Friday 5 September 08 - 07:18
 

Business Matters

Data marketing and the law

Since December 2003 the Privacy and Electronic Communications Regulations 2003 have added a new dimension for all electronic marketing, says Gayle Trigg, a solicitor in the IT and E-Commerce Group at national law firm Eversheds LLP. But remember that all marketing that uses personal data is also governed by the Data Protection Act 1998.

December 2003 heralded a change in the legal framework surrounding data marketing and the way in which businesses are able to contact their customers. However, regulation in this area has been around for some time. Before we move on to consider the new regulatory framework, it is vital to remember that all marketing that involves using personal data is also governed by the Data Protection Act 1998.

Data Protection Act 1998

The act gives individuals the basic right to request their personal details are not used for direct marketing. This covers any kind of direct marketing, provided you are using personal details to send it.

In order to comply with this right, businesses must be able to record those individuals who have exercised their right to refuse marketing, especially as the right can be enforced even if the individual had previously consented to receiving marketing. But the marketer's obligations under the act do not stop there.

In more general terms, any marketing will need to be carried out in accordance with the data protection principles, found in Schedule 1 of the act.

Perhaps the most important principle in this context is the first, which requires that all personal data be processed fairly and lawfully.

In order to process data fairly, the individuals concerned must be informed of the way in which the processing will take place, including by whom it will be carried out, and why.

This "fair processing" information could be placed on a website by means of a privacy policy, or on any forms where personal information is collected, but should be given to all recipients of marketing, by whatever media.

If the purpose for which you use the information changes and is no longer covered by the fair processing statement provided, you must obtain the individual's consent before using it for the new purpose.

The E-Privacy regulations

Since December 2003 the Privacy and Electronic Communications (EC Directive) Regulations 2003 have added a new dimension for all electronic forms of marketing. The regulations deal with aspects of all marketing by such means, including telephone, email, fax and SMS marketing.

The regulations make it a legal requirement for businesses to obtain an individual subscriber's consent - in other words, "opt-in" - before sending them unsolicited direct marketing by e-mail or SMS, unless they fall within narrow exceptions, ie marketing similar goods and services to existing customers.

However, debate is still raging over what constitutes an "individual subscriber".

"Individual" means any living individual, including unincorporated bodies such as partnerships in England, but not incorporated bodies such as limited companies or LLPs.

A subscriber is defined in the regulations as being "a person who is a party to a contract with a provider of public electronic communications services for the supply of such services".

The position is clear in the case of generic addresses, such as e80@eversheds.com. If, however, the email address clearly comes from a corporate entity but contains the individual's name, such as gayletrigg@eversheds.com, you need to consider whether or not they are a subscriber.

In most circumstances the corporate entity will be the subscriber, as they pay the bills for the service which allows access to email. But what if, for example, I am accessing my email from home using my own Internet connection?

Obviously there is room for confusion here, but in general it would seem that the potential for a business to target an individual user who is not a subscriber has been left open. For example, individual employees who use their employer's computer systems to access email, where the business is the subscriber, will fall outside the scope of the opt-in provisions.

The CAP Code

The regulations are further backed up by the Committee of Advertising Practices (CAP) Code, enforced by the Advertising Standards Agency (ASA). The code was recently amended and, in some regards, sets a stricter standard than the regulations.

As with the regulations, the code also requires marketers to obtain specific consent before sending marketing emails or SMS, with a similarly limited exception for existing customers. Explicit consent is not, however, required when "marketing business products to corporate subscribers, including to their named employees".

As the code doesn't have the same specific definition of "subscriber", this is a much plainer exception for corporate subscribers, but does limit the type of marketing that may be sent.

If you are sending marketing information to corporate subscribers, in order to comply with the code, this information must only be about business products.

Why comply with the CAP Code? It doesn't have any legislative force, as the CAP is a self-regulatory body. However, if nothing else, the adverse publicity that often results from published ASA decisions is a persuasive reason to comply, and a ruling can be made as the result of just one complaint.

In addition, CAP trade associations and professional bodies can withdraw valuable trading privileges that they offer their members.

Preference services

Under the regulations, marketers must regularly screen their marketing lists against two preference services, for telephone and for fax marketing.

Both individual and corporate subscribers can sign up to these, and it is a legal requirement that marketers cease to send them unsolicited direct marketing within 28 days of their being added to the register.

The applicability of the telephone preference service to corporate subscribers is a recent change, taking effect only at the end of June 2004. We have yet to discover how many organisations will register such a preference.

There are also email and postal mail preference services.

Businesses can screen their mailing lists against these preference lists to ensure that they are not sending email or postal marketing to people who do not wish to receive it.

However, these are voluntary schemes, and there is no legal obligation to screen against such lists.
