GDPR | Latest ICO draft guidance – condensed.

Written by Christoan Smit

6 Feb, 2020

The Latest ICO draft guidance | February 2020

Written by Christoan Smit, Data Protection Office.

Historically, the ICO has only written fines for two things: Actual data leaks and non-compliant marketing, with the latter attracting fines in the tens or even hundreds of thousands, even for small companies.

The ICO has recently released its new draft guidance on marketing. So, firstly, this is still a draft, which means things could change, but I wouldn’t expect any major changes – mostly just some additional explanations or addenda. Secondly, we’ve all been invited to comment on the new draft – which is why things could change.

You can read more and also download the full document here:

Below is my condensed version of what’s changed, and what’s important. Please bear in mind that I’m coming from an angle of assuming you already now at least something about GDPR-complaint marketing, so I’m skipping many of the basics. I tried to keep it brief – the GDPR itself is only 99 pages long, whereas the ICO’s marketing guidance is already standing at 124 pages, which I’ve tried to cram into less than 3, so obviously there are a few omissions…


Direct marketing is defined as “the promotion of aims and ideals as well as advertising goods or services”. It further states that “any method of communication which is directed to particular individuals could constitute direct marketing.

Direct marketing purposes include all processing activities that “lead up to, enable or support the sending of direct marketing” and is technology-neutral, extending to online marketing, social networking or any other emerging channels of communication or approach, as well as any background processing. Behavioural advertising (personalising adverts on the basis of things like an individual’s browsing history, purchase history or login information) constitutes direct marketing. However, indiscriminate blanket marketing does not fall within the definition of direct marketing

The right to object to direct marketing is absolute. This means if someone objects you must stop processing for direct marketing purposes and add their details to your suppression list. You should provide mechanisms for individuals to easily object to your direct marketing at the time you collect their details, rather than relying on them exercising their right to opt-out at a later stage.

Lawful Basis

The two lawful bases most likely to be applicable to your direct marketing purposes are consent and legitimate interests; the latter requires a Legitimate Interest Assessment (LIA). You must decide and document your lawful basis before you start.

Legitimate Interest

Legitimate Interest may be used if:

  • PECR rules don’t require consent
  • You’re not using sensitive/special category data
  • You can show the way you use people’s data is proportionate, has a minimal privacy impact and is not a surprise to people or they are not likely to object to what you are doing.
  • LIA is a 3-part test: Purpose, Necessity, Balancing
  • Purpose test – is there a legitimate interest behind the processing?
  • Necessity test – is the processing necessary for that purpose?
  • Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?

Consent & Soft Opt-in

Consent lasts as long as the circumstances remain the same. Consent is non-transferable – it is specific to receipt of calls or texts to a particular telephone number, or messages to a particular email address. it those details change, Consent automatically falls away. Consent also needs to be specific to the type of electronic mail, e.g. specific consent for emails or specific consent for text messages

Consent obtained via 3rd party lists should not be older than 6 months.

‘Explicit consent’ is required for all direct marketing involving special categories of data. In addition to standard GDPR consent, it:

Must be confirmed in a clear statement (whether oral or written), rather than by any other type of affirmative action;

  • must specify the nature of the special category data; and
  • should be separate from any other consents you are seeking.
  • Remarketing to client lists from whose purchases certain details could be inferred (e.g. buying walking sticks infers age & health) does not necessarily trigger Article 9
  • ‘Solicited’ vs. ‘unsolicited’ marketing – if unsolicited, then PECR rules apply.
  • “Pre-ticked opt-in boxes are banned”

In general, under PECR, direct marketing by electronic mail requires that you have the individual subscriber’s consent. However, there is an exception to this known as the ‘soft opt-in’. Electronic mail is any text, voice, sound or image sent electronically.

Soft opt-in applies only if:

  • You obtained the contact details directly
  • In the course of a sale or negotiation
  • Similar products and services are being marketed, originating from a similar context
  • An opt-out opportunity was given when you collected the details
  • An opt-out opportunity is given in every communication
  • The electronic mail ‘soft opt-in’ only applies to the commercial marketing of products and services, it does not apply to the promotion of aims and ideals.

It must be simple to opt out. When first collecting a customer’s details, this should be part of the same process. In subsequent messages the individual should be able to reply directly to the message, or click a clear ‘unsubscribe’ link.

Remember that not all types of businesses are classed as corporate subscribers under PECR. Sole traders and some types of partnerships constitute individual subscribers which means they have greater protections under PECR.

PECR applies to all electronic forms of direct marketing to individuals, as well as to corporations, with the exception of emails & texts sent to corporate subscribers. Sole Traders and certain partnerships are classed as individuals though, so PECR applies no matter what.

You can’t switch out consent for Legitimate Interest once consent has been withdrawn.

Direct Marketing vs. Service Messages vs. Market Research

Often it is very obvious that a message contains advertising or marketing material but sometimes it is not as clear cut. In these circumstances the tone, content and the context of the message is likely to be important. The question is whether the communication is:

promotional in nature – does it advertise goods or services or otherwise promote the organisation itself or its interests?


more neutral and informative in nature – does it seek simply to provide information the individual needs in the context of the existing relationship?

Market research will not constitute direct marketing, but you still need to comply with other provisions of the GDPR, and ‘sugging’ is not allowed/automatically classes the ‘research’ as direct marketing. (‘Sugging’ is the practice of Selling Under Guise of doing market research)

You may not use your goods/services as incentive to participate in market research or promote your products during the market research.

Service Messages are not classed as direct marketing, but care must be taken over the content and tone – if the message has a neutral tone and simply informs the individual for example of a benefit on their account then these are more likely to be viewed as a service message, e.g. reminding them how to contact you in case of a problem, checking that their details are correct, appointment reminders, or updating them on your terms and conditions.

If there is a call to action attached to the service message, it becomes direct marketing

Conduct a DPIA

You should not coerce or unduly incentivise people to consent to Direct Marketing, and you must be careful not to cross the line and unfairly penalise those who refuse consent to your direct marketing, or if you make consent for marketing a condition of accessing a service or benefit.

You need to accurately record:

  • The data that you have been provided with e.g. contact details;
  • The source of that data;
  • Which methods of direct marketing the individual has consented to;
  • Objections, opt-outs, withdrawals of consent; and
  • People’s details on suppression lists.
  • Marketing to Children
  • Whilst you are not prevented from profiling children for the purposes of direct marketing, organisations should, in general, refrain from profiling them for marketing purposes as a matter of best practice.
  • You have to perform a DPIA if you want to market to children

Marketing Lists

List Maintenance

You should keep a suppression list rather than simply deleting people’s details when they opt out, otherwise you might accidentally market to people who have already opted out.

Suppression involves retaining just enough information about people to ensure that in future you respect their preference. Adding people who’ve objected to receiving direct marketing to your suppression list, means that you can screen any new direct marketing lists against it, thus ensuring that you do not send direct marketing to anyone who has asked you not to. The lawful basis for suppression lists is Article 6(1)c “necessary for compliance with a legal obligation” as well as Article 17(3)b because the processing of the suppression list is to ensure that their wishes and rights are complied with is necessary for compliance with a legal obligation (respecting their right to object).

Data cleansing that removes deceased records from your database and removing out-of-date contact details helps you comply with the accuracy and data minimisation principles.

It is highly likely that ‘tracing’ (i.e. tracking down someone who has moved) will be unfair and unlawful in a direct marketing context.

Purchased & Public Lists

Publicly available data (e.g. electoral register, Companies House, social media, press articles etc.) are not fair game – GDPR and PECR still apply.

Simply accepting a third party’s assurances that the data they are supplying is GDPR-compliant is not enough. Be very careful about using these lists and undertake your own proportionate due diligence. Screen the lists that you obtain against your own suppression lists.

In most instances, buying additional contact details for your existing customers or supporters is likely to be unfair. If an individual has consented via a third party for you to have their additional contact details to use for direct marketing then you are able to match this to what you already hold about them. However you need to make sure that the consent is valid.

You may sell or share data for direct marketing purposes, but only if you are the Controller or have the Controller’s permission, and you must make it clear to the data subjects that you want to sell to/share with third parties for direct marketing purposes, and you must either have specific consent for that, or proper Legitimate Interest. For LI, ask:

  • Do you have an existing relationship with the individual? If so, what is the nature of that relationship?
  • Did you collect data directly from the individual?
  • What did you tell individuals at the time?
  • If you obtained the data from a third party, what did they tell individuals about reuse of the data by third parties for other purposes?
  • How long ago was the data collected?
  • Is your intended purpose and method obvious or widely understood?
  • Will individuals have a loss of control over their data if you sell it?
  • Did they have a clear opt-out opportunity?
  • Can I give buyers proper assurances about the data that you are selling and demonstrate to them that it is compliant with the GDPR and PECR?
  • Postal campaigns are not considered direct marketing if addressed to e.g. “The Occupier” but you can’t target specific people then use this as a workaround by simply substituting their names. You should screen against the MPS just like you’d screen phone calls against the TPS or CTPS, although this is not a statutory obligation (unlike phone calls, which are).

You may use the services of a third party to send your direct marketing on your behalf, but you are still responsible for compliance. PECR applies to the ‘sender’, ‘caller’, or ‘instigator’ of the direct marketing message. PECR applies to both companies, and both companies require consent from the individual

Direct marketing rules also apply to asking individuals to send your direct marketing to their family and friends via viral marketing or ‘tell a friend’ campaigns. Because you most likely do not have the friend’s consent, that would be a breach of PECR. If people tell their friends out of their own volition, however, there is no obligation for you to comply with PECR because that individual is the instigator.

Practically speaking then, you can’t really ask existing customers to give you contact details of their friends and family because proving consent would be very difficult, and soft opt-in doesn’t apply.


If consent is valid, it overrides the need to perform TPS/CTPS checks or screen against suppression lists, as long as there’s sufficient proof of consent.

In short you can call numbers that are not registered on the TPS or CTPS without the subscriber’s consent, as long as there was no previous objection. If someone you have called in the past subsequently registers their number with TPS or CPTS, you cannot make any more direct marketing calls to them from that point. Even if they have not specifically objected to your calls before, registering with TPS acts as a general objection which you must respect.

You cannot make a direct marketing call to a number that you originally collected for an entirely different purpose

Automated calls require specific consent; general consent for direct marketing is not enough. No need to check TPS/CTPS though because consent trumps that.

For any direct marketing phone calls, you must:

  • Say who is calling & the name of your organisation
  • Allow your number (or an alternative contact number) to be displayed to the person receiving the call
  • Provide your contact details or a Freephone number
  • Email addresses in the format are considered personal data (i.e. GDPR applies), whereas generic addresses e.g. are not (unless it’s a sole trader or partnership)

Similar rules apply to B2B direct marketing faxes as B2B direct marketing phone calls

GDPR only applies to business cards if you intend to file them or input the details into a computer system.

Adtech and other Emerging Technologies

You should conduct a DPIA for any new technologies/ methods of marketing

Targeting & Audiences

If your online advertising does not involve the processing of personal data (not based on any interests, behaviours or other information about Individuals) – then the GDPR will not apply, e.g. non-targeted or contextual (i.e. targeted to the content of the page rather than user info) advertising. PECR may still apply where e.g. cookies, tracking pixels or other adtech are used or data such as IP addresses are stored

Online ads that use targeting still requires GDPR compliance and most likely consent because PECR requires you to obtain consent when using cookies or similar technologies.

Targeted advertising on social media does not fall within the definition of electronic mail in PECR, but direct messaging does.

‘Audiences’ and other list-based targeting e.g. Facebook Custom Audiences or LinkedIn Contact Targeting would most likely require consent, unless the 3-part Legitimate Interest test can prove otherwise. You must clearly inform individuals that you will use their email addresses to match them on social media for the purpose of showing them direct marketing.

With ‘Lookalike’ audiences you need to be satisfied that the social media platform has taken all necessary steps to provide the appropriate transparency information to individuals, and inform individuals who have provided information to you that you intend to process their data to create these other audiences and ensure that you have a valid lawful basis.

The data protection issues for Direct marketing on subscription TV, on-demand and ‘over the top’ (OTT) services are the same as using social media to target marketing, so you need to be transparent, fair and lawful.

Facial Detection & Recognition

Facial recognition seeks to identify or verify a specific individual, whilst facial detection seeks to distinguish between different categories of individuals, and both involve processing biometric data, which is Special Categories day, which means it will be highly unlikely that you will be able to use facial recognition technology to display direct marketing to specific individuals.

Facial detection is not necessarily seeking to identify an individual but rather is segmenting the audience into categories and therefore does not automatically trigger Article 9. However, care should be taken with function creep, as facial detection could easily become facial recognition depending on the way the system works, e.g. tracking an individual throughout the shopping centre or storing their data, rather than simply comparing the facial data to a ‘mask’ or template.

In-app and In-game Adverts

Not all in-game or in-app advertising is covered by the direct marketing rules e.g. where all users see the same advert and that advert is not based on any characteristics of the users. However, any targeted in-app advertising falls under GDPR, as well as sharing user details with third parties, and therefore the same rules would apply as for any other targeted digital ads, and PECR would apply where storing information (e.g. cookies) or accessing information (e.g. location) on user devices takes place. Consent must be separate and not bundled in with your app terms and conditions.

Geo-targeting using GPS/ Wi-Fi from the user’s device requires consent.

Where personal data is processed by any connected devices or IoT, the GDPR applies, and Regulation 6 of PECR generally applies to connected devices as in most cases they meet the definition of ‘terminal equipment’.

Due diligence

  • Are you clear about the capabilities and functionality of the technology?
  • Are you confident that what the product developer or provider is telling you is correct?
  • Has the product developer or provider taken a data protection by design approach when developing the technology or service?
  • Has the product developer or provider conducted a DPIA? (Although this may not be an obligation placed on them, it is good practice to undertake a DPIA, and this can also assist you in meeting your own requirements in this area. If the developer or provider is also your processor, they can assist you with your own DPIA.)
  • Is any of the data special category data, and if so, how are the GDPR’s requirements met?

You also need to do your own DPIA where required