Marketing consent: what you can and can’t do

direct marketing

Share This Post

When GDPR came into force (in 2018) it introduced a new set of rules around what constitutes consent as the lawful basis for processing. Specifically, when seeking consent you must ensure that an individual takes a positive action to confirm consent based on a clear understanding about what they’re consenting to – this essentially rules out pre-ticked boxes, ambiguous wording or tricking someone into giving consent for processing of their data.

Whilst consent can be considered as the lawful basis for any type of data (it just depends the nature of the processing as to whether it’s the appropriate lawful basis or not), most people think about it within the confines of direct marketing – the idea we need consent to send marketing material and the absolute right someone has to withdraw that consent. So, in this article I’m going to look at direct marketing and where GDPR consent fits in. But first, PECR…

Privacy & Electronic Communications Regulations (PECR)

When it comes to direct marketing (email, phone, SMS text, messaging, etc.) another set of rules set out when you can and can’t direct market to someone. These rules, the Privacy & Electronic Communications Regulations 2003 (or PECR) implement an EU directive into UK law and sit alongside our data protection legislation. So, GDPR and PECR sit alongside each other and complement each other when it comes to processing direct marketing data – when GDPR came in, it replaced the UK’s data protection legislation (the Data Protection Act 1998) but it did not replace the  PECR rules; so, anyone who says they thought GDPR would stop “spam” (or unsolicited marketing) didn’t account for the fact that it’s actually PECR that sets out what you can and can’t do with direct marketing.

In essence, when PECR says you need “consent” to market, it means “data protection” consent, i.e. now, if PECR says you need consent, you now need GDPR level of consent. And, it’s these PECR rules you need to pay attention to, if you’re thinking about your direct marketing activity, particularly if you’re thinking of email, SMS, messaging or phone marketing.

For the purposes of this article, we’re just going to refer to email marketing, but the same rules apply to SMS text messages and direct messaging (e.g. through messaging apps or social media). There are also some additional rules for telephone marketing which we I’m not covering here, but are covered in the infographic at the bottom of this article.

Marketing compliance

So, when thinking about marketing compliance, you need to both consider the PECR rules (in terms of how you can and can’t market) plus you need to consider the GDPR rules as well, but not just in terms of consent messaging – don’t forget data protection applies to your marketing data just like any other personal data, so you need to think about lawful basis, subject access, the right to be informed, data breaches and security, etc.

The PECR email marketing rules

PECR sets out a number of different rules which depend on you whether you’re emailing consumers, businesses or customers:

  • You need consent to market to consumers. If you haven’t been provided with that consent then you cannot send marketing messages to them; you can’t ask them to give you that consent, as that would constitute marketing and therefore would be unlawful. This essentially means you need to rely on “inbound” marketing techniques – e.g. get consumers to sign up to your marketing via your website, your social media, etc.
  • You need consent to market to sole traders (and some types of (small) partnerships). Sole traders, despite being businesses, are treated the same as consumers, so differently from incorporated businesses
  • You don’t need consent to market to businesses (unless they’re sole traders). If you’re marketing to business contacts within a limited, plc, LLP, etc. type business then you don’t need consent to do so, but note, a lot of people don’t realise this is the case, so if you do “scrape” email addresses off LinkedIn or websites and send unsolicited messages, expect some kick back about the fact you’re not supposed to be doing this
  • You don’t need consent to market to generic business addresses. If you’re sending marketing messages to generic email addresses at a business (e.g. info@ hello@ sales@ accounts@ etc.) then you don’t need to seek consent before doing so, but regardless of who replies, the “business” has the right to opt-out of future marketing
  • You don’t strictly need GDPR-level consent to market to your customers. Strictly speaking, provided you give your customers the option to opt-out of your marketing during the sales journey, you can market to them. This is referred to as “soft opt-in” which is still valid and means that you don’t actually need GDPR-level consent, you can use pre-ticked boxes, but again, you should note, that a lot of people expect to see opting-in for marketing, so may question if you’re using a pre-ticked box (even though you’re allowed to)

Honour all opt-outs

However, regardless of whether you’re dealing with consenting consumers, your customers or unsolicited marketing businesses, everyone has the absolute right to opt-out of marketing. So, even if you are contacting people within a business without consent, that individual has the right to ask you to stop and you must and there is nothing you can do about it: you can’t think, but it’s for their own interest if I keep marketing to them or that you don’t need consent. Everyone, even a business as a whole can opt-out of marketing and you have to honour that.

In summary

So, when it comes to marketing consent, it’s not as black and white as you may think. Unfortunately, this is a key area that lots of organisations don’t fully understand, so it’s important that you get it right and therefore understand what you can and can’t do, and most importantly, if you have a marketing team, make sure they understand what they can and can’t do. And don’t forget that GDPR applies to your marketing data, just as any other personal data.

For reference of the rules, we have produced a quick guide infographic which is free to download from this site.

GDPR and PECR marketing consent rules

More To Explore


The key message from the ICO regarding the use of AI is not to forget if AI is processing personal data, then you need to

Read More »

Eat. Sleep. GDPR. Repeat.

We live and breathe GDPR and ePrivacy compliance, so you don’t have too. Our GDPR UNLIMITED helpline is all about offering you help and support, whenever you need it most. As well as the unlimited helpline, you get up to 4 hours “hands-on” help each month, which we can configure to help you in anyway you need such as a GDPR review, or acting as your DPO.

As well as the unlimited helpline and hands-on help you get GDPR and privacy updates, access to our GDPR knowledge centre and webinars.

Unlimited email & phone support

Unlimited email and phone support. Email or organise a voice call as often as you need each month.​

Up to 4 hours "hands-on" help per month

We use these "hands-on" hours to do the GDPR work for you, such as reviews, acting as your DPO, checking DPIA, dealing with breaches, training your staff, etc. (Additional hours: £100+VAT per hour)

Online resources

Our Knowledge Centre gives you access to information, guidance, topic related guides and other tools to support your GDPR and PECR compliance

Updates, alerts & briefings

We provide updates and alerts and a monthly compliance briefing. You can either sign into the Knowledge Centre or sign up via email to receive an email every time we add a new update or alert

DPO services

Whether mandated or not we can act as your Data Protection Officer (DPO) and manage your day to day compliance

Webinars, workshops & training

Whether updates on the latest issue, workshops or team training, it's all included in your monthly retainer.

LIKE WHAT YOU'RE READING? join our email list

Sign up for monthly briefings and the occasional emails about our webinars and services

Want to know more about how we use your data? Check out our privacy policy