Marketing and the data protection law

When a business carries out any marketing, it must make sure that it complies with the rules governing the protection of data and privacy.

This applies to the information that is held on individual customers as well as to the process of marketing itself.

Protecting data

Any business that handles personal information about an individual - such as a customer or a potential customer - must observe the terms of the Data Protection Act 1998.

Handling information involves obtaining, recording, keeping, using, disclosing or destroying data on a living person who may be identified from that information.

A business must comply with the Act if it processes personal data on a computer or, in some instances, if it holds the information in a structured manual filing system (see 'Requests for information' below).

Under the Act, a business needs to notify the Information Commissioner of the purposes for which it handles personal data. Failing to notify when notification is required is a criminal offence.

However, there are some exemptions from notifying the Information Commissioner. A business is not required to notify if it only handles the information for certain core business activities. These include advertising, marketing and public relations where they relate to the business itself, its services and its goods. The exemption also covers data that a business buys in for its own marketing purposes.

The exemptions also include information about customers or potential customers and suppliers that is essential to maintaining accounts or to making financial decisions and forecasts. The exemption, though, does not extend to personal data supplied by a credit reference agency.

That said, certain types of business, such as accountancy practices, consultants and employment agencies, are not usually exempt from notifying the Information Commissioner.

Businesses that are not required to notify must still observe the regulations on data protection as set down by the Act.

Direct marketing

A firm may contact an individual or business by telephone for marketing purposes provided that individual or business has not registered with the Telephone Preference Service or the Corporate Telephone Preference Service. If they have, it is against the law to make marketing calls to them, unless that particular subscriber has told the firm that it does not object to its calls.

A firm may contact an individual by fax for marketing purposes provided that individual has opted in - that is, agreed to being contacted by fax for marketing purposes. A firm may contact another business by fax for marketing purposes provided that business has not opted out - that is, indicated it does not wish to be contacted by fax for marketing purposes.

A firm may not contact either an individual or a business by fax for marketing purposes if that individual or business has registered with the Fax Preference Service, except where they have specifically asked for information.

Email marketing

The Privacy and Electronic Communications Regulations 2003 came into force on 11 December 2003 and extended the rules on unsolicited direct marketing to cover electronic communications. Specifically, the Regulations introduced two new rules for any business that markets its services or products by electronic mail.

Rule 1

The first rule covers all marketing messages sent by electronic mail, irrespective of who they are sent to. It says that the person or company sending the email must not conceal their identity, and that they must provide a valid address at which the recipient can indicate that they no longer wish to receive any further communications. This second part is known as opting-out.

Rule 2

The second rule only covers unsolicited electronic mail sent to individual subscribers. In this context, individual subscribers are defined as either residential subscribers or, in business terms, sole traders or unincorporated partnerships. The second rule says that you can only send marketing emails to individual subscribers if you have their prior consent to the arrangement. In other words, they must agree to receive emails from you in advance of actually receiving them. This is known as opting-in.

The opt-in rule applies in all cases except where three conditions exist. The three circumstances in which the opt-in rule can be relaxed are: if the recipient's email address was collected "in the course of a sale or a negotiation for a sale"; if the person or company sending the email only ever sends out material that relates to their "similar products and services"; and if, at the time their email address was collected, the recipient was given the chance to opt-out of receiving any marketing messages but chose not to exercise that choice.

Only when these three criteria are met can the sender of the message simply offer the recipient the opportunity to opt-out. In all other cases, the recipient must be invited to agree to receiving marketing material.

How the rules work

To conform to the regulations, a company must be aware of what the terms mean and how they apply to them.

Electronic mail

Under the rules, electronic mail is not limited to email: it also includes text (SMS), picture and video messages sent to a phone, and any similar message stored on the network until the recipient collects it.

Unsolicited mail

Put simply, an unsolicited message is one that has not been invited. It does not necessarily mean that the message is unwanted. Somebody might be interested in hearing about the products or the services of a company that they know. Such a customer might not have invited a specific communication, but equally they have made it clear to the company that they agree to be sent relevant news and information.

Consent
Consent is not the same as the absence of an objection. In other words, the recipient of an unsolicited email must have indicated that they actually agree to receiving marketing messages from a company before they can be emailed. This could take the form of being given a box to tick, when submitting or registering their email address, that indicates a positive willingness on their part to receive marketing material. Another option for the company that is collecting the address is to explain clearly that the act of registering an email address amounts to consent unless the person indicates their objection to receiving any marketing by ticking the box provided.

It is important to remember that if someone is given the chance to object to receiving marketing and then fails to do so they cannot be considered to have given their consent. It just means they haven't objected.

Opting-in and opting-out

The basic difference between the two is that to 'opt-in' means to indicate agreement while to 'opt-out' means to indicate an objection. For a person to 'opt-in' they must tick a box to say that they wish to receive marketing messages. For a person to opt-out, they must tick a box to say that they do not wish to receive marketing messages.

Anyone registering their email address with a company, and who does not fall within all three exemption criteria outlined below, can only be sent marketing messages if they sign up for them. That is, they must be given the opportunity to opt-in.

A company, however, can collect email addresses just by offering people the chance to opt-out, but only if the three exemption criteria apply.

The three exemption criteria

The first of these affects how an email address is collected. If the opt-in rule is to be relaxed, then the email must have been collected in the course of a sale or sales negotiation. The sale does not need to have been completed for the exemption to apply.

The second criterion deals with the type of message to be sent. Messages must only concern products and services that someone would reasonably expect to hear about from your company. A business selling garden products can email someone with information about a special seasonal wheelbarrow promotion because that is what any reasonable person would expect a garden product company to sell.

The third criterion is that you offered the recipient the chance to opt-out when collecting their email address, and that you offer it again, free of charge, in every subsequent marketing message.

Existing emailing lists

Many companies will have old databases that contain email addresses collected from people who had not opted-in. Companies can carry on using those lists, with four provisos: the list must have been put together in compliance with the law at the time (at the very least, you told people you were going to market to them); the company must have contacted those on the list within the past 12 months; the company has not already been told to stop the marketing emails; and the company gives recipients of every future email the chance to opt-out, free of charge.
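The rules above amount to a decision procedure that a mailing system can enforce before a message leaves: Rule 1 for everyone, then prior consent, the three soft opt-in criteria or the four legacy-list provisos for individual subscribers. The following consent gate is an added example written for this page; it is not code from the Information Commissioner, the Regulations or any named product, and the data model (the `Recipient` and `Message` fields, the 365-day reading of "within the past 12 months") is an illustrative assumption about how a business might record what it knows about each address.

```python
# Added example: a consent gate encoding the opt-in, soft opt-in and legacy-list
# rules described on this page. The field names and the record layout are
# illustrative assumptions, not the wording of the Regulations.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional, Tuple


@dataclass
class Recipient:
    address: str
    individual_subscriber: bool             # residential, sole trader or unincorporated partnership
    opted_in: bool = False                  # ticked a box positively asking for marketing
    collected_during_sale: bool = False     # address taken in a sale or a negotiation for a sale
    opt_out_offered_at_collection: bool = False
    unsubscribed: bool = False              # has told us to stop
    collected_lawfully: bool = True         # legacy list was lawful when it was built
    last_contacted: Optional[date] = None   # for the 12-month legacy-list proviso


@dataclass
class Message:
    sender_identity: str        # Rule 1: identity must not be concealed
    opt_out_address: str        # Rule 1: valid address to opt out, free of charge
    similar_products: bool      # soft opt-in: only our own similar products/services


def may_send(r: Recipient, m: Message, today: Optional[date] = None) -> Tuple[bool, str]:
    """Return (allowed, reason). Refuses unless a positive basis exists."""
    today = today or date.today()
    # Rule 1 applies to every marketing email, corporate or individual.
    if not m.sender_identity.strip() or not m.opt_out_address.strip():
        return False, "rule 1: sender identity and opt-out address are mandatory"
    # An objection, once made, overrides any earlier basis for sending.
    if r.unsubscribed:
        return False, "recipient has already told us to stop"
    # Rule 2 covers individual subscribers only; corporate subscribers need rule 1 alone.
    if not r.individual_subscriber:
        return True, "corporate subscriber: rule 2 does not apply"
    if r.opted_in:
        return True, "prior consent (opt-in)"
    # Soft opt-in: all three exemption criteria must hold, not just some of them.
    if r.collected_during_sale and m.similar_products and r.opt_out_offered_at_collection:
        return True, "soft opt-in: all three exemption criteria met"
    # Legacy list: lawful when built, contacted within 12 months (assumed 365 days),
    # not told to stop, and the message carries an opt-out (checked under rule 1).
    if (r.collected_lawfully and r.last_contacted is not None
            and today - r.last_contacted <= timedelta(days=365)):
        return True, "existing list: contacted within the past 12 months"
    # Being offered an opt-out and not taking it is not consent.
    return False, "no consent: absence of an objection is not agreement"


def demo_decisions() -> Dict[str, bool]:
    """Run the gate over a constructed sample list (not real data) for a fixed date."""
    today = date(2004, 6, 1)
    promo = Message("Acme Garden Supplies", "unsubscribe@acme.example", similar_products=True)
    unrelated = Message("Acme Garden Supplies", "unsubscribe@acme.example", similar_products=False)
    cases = {
        "opted_in": (Recipient("a@example.com", True, opted_in=True), promo),
        "soft_opt_in": (Recipient("b@example.com", True, collected_during_sale=True,
                                  opt_out_offered_at_collection=True), promo),
        "soft_opt_in_wrong_product": (Recipient("b@example.com", True, collected_during_sale=True,
                                                opt_out_offered_at_collection=True), unrelated),
        "silence_is_not_consent": (Recipient("c@example.com", True,
                                             opt_out_offered_at_collection=True), promo),
        "corporate": (Recipient("sales@bigco.example", False), promo),
        "corporate_unsubscribed": (Recipient("sales@bigco.example", False, unsubscribed=True), promo),
        "legacy_6_months": (Recipient("d@example.com", True,
                                      last_contacted=date(2003, 12, 1)), promo),
        "legacy_15_months": (Recipient("e@example.com", True,
                                       last_contacted=date(2003, 3, 1)), promo),
    }
    return {name: may_send(r, m, today)[0] for name, (r, m) in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo_decisions().items():
        print(f"{name:28s} {'send' if allowed else 'refuse'}")
```

The gate deliberately returns the reason alongside the decision so that the basis for each send can be logged; when a recipient later complains, the business can show which of the grounds above it relied on rather than reconstructing it from the list itself.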

More detailed information on the legislation can be found on the Information Commissioner's website.

Advertising and Public Relations

Some advertising carries reply coupons which request information about the person who is responding. Any coupon must allow the respondent the chance - usually by ticking a box - to opt out from being sent mailings or marketing material as a result of supplying personal details. Customers must be informed how any personal information about them will be used.

Any publicity material that contains information about a customer may only be published with the consent of the customer.

Websites
Many websites ask visitors who wish to register to provide details about themselves. If this is the case, the site must provide the name and address of the business concerned, and must set out how any personal information will be used and why it has been requested. The explanation can be contained in a privacy policy which should be linked to every page on the website.

Anyone who submits personal details when registering with a site must be given the chance to opt out if they do not wish to receive any marketing e-mailings and the chance to opt in if they do wish to receive marketing e-mailings.

Any website that uses cookies must offer a clear explanation of the use to which the cookies will be put and how the information will be accessed. Visitors must also be told how they can refuse any cookies.

A business must not post personal details of a customer on their website without the permission of the customer.

A website that collects or processes personal information must protect it: registration and other forms that submit personal details should be served over an encrypted connection (HTTPS/TLS), and the data must be held securely once collected.

Requests for information

Under the terms of the Data Protection Act, a business, if asked, must disclose certain personal information or data that it keeps on individuals so that they can check its accuracy. If it is inaccurate, the information must be corrected. An individual can also request that a business stop using any information if they believe its use is causing them substantial damage or distress.

A business must respond within 40 days of receiving the written request, any fee it charges, and any further information it reasonably needs to confirm the requester's identity or to locate the data they are seeking.

However, there are parameters that define and limit exactly what that information is, when it must be disclosed and to whom.

The Data Protection Act covers living individuals only. A business, therefore, has no right under the Act to contact another business and request information about itself.

The sort of information that can be requested by an individual must relate to their privacy, be it in their personal or their professional lives. That means a business is obliged only to disclose data that covers private matters like bank details, addresses and information about their health.

Requests by individuals for information must be specific; they cannot be broad and general. Requests must be submitted in written form and must be precise enough for the business to be able to identify exactly the data that is being sought.

A further restriction of the disclosure of data lies with sort of system on which it is stored. Information must be disclosed only if it is held on a relevant filing system; that is, if it is stored on a computer (electronically) or on a manual system that is organised according to certain clear categories.

Manual filing systems that are disorganised or lack a structure are deemed not 'relevant' because of the amount of time it would need to check them for personal details.

To determine whether a filing system qualifies under the Act, a business can apply what is known as the 'temp test'. It works like this. The business must ask whether a temporary employee, unfamiliar with the files, would be able to find the requested personal data on the filing system without having to go through all the documents looking for it. If they would be able to, then the system is relevant and the information on it must be disclosed; if they wouldn't be able to, then the system is not relevant and the information need not be disclosed under the Act.

General precautions
A business that collects personal information in the course of a marketing campaign should take a number of general precautions in order to comply with the regulations on privacy and data protection.

It should only request information it needs for its purpose. It should always tell customers or potential customers why it needs the information and what will be done with it.

Individuals must always be informed if a business intends to sell or pass on the data to another organisation.

Individuals must always have a clear opportunity to opt out of receiving mailings or of having their details used, passed or sold on for other marketing purposes.

Any information that is no longer required should be deleted.

Businesses that need more detailed advice should consult a professional advisor. They can also visit the Information Commissioner's website and the Direct Marketing Association website.