As with all processing of personal data, in order to market your goods and services, the GDPR requires that your organisation has a lawful basis for such processing. Consent must be unambiguous and given either through a statement or clear affirmative action. It cannot be inferred from silence, pre-ticked boxes or inactivity.
The GDPR requires organisations to be transparent with individuals about what they are using their data for, how it might be shared, the legal basis for processing their data, and how long it will be kept.
If your organisation is sending unsolicited direct marketing by electronic means then you must comply with PECR (as well as the GDPR).
PECR
As set out above, electronic means include telephone calls (both live and automated), faxes, emails, text messages and other forms of electronic message. In addition to the sale of products and services “direct marketing” also covers the promotion of aims and ideals. Different rules apply to different types of communication, and also depend on whether your organisation is marketing to an individual or a business.
Business to individual customers marketing
Telephone
If you are marketing by telephone and on the condition that the individual is not listed on the Telephone Preference Service (TPS) you can call without consent as long as that person hasn’t objected to your calls in the past. On the contrary, in relation to automated calls, you must first obtain specific consent before undertaking any marketing using this method.
Texts and emails
PECR makes it clear that organisations must not send marketing texts or emails to individuals without their specific prior consent. However, there is a limited (but useful) exception for previous customers which is known as the “soft opt-in”. The soft opt-in applies where an individual bought something from your organisation recently and during that process gave you their details and did not opt out of marketing messages. In that regard it can be concluded that they are probably happy to receive marketing from your organisation about similar products or services even if they haven’t specifically consented. However, it is important to give them a clear chance to opt out (both when you first collected their details, and in every message you send).
Accordingly, whilst the soft opt-in rule means you may be able to email or text your own customers it does not apply to new customers or contacts.
Faxes
In the event that your business wants to market via fax then the consumer must have given specific consent.
Business to business marketing
It is important to remember that when marketing to sole traders or partnerships, the rules governing Business to individual customers apply (as set out above).
Telephone
As with individuals, organisations can market using live calls as long as the target is not a member of the Corporate Telephone Preference Service. In relation to recorded calls, the individual within the business must have given their specific consent.
Emails or texts
Whilst PECR allows you to market to an organisation by email or text it is good practice to provide an opt out option. Further, individual employees can explicitly opt out.
Faxes
Organisations can send marketing faxes to companies (or other corporate bodies) without consent, unless the fax number is listed on the Fax Preference Service (FPS).