Guidelines for Direct Marketing

This guidance is intended for all university faculty and staff who maintain or use databases of contacts for “marketing” purposes.

Direct marketing applies only to targeting named individuals. It does not apply, for example, to print advertising in newspapers and magazines, or display advertising on websites and social media where anyone who visits the site will see it. It also does not apply to mail-based marketing to unnamed persons (e.g., mail addressed to “Occupant”). It includes communicating the advertising or marketing of products and services for sale, fundraising, and all messages promoting The New School or its values and beliefs. This could include information promoting university events and public programs, or opportunities for students.

Direct marketing covers all forms of communication, such as marketing by letter, telephone, email, and other forms of electronic messages. It is important to also note that any activity where the ultimate aim is to send marketing—activities that lead up to, enable or support the sending of direct marketing—is also considered part of direct marketing. Examples are lead generation, data enrichment, matching, or screening.

Requirements for all forms of marketing

Any Personal Data collected and held for direct marketing purposes must abide by the seven principles of data protection:

  1. lawfulness, fairness, and transparency;
  2. purpose limitation;
  3. data minimization;
  4. accuracy;
  5. storage limitation;
  6. integrity and confidentiality; and
  7. accountability.

This means that:

  • Data Subjects must always be informed (through the privacy notice) that their Personal Data will be used for marketing purposes; they must also be informed of the way(s) they will be contacted (e.g., telephone, email).
  • The New School must have a Legal Basis for Processing the data.
  • The information must not be kept for longer than necessary.
  • The information must be held securely.

If Personal Data has been acquired from a third party for marketing purposes, the following must be answered:

  • What information about the use of the data was provided at the time the data was collected?
  • Did the individuals indicate any preferences about their means of contact?
  • How have unsubscribe requests been handled?
  • How has the list been kept up-to-date?

If Personal Data has been acquired from public sources such as LinkedIn, Facebook, or other websites, privacy information (notice) must be provided at the time of first communication with the individual, but no later than one month from the date of collection. It is not acceptable to assume that simply because an individual has put their Personal Data into the public domain that they agree to being contacted for direct marketing purposes.


To rely on the "disproportionate effort" exemption to the above requirement, an assessment must be performed and documented to determine whether there is a proportionate balance between the effort required to provide privacy information and the effect the Processing has on the individual. The more significant the effect is likely to be, the less likely it is that this exemption may be relied upon.

Data protection laws and regulations distinguish between direct marketing using electronic means and non-electronic means and establish different requirements for each. Currently, “electronic means” covers the use of email and text messaging.

Marketing by non-electronic means

Marketing by letter

When sending marketing information to named individuals by letter, “legitimate interests” is the Legal Basis for doing so. All letters must clearly identify and provide contact details for the Data Controller (usually The New School). Data Subjects must also be made aware in every letter that they may object to the Processing and be given information on how to do this, i.e., that they can opt out of receiving further letters by calling a particular (toll-free) telephone number or sending an email to a particular address.

Marketing by telephone

When contacting individuals for marketing purposes by telephone, “legitimate interests” is the Legal Basis for doing so. On every call, staff must identify themselves and, if requested, provide an address or telephone number where they can be reached. Data Subjects must also be made aware during every telephone call that they may object to the Processing and be given information on how to do this, i.e., that they can opt out of receiving further calls by calling a particular (toll-free) telephone number or sending an email to a particular address.

Marketing by electronic means

Any electronic marketing to private individuals requires the use of “consent” as the Legal Basis. Consent must be “opt-in,” must fulfil all the requirements for consent, and any direct marketing messages should only be sent to those people who have in fact opted in to receiving such communications. All marketing communications must contain an option to opt out of receiving further communications with details of how to do so, such as an “unsubscribe” link at the bottom of an email. Opt-out requests received in relation to marketing must be acted on as soon as possible; there are no exceptions to this.

When requesting consent, it is good practice to request consent separately for different forms of communication (e.g., paper mail, telephone, email, text message). This is because the different forms of communication are covered by different laws and regulations.

“Soft opt-in”

One exception to the need to obtain prior consent is the so-called “soft opt-in,” which is based on the Legal Basis of “legitimate interests.” Soft opt-in can be used in situations where there is a pre-existing business relationship with the individual:

  • The individual has purchased something from The New School such as a product (e.g., merchandise from The New Store) or service (e.g., enrolling as a student or taking an Open Campus course).
  • The individual has participated in a university-sponsored alumni engagement activity (e.g., by donating their time).
  • The individual has made a donation of money or property to the university.
  • The individual has attended a university-sponsored event.

In these cases, similar goods, services, events, or fundraising appeals may be marketed to the individual without consent as long as they are given the option of opting out from receiving marketing communications at the time their Personal Data is collected and an opt-out or “unsubscribe” option is provided in every communication.


The above definition of soft opt-in is less restrictive than the definition used by the current European Union ePrivacy Directive or the forthcoming ePrivacy Regulation. If direct marketing is to be performed from within the EU (e.g., by Parsons Paris) using a contact list based on soft opt-in, consult the Information Security and Privacy Office for assistance.

Business-to-business marketing

Business contacts are individuals who can be considered as representatives of their company, organization, or institution, such as students or academics from another university, or professionals from all sectors.

For business-to-business (B2B) communications, “legitimate interests” is an appropriate Legal Basis and it will not be necessary to ask for consent. However, recipients must be given the option to opt out in every communication (e.g., by including an “unsubscribe” link in the footer of the email).

Marketing via tracking software through social media

Before using tracking software, consult the New School Cookie Statement and contact the Information Security and Privacy Office for assistance.

Document history
Date | Author | Description
Jul 2020 | D. Curry | Initial publication

Parts of this guideline are adapted from the University of Edinburgh’s guidance regarding marketing and data protection, the contents of which are used with permission.