Free guides & tools

We like to share the resources we have available to us which keep us constantly up to date with the changes in the law.

Explore the documents and tools available using the menu on the left

Wells Associates

Marketing and data protection: compliance

Almost one out of five firms have at some point unknowingly breached the Data Protection Act, according to new research.

The study, carried out by BSI, the standards organisation, found that of those businesses a half have broken the rules on several occasions.

Some 18 per cent said that they were uncertain whether they had overstepped the law or not. A breach could involve, among other things, illegally transferring information to a third party or failing to hold details securely.

Of the 500 SMEs that responded to the poll, 65 per cent admitted they do not train staff in data protection, and almost a half do not have an employee charged with making sure that law is complied with even though the regulations require that all organisations handling personal information must have an assigned data controller.

Marketing can be a sensitive area when it comes to handling and using data.

When a business carries out any marketing, it must make sure that it complies with the rules governing the protection of data and privacy.

Protecting data

Any business that handles personal information about an individual - such as a customer or a potential customer - must observe the terms of the Data Protection Act 1998.

This means you must tell people when you contact them who you are, what you will use their information for and whether you plan to pass your marketing lists to other organisations and how you will be contacting people, such as by post, phone or email.

The Act gives individuals the right to ask a business to stop using their personal information for direct marketing purposes. A request must be made in writing, and businesses are expected to act on this within 28 days.

Individuals have the right to see the information you hold on them and to ask you to correct anything that is wrong or misleading.

Handling information involves obtaining, recording, keeping, using, disclosing or destroying data on a living person who may be identified from that information. A business must comply with the Act if it processes personal data on a computer or, in some instances, if it keeps the information in written form.

Under the Act, a business needs to notify the Information Commissioner why it is handling personal data.

However, there are some exemptions to notifying the Information Commissioner. A business is not required to notify if it only handles the information for certain business activities. These include advertising, marketing and public relations where they relate to the business, its services and its goods. The exemption covers any data that a business may purchase for marketing purposes.

The exemptions also include information about customers or potential customers and suppliers that is essential to maintaining accounts or to making financial decisions and forecasts. The exemption, though, does not extend to personal data supplied by a credit reference agency.

Direct marketing

Telephone marketing

A firm may contact an individual or business by telephone for marketing purposes provided that individual or business has not registered with the Telephone Preference Service or the Corporate Telephone Preference Service.

Electronic marketing

The Privacy and Electronic Communications Regulations 2003 introduced rules for any business that markets its services or products by electronic means such as email or telephone, text and picture and video messages.

Under the regulations, a business must identify itself when it markets to someone or another business and provide details of how you can be contacted (postal address, email address, telephone number).

Unsolicited mail

Put simply, an unsolicited message is one that has not been invited. It does not necessarily mean that the message is unwanted. Somebody might be interested in hearing about the products or the services of a company that they know. Such a customer might not have invited a specific communication, but equally they must have given you their permission to be sent relevant information.

In other words, the recipient of an unsolicited email must have indicated that they actually agree to receiving marketing messages from a company before they can be emailed. This could take the form of being given a box to tick, when submitting or registering their email address, that indicates a positive willingness on their part to receive marketing material.

Another option for the company that is collecting the address is to explain clearly that the act of registering an email address amounts to consent unless the person indicates their objection to receiving any marketing by ticking the box provided.

Opting-in and opting-out of receiving electronic marketing

The basic difference between the two is that to 'opt-in' means to indicate agreement while to 'opt-out' means to indicate an objection. For a person to opt in they must indicate they wish to receive marketing messages. For a person to opt out, they must indicate that they do not wish to receive marketing messages.

Anyone registering their email address with a business can only be sent marketing messages if they sign up for them. That is, they must be given the opportunity to opt-in.

There is, however, an exception to this known as the 'soft opt-in'. This applies in three cases.

The first of these affects how an email address is collected. If the opt-in rule is to be relaxed, then the email must have been collected in the course of a sale or sales negotiation. The sale does not need to have been completed for the exemption to apply.

The second deals with the type of message to be sent. Messages must only concern products and services that someone would reasonably expect to hear about from your firm. A business selling garden products can email someone with information about a special seasonal wheelbarrow promotion because that is what any reasonable person would expect a garden product company to sell.

The third is that you offered the recipient the chance to opt-out when collecting their email address but they didn't, and that you give them the chance to do so on every subsequent marketing message.

Electronic marketing to other businesses and organisations

If you are sending marketing to organisations, you don't need their consent. That said, you must always include the name of your business in the email and provide an address where the business can indicate it wants to opt out of receiving any more marketing.

Contacting an email address which names an individual at the business you are marketing to gives that person the right to stop their address from being used for marketing.

Advertising and public relations

Some advertising carries reply coupons which request information about the person who is responding. Any coupon must allow the respondent the chance - usually by ticking a box - to opt out from being sent mailings or marketing material as a result of supplying personal details. Customers must be informed how any personal information about them will be used.


Many websites ask visitors who wish to register to provide details about themselves. If this is the case, the site must provide the name and address of the business concerned, and must set out how any personal information will be used and why it has been requested. The explanation can be contained in a privacy policy which should be linked to every page on the website.

Anyone who submits personal details when registering with a site must be given the chance to opt out if they do not wish to receive any marketing e-mailings and the chance to opt in if they do wish to receive marketing e-mailings.

Any website that uses cookies must offer a clear explanation of the use to which the cookies will be put and how the information will be accessed. Visitors must also be told how they can refuse any cookies.


A business that collects personal information in the course of a marketing campaign should take a number of general precautions in order to comply with the regulations on privacy and data protection.

It should only request information it needs for its purpose. It should always tell customers or potential customers why it needs the information and what will be done with it.

Individuals must always be informed if a business intends to sell or pass on the data to another organisation.

Individuals must always have a clear opportunity to opt out of receiving mailings or of having their details used, passed or sold on for other marketing purposes.

Any information that is no longer required should be deleted.

This is only an outline guide to the rules on marketing and data. Businesses that need more detailed advice should consult a professional advisor. They can also visit the Information Commissioner's website and the Direct Marketing Association website.