Spreading the word about what your business offers to potential customers is incredibly important, especially as many businesses opt to market directly to their customers.

But businesses must be mindful of customers’ privacy and make sure that their digital marketing efforts are not considered spam.

So, we’ve provided you with a handy guide to ensure your business is directly marketing to its customers and clients within legal boundaries, and keeping their personal information protected!

Key Legal Requirements Of Direct Marketing 

Different types of direct marketing have different legal requirements. The following requirements ensure you’re protecting your customers’ and clients’ privacy.

Complying With The Data Protection Act 

First off, make sure that your business is complying with the Data Protection Act 2018 and the Data Protection Principles. The Data Protection Act is the UK’s adaptation of the General Data Protection Regulation (GDPR), established by the European Union to achieve greater data privacy. 

All businesses that collect data must follow the obligations set up by the law. 

We will now take a look at your obligations in keeping your customers’ personal information safe.

The Difference Between ‘Personal Information’ and ‘Sensitive Information’

Confused about what ‘personal information’ means? First off, you should get to know the difference between personal information and sensitive information.

‘Personal information’ is any information that identifies the person it relates to. Examples include names, credit card details and addresses. Opinions made by that person can also fall under personal information, if those opinions contain identifiable information. 

On the other hand, ‘sensitive information’ can include racial or ethnic origin, political opinions, religion, trade union or other professional associations or memberships, philosophical beliefs, sexual orientation or practices, criminal records, health records and biometric information.

Now that you have an idea of the difference, you should make sure your business only collects ‘sensitive information’ with the customers’ consent and if the information is reasonably necessary for the purpose of directly marketing to your customers.

Having A Privacy Policy

It’s a good idea to make sure your business has a privacy policy in place. 

This is important as a privacy policy tells your customers what privacy rights they have. 

To address customers’ concerns about what their personal information is being used for, privacy policies should outline: 

  • How your business is handling, securing and protecting your customers’ information
  • What your business is doing with information you no longer need
  • How your customers can contact you or make a complaint

A privacy policy can be a bit lengthy for your customers, so make sure your business’s privacy policy is easily readable and accessible. Our lawyers can help you with this if you need one drafted.

Handling Personal Information For Marketing Purposes

Your business may be able to use personal information to directly market to individuals, but only if it is handled correctly, under Principle 5 of the Data Protection Principles. Conduct must be lawful, fair and transparent. 

One exception to the restrictions is when the personal information has been collected directly from the individual by the business, and the individual expects their personal information to be used for direct marketing via email, SMS or MMS. 

Another exception is when the personal information has been collected from a third party, or from the individual directly but they don’t expect that their personal information will be used for direct marketing. 

If your business is a contracted service provider, you could also be exempt from the restrictions. 

Also, if your business has personal information that has been collected to meet its obligations under a Commonwealth contract and it is necessary for you to use and disclose the information to meet these contractual obligations, then your business can use the personal information for direct marketing. 

If any of these exceptions apply, your business must give your customers an easy way out of receiving any direct marketing.

Ensuring Customers Can Opt Out Of Marketing Messages 

As a business, you should make it easy for your customers and individuals to opt out of receiving marketing messages. 

This can be done by providing a link to unsubscribe from promotional emails, or by adding a prompt to message back ‘STOP’ in SMS/MMS marketing.

If your business has collected personal information from someone other than the individual themselves, or if the individual does not expect that their information will be used for direct marketing, you must give them information on how to opt out of each direct marketing communication. 

If a customer asks you to stop, your business must stop sending marketing messages. You must stop this within a reasonable period of time—within 30 days of request is best, if not immediately. 

Usually, customers won’t want their personal information to be used for direct marketing purposes by other businesses, so make sure this request is carried out free of charge!

If the person wants to know how you got their details, you may have to tell the recipient of the messages where you got their personal information. But you’re under no obligation to do this if it’s unreasonable or impractical to do so. It’s best to consult a legal professional to ensure you are within your rights at all times. 

If you have no qualms in letting the customer know where your business got their personal information, this again must be done within a reasonable period of time.

Complying With The Electronic Communications Privacy Act 

If your business is going to directly market to your customers via email, SMS or MMS, you must make sure you’re also following your obligations under The Privacy and Electronic Communications (EC Directive) Regulations 2003.

We’ll go through these obligations below. 

Having The Customer’s Consent

First off, the Act requires that electronic direct mail (or EDMs) be sent to customers with their express consent, or when consent can be inferred from their conduct or the relationship the customer has with your business.

Express consent in EDMs includes:

  • People ticking the box next to a statement which gives permission for the business to send emails directly
  • People directly entering their email address into a form which confirms they want to receive regular email updates from the business

Express consent for SMS and MMS marketing can be given when customers enter their mobile number on a website to opt in to the business’s updates.

On the other hand, examples of inferred consent include the person subscribing to magazines or newspapers, as it indicates that there is an existing relationship between you and the customer.

Identifying Your Business To Customers

The Electronic Communications Privacy Act requires that the email contains accurate information about your business to the person that consented to receiving EDMs. 

In addition to including your business’s website and contact details in the email, your business’s name should be clearly visible in the ‘from’ field or subject line, and in the body of your emails.

For SMS and MMS marketing, your business’s identity must be clear and accurate to the customer when they look at the sender information when receiving marketing messages. Not complying with these requirements may lead to your business’s messages being reported to the Information Commissioner’s Office (ICO), where heavy fines can apply. 

Additionally, if your business has incurred a breach, then it is also your duty to notify the ICO as soon as possible. 

Messaging services themselves have been in trouble for not complying with data protection regulations. In 2021, messaging app WhatsApp was fined €225 for breaching the GDPR. 

An investigation was launched which found that the messaging giant had failed to comply with data protection laws across various nations.

As a consequence of breaching the GDPR, WhatsApp was compelled to pay the fine. The case demonstrates the serious nature of data protection.

Unsubscribe Facilities For Customers To Opt Out

Under the Act, you must give clear instructions to your customers on how to opt out of receiving EDMs, SMS or MMS marketing messages using unsubscribe facilities. 

Examples of unsubscribe facilities include:

  • A sentence at the bottom of EDMs saying ‘to unsubscribe, click here’
  • Notifications in SMS or MMS marketing messages prompting customers to reply ‘STOP’ to opt out

If a person has decided to unsubscribe from your business’s marketing messages, you have five working days to act on these requests.

Make sure you include unsubscribe facilities in your marketing messages as, again, if you don’t, you can be reported to the ICO. 

What Happens If My Business Breaches These Laws?

The ICO has the ability to crack down on businesses that send marketing messages to their customers in breach of the Electronic Communications Privacy Act.

The ICO has the power to enforce direct marketing laws if the marketing messages have been classified as spam and include UK links, particularly EDMs.

The ICO can issue formal warnings, infringement notices and fines.

A hefty fine can be issued when it’s been found that the business has sent two or more marketing messages within a day without people’s consent.

Plus, the ICO can also accept undertakings from the business sending the messages, take matters to the Federal Court and seek remedies there.

Examples Of What Could Happen If You Don’t Comply With The Spam Act

Recent examples of non-compliance show how costly it can be for businesses to not secure their data. Let’s go through a few particularly prominent cases. 

LinkedIn 

Global social network LinkedIn has been at the centre of numerous potential breaches of data. 

In 2021, LinkedIn admitted to a data breach which resulted in the theft of its users’ passwords. 6.5 million passwords were stolen and later published to a Russian forum.

According to their Chief Financial Officer, the aftermath and internal clean-up of the incident cost them around $1 million.

Therefore, data breaches are costly not only because hefty fines can be imposed, but also because fixing a problem that could have been prevented earlier is expensive internally.

Brighton And Sussex University Hospital 

The hospital faced heavy consequences when 232 drives containing patient data were taken. 

The perpetrator then attempted to sell the drives, which contained sensitive details regarding patients, on eBay. The hospital should have taken more care to secure and destroy the drives.

As a result of this breach, Brighton and Sussex University Hospital was fined £325,000.

Key Takeaways…

If your business is subject to the Electronic Communications Privacy Act, you must have a Privacy Policy in place that outlines to customers and clientele how and why their personal information is being collected, stored and used by the business.

Personal information can be used for direct marketing purposes if the customers and clients have provided their personal information under the guidelines provided in the Data Protection Principles. 

Sensitive information can also be used for direct marketing purposes if your customers and clientele have consented to its use.

After collecting this information, you must make sure your business is eligible to use the information for direct marketing purposes. 

You should allow anyone receiving direct marketing messages to easily opt out of them, and act on their request within a reasonable time and free of charge.

Lastly, if there is a breach of the Electronic Communications Privacy Act in relation to the consent, identity and unsubscribe facilities requirements, you could face hefty penalties.

If you want more advice on how to directly market to your customers and clients legally, give us a call on 08081347754 or email us at [email protected]. Our experienced team is available for a free, no-obligation consultation.

About Sprintlaw

Sprintlaw's expert lawyers make legal services affordable and accessible for business owners. We're an award-winning, online law firm for small businesses in the UK.

