Article 21(1) vs Article 21(2): why marketing is different
The right to object in UK GDPR has two distinct versions, and the difference matters enormously in practice. Article 21(1) is the general objection right. It applies when processing is based on legitimate interests under Article 6(1)(f) or on a public task under Article 6(1)(e). An individual can object on grounds relating to their particular situation, and the controller may continue processing if it can demonstrate compelling legitimate grounds that override the individual's interests, rights, and freedoms. There is a genuine balancing exercise to perform, and the controller can sometimes win it.
Article 21(2) is categorically different. It states that where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to such processing. No qualifying ground is required. Article 21(3) then confirms that where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
The word "shall" is doing real work here. There is no discretion. The controller cannot argue that its commercial interest is more pressing, that the data subject is a highly valuable prospect, or that suppression will cause operational inconvenience. Marketing objections are absolute under UK law, and the Information Commissioner's Office (ICO) treats any attempt to apply a balancing test to a marketing objection as a misunderstanding of the regulation.
What counts as "direct marketing"?
The ICO defines direct marketing as the communication of advertising or marketing material which is directed to particular individuals. This covers email, post, telephone calls, SMS, and any other channel where you are targeting a named or identified person with commercial messages. Account-management calls to existing customers discussing live contracts sit outside this definition, but upselling calls to prospects or lapsed customers fall within it.
What counts as a valid objection?
UK GDPR does not require the individual to use specific legal language or cite Article 21. Any communication that makes it reasonably clear the individual no longer wishes to receive marketing from you is sufficient. In practice, the following all count:
- Clicking an unsubscribe link in a marketing email.
- Replying to a marketing email with any variant of "please remove me", "unsubscribe", or "stop contacting me".
- Telling a sales representative during a telephone call that they do not want to be called again.
- Submitting an opt-out or contact-preferences web form on your site.
- Sending a direct message via LinkedIn, social media, or another platform asking to be removed.
- Writing a formal letter or email citing their data protection rights.
- Registering with the Telephone Preference Service (TPS) for calls, or the Mailing Preference Service (MPS) for postal mail. These are sector-wide objection mechanisms that carry the same legal weight for their respective channels.
The moment the objection is received, the obligation to stop processing for marketing kicks in. A 30-day processing window, by analogy with the Subject Access Request timeline, does not apply here. The ICO's position is that suppression should be actioned promptly. In most cases "promptly" means within one business day for automated channels such as email, and before the next campaign send for postal or telephone programmes.
How to build a suppression file that actually works
The single most common compliance failure in direct marketing is not the initial objection itself but the failure to prevent the objector's record re-entering the active file weeks or months later. A new data purchase arrives, someone imports a refreshed CRM export, or a third-party email system is replaced and suppression settings are lost. The ICO has seen this pattern many times. It is not treated as an innocent technical glitch when it appears in enforcement investigations.
A suppression file must contain enough information to match against incoming records. At minimum, retain the email address(es), telephone number(s), and full name plus postal address if direct mail is in scope. Do not simply delete the contact record from your CRM as that removes the ability to identify the person in future. The ICO's guidance explicitly confirms that keeping a suppression entry does not breach the storage limitation principle under Article 5(1)(e), because the purpose is prevention of further processing rather than active use.
What "permanent" means in practice
Permanent suppression means the record stays on your suppression file until one of two things happens: the individual actively re-consents to marketing (with a clear, positive opt-in action, not a pre-ticked box), or there is a legitimate legal reason to remove it, such as a court order. It does not mean "until we switch CRM systems", "until the current marketing manager leaves", or "until we do a GDPR housekeeping exercise". The obligation transfers with the data.
In our experience, organisations that treat suppression as a permanent liability rather than a deletable record avoid the ICO enforcement pattern described above. A suppression file of 10,000 records costs almost nothing to store. The fine for re-mailing objectors does not.
Cross-channel propagation: the trap most organisations fall into
Article 21(2) applies to processing for direct marketing purposes generally, not to a particular channel. This is the clause that catches organisations off guard most often.
Consider a scenario: a contact at a Manchester-based manufacturing firm clicks unsubscribe in one of your email campaigns. Your email platform correctly removes them from future sends. Six weeks later, your telesales team dials the same individual from a refreshed call list. That call is a breach of the original objection, regardless of the fact that the unsubscribe happened in a different channel and your telephone outreach team may not have been informed.
Cross-channel propagation requires a single suppression master list that all outbound channels check before processing. Your email platform, your CRM, your telephony system, and any third-party campaign tools must all reference the same suppression data. Where you use external agencies for postal campaigns, you are responsible for supplying them with an up-to-date suppression file before each send, as the data controller. The agency's ignorance of an existing objection is not a defence.
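The suppression-file contents and the single master list described above, sketched as an added example (not code from this article or from ICO guidance). The field names, the UK-only phone normalisation and the sample records are assumptions constructed for illustration.

```python
import re

def norm_email(value):
    return value.strip().lower()

def norm_phone(value):
    """Assumes UK numbers: 0161..., 0044 161... and +44 (0)161... become one form."""
    digits = re.sub(r"\D", "", value)
    if digits.startswith("0044"):
        digits = digits[4:]
    elif digits.startswith("44"):
        digits = digits[2:]
    return "+44" + digits.lstrip("0")

def match_keys(record):
    """Every identifier a record can be matched on, as (kind, normalised value)."""
    keys = set()
    if record.get("email"):
        keys.add(("email", norm_email(record["email"])))
    if record.get("phone"):
        keys.add(("phone", norm_phone(record["phone"])))
    if record.get("name") and record.get("postcode"):
        name = " ".join(record["name"].lower().split())
        postcode = re.sub(r"\s", "", record["postcode"]).upper()
        keys.add(("post", f"{name}|{postcode}"))
    return keys

class SuppressionMaster:
    """One list checked by every outbound channel and every data import."""
    def __init__(self):
        self._keys = {}  # match key -> channel the objection arrived on

    def record_objection(self, crm_record, channel):
        # Suppress every identifier held for the person, not only the one used to object.
        for key in match_keys(crm_record):
            self._keys.setdefault(key, channel)

    def wash(self, records):
        """Split a send list or import file into (sendable, suppressed)."""
        sendable, suppressed = [], []
        for rec in records:
            hit = self._keys.keys() & match_keys(rec)
            (suppressed if hit else sendable).append(rec)
        return sendable, suppressed

def demo():
    master = SuppressionMaster()
    # Constructed sample data: email unsubscribe, then a refreshed call list.
    master.record_objection({"email": "J.Smith@example.co.uk", "phone": "0161 496 0123"}, "email")
    return master.wash([{"phone": "+44 (0)161 496 0123"}, {"phone": "0161 496 0456"}])
```

Running `wash` over every purchased file, CRM export and agency send list before it reaches an outbound system is what stops a suppressed contact re-entering through a channel other than the one they objected on.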
PECR adds a second layer for electronic channels
The Privacy and Electronic Communications Regulations (PECR) run alongside UK GDPR for electronic marketing channels (email, SMS, automated calls, and cookies). Where a marketing email is sent to an individual who has previously objected, the organisation faces a potential breach of both UK GDPR Article 21(2) and PECR Regulation 22 simultaneously. The ICO can and does pursue both in the same investigation. For a more detailed breakdown of which PECR rules apply channel by channel, see our guide to PECR explained: what UK marketers need to know.
Telling people about the right: Article 21(4) obligations
Many compliance teams focus on handling objections after they arrive. Fewer pay close enough attention to the obligation to proactively communicate the right before it is invoked. Article 21(4) of UK GDPR states that the right to object shall be explicitly brought to the attention of the data subject at the latest at the time of the first communication, clearly and separately from any other information.
For email marketing, this is relatively straightforward: every email must include an unsubscribe link or clear opt-out instruction. The ICO does not accept a privacy policy URL as a substitute for a functional unsubscribe mechanism in the email itself.
For telephone marketing, the obligation is more demanding. On first contact, the caller must communicate that the individual can ask not to be called again, and the organisation must honour that request immediately. Many organisations satisfy this by training telesales staff to open calls with a short disclosure and by providing a direct opt-out number or email address. Scripts that bury the opt-out at the end of a two-minute pitch, after the contact has already requested removal, do not meet the standard.
For postal marketing, the obligation is typically met through a clear return address and opt-out instruction on the mailing itself, combined with a privacy notice that covers the right to object. Washing the mailing file against the MPS before each send is recommended as a complementary step, but it does not substitute for including the right in the communication.
Supplier-side propagation: what happens when you buy data
If you purchase B2B or B2C data from a supplier, the supplier-side suppression only goes so far. A reputable UK data supplier will wash their file against TPS before delivering telephone data and will provide records that, at the time of delivery, have not previously objected to their own processing. But once that data enters your CRM, any subsequent objections you receive become your suppression obligation, not theirs.
When you re-order data from the same supplier six months later, you should supply your existing suppression file to them for matching, so that previous objectors are excluded from the new batch before delivery. This is standard good practice, and most reputable UK B2B data suppliers support it. When using legitimate interests as the lawful basis for B2B prospecting, the Legitimate Interests Assessment (LIA) you complete should address how you will handle objections as part of the necessity and balancing tests. For guidance on writing that assessment, see our article on how to write a Legitimate Interests Assessment for B2B prospecting under UK GDPR.
Article 21(1) vs Article 21(2): a practical comparison
| Feature | Article 21(1): General right to object | Article 21(2): Marketing objection right |
|---|---|---|
| Applies when processing is based on | Legitimate interests (Art. 6(1)(f)) or public task (Art. 6(1)(e)) | Any lawful basis, if the purpose is direct marketing |
| Individual must provide grounds? | Yes, relating to their particular situation | No, no justification is required |
| Controller can override? | Yes, if compelling legitimate grounds exist that override the individual's rights | No, the right is absolute |
| Result if valid objection accepted | Must stop processing unless override applies | Must stop processing for marketing; no override available |
| Obligation to communicate the right | In privacy notice at collection (Art. 13/14) | At the latest at first communication, clearly and separately (Art. 21(4)) |
| Suppression required? | Depends on outcome of balancing exercise | Yes, permanently, across all marketing channels |
What the ICO enforcement record tells us
The ICO's published enforcement actions on direct marketing show a consistent pattern. Fines and enforcement notices are most commonly issued where organisations have either continued sending marketing to individuals who have opted out, re-introduced suppressed contacts after a system migration, or failed entirely to implement an opt-out mechanism in their communications. The ICO's maximum penalty under UK GDPR is £17.5 million or 4% of global annual turnover, whichever is higher. In reality, most direct-marketing fines sit in the £50,000 to £500,000 range for mid-sized organisations, but the reputational damage from a published enforcement notice often outweighs the financial penalty.
The ICO's enforcement notices are public and fully searchable on the ICO website. Reading through them is instructive. A recurring theme is the organisation that had a technically sound privacy policy and a functioning unsubscribe link but failed to check that unsubscribes were reliably propagating to its telephony system or postal fulfilment house. The legal framework is well understood by most compliance teams; the operational breakdown is where enforcement cases are made.
Dual enforcement risk for electronic channels
Sending a marketing email or SMS to someone who has previously objected creates concurrent liability under UK GDPR Article 21(2) and PECR. The ICO does not limit its investigation to one regime where both have been breached. Penalty calculations are separate. A single mailing to a suppressed list can therefore attract two distinct findings in the same enforcement action.
