Click to toggle details Latest updates
28 March 2023 - this guidance is published.
This guidance is for you, if you are in the private sector and operate in a regulated sector. By regulated sector, we mean those sectors where a statutory regulator has oversight, for example:
The guidance will help you decide when a regulatory communication message might count as direct marketing. If the message is direct marketing, it also covers what you need to do to comply with data protection law (the Data Protection Act 2018 (DPA 2018) and the UK GDPR) and the Privacy and Electronic Communications Regulations 2003 (as amended) (PECR).
In this guidance, where we use the word must, this means that the law requires you to do something (so it is a legal requirement). Where we use the word should, this isnt a legal requirement but is what we expect you to do to comply effectively with the law. You should follow this unless you have a good reason not to (good practice). If you take a different approach you must be able to demonstrate that this complies with the law. Where we use the word could, this refers to an option(s) that you may want to consider to help you comply (good practice). We have highlighted these words throughout the guidance for ease of reference.
Regulatory communications describe situations when a statutory regulator asks or requires their industry to send out specific messages to people. For example, this might include information about new initiatives or to promote competition in the market.
In some cases, the statutory regulator might specify the messages content or define the parameters. For example, the type of consumer to send the message to, how often to send it or even the messages content. In other cases, the statutory regulator may take a less prescriptive approach and let you decide how to handle it.
Regulatory communications are sometimes information that a statutory regulator requires you to put into your routine correspondence with people. For example, including a sentence within an end of contract or renewal notice telling people that they may find a cheaper deal elsewhere.
The DPA 2018 says direct marketing means:
the communication (by whatever means) of advertising or marketing material which is directed to particular individuals
This definition covers all types of advertising, marketing or promotional material. It includes commercial marketing (eg promotion of products and services) and also the promotion of aims and ideals (eg fundraising or campaigning). It covers any method of communication, such as:
To count as direct marketing, a communication must be directed to particular people. For example, personally addressed post, emails to a particular account or calls to a particular number.
This definition also applies to PECR, which cover sending electronic marketing messages (eg by phone, email or text message).
Knowing whether a regulatory communication is direct marketing means that you can take steps to comply with the appropriate rules.
This is important as there are additional things you need to consider if the message you want to send will count as direct marketing. You must:
See the section What do we need to do if a regulatory communication is direct marketing? for more information.
Statutory regulators have peoples interests in mind when asking their sectors to send regulatory communication messages. However, it is important to remember that data protection and PECR rules may still apply to messages that are sent to:
We recognise the importance of complying with your statutory regulators requirements. But while your statutory regulator may require you to convey a particular point to people, they dont expect you to contravene other laws.
You should consider the context and the content (ie phrasing and tone) of the regulatory communication, including how you intend to deliver the message to people. This is likely to determine if it is direct marketing.
The wider public policy objective of the regulatory communication, or the fact that it is your statutory regulator asking you to communicate something, doesnt impact whether a message counts as direct marketing.
If your message actively promotes an initiative, it is likely to be direct marketing. For example by highlighting the benefits and encouraging people to participate or take a particular course of action.
However, if your message is in a neutral tone and doesnt contain any active promotion or encouragement for people to take a particular action, it is unlikely to count as direct marketing. For example, factually presenting people with their options once a fixed term contract with you ends.
The context will also help you decide. For example, it is unlikely to be direct marketing if, as well as a neutral tone, the information you need to give people is:
You should take into account the particular circumstances and consider the specifics of the message rather than taking a blanket approach. For example, it is important to remember that adding a regulatory communication message into the content of a routine service communication (eg billing information) doesnt automatically avoid it being direct marketing. If your routine communication has marketing elements, then it is direct marketing. This is true even if that isnt the main purpose of the communication.
We have produced some examples to help you decide if the way you intend to comply with a regulatory communication is likely to count as direct marketing.
No. Your choice of lawful basis doesnt determine whether your regulatory communication message is direct marketing.
In some instances, the requirements set by a statutory regulator might be classified as a legal obligation. If you can demonstrate it is necessary to use peoples information in a specific way to comply with that requirement, you may be able to use the legal obligation lawful basis.
However, relying on the legal obligation basis doesnt exempt you from PECRs marketing provisions, if these are applicable. PECR has very limited exemptions and, in any case, it is important to remember that the regimes are separate.
Likewise, people always have the absolute data protection right to object to you using their information for direct marketing purposes. You must comply with it, no matter the lawful basis.
Not all regulatory communication messages count as direct marketing.
In many cases, the context and content (ie the phrasing and tone) of a regulatory communication message may mean it is unlikely to count as direct marketing. For example, those that simply:
These types of messages are similar to service messages. Service messages are messages you send to people for purely administrative or customer service purposes and dont contain promotions or advertising. For example, messages about:
In some cases, the way you deliver the message may mean it is not direct marketing. This is because it doesnt count as being directed to particular people. For example:
Remember that data protection law still applies if you are using peoples information even if a regulatory communication message is not direct marketing, including:
For example, when you collect contact details from people, you must clearly tell them about the type of messages they can expect to receive from you.
Data protection law and PECR dont stop you from contacting people about the regulatory communication in a way that counts as direct marketing. But you must follow the rules.
The majority of the data protection rules apply when you use peoples information for any purpose, not just for direct marketing (eg fairness, lawfulness, transparency). The only difference here is that the right to object to direct marketing applies. Depending on your chosen direct marketing method, PECR may also apply.
For example, depending on the method of communication that you want to use, this means you must:
For more information on this, see the further reading box below.
It is unlikely that a one size fits all approach to contacting people directly will be appropriate. You should consider what direct marketing permissions and preferences you have from people and tailor your contact by using appropriate methods of communication for each group.
Someone may have previously agreed to get your direct marketing (eg in situations where you were required to have consent for that particular method of sending messages). If so, a regulatory communication message that is direct marketing is likely to be compliant (assuming the original consent is valid and would cover that particular marketing).
Likewise, if someone has not opted-out of your direct marketing (eg as part of the electronic mail soft opt-in), you might be able to rely on this to send them regulatory communication messages that are direct marketing. You still need to check you are meeting any other PECR requirements.
Example
A company is told by its statutory regulator to encourage people to have a new optional product. The company considers how best to achieve this objective.
The company decides that sending messages directly to people to encourage them to have a new optional product is likely to be direct marketing, no matter how they phrase it. It notes that its customers marketing preferences vary.
The company takes into account PECR marketing rules and any objections to direct marketing that it has received. It tailors the methods of communicating the message to customers according to their preferences. For example, it checks against the TPS for live calls and ensures it either has consent or can meet the soft opt-in for emails.
Having checked it is compliant with PECR to do so, the company sends emails and makes calls to encourage people to have the optional product. It decides to initially send one message per person, where it is compliant to do so. It will then follow this up with a further communication two months later to remind customers of the offer.
It also decides to use methods that are not directed to particular people. For example, it places a recorded message about the optional product on its helpline and uses messages on its website that all visitors see.
You must consider necessity and proportionality when assessing how to deliver a regulatory communication message. This applies whether or not the message counts as direct marketing.
Your use of peoples information should be a targeted and proportionate way of achieving a specific purpose. If you can reasonably achieve the purpose by some other less intrusive means, or by using less information about people, then you are unlikely to show necessity.
You should also consider if your chosen method of delivering the message and its frequency is necessary and proportionate. For example, although it may be necessary to send one email to someone outlining the regulatory communication, it may not be necessary or proportionate to send them multiple emails containing the same message. Likewise, it may not be proportionate to follow these emails with phone calls and text messages.
Frequency of a message can sometimes cause people stress and worry (especially for those most at risk of harm). Likewise, certain methods and timings can cause people concern. For example, making phone calls at anti-social hours or frequent redials of unanswered numbers. To be fair to people, you should take care when deciding which ways to use and how often you contact people about a particular regulatory communication.
The following hypothetical examples show two contrasting step-by-step approaches to a regulatory communication message. They will help you decide if the way you intend to comply with a regulatory communication is likely to count as direct marketing.
Please note that these examples are for illustration purposes only and may not be the only way to comply. You may find that you can phrase or tailor a regulatory communication message in a different way which doesnt count as direct marketing and satisfies your statutory regulators requirements. Likewise, the content of these examples is not intended to override wording that your statutory regulator may require you to use in a regulatory communication message.
A statutory regulator tells its sector to increase peoples awareness about what happens when they reach the end of their fixed contract and what their options are. This includes telling people what deals a new customer can access. The statutory regulator explains the type of things the message should cover but not exactly how to present it.
Organisation A decides to approach the regulatory communication by sending the following message to its customers:
Your contract with us will end on 31 March. Your payments will continue at your current rate of 40 per month.
You have a number of options available to you. You could:
To help you decide please see the following information:
Your current service
You currently pay 40 per month for your service.
Please note that you will continue to pay this price after 31 March unless you take out a new contract or cancel.
Your new contract
If you want to stay with us, we can offer you a new contract for the same level of service at 38 per month.
If you were a new customer you would be charged 35 per month for the same level of service (please note, this is not available to you as an existing customer).
If you want to take out a new contract with us or cancel your service, please go to our website or call 0123456789.
Remember: you may find a cheaper service by shopping around and using another provider.
Organisation B decides to approach the regulatory communication by sending the following message to its customers:
Your contract with us will end on 31 March. Your payments will continue at your current rate of 40 per month.
**But there is great news that as a valued customer you qualify for our special contract deal**
Your current service
You have been enjoying our great service for 40 per month. You will continue to pay this price after 31 March unless you take out a new contract or cancel.
Your SPECIAL OFFER price
As a valued customer we can offer you a new contact at 38 per month for the same coverage. Thats right - you can SAVE money whilst still keeping the same award-winning service.
If you were a new customer you would be charged 35 per month for the same level of service (please note, this is not available to you as an existing customer).
**Dont delay and call now on 0123456789 or go to our website to secure your special offer price**
Remember: you may find a cheaper service by shopping around and using another provider.
Why?
Organisation A chose to factually present the regulatory communication in a neutral and informative way, without encouragement or promotion. This means the message doesnt count as direct marketing.
Organisation B chose to use the communication to promote and encourage people to take out a new contract. Therefore this message is direct marketing.
A statutory regulator tells its sector to inform people in advance if there will be a rate change and what their options are. The statutory regulator doesnt say how to communicate this to people.
Organisation C decides to approach the regulatory communication by sending the following message to its customers:
We are reducing the rate paid on your account. This takes effect from 1 January.
Your new rates are shown below:
Your options
You should think about what youd like to do. Your options are:
Organisation D decides to approach the regulatory communication by sending the following message to its customers:
We are reducing the rate paid on your account. This takes effect from 1 January.
Your new rates are shown below:
Your options
You should think about what youd like to do. Your options are:
Why?
Organisation C chose to factually present the options to customers in a neutral and informative way, without encouragement or promotion. This means the message doesnt count as direct marketing.
Organisation D chose to use the communication to encourage customers to stay with it and promote its accounts. Therefore this message is direct marketing.
A statutory regulator asks their sector to remind people that their contributions affect the size of their investment at the end of the term.
Organisation G decides to comply with the regulatory communication by sending the following message to customers (tailored to each persons specific circumstances):
Your contributions affect the amount of money you will get at the end of your investment.
The amount you pay into your investment is a factor in the amount of return you receive. Your investment is currently xx a month.
See the rest here:
Direct marketing and regulatory communications - ICO