
The Information Commissioner’s Office and Financial Conduct Authority just published a joint statement that fundamentally reshapes how financial services firms can communicate with customers who’ve opted out of marketing. Buried in regulatory guidance about “targeted support” is a remarkable concession: the ICO is allowing financial firms to bypass traditional direct marketing restrictions in the name of consumer financial wellbeing.
For privacy practitioners, this represents either pragmatic regulatory flexibility or a dangerous erosion of consumer consent rights—depending on whether you’re advising financial services clients or consumer advocacy organizations.
What Just Happened: The Regulatory Background
On December 11, 2025, the FCA published its final policy statement (PS25/22) establishing rules for “targeted support”—a new regulated activity allowing financial firms to provide suggestions to groups of consumers with common characteristics. Examples include warning pension holders they’re drawing down unsustainably, alerting consumers they’re not saving enough for retirement, or suggesting customers could benefit from investing cash savings.
Targeted support sits between generic financial guidance (unregulated) and personalized investment advice (heavily regulated). It allows firms to make specific suggestions to customer segments without the full regulatory burden of providing individual advice.
The problem? Privacy and Electronic Communications Regulations (PECR) and UK GDPR’s direct marketing provisions would normally require explicit consent before sending such communications. Industry estimates suggested these restrictions would limit targeted support to just one in four consumers—precisely the engaged, financially sophisticated customers who need it least.
Enter the ICO-FCA joint statement, which provides regulatory “clarity” on how firms can deliver targeted support without violating data protection law. But clarity is a generous description of what amounts to creative regulatory interpretation designed to enable a desired policy outcome.
The Direct Marketing Dilemma: Why Financial Firms Were Stuck
Under current UK data protection law, direct marketing communications require either:
- Opt-in consent for electronic marketing to individuals (PECR Regulation 22)
- Legitimate interests with clear opt-out rights for non-electronic communications
- The “soft opt-in” exemption allowing marketing to existing customers about similar products/services if they didn’t opt out when data was collected
The challenge for targeted support: these communications look exactly like product marketing. When a pension provider emails saying “You’re not saving enough for retirement—consider increasing contributions to our workplace pension scheme,” that walks, talks, and quacks like marketing, regardless of regulatory labeling.
Financial services firms told regulators that PECR restrictions meant they could only reach customers who’d actively opted into marketing—a minority skewing toward engaged, higher-income individuals. Disengaged customers with deferred pensions, sub-optimal savings, or risky drawdown patterns—precisely those targeted support aims to help—would be unreachable.
The industry argument boiled down to: privacy rules prevent us from helping the most vulnerable customers. Something had to give.
The ICO’s Solution: Redefining Direct Marketing
The joint statement performs regulatory gymnastics to create space for targeted support communications without explicit consent. The key move: distinguishing between “direct marketing” and something else.
Under UK GDPR and PECR, “direct marketing” means communications sent to promote goods, services, or organizational aims. The ICO-FCA statement argues targeted support communications can be structured to fall outside this definition if they:
- Don’t actively promote or encourage uptake of specific products
- Present factual, neutral information about available services
- Empower consumers to make informed choices rather than steering toward particular decisions
- Focus on consumer outcomes rather than firm commercial interests
The statement provides a roadmap for crafting compliant communications:
Acceptable approach: “As an FCA-authorized provider of targeted support, we can help customers in your situation consider their retirement options. You can learn more about this service and decide whether to participate by visiting [website link]. Our privacy policy explains how your information would be used if you choose to receive this service.”
Problematic approach: “Take action now to secure your retirement! Our targeted support service can help you make better decisions. Click here to get started and see personalized recommendations.”
The difference? Tone, urgency, and whether the message actively encourages action versus neutrally informing about availability.
This is an extraordinarily fine line. The ICO is essentially saying: you can contact opted-out customers to tell them about services they explicitly said they didn’t want to hear about, provided you’re sufficiently bland and indirect about it.
The PECR Workaround: Legislative Fixes Coming
For workplace pension providers specifically, the joint statement hints at forthcoming legislative changes. HM Treasury committed to amending PECR to allow these providers to use the “soft opt-in” exemption when communicating with members who were auto-enrolled into pensions.
The rationale: auto-enrolled members entered pension schemes without active choice, so many never made marketing preference decisions. Extending soft opt-in would allow providers to contact these members about pension-related services unless they actively opt out.
This represents meaningful policy change. The soft opt-in exemption currently applies when organizations collect contact details “in the course of a sale or negotiations for a sale.” Auto-enrollment doesn’t fit this framework—employees don’t negotiate for or purchase workplace pensions; employers automatically enroll them.
Expanding soft opt-in to auto-enrolled pension members acknowledges that existing PECR rules don’t align with automatic enrollment policy goals. But it also weakens consent requirements for a specific sector in response to lobbying that argued privacy rules hinder commercially and politically desirable outcomes.
What This Means for Financial Services Compliance
For firms planning to offer targeted support, the ICO-FCA statement provides cautious green lights with caveats:
You can send “awareness messages” to opted-out customers if these messages:
- Neutrally reference what targeted support is (linking to MoneyHelper website)
- Explain your FCA authorization to provide this service
- Direct customers where to find more information (your website/app)
- Describe how personal information will be used if they engage
- Avoid encouraging specific actions like clicking particular links
You must still comply with core data protection principles:
- Lawful basis for processing (likely legitimate interests for awareness messages)
- Transparency about data use
- Purpose limitation
- Data minimization
- Security and accountability
You cannot simply relabel marketing as “targeted support”. The ICO makes clear that communications promoting products or encouraging commercial outcomes remain direct marketing requiring consent. Regulatory relabeling doesn’t change legal classification.
You need robust processes distinguishing targeted support from marketing. Organizations offering both must clearly segregate these activities, train staff on distinctions, and maintain evidence that communications meet targeted support criteria rather than marketing purposes.
You should document your compliance approach. When regulatory guidance relies on qualitative distinctions like “neutral” versus “encouraging,” documentation proving your interpretation becomes critical. If the ICO later challenges communications as marketing, you’ll need evidence justifying your classification.
The Legitimate Interests Tightrope
For organizations relying on legitimate interests as their lawful basis for awareness messages, the ICO-FCA statement doesn’t eliminate balancing test requirements. You must still demonstrate:
- Legitimate interest: Helping customers make informed financial decisions qualifies, especially if framed around consumer welfare rather than commercial gain
- Necessity: Contacting opted-out customers must be necessary to achieve that interest—document why targeted support fails if limited to opted-in customers only
- Balancing test: Your interests and consumer benefits must outweigh privacy intrusions
The challenge: opted-out customers explicitly said they don’t want firm communications. Overriding that preference requires strong justification that targeted support’s consumer benefits outweigh expressed privacy preferences.
The ICO seems to accept this balance tips toward firms for neutral awareness messages about FCA-authorized services designed to improve financial outcomes. But this remains untested territory. The first enforcement action or ICO guidance update could significantly narrow acceptable practices.
The Trust Problem: When “Support” Looks Like Sales
Here’s the uncomfortable reality the joint statement doesn’t address: consumers opted out of marketing because they don’t trust financial firms’ motives. Receiving “awareness messages” about new services from companies they specifically told to stop contacting them will, for many customers, feel like marketing dressed up in regulatory language.
The financial services industry has earned skepticism. Mis-selling scandals (PPI, interest rate swaps, pension transfers), aggressive sales tactics, hidden fees, and prioritizing commercial outcomes over customer welfare created an environment where many consumers reflexively distrust firm communications.
Against this backdrop, the ICO-FCA statement asks consumers to believe that messages about new services from firms they’ve opted out of are genuinely helpful rather than commercially motivated. That’s a hard sell.
The risk: if targeted support gets implemented poorly—with firms pushing boundaries on what counts as “neutral” messaging or using awareness communications as Trojan horses for product marketing—consumer trust erodes further. The regulatory flexibility the ICO granted could backfire spectacularly if firms abuse it.
What Other Sectors Are Watching Closely
Make no mistake: sectors beyond financial services are watching this development intensely. The ICO-FCA joint statement establishes precedent that direct marketing restrictions can bend when regulators decide consumer welfare justifies it.
Healthcare providers could argue they need to contact opted-out patients about preventive screening, vaccination programs, or health management services—all clearly beneficial consumer outcomes that current marketing rules might hinder.
Energy suppliers might claim they should bypass marketing restrictions to contact opted-out customers about switching to cheaper tariffs or energy efficiency programs—serving consumer financial interests and environmental policy goals.
Telecommunications providers could justify contacting opted-out customers about better-value plans or service upgrades framed as consumer support rather than marketing.
The common thread: organizations arguing that privacy restrictions prevent them from helping consumers, with regulators sympathetic to policy outcomes that supersede individual preference rights.
This represents a meaningful shift. UK data protection law historically prioritized individual choice—you decide whether companies can contact you, and they must respect that decision. The ICO-FCA statement carves out exceptions when regulators determine the collective benefit of allowing communications outweighs individual opt-out preferences.
The Industry Response: Relief Mixed with Concern
Financial services trade bodies largely welcomed the joint statement while noting it doesn’t solve all problems.
The Investing and Saving Alliance (TISA) called the statement “helpful” but emphasized that PECR barriers impact all targeted support providers, not just workplace pensions. TISA argues that legislative fixes should extend to all firms, not just pension providers, warning that without broader changes, “millions of consumers will be left languishing in the advice gap.”
This framing—privacy rules trap vulnerable consumers in an “advice gap”—positions data protection law as harmful to consumer welfare. It’s effective political rhetoric but glosses over why opt-out preferences exist: many consumers made informed decisions that they don’t want financial services communications.
Other firms expressed concern about the vagueness of acceptable messaging. The distinction between “neutral information” and “encouraging action” isn’t bright-line. Marketing and compliance teams face judgment calls on every communication, with regulatory risk if they misjudge.
Legal advisers note the joint statement provides some comfort but isn’t binding guidance. It represents the ICO and FCA’s current interpretive positions, but doesn’t insulate firms from enforcement if the ICO later decides communications crossed into marketing territory.
What Privacy Counsel Should Advise
For privacy lawyers counseling financial services clients on targeted support:
1. Conservative Interpretation Is Safer
The ICO-FCA statement permits more than previous guidance, but that doesn’t mean aggressive implementation is wise. Err toward bland, information-focused messaging over anything that could be construed as encouraging action.
2. Separate Targeted Support and Marketing Completely
Maintain clear organizational separation between teams handling targeted support and those doing product marketing. Different governance, different approval processes, different tracking. If the ICO investigates, you need to demonstrate these aren’t just rebranded marketing operations.
3. Document Everything
Maintain detailed records of how you determined communications qualify as awareness messages versus marketing. Include your balancing test analysis for legitimate interests, evidence that messaging is neutral and informational, and processes ensuring compliance with data protection principles.
4. Monitor Customer Responses
Track complaint rates, opt-out requests, and customer feedback about awareness messages. If customers consistently perceive these as marketing despite your framing, you have a trust problem that creates regulatory risk. Adjust messaging or reconsider whether legitimate interests actually balance in your favor.
5. Prepare for Potential ICO Scrutiny
The ICO will inevitably receive complaints about targeted support communications from consumers who feel firms are circumventing their opt-out preferences. Be prepared to demonstrate your compliance approach, justify legitimate interests reliance, and show how your messaging qualifies as awareness rather than marketing.
6. Don’t Extrapolate Too Broadly
The joint statement addresses targeted support specifically—a new FCA-regulated activity with defined consumer protection frameworks. Don’t assume similar flexibility applies to other financial services communications. Product marketing, service updates, and general customer outreach remain subject to normal PECR and UK GDPR requirements.
7. Watch for Legislative Changes
The proposed PECR amendments for workplace pensions could significantly expand what’s permissible. Stay informed about legislative developments and be prepared to adjust compliance approaches as rules evolve.
8. Consider Reputational Risk Alongside Legal Risk
Even if your awareness messages technically comply with the ICO-FCA interpretation, customers who opted out might perceive them as violating their preferences. Reputational damage from negative customer reactions could outweigh benefits of reaching opted-out segments.
The Bigger Picture: Consent Erosion or Pragmatic Flexibility?
The ICO-FCA joint statement reflects tension at the heart of modern data protection law: balancing individual autonomy with collective welfare and enabling beneficial uses of data.
One perspective: this is pragmatic regulatory flexibility responding to legitimate concerns that overly restrictive consent requirements prevent organizations from helping vulnerable consumers. Financial decisions have enormous life consequences, and the advice gap leaves millions of people making poor choices. If privacy rules prevent firms from offering guidance that could improve outcomes, maybe those rules need adjusting.
The counter-perspective: this is regulatory capture eroding consent rights to serve industry interests. Consumers opted out of financial services marketing for good reasons—mistrust, feeling overwhelmed, or simply preferring to make decisions without firm influence. Allowing firms to bypass those preferences because regulators think people need help is paternalistic and sets dangerous precedent for undermining explicit consumer choices.
Both views have merit. The challenge is that data protection law must work in real-world contexts where absolute rules sometimes produce suboptimal outcomes. Rigid application of consent requirements might prevent genuinely beneficial communications, but flexible interpretation risks becoming loophole-sized.
The ICO-FCA statement tries to split this difference by permitting awareness messages while maintaining that actual marketing still requires consent. Whether that distinction holds in practice remains to be seen.
What Happens Next
The targeted support regime launches in April 2026, with firms able to apply for permissions starting March 2026. The ICO and FCA will inevitably receive complaints from consumers receiving awareness messages they perceive as violating their opt-out preferences.
How regulators handle these complaints will reveal whether the joint statement’s flexibility holds or gets walked back. If the ICO enforces strictly, finding that most awareness messages actually constitute marketing, the statement’s guidance will prove meaningless. If the ICO takes a permissive view, we’ll see gradual expansion of what qualifies as acceptable contact with opted-out customers.
Other sectors will lobby for similar flexibility. Healthcare, energy, telecommunications, and other industries serving policy goals beyond pure commerce will argue they too should bypass marketing restrictions to help consumers. The ICO will face pressure to either extend this precedent or explain why financial services deserves special treatment.
Legislative changes extending soft opt-in to auto-enrolled pension members could open debates about expanding exemptions elsewhere. Once you start carving out sectors where consent requirements seem to hinder desirable outcomes, it’s hard to maintain principled boundaries.
The most likely outcome: gradual erosion of consent as a gatekeeper for commercial communications, with regulators taking increasingly contextual approaches that balance individual preferences against collective benefits. This shifts UK data protection law away from bright-line consent requirements toward regulatory judgment calls about when overriding consumer choices serves broader interests.
Whether that’s evolution or erosion depends largely on your perspective about the proper role of privacy law in a society with competing values and complex trade-offs.
ICO-FCA joint statement
The ICO-FCA joint statement doesn’t change data protection law—it interprets existing law in ways that enable desired policy outcomes. That interpretive approach creates opportunities for financial services firms while establishing precedent that could extend far beyond pensions and investments.
Privacy counsel must navigate this new terrain carefully. The flexibility to contact opted-out customers comes with significant compliance obligations and reputational risks. Getting it wrong could trigger ICO enforcement, customer complaints, and erosion of the trust targeted support aims to build.
For now, financial services firms should approach targeted support implementation conservatively, document their compliance approaches thoroughly, and recognize that the ICO-FCA statement represents current regulatory thinking that could shift as enforcement experience develops.
The broader question—whether regulators should override individual opt-out preferences for collective benefit—deserves ongoing debate. The ICO-FCA statement answers pragmatically: yes, when done carefully, for defined purposes, under regulatory oversight. Whether that balance holds or tips further toward organizational interests over individual autonomy will shape UK privacy law for years to come.