How Does UK Privacy Law Impact Marketing Content in Newsletters

Published on Apr 19, 2021

Marketing content in Newsletters & UK Privacy law

There are plenty of articles written about how to send marketing emails and stay within the bounds of UK privacy law. Some are accurate and well researched, while others are less so. It doesn't help that the advice and guidance offered by regulators relate to numerous different pieces of legislation and are therefore confusing. Marketers and business owners simply want to know what they can and can't do in terms of the processing of personal data.

One area that has recently received much-needed clarification relates to sending marketing messages contained within other emails. In this case, newsletters.

Newsletters are an essential part of the marketing toolbox. They're a way to keep in touch with existing clients, prospective customers, and other subscribers. Done well, they provide the recipient with information that they have an interest in, in return for a welcome reminder of the senders brand. There are obvious advantages for businesses to include marketing messages within newsletter emails. In some instances, this is permissible. In others, it may not be.

Tribunal Clarifies Law On Including Marketing Material In Non-Marketing Emails

A recent decision from the Upper Tribunal Administrative Appeals Chamber (Upper Tribunal) has confirmed that organisations sending direct marketing content in a non-marketing communication such as a newsletter, will be committing a regulatory breach unless the recipient has given their consent or other limited exceptions apply.

In Leave. EU Group and Eldon Insurance Services Ltd v ICO, Leave.EU and Eldon Insurance appealed against the First-Tier Tribunal’s upholding of the ICO’s regulatory action against them.

The issue before the Upper Tribunal concerned the contents of 21 newsletters which were emailed to around 51,000 Leave.EU subscribers. The newsletters contained marketing promotions for Eldon Insurance. The subscribers have consented to receive the newsletters but not to marketing material concerning Eldon Insurance.

On the basis that both Leave.EU and Eldon Insurance had breached regulation 22 of the Privacy and Electronic Communications Regulations (PECR) the ICO issued a monetary penalty notice (MPN) against both Leave.EU (for £45,000) and Eldon Insurance (for £60,000), and an assessment notice to conduct an investigatory audit into each organisation. It additionally issued an enforcement notice against Eldon Insurance, but not against Leave.EU.

What does regulation 22 of the PECR state?

Regulation 22 of the PECR states that if an organisation has obtained the contact details of certain consumers during the sales or negotiation process for a product or service, they may send or instigate the sending of emails for direct marketing provided:

  1. the direct marketing is in respect of that person’s similar products and services only and;
  2. the recipient has been given a simple means of refusing the use of their contact details for direct marketing at the time the details were first collected, and where they did not initially refuse the use of the details, at the time of each subsequent communication, (an example of the latter is adding an ‘unsubscribe’ link at the bottom of every new email sent). This is referred to as the soft option.

The UpperTribunal’s decision

Leave.EU and Eldon Insurance argued that the provisions in the PECR were not intended "to cover content in a newsletter which a subscriber had signed up for but which happened to contain some marketing material", rather, they were designed to address "indiscriminate, automated industrial-scale spamming".

The Upper Tribunal disagreed, stating:

“We consider this to be an unduly narrow reading of the 2002 Directive. The principal purpose of the 2002 Directive is to protect privacy – see e.g. Recitals (2) and (3). Indiscriminate spamming is simply a symptom of a wider problem, albeit one of the most egregious examples of modern intrusions on individuals’ privacy. There is nothing in the 2002 Directive to suggest that the breach of Article 13 (and hence regulation 22 PECR) is exclusively confined to conduct that might be characterised as spamming. Rather, the tenor of the legislation is that it is an intrusion on an individual’s privacy if they receive direct marketing to which they did not consent.”

Also rejected was Leave.EU and Eldon Insurance’s argument that because the recipients signed up to receive the newsletters they were not ‘unsolicited communication’. The Upper Tribunal stated that it was not the sending of the newsletters that triggered regulation 22, it was the unsolicited marketing information contained in them. The PECR is not precluded from applying simply because the primary purpose of an email was not direct marketing.

Finally, Leave.EU and Eldon Insurance claimed that they had acquired consent from the Leave.EU newsletter subscribers to send direct marketing information. However, the Upper Tribunal concluded that the subscribers had not provided "freely given, informed, and specific" consent to receiving direct marketing information, only the newsletter.

“There was no indication that subscribers were doing anything other than signing up for a Brexit newsletter. … agreeing to the very loosely drafted privacy policy amounted to signing a blank cheque. In sum, Leave.EU’s approach frustrated the ability of its subscribers to consent to receive a political newsletter and nothing else. Accordingly, the FTT was entitled to find on the facts that subscribers did not “consent”, as that term is properly understood, to receiving direct marketing about Eldon’s insurance products.”

Final words

There has been precious little case law on the PECR, therefore this decision provides welcome clarification regarding the scope of consent concerning email communications. It is also important to note that the PECR covers tracking technologies (known as cookies). If cookies are embedded in an email or within a website, a subscriber or website visitor must be provided "clear and comprehensive" information regarding how their data will be used and give their consent.

To find out more about data protection and privacy law training, please email us at or call 0370 04 27701.

Click your chosen course below to see our next available courses dates