Direct marketing and regulatory communications

28 March 2023 - this guidance is published.

At a glance

• This guidance is for you, if you operate in a regulated private sector such as finance, communications or utilities.
• ‘Regulatory communications’ are when a statutory regulator asks or requires the industry it regulates to send specific messages to people.
• Data protection law (the UK GDPR and Data Protection Act 2018) and the Privacy and Electronic Communications Regulations 2003 (PECR) don’t stop you from sending regulatory communication messages. However, you must make sure that you comply with the law.
• Direct marketing covers all types of advertising, marketing or promotional material. It includes commercial marketing and the promotion of aims and ideals.
• In many cases, it is unlikely that regulatory communication messages count as direct marketing. But in some cases they do.
• The phrasing, tone and context of the regulatory communication message are likely to determine if it is direct marketing.
• If the message is neutral in tone and doesn’t contain any active promotion or encouragement for people to take a particular action, then it is unlikely to be direct marketing. However, if your message actively promotes an initiative, by highlighting the benefits and encouraging people to participate or take a particular course of action, it is likely to be direct marketing.
• Knowing whether a regulatory communication message is direct marketing means that you can take steps to comply with the relevant rules.
• If a regulatory communication message is direct marketing, the right to object to direct marketing applies. Depending on your method of communication, the marketing provisions of PECR may also apply.
• You still must comply with data protection requirements (eg fairness, lawfulness and transparency) when you use information about people. This is regardless of whether a regulatory communication message is direct marketing.

In brief

• Who is this guidance for?
• What are regulatory communications?
• What is direct marketing?
• Why is it important to know if our regulatory communication messages are direct marketing?
• How do we decide if a regulatory communication message is direct marketing?
• When are regulatory communication messages unlikely to be direct marketing?
• What do we need to do if a regulatory communication message is direct marketing?
• What else do we need to consider?
• Examples

Who is this guidance for?

This guidance is for you, if you are in the private sector and operate in a regulated sector. By regulated sector, we mean those sectors where a statutory regulator has oversight, for example:

• the finance sector (eg Financial Conduct Authority);
• the pensions sector (eg The Pensions Regulator);
• the communications sector (eg Ofcom); or
• the energy sector (eg Ofgem and the Utilities Regulator Northern Ireland).

The guidance will help you decide when a regulatory communication message might count as direct marketing. If the message is direct marketing, it also covers what you need to do to comply with data protection law (the Data Protection Act 2018 (DPA 2018) and the UK GDPR) and the Privacy and Electronic Communications Regulations 2003 (as amended) (PECR).

What is a legal requirement in this guidance and what is good practice?

In this guidance, where we use the word “must”, this means that the law requires you to do something (so it is a legal requirement). Where we use the word “should”, this isn’t a legal requirement but is what we expect you to do to comply effectively with the law. You should follow this unless you have a good reason not to (good practice). If you take a different approach you must be able to demonstrate that this complies with the law. Where we use the word “could”, this refers to an option(s) that you may want to consider to help you comply (good practice). We have highlighted these words throughout the guidance for ease of reference.

What are regulatory communications?

‘Regulatory communications’ describe situations when a statutory regulator asks or requires their industry to send out specific messages to people. For example, this might include information about new initiatives or to promote competition in the market.

In some cases, the statutory regulator might specify the message’s content or define the parameters. For example, the type of consumer to send the message to, how often to send it or even the message’s content. In other cases, the statutory regulator may take a less prescriptive approach and let you decide how to handle it.

Regulatory communications are sometimes information that a statutory regulator requires you to put into your routine correspondence with people. For example, including a sentence within an end of contract or renewal notice telling people that they may find a cheaper deal elsewhere.

What is direct marketing?

The DPA 2018 says direct marketing means:

“the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”

This definition covers all types of advertising, marketing or promotional material. It includes commercial marketing (eg promotion of products and services) and also the promotion of aims and ideals (eg fundraising or campaigning). It covers any method of communication, such as:

• emails and text messages;
• phone calls;
• post;
• online behavioural advertising; and
• social media marketing.

To count as direct marketing, a communication must be “directed to” particular people. For example, personally addressed post, emails to a particular account or calls to a particular number.

This definition also applies to PECR, which cover sending electronic marketing messages (eg by phone, email or text message).

Further Reading

Relevant provisions in the DPA 2018 - see Section 122(5) and Schedule 19 paragraph 430 and paragraph 432(6)

Relevant provisions in PECR - see Regulation 2(2)

Further reading

For more guidance on what is direct marketing see our direct marketing guidance.

Why is it important to know if regulatory communication messages are direct marketing?

Knowing whether a regulatory communication is direct marketing means that you can take steps to comply with the appropriate rules.

This is important as there are additional things you need to consider if the message you want to send will count as direct marketing. You must:

• give people the absolute right to object to direct marketing; and
• ensure that electronic messages comply with the direct marketing provisions in PECR.

Statutory regulators have people’s interests in mind when asking their sectors to send regulatory communication messages. However, it is important to remember that data protection and PECR rules may still apply to messages that are sent to:

• meet a regulatory objective;
• comply with a licence condition; or
• meet a wider public policy initiative.

We recognise the importance of complying with your statutory regulator’s requirements. But while your statutory regulator may require you to convey a particular point to people, they don’t expect you to contravene other laws.

Further Reading

Relevant provisions in the UK GDPR see Article 5(1)(a), Article 6 and Article 13 (fairness, lawfulness and transparency) and Article 21 (right to object).

Relevant provisions in PECR - see Regulations 19, 21, 22, 23, and 24

Further reading

• Guide to UK GDPR
• Right to object guidance
• Lawfulness, fairness and transparency guidance
• Guide to PECR: Electronic and telephone marketing

How do we decide if a regulatory communication message is direct marketing?

You should consider the context and the content (ie phrasing and tone) of the regulatory communication, including how you intend to deliver the message to people. This is likely to determine if it is direct marketing.

The wider public policy objective of the regulatory communication, or the fact that it is your statutory regulator asking you to communicate something, doesn’t impact whether a message counts as direct marketing.

If your message actively promotes an initiative, it is likely to be direct marketing. For example by highlighting the benefits and encouraging people to participate or take a particular course of action.

However, if your message is in a neutral tone and doesn’t contain any active promotion or encouragement for people to take a particular action, it is unlikely to count as direct marketing. For example, factually presenting people with their options once a fixed term contract with you ends.

The context will also help you decide. For example, it is unlikely to be direct marketing if, as well as a neutral tone, the information you need to give people is:

• solely for their benefit; and
• against your interests and your only motivation is to comply with a regulatory requirement (eg the regulator is requiring you to tell people to consider using your competitors’ services, or tell them that the contract or service they have with you isn’t good value).

You should take into account the particular circumstances and consider the specifics of the message rather than taking a blanket approach. For example, it is important to remember that adding a regulatory communication message into the content of a routine service communication (eg billing information) doesn’t automatically avoid it being direct marketing. If your routine communication has marketing elements, then it is direct marketing. This is true even if that isn’t the main purpose of the communication.

We have produced some examples to help you decide if the way you intend to comply with a regulatory communication is likely to count as direct marketing.

Does our choice of lawful basis affect whether the message is direct marketing?

No. Your choice of lawful basis doesn’t determine whether your regulatory communication message is direct marketing.

In some instances, the requirements set by a statutory regulator might be classified as a legal obligation. If you can demonstrate it is necessary to use people’s information in a specific way to comply with that requirement, you may be able to use the legal obligation lawful basis.

However, relying on the legal obligation basis doesn’t exempt you from PECR’s marketing provisions, if these are applicable. PECR has very limited exemptions and, in any case, it is important to remember that the regimes are separate.

Likewise, people always have the absolute data protection right to object to you using their information for direct marketing purposes. You must comply with it, no matter the lawful basis.

Further Reading

Relevant provisions in the UK GDPR see Article 6(1)(c) (legal obligation), Article 21(2) (right to object to direct marketing)

Relevant provisions in PECR exemptions see Regulations 28 and 29

Further reading

• Lawful basis for processing
• Legal obligation lawful basis
• Guide to PECR: Exemptions

When are regulatory communication messages unlikely to be direct marketing?

Not all regulatory communication messages count as direct marketing.

In many cases, the context and content (ie the phrasing and tone) of a regulatory communication message may mean it is unlikely to count as direct marketing. For example, those that simply:

• give advance warning of changes to terms, conditions or tariffs;
• explain about statutory complaint or compensation schemes;
• warn about fraud and how to report it;
• remind people of how to get in touch if they are struggling with payments; or
• provide offers of support for those customers most at risk of harm.

These types of messages are similar to ‘service messages’. Service messages are messages you send to people for purely administrative or customer service purposes and don’t contain promotions or advertising. For example, messages about:

• billing and charges;
• safety issues and service interruptions; or
• updates on how their investment is performing or to make people aware of how you’re investing their money.

In some cases, the way you deliver the message may mean it is not direct marketing. This is because it doesn’t count as being “directed to” particular people. For example:

• Displaying the regulatory communication message on your website (eg showing the same message to everyone that visits your site or to everyone that logs into their online account).
• During inbound calls (eg everyone who calls your helpline hears a recorded message outlining the regulatory communication, or your operative tells the person about it during the conversation).
• Posting the regulatory communication message on your social media account (eg broadcasting it to all your followers or all users of the platform).
• Using television, radio or streaming services to get the regulatory communication message across (eg broadcasting the message to all viewers, listeners or subscribers to the service).
• Using features or adverts in magazines and newspapers to tell people about the regulatory communication.

Remember that data protection law still applies if you are using people’s information even if a regulatory communication message is not direct marketing, including:

• fairness;
• lawfulness;
• transparency; and
• the general right to object (if your lawful basis is legitimate interests).

For example, when you collect contact details from people, you must clearly tell them about the type of messages they can expect to receive from you.

What do we need to do if a regulatory communication message is direct marketing?

Data protection law and PECR don’t stop you from contacting people about the regulatory communication in a way that counts as direct marketing. But you must follow the rules.

The majority of the data protection rules apply when you use people’s information for any purpose, not just for direct marketing (eg fairness, lawfulness, transparency). The only difference here is that the right to object to direct marketing applies. Depending on your chosen direct marketing method, PECR may also apply.

For example, depending on the method of communication that you want to use, this means you must:

• check phone numbers against the Telephone Preference Service (TPS) and your own ‘do not call lists’ before making live direct marketing calls;
• have consent to make automated direct marketing calls;
• have consent or meet all the requirements of the ‘soft opt-in’ for electronic mail direct marketing (eg text messages or emails); and
• respect people’s wishes and don’t send direct marketing to anyone who objected, opted out or unsubscribed.

For more information on this, see the further reading box below.

It is unlikely that a ‘one size fits all’ approach to contacting people directly will be appropriate. You should consider what direct marketing permissions and preferences you have from people and tailor your contact by using appropriate methods of communication for each group.

Someone may have previously agreed to get your direct marketing (eg in situations where you were required to have consent for that particular method of sending messages). If so, a regulatory communication message that is direct marketing is likely to be compliant (assuming the original consent is valid and would cover that particular marketing).

Likewise, if someone has not opted-out of your direct marketing (eg as part of the electronic mail soft opt-in), you might be able to rely on this to send them regulatory communication messages that are direct marketing. You still need to check you are meeting any other PECR requirements.

Example

A company is told by its statutory regulator to encourage people to have a new optional product. The company considers how best to achieve this objective.

The company decides that sending messages directly to people to encourage them to have a new optional product is likely to be direct marketing, no matter how they phrase it. It notes that its customers’ marketing preferences vary.

The company takes into account PECR marketing rules and any objections to direct marketing that it has received. It tailors the methods of communicating the message to customers according to their preferences. For example, it checks against the TPS for live calls and ensures it either has consent or can meet the soft opt-in for emails.

Having checked it is compliant with PECR to do so, the company sends emails and makes calls to encourage people to have the optional product. It decides to initially send one message per person, where it is compliant to do so. It will then follow this up with a further communication two months later to remind customers of the offer.

It also decides to use methods that are not “directed to” particular people. For example, it places a recorded message about the optional product on its helpline and uses messages on its website that all visitors see.

Further reading

For more information on making direct marketing calls see our Guide to PECR: Telephone marketing.

For more information on sending electronic mail (eg emails and texts), including how to use the ‘soft opt-in’, see our Guide to PECR: Electronic mail marketing.