How to legally use customer details for marketing


Most businesses collect and use customer and prospect details for marketing purposes. This guide will help you use customer details legally and comply with good practice. It takes you step by step through some of the basic things you must have in place. Warning: this is not a quick, lightweight read, but it will provide some pointers on how to be legal and give you peace of mind (if you put them in place!).

Enforcement by the Information Commissioner’s Office

The Information Commissioner’s Office (ICO) will take enforcement action wherever the law relating to direct marketing has been broken. It can impose fines of up to £500,000 for a serious breach. Here are some examples:

  • Parklife Manchester Ltd was fined £70,000 for sending marketing texts without consent;
  • Telegraph Media Group Ltd was fined £30,000 for sending marketing emails without consent;
  • Home Energy and Lifestyle Management Ltd was fined £200,000 for making automated marketing calls without consent.


The ICO is most likely to take action where an organisation persistently ignores people’s objections to marketing calls or texts, sends mass texts without consent, or fails to screen its call list against the Telephone Preference Service (TPS). Now that you’ve been scared into action, let’s briefly look at the legislation before moving on to some practical steps you can take.

The legislation

There are two pieces of legislation that come into play:

  • The Data Protection Act 1998 (DPA) which regulates the use of ‘personal’ data; and
  • The Privacy and Electronic Communications Regulations (PECR) which gives people specific privacy rights in relation to electronic communications including marketing calls, emails, texts and faxes.

Privacy notice: getting practical

A good place to start is to have a privacy notice. This should tell people:

  • who you are;
  • what you are going to do with their information; and
  • who it will be shared with.


You need to consider how you will gain and record an individual’s consent to collecting and using information about them. When relying on consent, your method of obtaining it should:

  • be displayed clearly and prominently;
  • ask individuals to positively opt-in (rather than opt-out);
  • give them sufficient information to make a choice. If your consent mechanism consists solely of an “I agree” box with no supporting information, then users are unlikely to be fully informed and the consent cannot be considered valid; and
  • explain the different ways you will use their information, if you are processing it for a range of purposes.


The following constitutes good practice from the ICO when collecting customers’ information for marketing purposes. It should be adapted to suit your organisation’s needs.

Here at [organisation name] we take your privacy seriously and will only use your personal information to administer your account and to provide the products and services you have requested from us.

However, from time to time we would like to contact you with details of other [specify products]/ [offers]/[services]/[competitions] we provide. If you consent to us contacting you for this purpose please tick to say how you would like us to contact you:

Post ☐    Email ☐    Telephone ☐    

Text message ☐    Automated call ☐

We would also like to pass your details onto other [name of company/companies who you will pass information to]/[well defined category of companies], so that they can contact you by post with details of [specify products]/ [offers]/[services]/[competitions] that they provide. If you consent to us passing on your details for that purpose, please tick to confirm:

I agree ☐

Proof of consent

If someone claims that they did not consent to receive an organisation’s marketing messages, that organisation may be at risk of enforcement action unless it can demonstrate that the person did give valid consent. You should therefore make sure you keep clear records of exactly what someone has consented to. In particular, you should record the date of consent, the method of consent, who obtained consent, and exactly what information was provided to the person consenting.


You need to maintain a ‘suppression list’ of people who have opted out or otherwise told you directly that they do not want to receive marketing. Rather than deleting an individual’s details entirely, suppression involves retaining just enough information to ensure that their preferences are respected in the future. You must not contact people on a suppression list at a later date to ask them if they want to opt back in to receiving marketing. However, it is acceptable to send a message immediately after someone has opted out confirming they have unsubscribed and providing information about how to re-subscribe if they wish to do so at a later date.

Making marketing calls

You can make unsolicited live marketing calls, but must not call any number registered with the Telephone Preference Service (TPS). You can only call a customer listed on the TPS if they have notified you that they do not object to your calls.

Details on how to subscribe to the TPS list are available at

The same rules apply to marketing calls made to businesses. Sole traders and partnerships may register their numbers with the TPS in the same way as individual consumers, while companies and other corporate bodies register with the Corporate Telephone Preference Service (CTPS). So, if you are making business-to-business marketing calls, you will need to screen against both the TPS and CTPS registers.

The rules on automated calls – that is, calls made by an automated dialling system which play a recorded message – are stricter. You can only make automated marketing calls to people who have specifically consented to receiving automated calls from you.

Marketing texts and emails

Organisations can generally only send marketing texts or emails to individuals (including sole traders and some partnerships) if that person has specifically consented to receiving them.

You must not disguise or conceal your identity in any marketing texts or emails, and must provide a valid contact address for individuals to opt out or unsubscribe (which would mean consent was withdrawn). It is good practice to allow individuals to reply directly to the message and opt out that way, or to provide a clear and operational unsubscribe link in emails or provide a freephone number.

These rules on consent and the right to opt out do not apply to electronic marketing messages sent to ‘corporate subscribers’, which means companies and other corporate bodies. The only requirement is that the sender must identify itself and provide contact details. Corporate subscribers do not include sole traders and some partnerships, who instead have the same protection as individual customers.

Marketing mail

The DPA requires that an individual is aware that an organisation has their contact details and intends to use them for marketing purposes. You must have obtained the address fairly and lawfully. You cannot send marketing mail if the address was originally collected for an entirely different purpose. And you must not send marketing mail to anyone who objects or opts out.

Individuals can register their address with the Mail Preference Service (MPS), which works in a similar way to the TPS. It is good practice to screen against the MPS.

This material has been sourced from the Information Commissioner’s Office website. Here are some more useful links.

A direct marketing checklist.

Direct marketing guidance: a detailed document to fully understand your obligations and promote good practice.