Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Direct marketing is one of the fastest ways to grow a small business - but it’s also an area where privacy law bites hard if you get it wrong.
The good news? With a clear plan and a few sensible processes, you can run compliant, high‑performing campaigns without drowning in red tape.
In this guide, we break down GDPR direct marketing rules (and the UK’s “PECR” rules) in plain English, from lawful bases and consent to cookies, records and opt‑outs. We’ll also walk through a practical checklist you can follow straight away.
What Counts As Direct Marketing Under GDPR And PECR?
Under UK GDPR and the Privacy and Electronic Communications Regulations 2003 (PECR), “direct marketing” means any communication that promotes your organisation’s aims or services. That includes classic sales emails and texts - but also newsletters, discount codes, event invites and even charity fundraising messages.
Key points to understand:
- It’s channel‑neutral: email, SMS, live/automated calls, direct messages, post and in‑app messages can all be direct marketing.
- It applies to B2C and B2B: PECR focuses on the channel and recipient type (individual vs corporate subscriber), while GDPR applies whenever you process personal data.
- You need both: for electronic marketing, you must satisfy PECR rules and have a GDPR lawful basis for processing.
In practice, your campaign planning should always ask two questions: “What channel are we using?” (PECR) and “What’s our lawful basis to process the person’s data?” (GDPR).
What Lawful Basis Can You Use For Direct Marketing?
GDPR requires a lawful basis for any personal data processing linked to your marketing activity. For most small businesses, this will be one of:
Consent
Consent works well when you can collect it clearly and voluntarily at the point of sign‑up. For consent to be valid, it must be:
- Freely given (no “forced” consent gates for non‑essential processing)
- Specific (to the channels and purposes you’ll use)
- Informed (transparent wording, no surprises)
- Unambiguous (positive action - no pre‑ticked boxes)
Make sure you keep evidence of who consented, when, how, and what you told them at the time.
Legitimate Interests
GDPR recognises that direct marketing can be a “legitimate interest.” However, you must do and document a balancing test: your business interest vs the individual’s privacy expectations and rights. Key tips:
- Be proportionate: use minimal data and non‑intrusive channels.
- Give a clear, easy opt‑out in every message.
- Avoid surprising people - align messages with the relationship and context.
Remember: even where legitimate interests is a valid GDPR basis, you still need to meet the PECR rules for the channel (especially for emails and texts).
Contract And Other Bases
Sometimes you’ll send operational messages that aren’t “marketing” - e.g., a delivery update or service notice. These may be necessary for a contract and fall outside direct marketing. Be careful not to bundle promotional content into these messages, or they’ll be treated as marketing.
PECR Rules By Channel (Email, SMS, Calls, Cookies)
PECR sets stricter rules for electronic marketing. Here’s how it works by channel.
Email And SMS
For individuals (including sole traders and most partnerships), you generally need prior consent to send unsolicited marketing emails or texts - unless the “soft opt‑in” applies. The soft opt‑in lets you market similar products/services if:
- You obtained the contact details during a sale or a clear sales negotiation.
- You’re marketing your own similar products or services.
- You gave a clear opt‑out at the time of collection and in every message.
If you’re not sure how to apply the soft opt‑in in real life, it’s worth reading more on soft opt‑in and the UK’s email marketing laws.
For corporate subscribers (e.g., company inboxes like info@business.com), PECR is more permissive, but GDPR still applies. Don’t forget to include an opt‑out and honour it promptly.
Live And Automated Calls
For live sales calls, you must check the Telephone Preference Service (TPS/CTPS) and your own opt‑out lists. Automated calls require prior consent. If you record or screen calls, remember privacy duties around fair processing - see practical notes on GDPR and business calls.
Social Media Ads And Direct Messages
Targeted ads are usually based on cookies or device identifiers, so PECR’s consent requirement applies. Direct messages to individuals on platforms should be treated like email/SMS: make sure you have consent or a valid soft opt‑in equivalent, and always provide an opt‑out route where possible.
Cookies, Pixels And Tracking Tech
Most non‑essential cookies (including analytics and advertising pixels) require prior consent under PECR - even if they don’t identify a named person. You’ll need:
- A clear, granular consent mechanism (no pre‑ticked boxes)
- Accurate descriptions of each category
- Easy “reject all” and “manage preferences” options
Your website should pair a compliant banner with a clear Cookie Policy and settings that actually block non‑essential scripts until consent is given. If you’re updating your site, it’s sensible to revisit your cookie banners against current ICO expectations.
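As an added illustration (not Sprintlaw’s code), here is the logic behind a banner that really does block non‑essential scripts until a positive choice is made: nothing beyond “strictly necessary” loads by default, a missing or malformed consent record counts as “no”, and “reject all”, “accept all” and granular “save” are all one action. The category names, tag registry and the loader callback are assumptions for illustration.

```javascript
// Added example: consent-gated tag loading. Category names, the tag registry
// and the loader callback are assumptions, not a real site's configuration.

// Constructed registry: each tag declares the single category it belongs to.
const TAG_REGISTRY = [
  { id: "session-cookie", category: "necessary", src: null },
  { id: "analytics-js", category: "analytics", src: "https://analytics.example/tag.js" },
  { id: "ad-pixel", category: "advertising", src: "https://ads.example/pixel.js" },
];

// Default state mirrors "no pre-ticked boxes": non-essential categories are
// off and `decided` stays false until the visitor actually clicks something.
function defaultConsent() {
  return { decided: false, analytics: false, advertising: false };
}

// Parse a stored consent record (e.g. from a first-party cookie or
// localStorage). Anything missing or malformed falls back to the default.
function parseConsent(raw) {
  try {
    const c = JSON.parse(raw);
    if (!c || c.decided !== true) return defaultConsent();
    return { decided: true, analytics: c.analytics === true, advertising: c.advertising === true };
  } catch (e) {
    return defaultConsent();
  }
}

// Which tags may run for a given consent state: necessary tags always,
// non-essential tags only after an explicit opt-in for their category.
function allowedTags(consent, registry = TAG_REGISTRY) {
  return registry
    .filter((t) => t.category === "necessary" || (consent.decided && consent[t.category] === true))
    .map((t) => t.id);
}

// Build the record for a banner action. "rejectAll" and "acceptAll" are one
// click each; "save" takes the granular choices from the preferences form.
function recordChoice(action, prefs = {}) {
  if (action === "rejectAll") return { decided: true, analytics: false, advertising: false };
  if (action === "acceptAll") return { decided: true, analytics: true, advertising: true };
  return { decided: true, analytics: prefs.analytics === true, advertising: prefs.advertising === true };
}

// Load the allowed tags through an injected loader (in a browser, one that
// appends a <script> element). Injection keeps this runnable without a DOM.
function applyConsent(raw, loader, registry = TAG_REGISTRY) {
  const ids = allowedTags(parseConsent(raw), registry);
  registry.filter((t) => ids.includes(t.id) && t.src).forEach((t) => loader(t.src));
  return ids;
}
```

Re-running `applyConsent` with the stored record on every page load is what keeps the banner’s promise; a tag manager that fires analytics before this check has run is exactly the mismatch an audit will catch.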
What Notices, Policies And Records Do You Need?
Being able to show your working is half the battle. A few lightweight documents and logs will keep you protected and organised.
Privacy Notices (External)
Tell people what you do with their data in concise, plain English. Typically, this sits in your website/app Privacy Policy and any in‑journey notices (e.g., checkout sign‑ups, competition forms). Cover:
- What data you collect for marketing and why
- Lawful basis (consent or legitimate interests) for each channel
- Who you share data with (email platforms, ad networks, analytics)
- How to opt out or withdraw consent
- Retention periods and profiling information
Consent And Preferences Logs
Keep a record of consents given (who, when, source and wording) and opt‑outs. Many email platforms handle this, but make sure you can export proof if the ICO asks.
Legitimate Interests Assessment (LIA)
If you rely on legitimate interests, complete an LIA for each campaign type. It doesn’t have to be long, but it should show you considered necessity and proportionality, and put mitigations in place (e.g., frequency caps and clear opt‑outs).
Contracts With Your Providers
If you use a marketing platform, CRM, analytics or any vendor processing customer data on your behalf, you must have a Data Processing Agreement with required GDPR clauses. For any partner that decides on purposes/means with you (less common), you may need a data sharing arrangement.
Cookie Controls And Documentation
Pair accurate cookie categorisation with real blocking until consent. Your banner should link to a Cookie Policy that matches what you actually run on the website - audits catch mismatches quickly.
Handling Data Subject Rights And Complaints
Direct marketing is where customers most often exercise their rights. Having a simple process takes the stress out of it.
Opt‑Outs And Suppression Lists
Every marketing message should include an easy unsubscribe or opt‑out. When someone opts out, add them to a suppression list and apply it across all tools (email, SMS, CRM, ad audiences). Don’t delete these records entirely - you need to retain a minimal record to avoid contacting them again.
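The email/SMS rules above (consent or soft opt‑in for individuals, opt‑out for corporate subscribers) and the suppression list described here can be turned into a single “may we send this?” check that a campaign tool runs before every send. This is an added example, not Sprintlaw’s code; the record shapes, the sample contacts and the suppression set are constructed for illustration.

```javascript
// Added example: a pre-send permission check. Record shapes and sample data
// are assumptions for illustration, not any real platform's format.

// Constructed consent log: who, when, source and the wording shown.
const CONSENTS = [
  { email: "Ann@Example.com", channel: "email", when: "2024-03-01T10:00:00Z",
    source: "newsletter form", wording: "Send me offers by email", withdrawn: null },
];
// Constructed customer records used for the soft opt-in test.
const CUSTOMERS = [
  { email: "bob@example.com", collectedDuringSale: true, optOutOfferedAtCollection: true, productLine: "accounting" },
  { email: "cara@example.com", collectedDuringSale: false, optOutOfferedAtCollection: true, productLine: "accounting" },
];
// Suppression list: a minimal record of who must not be contacted again.
const SUPPRESSED = new Set(["dave@example.com"]);

// Normalise addresses so opt-outs match regardless of case or whitespace.
const norm = (e) => String(e).trim().toLowerCase();

// Valid, unwithdrawn consent is channel-specific (email consent is not SMS consent).
function hasConsent(email, channel, consents = CONSENTS) {
  return consents.some((c) => norm(c.email) === norm(email) && c.channel === channel && c.withdrawn === null);
}

// Soft opt-in: details obtained during a sale, opt-out offered at collection,
// and the campaign is for the same/similar product line.
function softOptInApplies(email, campaignProductLine, customers = CUSTOMERS) {
  const c = customers.find((x) => norm(x.email) === norm(email));
  return !!c && c.collectedDuringSale && c.optOutOfferedAtCollection && c.productLine === campaignProductLine;
}

// Returns { allowed, reason } so the decision can be logged next to the send.
function mayContact({ email, channel, subscriberType, campaignProductLine, messageHasOptOut }) {
  const e = norm(email);
  if (SUPPRESSED.has(e)) return { allowed: false, reason: "on suppression list" };
  if (!messageHasOptOut) return { allowed: false, reason: "message lacks an opt-out" };
  if (subscriberType === "corporate") return { allowed: true, reason: "corporate subscriber (GDPR lawful basis still required)" };
  if (hasConsent(e, channel)) return { allowed: true, reason: "recorded consent" };
  if (softOptInApplies(e, campaignProductLine)) return { allowed: true, reason: "soft opt-in" };
  return { allowed: false, reason: "no consent and soft opt-in does not apply" };
}

// An opt-out adds the address to the suppression list and marks consent as
// withdrawn rather than deleting it, so the evidence trail survives.
function recordOptOut(email, consents = CONSENTS, suppressed = SUPPRESSED) {
  suppressed.add(norm(email));
  consents.filter((c) => norm(c.email) === norm(email)).forEach((c) => { c.withdrawn = new Date().toISOString(); });
}
```

The suppression check runs first on purpose: it must win over any consent record or soft opt‑in, and it is the single place every tool (email, SMS, CRM, ad audiences) should sync from.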
Access And Deletion Requests
People can ask for copies of their data or to have it deleted. Have a short playbook and templates ready to respond within the one‑month timeframe. If you’re setting this up, using a simple subject access request template can help the team stay consistent.
Accuracy And Profiling
If you profile users for targeting, tell them clearly and offer a way to challenge or update preferences. Keep your databases clean (e.g., bounce management, deduping) to reduce complaints and wasted spend.
Complaints And ICO Engagement
Most complaints can be resolved quickly with a polite, transparent reply and prompt action (e.g., unsubscribe confirmation). If someone raises an ICO complaint, be ready to show your policies, consent logs, LIA and suppression list process. A calm, documented approach goes a long way.
A Practical GDPR Direct Marketing Checklist
Here’s a simple, actionable list you can work through to get compliant and stay that way.
- Map Your Channels: List every marketing channel you use (email, SMS, calls, post, social, cookies/pixels) and the tools behind them.
- Choose Your Lawful Basis: Decide per channel whether you’re relying on consent or legitimate interests - document why.
- Fix Your On‑Site Notices: Update sign‑up wording and your Privacy Policy so they match what you actually do.
- Make Email And SMS Compliant: Build consent into forms or ensure your soft opt‑in flows meet PECR; include an unsubscribe link every time. When in doubt on the rules, revisit the UK’s email marketing laws.
- Get Cookies Right: Deploy a consent banner that blocks non‑essential scripts by default and links to an accurate Cookie Policy; audit tags regularly.
- Paper Your Vendors: Put a GDPR‑compliant Data Processing Agreement in place with email platforms, CRMs, analytics and marketing agencies that process data for you.
- Centralise Opt‑Outs: Sync unsubscribes and do‑not‑contact flags across your tools. Use suppression lists rather than full deletion for opt‑outs.
- Prepare For Requests: Set up a simple intake and response process for access, deletion and objection requests - templates make this faster and safer.
- Train Your Team: Anyone who builds lists, sends campaigns or answers customer emails should understand PECR, consent, opt‑outs and your internal process.
- Review And Refresh: Re‑run your legitimate interests assessments periodically, retest forms and banners, and tidy your data at least quarterly.
Common Pitfalls (And How To Avoid Them)
Most enforcement issues come from a few avoidable mistakes. Watch out for these:
- Buying Lists: Third‑party lists rarely meet GDPR/PECR standards. Even if someone “consented” elsewhere, that consent usually isn’t valid for your business. Build your own audience instead.
- Bundled Consents: Don’t tie consent to unrelated services or hide it in terms. Consent must be separate and optional.
- Mis‑Categorised Cookies: Analytics and ad tech are almost always “non‑essential.” Don’t load them before consent or mislabel them as “strictly necessary.”
- Ignoring B2B Rules: Corporate emails are not a free‑for‑all. You still need a GDPR lawful basis, transparency and an opt‑out.
- Inconsistent Unsubscribes: If your CRM doesn’t sync with your email/SMS tool, you risk contacting someone who opted out. Centralise suppression or use integrations.
- Vague Privacy Notices: If your notice doesn’t mention profiling, tracking or third‑party tools, you’re not being transparent.
How Enforcement And Penalties Work
The ICO can issue warnings, enforcement notices and fines for breaches of GDPR or PECR. The size of fines depends on factors like scale, harm and cooperation - but the reputational damage from non‑compliance can cost more than any penalty.
The ICO often focuses on practical failures: no clear consent, ignoring opt‑outs, non‑compliant cookie banners, poor record‑keeping or inadequate contracts with processors. Getting the basics right greatly reduces your risk.
Direct Marketing And Other UK Laws To Keep In Mind
Alongside GDPR and PECR, check your campaign against other rules that often overlap:
- Consumer Protection: Be truthful and clear in ads and promotions, and honour pricing and offer terms.
- Sector Rules: Financial services, health, alcohol and gambling have specific advertising restrictions.
- Intellectual Property: Avoid using third‑party content (images, music, logos) without permission in campaigns.
If you’re running phone outreach, it’s also worth reviewing your approach to data minimisation, recordings and fair processing for business calls.
When To Get Expert Help
If you’re building your first consent flows, implementing a new CRM or rolling out a fresh website with tracking, a short consult now can save a lot of retro‑fitting later. Many small businesses benefit from a lightweight privacy tune‑up (policy, notices, cookie controls and DPAs) to get protected from day one.
If you want an efficient way to get your core privacy documentation and processes in order, our team can help you pull together a practical set of documents and controls - from a tailored Privacy Policy and Cookie Policy to the right Data Processing Agreement with your vendors.
Key Takeaways
- Treat GDPR and PECR as a pair: you need a lawful basis for processing and you must follow channel‑specific rules for email, SMS, calls and cookies.
- Use consent where you can collect it cleanly, and legitimate interests where it’s proportionate - document your reasoning and include easy opt‑outs.
- For email/SMS, the soft opt‑in can work if you collected details during a sale or negotiation and you only market similar products with a clear opt‑out.
- Cookie consent is required for most analytics and ad tech - deploy compliant banners and an accurate Cookie Policy that actually controls scripts until consent.
- Have the basics in writing: an up‑to‑date Privacy Policy, consent and opt‑out logs, legitimate interests assessments and DPAs with your marketing providers.
- Build simple processes for unsubscribes, suppression lists and responding to rights requests - consistency prevents complaints and fines.
- A short privacy check‑up now (policies, banners, vendor contracts and team training) will protect your marketing engine as you scale.
If you’d like help setting up GDPR‑compliant direct marketing - from policies and consent wording to cookie controls and vendor contracts - you can reach us on 08081347754 or team@sprintlaw.co.uk for a free, no‑obligations chat.