
Guide to Direct Marketing

What is Direct Marketing?

Direct marketing is defined as the communication (by whatever means) of advertising or marketing material which is directed to particular individuals.

If you are sending information electronically (eg calls, texts, social media direct messages, emails) promoting an activity, product or service to individuals, specific rules apply, as set out in the Privacy and Electronic Communications Regulations (PECR). These rules operate over and above the UK GDPR. If the individuals being sent the marketing do not have an existing relationship with the University (ie prospects, customers, visitors, people you think may be interested in hearing about your work), ‘opt-in’ consent is required before the marketing can be sent. This means that individuals have to agree in advance to be sent marketing information electronically. This might be by ticking a box on our website, for example, or by choosing to join a mailing list that is explicitly for the purpose of receiving marketing information.

Direct marketing by post is not subject to PECR, but it is subject to the Data Protection Act 2018, which requires you to have a legitimate interest (such as an ongoing, existing relationship with the individual) to hold their contact details.

Students and staff
At the University, we regularly send information to staff and students using a University email address. Where this relates to their job or course, it is generally considered to be acceptable as it is not marketing an activity, product or service. However, if the information does fall into the marketing category, you will need to provide a way for people to ‘opt-out’ and inform them about the marketing and their right to opt-out. If staff or students have signed up to receive some information that falls into the marketing category, but then change their mind, their preferences should be respected.

Third parties
Where we want to send marketing information electronically to third parties such as visitors, customers or even people making enquiries about possible future study, we need to be particularly careful to ensure that we comply with the law. In most instances, these individuals must be asked for their consent, or to ‘opt-in’, as this is considered electronic marketing and consent is the only valid basis for sending marketing information in this context.

To be valid, the consent must be ‘unambiguous’. This means an ‘opt-in’ tick box or, in the case of a mailing list, that the individual provided their contact details knowing that they would receive ongoing information. This must be explained in a privacy notice or data protection/collection statement.

Once we have unambiguous consent, we still need to provide people with an opportunity to change their minds in each communication sent. If they have not engaged with us (for example, by attending an event or using the service) for a long time (usually three to five years), we need to ask them for their consent again. No response to a request of this kind is considered the same as an ‘opt-out’.

Marketing sent to organisations

At present the PECR does not apply to so-called ‘business to business’ or ‘b2b’ marketing. If the email address does not contain a name at all then it is also excluded from the UK GDPR as it is not personal data, although it is still good practice to honour the wishes of businesses not to receive marketing if they have requested this. If the email address contains a name, e.g. firstname.lastname@organisation, it will be considered personal data and UK GDPR will apply. However, if the marketing is being sent to the individual as a representative of their organisation, you may be able to rely on ‘legitimate interests’ as the legal basis and may not need ‘opt-in’ consent to comply with PECR. You will still need to provide an opt-out. If the marketing is actually aimed at a particular individual at that organisation in a capacity relevant to them, rather than just their role at the organisation they work at, then it is likely that opt-in consent will be required before you can send the marketing electronically.

Mailing lists

If you have a mailing list of third-party contact details, you need to consider how you obtained these details.

  • Was the list put together from an external source or were addresses added to it as a consequence of people providing their details for another purpose?
  • What were those people told about the information they would be receiving and what were their expectations?
  • How long have you had the contact details? How long have they been receiving the information? Have they been offered an opt-out in each communication?

If, after answering these questions, you are happy that you have consent to send this type of information to your mailing list, then you can carry on, ensuring that you continue to offer an opt-out in each future communication and refresh your consent or remove inactive individuals periodically.

When it comes to refreshing this consent after a reasonable period, generally considered to be between 3 and 5 years, remember that no response is the same as an opt-out, so you will need to remove non-responders from your list. You should also be very clear about the information people will receive. If you want to start to send more than one thing, such as email invitations to future events and newsletters about the work of your area/institute, you should usually ask them to opt in to each thing and respect their preferences.