Using consumers’ data for marketing – Consent and legitimate interest

If you haven’t received consent from a consumer and don’t have a valid ‘legitimate interest’ (or other legal basis) for using their data, you’re likely to breach the rules in Section 10 if you send them a marketing communication.

This guidance explains the rules and how to make sure you don’t break them.

Consent or legitimate interest?

When collecting and using consumers’ data for marketing, the most common legal basis is either ‘consent’ or ‘legitimate interest’.  Other narrow grounds for processing or limited exemptions set out in the regulations (GDPR) may be available to marketers, but if you want to rely on them you would need to be able to readily explain to the ASA how they are applicable.  Since these rules are based on legislation, you could also face enforcement action from the Information Commissioner’s Office (ICO) if you break them.

What counts as consent?

There are several criteria that need to be met if you’re using people’s data on the basis of consent (these are outlined in the‘Definitions’ in Section 10);

  • First, the consent needs to have been freely given.  If you require people to consent to receive marketing as a condition to entering a promotion or accessing a product or opportunity, the ASA is unlikely to accept that it was ‘freely given.
  • Consent also needs to be specific, informed and unambiguous.  If consent to receive advertising messages is bundled in with other T&Cs, or is explained in a vague way, it’s unlikely to count as genuine consent.  So it needs to be separated and clearly explained.
  • Finally, consent needs to be given through a clear affirmative action.  This means that you should give consumers a means of giving consent through a positive action such as clicking a ‘tick box’.  As explained above, this ‘tick box’ (or equivalent) should relate specifically to consent to receive marketing communications, rather than this being bundled in with other T&Cs.  If consent isn’t given through an active gesture (e.g. if the ‘tick box’ is pre-ticked, so that consumers would have to actively un-tick it to withdraw their consent), this is unlikely to comply with the rules in Section 10.

When can you use your ‘legitimate interest’?

If you’re intending to use the data to send direct marketing to individuals/consumers by “electronic mail”, you can’t rely on legitimate interest – you need consent or to have obtained the contact details from a previous sale and be marketing a similar product.  ‘Electronic mail’ doesn’t just mean e-mail. It could be any type of text, voice, sound or image message sent over electronic media.  If you’re unsure whether your marketing message counts as electronic mail, we advise consulting this guidance from the ICO or seeking legal advice.

If the ads won’t be sent by “electronic mail” (or will, but will only be sent to corporate subscribers), data can also be processed if the marketer has a ‘legitimate interest’ in doing so.  Advertisers should seek legal advice to make sure their data-processing is based on a valid ‘legitimate interest’ (Code rule 10.2.3).  If it is, it’s important to remember that ‘legitimate interests’ don’t override consumers’ right to privacy, and they need to be given the opportunity to object to their data being used (10.5).  They should be informed of their right to do so when they are first contacted, and this should be stated clearly and separately from any other material in the message (10.13).


For further guidance on this topic, marketers are encouraged to contact the ICO for advice.  For advice related to specific non-broadcast marketing, you can also contact CAP’s Copy Advice Team.

More on

  • Keep up to date

    Sign up to our rulings, newsletters and emargoed access for Press. Subscribe now.