The ICO issues guidance on direct marketing and regulatory communications

Valeria Quadranti | Data Protection Advisor

Date: 28 April 2023

The Information Commissioner’s Office (hereafter “ICO”) recently released new guidance to help organisations comply with data protection law when a regulatory communication they are required to send out amounts to direct marketing.

When undertaking activities that may count as direct marketing, organisations have to ensure compliance with data protection requirements by balancing their interest in growing their business against the individual’s right to object to such messages and to withdraw consent to receiving them.

This article outlines the key points arising from the guidance and the steps organisations can undertake to promote themselves and further their aims while also complying with data protection rules.

Who is the ICO’s guidance for?

The ICO’s guidance applies to organisations operating in the “regulated private sector” (e.g., the communications and energy sectors). These are organisations overseen by a statutory regulator that may require them to send messages to people, including information about new programmes, initiatives, etc.

How to identify regulatory communications as direct marketing

Regulatory communications refer to “situations when a statutory regulator asks or requires their industry to send out specific messages to people, such as information about new initiatives or to promote competition in the market”. Such requests may also include the type of consumer to send the message to, how often to send it, and the content.

In light of the above, organisations have to assess whether a regulatory communication counts as direct marketing. To make that assessment in a way that complies with data protection rules, the ICO’s guidance recommends considering the following:

  • The content of the communication, such as the phrasing and the tone of the messages.
    • Example: Ofcom (the UK’s communications regulator) asks the organisations it regulates to inform people about its involvement in an initiative offering advice to parents on how to manage their children’s gaming experience. The initiative includes paid online courses with professionals, such as a child psychologist. The regulator explains the topics the message should cover and how to present them.
      • Direct marketing: the organisation is asked to use the communication to encourage people to attend the online courses by describing their advantages (e.g., improving the parent-child relationship).
      • Not direct marketing: the organisation is asked to tell customers about the initiative in an informative way that lets the individual decide whether or not to subscribe to the courses.
  • The context of the communication. If the information is sent out: i) solely for the benefit of the individuals; or ii) against the organisation’s own interests and only in order to comply with a regulatory requirement, the message will not count as direct marketing.
    • Example: Ofgem (the UK’s energy regulator) asks the organisations it regulates to inform people about the Citizens Advice services that help individuals who do not agree to a payment plan. That message does not count as direct marketing, as it is sent for the sole benefit of the individuals.

How to comply with the data protection requirements if a regulatory communication message is direct marketing

Recognising that organisations have a legitimate business need to promote their activities, the ICO sets out rules for sending direct marketing communications in a way that also meets data protection requirements.

  • Data subjects come first: before sending any message that may count as direct marketing, the organisation must:
    • check the Telephone Preference Service (TPS) and any “do not call” lists before making a call that could amount to direct marketing;
    • take into account any right to object the individual may recently have exercised;
    • not send direct marketing to individuals who have opted out or unsubscribed from such communications or from receiving future emails;
    • have the individual’s consent before making automated direct marketing calls;
    • have the individual’s consent, or meet all the requirements of the soft opt-in, for direct marketing by email.
  • Fundamental principles to rely on: necessity and proportionality are core principles organisations must follow, especially where a regulatory communication that involves the use of personal information may count as direct marketing. In this regard, organisations should also consider:
    • whether the purpose of the communication could reasonably be achieved by other, less intrusive means, e.g., by displaying the regulatory communication on their website or social media profile;
    • whether the method of delivery is appropriate and respects these principles, e.g., the principle of proportionality may not be respected where a regulatory communication sent by email is followed up with phone calls carrying the same content.

The ICO’s guidance sets out useful rules that help to clarify the challenging topic of direct marketing. Although the guidance applies solely to organisations operating in the regulated private sector, we recommend that all organisations consider applying it as good practice (for example, the principles may be relevant to a not-for-profit organisation that asks its donors for financial support).

Trilateral’s Data Protection and Cyber-risk team have data protection specialists with extensive expertise and experience helping our clients achieve compliance with the latest Data Protection regulations as well as the Authorities’ newest guidance, including around direct marketing. Please get in touch with our advisors to discuss your organisation’s requirements.
