Direct marketing playbook

Did you know by 2023, data privacy regulations will cover 65% of the world’s population? Our direct marketing guide has all the tips you need to turn your data privacy policy into a competitive advantage.


As technology has evolved, it has ushered in new ways of identifying, reaching, and connecting with potential and current customers, both down the street and around the world.

However, as the technology and various media platforms have evolved, so, too, have people’s expectations around privacy, data ownership, and consent—especially when it comes to their personal data and contact information.

We can all agree that the data privacy regulations that have been implemented in the European Union, the United Kingdom, and various states throughout the United States—combined with updates to new consent policies introduced into new devices and social media platforms—have done a lot to swing control back to the consumer. However, they have also made it a bit more complex for businesses to navigate direct marketing.


Chapter 1

What is direct marketing?

As recently as 2005, you could equate marketing with large-scale radio, TV, billboard, and print advertising.

But with the introduction of email, social media, and advanced internet-based technology, businesses now know more about their potential customers and how to reach them than ever before.

The way businesses identify, precisely message, and contact leads—and then deliver their advertising right to them—is what is known as direct marketing. In other words, direct marketing cuts out the old-school middle man—the magazine publisher, the radio, or the billboard—and allows your brand to target your leads directly.

With this new form of targeted messaging, organizations can reap many different rewards, such as:

Chapter 2

Solicited v unsolicited marketing

When Is a Message “Solicited” vs. “Unsolicited”?

Some of the above examples of what is and what isn’t direct marketing are straightforward, but other cases can be a bit harder to decipher. Some of that complexity can be cleared up if you step back and think about which action made by which party—the business or the customer—initiated the contact. This gets to the idea of solicited versus unsolicited messaging.

A solicited message is one that is actively requested by a customer or potential customer. For example, a customer fills out an online form, provides their name on a mailing list, or checks a box on a contact form.

An unsolicited message is any message that has not been specifically requested. Even if the customer has “opted in” to receiving marketing from you in a previous contact, it can still count as unsolicited marketing. An opt-in means the customer agrees to receive future messages, but this is not the same as someone specifically contacting you to ask for particular information.

It’s worth noting that if you have an ongoing or recent relationship with a person, then the contact might not be deemed unsolicited because some form of consent may be present. In addition, if a customer has volunteered contact details in the course of completing a survey or entering a promotion, such details may have consent attached to their future use, and any direct messaging may not be considered unsolicited. So although there can be some gray areas, most direct marketing messages are unsolicited.

Chapter 3

Direct marketing obligations

Behind these concepts of solicited versus unsolicited messages—and, in turn, whether an instance of direct marketing is allowed—is the principle of consent. Organizations have an obligation to perform what the United Kingdom’s guidance refers to as consent management. This is the process of understanding, based on the relevant laws, who can be marketed to and how. Organizations must then take the necessary steps to ensure that their mailing list for direct marketing is compiled fairly and accurately reflects people’s wishes, such as respecting a request to be unsubscribed or to opt out of future messages.

The Onus of Proving Consent

In most countries, when consent is required, the onus is on the company itself to prove that it has valid consent for direct marketing. When that proof of consent is requested, organizations need to be able to provide clear records of:

When you can direct market to users without explicit consent

In general, companies that are based in or marketing to customers in the EU and the UK must have consent to process personal data for use in future direct marketing. This is because e-privacy laws take precedence over the restrictions outlined in the GDPR. However, in addition to collecting explicit consent, organizations can also use one of the following other forms of what are known as “lawful bases for processing”:

Legitimate Interest: If your organization can use data in a way that people would reasonably expect and with limited privacy impact. This form requires:

  • An identified legitimate interest from the person
  • An identified need to process the data to achieve the interest
  • Confirmation that the person’s interests, rights, and freedoms are balanced

Contract: If your organization has a contract with the individual or asks for something prior to entering a contract, such as requesting a quote.

Legal Obligation: If personal data needs to be processed to comply with a law or statutory obligation.

Vital Interests: If your organization needs to process personal data in order to protect someone’s life or well-being.

Public Task: In a situation in which your organization is using data as part of an official public function set out in law.

Special Category Data: If data needs to be processed in order to properly secure it due to its nature, based on a lawful basis.

Although obtaining explicit consent is the most direct method, sometimes it is not the easiest form of justification for processing data. In this case, one of the other forms above can be used as justification for processing data.

However, if companies have obtained consent for follow-up communications in compliance with e-privacy laws, then they could have an appropriate basis under the GDPR for pursuing direct marketing.

Failure to have the right mechanisms in place to prompt for, collect, and store customer consent can ultimately lead to administrative and financial headaches down the road. For example, organizations will have to find a method to retrospectively prove legal basis for their direct marketing attempts, if challenged, which can lead to a significant investment of time and effort or even the potential for fines if justification cannot be proven.

Chapter 4

Country compliance comparison

We’ve covered a lot of ground so far: discussing the evolution of marketing in a digital age, the idea of direct marketing, and the concepts and forms of consent. You’ve also likely experienced in your own business and personal life—as well as in this guide—the variability in how each jurisdiction approaches, defines, and limits direct marketing.

Although this is certainly not a comprehensive listing of all countries and a legal dissection of each country’s relevant laws, the Dataships team has created a country-by-country comparison when it comes to the basic boundaries of direct marketing. In this case, countries from the European Union were compared with those in North America and other parts of the world.

A note about the European Union (EU)

The GDPR applies to most electronic marketing activities because they involve the use of personal data, such as email addresses. Justification for electronic, direct marketing is often based on knowledge of consent or legitimate interest of the business behind the marketing efforts.

However, there are member country-specific rules within the EU that must be adhered to in addition to those outlined in the GDPR. For example, this can mean that there are country-specific exceptions for when legitimate interest can be relied upon if no consent is in place.

Fortunately, industry-leading modern marketing tools can help with the process of sorting, recording, and filtering mailing lists based on consent, location, and type. These platforms are able to then help organizations eliminate any gray areas regarding whether a contact can be marketed to and simplify the process of keeping an updated system of record for consent.



Unsolicited Marketing Permitted: No

Consent Requirements

The general rule for electronic direct marketing is that it requires the clear, affirmative consent of the recipient.

Other Legal Bases/Considerations/Grey Areas

Nevertheless, consent is not specifically required in respect of every instance of electronic direct marketing, and there is an exception to the general requirement for consent, but only in cases involving existing customers, where certain other conditions are also met:

  1. The product or service being marketed is your own product or service;
  2. The product or service you are marketing is of a kind similar to that which you sold to the customer at the time you obtained their contact details;
  3. At the time you collected the details, you gave the customer the opportunity to object, in an easy manner and without charge, to their use for marketing purposes;
  4. Each time you send a marketing message, you give the customer the right to object to receipt of further messages; and
  5. The sale of the product or service occurred not more than 12 months prior to the sending of the electronic marketing communication or, where applicable, the contact details were used for the sending of an electronic marketing communication in that 12-month period.

United Kingdom

Unsolicited Marketing Permitted: No

Consent Requirements

General rule: You need a person’s consent before you can send them a marketing message. The most plausible legal bases for electronic marketing will be consent or the legitimate interests of the controller.

Other Legal Bases/Considerations/Grey Areas

There is an exception to the general rule for existing customers, known as the “soft opt-in.” This means organizations can send marketing texts or emails if:

  • They have obtained the contact details in the course of a sale (or negotiations for a sale) of a product or service to that person;
  • They are only marketing their own similar products or services; and
  • They gave the person a simple opportunity to refuse or opt out of the marketing, both when first collecting the details and in every message after that.

The customer does not actually have to have bought anything to trigger the soft opt-in. It is enough if “negotiations for a sale” took place. For example, a customer sending an online enquiry to ask if the company can order a particular product could constitute negotiations for a sale, but an inquiry asking if the company is going to open more branches in a particular location would not.

The UK GDPR specifically mentions use of client or employee data, marketing, fraud prevention, intra-group transfers, or IT security as potential legitimate interests, but this is not an exhaustive list. It also says that you have a legitimate interest in disclosing information about possible criminal acts or security threats to the authorities.


Unsolicited Marketing Permitted: No

Consent Requirements

In general, unsolicited electronic marketing requires prior opt-in consent. The standard is slightly higher in that there is also a double opt-in process. Data subjects must always give consent for a specific processing purpose. This means that the person to be contacted needs to know 1. from whom (meaning which specific entity or entities) and 2. for which specific products and services they will receive marketing offers.

Other Legal Bases/Considerations/Grey Areas

The opt-in requirement is waived under the “same service/product” exemption. The exemption concerns marketing emails related to the same products/services as previously purchased from the sender by the user, provided that:

  1. The user has been informed of the right to opt-out prior to the first marketing email;
  2. The user did not opt-out; and
  3. The user is informed of the right to opt-out of any marketing email received.

The exemption applies to electronic communication such as electronic text messages and email but does not apply with respect to communications sent by fax.


Unsolicited Marketing Permitted: No

Consent Requirements

Similar to other EU states. The most plausible legal basis for electronic marketing will be consent or the legitimate interests of the controller. However, the CNIL distinguishes between B2B and B2C relationships. In any event, all electronic marketing messages must specify the name of the advertiser and allow the recipient to object to the receipt of similar messages in the future.

Other Legal Bases/Considerations/Grey Areas

Electronic marketing to consumers (B2C)

In the absence of consent, legitimate interests can be relied upon when:

  • The concerned individual is already a customer of the company and if the marketing messages sent pertain to products or services similar to those already provided by the company; or 
  • The marketing messages are not commercial in nature.

In any event the concerned individual, at the time of collection of their email address, must be informed that it will be used for electronic marketing activities, and be able to easily and freely object to such use.

Electronic marketing to professionals (B2B)

Electronic marketing activities are authorized provided that the recipient has been, at the time of collection of their email address:

  • Informed that it will be used for electronic marketing activities; and
  • Able to easily and freely object to such use.

The message sent must relate to the concerned individual’s professional activity.

Please note that email addresses such as are not subject to the requirements of prior consent and the right to object.


Unsolicited Marketing Permitted: No

Consent Requirements

Similar to other EU states. The most plausible legal basis for electronic marketing will be consent or the legitimate interests of the controller. The LSSI further states: The general principle is that deliveries of electronic marketing materials are lawful only if they have been explicitly authorized in advance by the recipients (authorization that is required not just for individuals but also where the recipient is a legal entity).

Other Legal Bases/Considerations/Grey Areas

An exception to this general principle applies to deliveries to clients when the materials refer to products/services that are equal or similar to the ones sold to them in the past by the company sponsoring the advertisement. Electronic publicity shall:

  • Be clearly marked as such by means of the terms “PUBLI” or “PUBLICIDAD” placed inside the subject line;
  • Allow the recipient to opt-out at all times, even at the time of registration; and
  • Clearly identify the sponsor of the delivery.

It is the sponsor of the delivery, not the electronic publicity company, that shall be held liable in case of enforcement. Opt-out shall include an email address when the publicity was delivered by email too. Opt-out procedure shall be simple and free for the recipient of the publicity.


Unsolicited Marketing Permitted: No

Consent Requirements

Similar to other EU states. The most plausible legal basis for electronic marketing will be consent or the legitimate interests of the controller. However, a mass advertising email exception is in place.

Other Legal Bases/Considerations/Grey Areas

Similar exception for existing customers applies:

Where a data controller uses, for direct marketing of their own products or services, electronic contact details for electronic mail supplied by a data subject in the context of the sale of a product or service, said data controller may fail to request the data subject’s consent, on condition that the services are similar to those that have been the subject of the sale and the data subject, after being adequately informed, does not object to said use either initially or in connection with subsequent communications.

The data subject shall be informed of the possibility to object to the processing at any time, using simple means and free of charge, both at the time of collecting the data and when sending any communications for the purposes here referred.


Unsolicited Marketing Permitted: No

Consent Requirements

Similar to other EU states. The most plausible legal basis for electronic marketing will be consent or the legitimate interests of the controller. However, a mass advertising email exception is in place.

Other Legal Bases/Considerations/Grey Areas

As an exception, mass advertisements may be sent without the consent of the recipient (Federal Act against Unfair Competition (UCA)):

  • If the sender received the contact information in the course of a sale of their products or services;
  • If the recipient was given the opportunity to refuse the use of their contact information upon collection (opt-out); and
  • If the mass advertising relates to similar products or services of the sender.

In addition, mass advertising emails must contain the sender’s correct name, address, and email contact and must provide for an easy-access and free-of-charge “opt-out” from receiving future advertisements.


Unsolicited Marketing Permitted: No

Consent Requirements

Similar to other EU states. The most plausible legal basis for electronic marketing will be consent or the legitimate interests of the controller.

Other Legal Bases/Considerations/Grey Areas

Electronic marketing is also regulated by the Austrian Telecommunications Act (Telekommunikationsgesetz 2003, “TKG”). Pursuant to the TKG, the sending of electronic messages without prior consent of the recipient is unlawful insofar as the message is sent for direct marketing purposes or to more than 50 recipients. Explicit consent is not required where:

  1. The data have been obtained in the context of the sale of goods or provision of services;
  2. The electronic marketing concerns same or similar goods or services of the sender;
  3. The recipient is able to decline easily and with no costs for the use of his or her personal data for electronic marketing.

United States

Unsolicited Marketing Permitted: Yes

Consent Requirements

The laws for emails, text messages, telemarketing, and calls to wireless phone numbers differ. In relation to email, the CAN-SPAM Act is the federal law. CAN-SPAM generally allows a company to send commercial emails to any recipient, provided the recipient has not opted out of receiving such emails from the sender, the email identifies the sender and the sender’s contact information, and the email contains instructions on how the recipient can easily and without cost opt out of future commercial emails from the sender.

Other Legal Bases/Considerations/Grey Areas

Rules are stricter for text messages, calls to wireless phone numbers, and fax marketing.

Text Messages

Federal and state regulations apply to the sending of marketing text messages to individuals. Express consent is required to send text messages to individuals, and, for marketing text messages, express written consent is required.

Calls to Wireless Phone Numbers

Similar to text messages, federal and state regulations apply to marketing calls to wireless phone numbers. Prior express consent is required to place phone calls to wireless numbers using any autodialing equipment, and, for marketing calls, express written consent is required (electronic written consent is sufficient, but verbal consent is not).

Fax Marketing

Federal law and regulations generally prohibit the sending of unsolicited advertising by fax without prior express consent.


Unsolicited Marketing Permitted: No

Consent Requirements

Under CASL, it is prohibited to send a commercial electronic message unless the recipient has provided express or implied consent and the message complies with the prescribed content and unsubscribe requirements.

Other Legal Bases/Considerations/Grey Areas

Electronic marketing is governed by both Canadian privacy statutes and Canada’s Anti-Spam Legislation (CASL). CASL contains potentially stiff penalties, including administrative penalties of up to CA$1 million per violation for individuals and CA$10 million for corporations. CASL also sets forth a private right of action permitting individuals to bring a civil action for alleged violations of CASL (CA$200 for each contravention up to a maximum of CA$1 million each day for a violation of the provisions addressing unsolicited electronic messages). However, the private right of action is not yet in force.

What constitutes both permissible express and implied consent is defined in the CAN-SPAM Act and regulations. An organization may be able to rely on implied consent when there is an existing business relationship with the recipient of the message, based on:

  • A purchase by the recipient within the past two years; or
  • A contract between the organization and the recipient currently in existence or which expired within the past two years.

CASL also introduced amendments to PIPEDA that restrict “address harvesting,” or the unauthorized collection of email addresses through automated means (e.g., using a computer program designed to generate or search for, and collect, email addresses) without consent. The use of an individual’s email address collected through address harvesting also is restricted.