar product or service from you in the past; or the recipient is a prospective customer with whom you've had previous contact concerning the purchase of a similar product or service. You must have given the recipient a simple way to opt-out of your e-mails at the time you collected their e-mail address and in every message you have sent since.

Even when observing the regulations concerning unsolicited marketing e-mails to the letter of the law, your business must not conceal its identity and you must provide a way for people receiving your marketing e-mails to opt out or unsubscribe.

Unsolicited Text Messages, Social Media Messages etc

These types of electronic messages are covered by the same rules as outlined above for Unsolicited Emails, including the absolute necessity for an opt-out mechanism to always be provided in every message sent.

Marketing Lists

The regulations are very specific concerning the selling and buying of marketing lists:

  • Marketing lists can only be sold if consent has been obtained from all the individuals on the list for their details to be sold.
  • Any business buying a list can only use it for direct marketing activities if the people whose details appear on it have given their specific consent to be contacted by the company who has purchased the list and for the type of message to be sent.
  • If your business is a member of a group of companies, the consent requirements above apply to all companies in the group in the same way as if the list was being sold to a third party company.
  • You need a separate marketing list for each trading name that your business uses. You cannot use a single list unless you have consent from everyone on the list to be contacted by each trading style that your business uses; and for each type of message or call.


This part of the PECR has been popularised by the explosion of website Cookie Opt-In messages over the last few years. You must have consent from your website or online service users to receive any cookies sent to them by your electronic services. You should also advise your users of the name and the purpose of each cookie you issue to them.

It is acceptable for you to obtain (and document!) implied consent for your users to receive your cookies. This means that you do not need an explicit opt-in mechanism for cookies, but can wrap this in a Privacy policy or elsewhere in the Terms and Conditions for use of your website.

There are certain cases where you do not need consent from users for them to receive the cookies you set. Nonetheless, there is less risk to your business if you name all cookies in your Privacy policy (or equivalent) as this protects your business if the exemption is withdrawn or otherwise becomes invalid.

Do you want your business to stay on the right side of the law when marketing?

Idvallo Solutions can help your business with making sure your marketing activities are legal and comply with the regulations. We can help you in the following ways:

What Are Your Next Steps?