Many businesses leverage digital networks to market their services in the modern world, sending targeted communications to customer bases. This process is known as ‘direct marketing’, defined in Section 122(5) of the DPA 2018 as ‘the communication (by whatever means) of advertising or marketing material which is directed to particular individuals’.
GDPR mandates that consent must be freely given, specific, informed, unambiguous and articulated by a ‘clear affirmative action’. As such, you can only directly market to individuals where you have clear evidence of permission to market to that person, by whichever means you’re contacting them.
The ICO hasn’t been shy about handing out fines for failure to comply with GDPR rules on unsolicited marketing communications.
In 2021, We Buy Any Car, Saga and Sports Direct were issued £495,000 in fines for sending more than 354 million unwanted messages to their customers. The ICO also imposed a £20,000 fine on Royal Mail Group Limited in March 2022 for violating Regulation 22 of the PECR following an investigation into a breach and failure to obtain valid consent for direct marketing emails.
In another case, American Express (Amex) was fined £90,000 in 2021 for sending more than four million unwanted marketing emails to its customers. Although Amex argued that the messages were ‘service emails’, permitted without prior consent under the PECR, the ICO upheld that the emails were promotional.
These incidents demonstrate how easy it is to blur the line — and how significant the consequences can be.
Obtaining permission: a marketing opportunity?
For professional services industries such as accountancy, finance and law that regularly deal with large volumes of sensitive data, it’s crucial to ensure direct marketing activity complies with data protection laws on electronic mail. Electronic mail is any text, voice, sound or image message sent over a public electronic communications network.
Of course, all businesses want the opportunity to communicate with customers and prospects. Still, GDPR requires organisations to obtain consent from individuals and ensure they understand what the company will use their data for.