GDPR: Direct marketing and the consent conundrum

As we close in on D-Day, we can see from our web stats that marketers are still not clear on GDPR. Who can blame them? We’ve written nearly a dozen blogs on marketing compliance this year and our own thoughts have changed quite a lot in that time.

Suffice to say, if you’re reading a GDPR blog from 12 months ago – the advice and information is almost certainly going to be different to one written today.

That includes ours by the way. No wonder people are still struggling with it all.

As we sit here today on a rare sunny day in April, there’s already legislation covering your marketing activities. The UK Data Protection Act has been around since 1998. It’s getting a makeover at some point soon, or so says The Queen. Basically it’s going to be overhauled in line with GDPR, because of something called ‘Brexit’ – whatever that is.

Privacy and Electronic Communications (PECR) – derived from European law – applies now too. It’s been in place since 2003 and has had a couple of revisions over the past 15 years or so.

Like my rusty old Vauxhall Astra though, it’s had its day. At some point, when Brussels gets its act together, PECR will be replaced by the ePrivacy Regulation. To be honest, I’ve stopped checking when that will be: it’s taking an age.

So for all intents and purposes, we need to comply with GDPR and PECR for the immediate future. I’ll give you a nudge when it’s time to start frantically Googling ePrivacy Regulation (you can opt-in to messages like this in the footer).


Direct Marketing: It’s well liked

Direct marketing is the Old Faithful of the marketing comms mix. If a business ‘does’ marketing, it’s likely to do direct marketing of some description. That’s usually because if done right, it works.

Hence for most businesses, GDPR, direct marketing and consent represent a trifecta of pain to wrestle with. Never one to shy away from ‘rolling’, let’s get our budgie smugglers on and get stuck in!


Consent: GDPR and PECR

One of the main areas of confusion is around GDPR, direct marketing and PECR. That is – what the hell does direct marketing actually have to comply with?

Even blogs written by actual lawyers can’t seem to put it in simple terms. I’ll have a stab then. I think I could have been a lawyer if I was more intelligent, had better schooling and applied myself more throughout my life.

Direct marketing in the form of email – so email marketing then nowadays to the young whippersnappers – is covered by PECR. Indeed, the ICO’s digital marketing guidance is based on the PECR regulations (shows you that they’re kind of a big deal around here).

Most of GDPR talks in the language of ‘processing’ and is quite vague. This makes it either broad reaching or unenforceable depending on who you speak to and whose payroll they’re on.

It does make mention of direct marketing in a few areas, most of which are really referencing the need to give easy ways for people to opt out or object to their data being processed in that way.

The fuss around GDPR and the future of direct marketing centres around consent. Article 5, Clause 1 of GDPR is clear that organisations can only process the data of individuals if they have a lawful basis for doing so. A fundamental test for this lawfulness comes down to consent.

But – and it’s a big but – consent isn’t the only lawful basis for processing (*gasp*).


It’s legit

The ICO GDPR guidance is clear that consent may not be the most suitable lawful basis for processing. It also acknowledges how difficult getting consent can be in some instances.

So what is? Legitimate interest. It’s hot on the lips of every GDPR direct marketing ninja out there at the moment. And frankly, it’s a hack around having to get consent at all for some types of direct marketing.

WHAT? I thought you said GDPR meant no more tricks. Ahem.

Recital 47 of the mammoth GDPR text says: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

You may be concerned about the woolliness of ‘may be’. But telemarketing agencies, data list brokers and frankly any other business whose whole survival has rested on getting around GDPR consent are shouting this at every Tom, Dick and Harriet they queue behind in Greggs for one of those mediocre tasting, great value coffees.

You’re not off the hook though. Even if you’re grabbing it and running with it, you’ve still got PECR compliance to contend with. It’s pan-European legislation and it’s in place now. So you better start complying if you’re not already.


Direct marketing GDPR & PECR compliance

So let’s get into the nitty gritty.


Direct mail (postal marketing)

This is outside the scope of the PECR. So unless you already run a consent basis for postal marketing, then your best bet is probably legitimate interests. Ensure that you give people a simple way to opt-out and that you screen against the Mail Preference Service (MPS). It’s just good manners.


Email/SMS marketing

Under the remit of PECR here.

If it’s Business to Consumer (B2C), or to a sole trader or limited liability partnership – you’re going to need opt-in consent. That is unless you’ve sold something to them before, then you can email them about a similar product or service and give them the option to opt out (most email marketing systems handle this as a matter of course these days).

Business to Business (B2B) on the other hand is opt out from the get go. Again, you have to give people the opportunity to opt out (e.g. an unsubscribe link).



Telemarketing

We covered this in another blog. Under PECR you can call people until they tell you not to. Then you must stop. You must validate calling lists against the Telephone Preference Service (TPS) and Corporate Telephone Preference Service (CTPS).


ePrivacy Regulation

As we mentioned before, it’s very much in the air. It was set to replace the PECR on the same date as GDPR. It’s going to miss that deadline, possibly by a long stretch.

When it does come though, it’ll be a bitch. And the latest round of the draft legislation renders a blog we wrote on the previous draft regulations pretty much redundant.

If it goes ahead with the current sentiment, all email communications will go opt-in. There will be no distinction between B2B and B2C. There’s loads on the use of cookies too.

So there is a fundamental question here. If you don’t currently get consent for your direct marketing practices under GDPR, and you’re going to have to with ePrivacy Regulation, why not make the change today? You could, you know, actually give yourself enough time to build a marketing list under GDPR? Food for thought.



  • Assess whether consent is the most appropriate basis to process data for marketing under GDPR. Consider this against the legitimate interest argument.
  • Validate this legal standpoint against what’s right. As Charli pointed out in a recent blog, opt-in marketing gets better engagement and no one ever hated on a brand for sending them things they’ve asked for. On the contrary, we can all name companies that send us garbage we never asked for. We would never buy from some of them in a million years now.
  • Update your privacy policy. It’s probably out of date anyway. And get your cookies list updated too as that bombshell is coming with the ePrivacy Regulation.
  • Screen your call data against TPS and CTPS. Give your mailing data the MPS treatment.
  • If you decide consent is the best foot forward, review your current consent practices. Assess the data you already have against the standard. Re-consent as required in line with this handy blog we wrote (*smugface*).
