Getting Consent to Send Marketing – Are You Compliant?

Consent is all about someone giving their permission for something to happen. Which all sounds very simple: someone either consents to something or they don’t. But did you know that the ICO’s guidance contains 3 full pages defining exactly what it means to give ‘consent’ to receive direct marketing communications?

Let’s be clear: The consent rules generally apply to most direct marketing, including SMS messages, fax, email, paper mail, and telephone calls to numbers that are registered with the TPS. And the chances are you’ll be using your data for one or more of these channels. So how do you know if valid consent has been obtained from each individual, and that you are operating within regulations?

Ask yourself (or your data provider) these questions to find out:

1. Was there a genuine choice to give or refuse consent?

Consent has to be freely given. Each individual must have been given an actual choice about whether their personal data can be processed in the way you specify. This means you can’t make consent a condition of another action like subscribing to a service or completing a transaction. The consent must be a standalone option to be valid.

2. Was it made completely clear?

Consent must also be informed. If you have some kind of opt-in process in your organisation, ask yourself whether it’s really clear what is being agreed to. Burying a request somewhere inside your privacy policy won’t constitute the “informed” consent that is required by the regulations.

When reviewing your sign-up or subscription process, remember that the recipient of your communication must knowingly agree to receive the communication. That means they must know, in their mind, that they are agreeing to something when they do so. They should also have to take some kind of positive action to communicate the fact that they give their consent; this is usually done by clicking a button or ticking a box.

3. Did you mention how the marketing will be communicated?

To obtain consent, simply saying you will send ‘marketing messages’ is not enough. Organisations must be specific about which communications channels will be used to contact the individual. Here’s an example:

“Check this box if you would like to receive future discounts and other offers from Nexbridge via SMS to the number provided.”

4. Was the recipient made specifically aware of who might contact them?

Some detail about who the recipient can expect to be contacted by is required. Usually this is the organisation asking for consent, but if you’ve gained your lead data from a 3rd party organisation, you need to make sure that when they obtained consent, they specifically explained that companies like yours may contact them. In any case, the ICO states that the person must have intended for their consent to be passed on to the organisation doing the marketing.

The ICO does also state that consent can be implied, although because the previously stated rules still apply, implied consent is unlikely to offer an easier option for many organisations…

“Even implied consent must still be freely given, specific and informed, and must still involve a positive action indicating agreement (e.g. clicking on a button, or subscribing to a service). The person must have understood that they were consenting, and exactly what they were consenting to, and must have had a genuine choice – consent cannot be a condition of subscribing to a service.” – ICO.


If after reading this you have any doubts about your current process for gaining consent from consumers to send them direct marketing communications, Nexbridge recommends you read the full section on consent in the ICO’s Guidance for Direct Marketing. Remember that as the organisation carrying out the marketing, you are responsible for ensuring you have obtained consent, even if you gained your contact data from a third party.