Data Privacy: When don’t you need an individual’s consent for direct marketing?

Direct marketing is the communication, by whatever means, of advertising or marketing material which is directed at particular individuals. In practice, all electronic messages, such as e-mails, phone calls and texts, are directed to someone and are therefore direct marketing.

There are strict rules governing direct marketing, particularly in relation to unsolicited marketing (i.e. a message that has not been specially requested). The processing of personal data in the UK is governed by the UK General Data Protection Regulation (GDPR) and the Data Protection Act. The Privacy and Electronic Communications Regulations sit alongside these rules and provide specific rights in relation to electronic communications. Failure to comply with these rules could lead to fines, compensation claims and damage to goodwill.

The rules

Organisations must not send marketing communications to individuals without their specific prior consent. However, there is a limited exception for previous or existing customers, known as the “soft opt-in”.

“Soft opt-in”

To ensure a compliant “soft opt-in”:

  1. You must have a pre-existing relationship with the individual targeted, from which you received their contact details, for example when they purchased a product or service from you previously, or showed a genuine interest in doing so;
  2. Your marketing communication must only concern products and services that are genuinely similar to those previously purchased;
  3. You must notify the individual in advance of your intention to send them marketing communications about similar products and services (e.g. in your privacy notice); and
  4. You must ensure the individual can easily opt out of receiving the communications, both when you first collect their details, and in every communication you send thereafter.

This sounds simple enough but there are a number of crucial factors to bear in mind before utilising this exception:

  • A “genuine interest” does not just mean for example that a customer visits a website to browse a company’s product range. But if the customer enquires after further information, requests a quote or enters into “negotiations for sale”, this should be sufficient.
  • The communication from the individual must relate to buying products or services, rather than a general query about the business.
  • Ask yourself whether the customer would reasonably expect messages about the product or service in question as a result of their prior interactions with you.
  • Individuals have a right to opt out of receiving marketing at any time. As soon as an individual says they don’t want to receive the communications, this will override any existing consent or soft opt-in and they must stop.
  • The contact details must have been obtained directly from the individual by the organisation who wishes to send the marketing communications. Therefore, organisations cannot rely on this exemption if they obtained a marketing list from a third party. In this case they will still require the individual’s consent.
  • The ‘soft opt-in’ exception only applies to commercial marketing of products or services. This means that charities, political parties and not-for-profit organisations will not be able to send campaigning texts or emails without specific consent, even to existing supporters.


Please note that, if you are instead relying on consent of the data subject, there are strict rules under the GDPR governing what constitutes valid consent. Consent is only valid where:

  1. It is knowingly and freely given;
  2. It is clear and specific;
  3. It covers both your organisation and the type of communication you wish to use;
  4. It involves a clear positive action (for example, ticking an unticked box);
  5. The individual understands that they are giving their consent; and
  6. The consent can be (easily) withdrawn at any time.

The clearest way to obtain consent is often to ask the customer to actively tick an unticked opt-in box confirming they are happy to receive marketing from you. A clear link to your privacy policy should be included at this point too. Note that pre-ticked boxes do not give valid consent.

Corporate Subscribers

The above rules do not apply to electronic marketing communications sent to corporate subscribers. In this case, the sender must identify itself and provide relevant contact details only. Note though that the rules become more blurred around personal corporate email addresses and often it is safest to follow the rules applicable to individuals in all circumstances.

Madeleine Rhodes    email: