Data protection and electronic marketing compliance

Yet success is not just about reaching the largest possible audience. To thrive, businesses must align their marketing with the wishes of their audience and with data protection law.

Current practice appears to fall short of this objective.  The Information Commissioner's (IC) annual report published on 15 July 2014, revealed a record number of data protection complaints to his office, a rise of over 10% on the previous reporting year. The report flagged complaints about unsolicited marketing calls and texts as a continuing problem, with the IC's office receiving just over 160,000 reports of concern.   Speaking at the launch of the annual report, the IC said that "it is clear that organisations' use of data is getting ever more complicated. People need to know that someone is watching over their information."

This increasing complexity is reflected in the IC's Guidance on Direct Marketing (Guidance) published in September 2013. The Guidance spans 44 pages and seeks to provide a full analysis of the compliance issues arising under the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications Regulations 2003 (PECR) which both restrict how organisations conduct unsolicited marketing.

Scope of direct marketing

The DPA defines direct marketing as "the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals".  This definition applies equally to PECR.

By way of example, the Guidance makes clear that contact by an organisation with its customers for genuine market research would not be viewed as direct marketing but that selling under the pretence of research would be caught within the scope.

The Guidance also makes clear that contact need not be limited to promoting goods or services to be considered direct marketing. Any form of promotional approach, including those relating to an organisation's aims or ideals would be caught.   Charities, political parties and not-for-profit organisations must, therefore, also abide by the DPA and PECR in relation to their campaigning or other promotional approaches to individuals.

Direct marketing and the DPA

Where an organisation knows the name of the person it is contacting, it must comply with the principles of the DPA relevant to the processing of personal data.  The Guidance identifies the following principles as being most relevant to marketing:

• the first principle requirement to process personal data fairly and lawfully: in other words to be transparent with people and always act within their reasonable expectations;
• the second principle requirement to only use personal data for specified purposes - this would prevent, for example, using data for marketing purposes if the data was not originally collected with that purpose in mind; and
• the fourth principle obligation to maintain the quality of personal data - meaning here that marketing lists must accurately record people's communication preferences.

In addition to the above, the DPA also gives individuals a right to object (in writing) to direct marketing.

Marketing and PECR

These days the majority of marketing is conducted by electronic means and, for this reason, the focus of the Guidance is on PECR which complements the DPA whilst providing more detailed rules covering, for example, marketing communications by fax, email, text messages and telephone calls.  Unlike the DPA, the rules apply even if the organisation does not know the name of the person it is contacting.

The rules under PECR also vary depending on whether the marketing is business-to-consumer (B2C) or business-to-business (B2B).

Consent and direct marketing

Consent is seen as central to the Guidance and to the rules in the DPA and PECR relevant to direct marketing.  Consent is defined by the European Data Protection Directive (from which UK data protection rules within the DPA are based) as any "freely given specific and informed" indication of the wishes of the data subject by which they actively demonstrate their agreement to personal data relating to them being processed.

The Guidance makes a number of points relevant to a valid consent:

• consent cannot be made a condition of subscribing to a service or completing a transaction;
• the consent collected must be relevant to the type of marketing;
• information must be clear and prominent and not hard to find if people are to understand what they are consenting to; and
• consent must constitute a positive indication of agreement.

Indicating agreement does not mean, however, that an opt-in box must be checked in all cases. The IC restates his view that consent can sometimes be given by submitting an online form where "there is a clear and prominent statement that this would be taken as agreement and there was the option to opt-out" although this mechanism would only be relevant where it is part of a positive action such as registering with a service, rather than merely a failure to respond.

Consent in the context of marketing by email and text

In the case of email and text marketing, it is important to note that consent must be notified to the 'sender' and be specific to the type of communication.  Where the intention is to share collected data with third parties for their separate marketing use, then for an indirect consent to the collector rather than the sender to be valid, the consent would need to be specific to the named third party organisation or clearly describe the category of organisations that it falls within.

The role of an indirect consent is more relevant to circumstances where the organisation does not disclose the list to the third party but sends a marketing communication on their behalf.

There is an exception from the requirement for express consent for email and text direct marketing where:

• a person's details are obtained in the course of a sale (or negotiations for a sale) of a product or service to that person;
• the collecting organisation is only marketing their own similar products or services; and
• they gave the person the option to refuse or opt-out of the marketing at the time of collecting their details and in every subsequent email.

Other points to take account of include:

• consent will not remain valid forever – it will end where a person withdraws their consent and is likely to expire where they cancel their subscription to a service or where the consent collected was only specific to a particular promotional campaign in the absence of a clear expectation of future use;
• in the case of a third party using data collected with an indirect consent, it is unlikely to be able to rely on any indirect consent given more than six months previously; and
• organisations need to keep clear records of what someone consented to, when and how the consent was collected, by whom and based on what information having been provided to the individual.

Marketing calls

The Guidance reiterates the existing position that organisations must not make unsolicited marketing calls to numbers that are registered with the Telephone Preference Service (TPS) in the case of calls to individual B2C subscribers or with the Corporate Telephone Preference Service (CTPS) in the case of B2B subscribers, unless the subscriber of the line in each case has specifically told them that they do not object to receiving that organisation's calls. In addition, organisations should not make it difficult for people to opt-out.

In the case of automated calls made using automatic dialling systems, organisations can only make calls to people who have specifically consented to receiving these automated calls from them.

In all cases, an organisation must identity itself and provide a contact address or freephone number where requested.

Other types of direct marketing

Although the Guidance is focused on marketing emails, calls and texts it does also touch on those other types of direct marketing that are either regulated by PECR, including by fax and online advertising as well as those marketing practices that are outside PECR but covered by the DPA, such as traditional postal marketing to named individuals. It also points to some of the other rules and industry codes that affect marketing practices.

Enforcement

Due to the high volume of complaints received by the IC about unwanted calls and texts, non-compliance with the DPA and PECR requirements (as reflected in the Guidance) is supported by  targeted enforcement action by the IC against those organisations that generate the most complaints. Breaches of the DPA or PECR may result in an Enforcement Notice requiring remedial steps to be taken and failure to comply is a criminal offence.  In addition, the IC can also impose fines of up to £500,000 for serious breaches, such as where an organisation persists in ignoring objections to direct marketing or sending large volumes of calls or texts without the consent of the recipients.

Conclusion

The Guidance covers a broad sweep of marketing practices and the relevant data protection law but those seeking instant and immediate direction and answers relevant to a particular marketing scenario may be frustrated. The very detail of the Guidance and its carefully couched language means that it requires close and detailed reading to ensure it is correctly interpreted.

If you have any questions on this article please contact us.

Regulatory

Privacy & Cookie Policy

Terms of Use

© 2021 Taylor Wessing LLP