A practical guide to what counts as direct marketing, how GDPR applies to promotional activity, and what businesses should understand about lawful basis, transparency, objections, and day-to-day compliance before sending campaigns.
Direct marketing is broader than many businesses assume. It includes communications sent to promote products, services, aims, or ideas, and GDPR applies whenever personal data is used to plan, target, send, measure, or manage that marketing activity. In many cases, organisations also need to consider PECR alongside GDPR, especially for email, SMS, cookies, and similar technologies.
Direct marketing is not limited to obvious sales emails. In practice, it can include messages, campaigns, and targeted activity designed to promote a commercial offering, encourage engagement, or influence future buying behaviour. If personal data is involved, GDPR is already part of the picture.
Promotional emails, text messages, re-engagement campaigns, newsletters with marketing content, and similar outbound communications will often count as direct marketing.
Building segments, profiling audiences, using engagement history, and deciding who should receive which campaign can all fall within GDPR marketing compliance.
Direct marketing is not just about products. Communications promoting services, events, organisational aims, or brand activity may also fall within the same rules.
The practical point is simple: if you are using personal data to promote something directly to people, you should assume GDPR is relevant and then check whether PECR also applies.
GDPR does not ask only whether a campaign is useful or commercially sensible. It asks whether personal data is being used lawfully, fairly, and transparently. That means businesses need to think about lawful basis, what people were told, whether they can object, and whether the data use is proportionate.
A common mistake is assuming that marketing compliance begins and ends with consent. In reality, GDPR questions usually start earlier: what data are you using, why are you using it, what lawful basis are you relying on, and would the individual reasonably expect that use?
Businesses need a valid lawful basis for processing personal data in connection with marketing activity. Depending on the context, this may involve consent or another basis such as legitimate interests.
Organisations must explain how personal data is used for marketing, where it came from, who receives it, and what rights the individual has, including the right to object.
GDPR does not replace PECR. The two sit alongside each other. In many direct marketing scenarios, GDPR governs how personal data is processed, while PECR adds more specific rules for electronic communications and certain tracking activity.
If a campaign involves email, SMS, or similar electronic channels, PECR may determine whether prior consent is required or whether a limited exception such as the soft opt-in is available.
If a marketing strategy uses cookies, pixels, or similar technologies to measure performance or target users, PECR may also apply to how those tools are deployed.
For many marketing teams, the real compliance question is not whether GDPR or PECR applies. It is how to comply with both at the same time without leaving gaps in process, records, or messaging.
For a fuller explanation of that overlap, see What is PECR? A practical guide to the Privacy and Electronic Communications Regulations.
Different activities may raise different compliance questions. Businesses often oversimplify this and apply one blanket rule to every list, message, and campaign.
If privacy information is unclear about marketing use, data sources, or objection rights, transparency problems can arise even before a campaign is sent.
Marketing compliance is not just about sending messages correctly. It is also about making sure objections, unsubscribes, and suppression decisions are acted on properly.
Teams often inherit lists, workflows, or campaign habits without reviewing whether the data source, permissions, and current process still support compliant use.
The strongest marketing compliance usually comes from operational discipline, not last-minute legal fixes. A business should be able to explain what data it uses for marketing, why it uses it, what rules apply, and how objections and preferences are managed in practice.
This article is grounded in the UK GDPR rules on lawful, fair, and transparent processing, together with rights that directly affect marketing activity such as objection handling and ongoing control over personal data use. It also sits alongside the PECR rules that often shape email, SMS, and related electronic marketing in practice. For a fuller explanation of that overlap, see What is PECR? A practical guide to the Privacy and Electronic Communications Regulations. For recent regulatory context, see March 2026: PECR And Direct Marketing Compliance Under Increased Scrutiny and February 2026: DUAA data protection changes commence and ICO guidance updates.