Direct marketing has been and continues to be one of the key areas of focus of data protection legislation. The Information Commissioner (and her predecessors) in the UK have always paid particular attention to direct marketing activities whether by phone or by mail. This emphasis shows no signs of change with the development of e-commerce.
This article concentrates on UK data protection legislation and in particular the Data Protection Act 1998 (the "1998 Act").
What is Direct Marketing?
The 1998 Act helpfully defines direct marketing as "the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals". This broad definition could apply not only to correspondence but also to telephone and email marketing. In an e-commerce context banner adverts may not fall within this definition. (Banner adverts are those placed around the "window" containing the text on a website. The adverts may not be directed to particular individuals but may in fact simply be the electronic equivalent of newspaper advertisements around the side of a page of news text.)
It is understood that the Information Commissioner would take a broad view of direct marketing: it is not only marketing by commercial entities which would be captured. "Marketing" by political parties in order to canvass votes or encourage individuals to join the party would also be captured by this definition.
It is worth noting that there is no exemption for existing customers of a business. Therefore, whether a business is marketing to existing customers in an attempt to sell new products or would like to transfer existing customers' details to business partners, both types of activity would fall within the ambit of the 1998 Act.
One of the first points to note is that businesses holding customers' personal data should ensure that their notification with the Information Commissioner is up to date and adequate. Under notification a number of purposes need to be included to indicate the purposes for which personal data are being processed. Relevant purposes for direct marketing might include:
- Advertising, marketing and public relations
- Advertising, marketing and public relations for others (for example, host mailing and list brokering)
- Canvassing political support amongst the electorate
- Fund raising
- Trading/sharing in personal data (i.e. the sale, hire or exchange of personal information).
The First Principle
The most significant part of the 1998 Act for direct marketing is probably the first data protection principle. This requires data to be processed fairly and lawfully. Under this principle businesses are required to make certain information available to the individuals on whom they will hold data. The information to be provided is:
- The identity of the data controller (i.e. the business holding the personal data);
- The purpose or purposes for which the data are intended to be processed; and
- Any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable the processing in respect of the data subject to be fair. This final point is something of a catch-all which requires careful consideration by a business in each situation where personal details are obtained.
Broadly this information must be made available when the business first processes data or when the data are first disclosed. However, where personal data have been acquired from a third party (e.g. bought from a list broker) the business must comply with the obligation to provide information but only where this does not result in "disproportionate effort". Therefore, it seems likely that if a list has been purchased from a list broker, although there has been a disclosure, it would be disproportionate effort to write to everyone on the list the moment the list is disclosed. It would seem sufficient for the purchaser to include this information when writing to everyone on the list for the first time. (Note, however, that a particular record must be made of the disproportionate effort and why it applies in the circumstances.)
Under previous legislation the Information Commissioner's predecessors considered (and in some cases brought tribunal cases on) the prominence and type size of notifications. It is hardly surprising that notifications made to minors should be of far greater clarity. Non-obvious uses or disclosures should be properly described. Uses such as cross marketing (i.e. from sister companies), host mailing (i.e. placing inserts into mailings) or list rental would be likely to require more prominent notification. Marketing of the business' own goods and services, where these are not similar to goods and services initially provided to the individual, may also require more prominent notification.
The Information Commissioner's predecessors have recognised that a relationship between a business and an individual customer may last many years and develop. For example, relationships between banks and customers may change over time as the banks' business develops. The key issue is that these developments must be within the customer's expectations for the marketing of them to take place. If the developments are not within the customer's expectations then specific notification and some form of consent is likely to be required.
In some cases personal data are collected from an individual known to the individual data subject. For example, a family member may pass on the individual's personal data (this is relatively common in "recommend a friend" schemes). The data protection issues in this situation can be extremely convoluted. Prior to the 1998 Act the Information Commissioner considered that when obtaining data a business must be fair both to the individual and to the source of the data. Where the source could reasonably be expected to be aware of and respect the wishes of the individual concerned then this was likely to be fairer. Complications arise where the data concerned is sensitive personal data (see further on this below) or where the contact details passed are not simply the home address but also the work address of the individual. Although, strictly speaking, these schemes may have a number of data protection problems, in practice most businesses use such schemes and accept a risk of non-compliance.
The Issue of Consent
The first data protection principle also introduces a requirement of compliance with pre-conditions for processing. For any processing of personal data a business is required to comply with one condition listed in Schedule 2 to the 1998 Act. The most relevant conditions in that Schedule are:
- The individual has given his consent to the processing; or
- The processing is necessary for the purpose of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
In practice compliance with either of these conditions is likely to result in similar steps, i.e. provision of information and obtaining implied consent.
Where sensitive personal data are being processed then a further condition in another Schedule (Schedule 3 to the 1998 Act) must also be complied with. Sensitive personal data is a new definition added by the 1998 Act. It is personal data which relates to particular private areas of a person's life, for example information relating to their health, religious or other beliefs, criminal convictions or sex life. The most relevant condition here is likely to be that the individual has given his explicit consent to the processing of the personal data.
Traditionally there has been a debate in direct marketing circles over the use of opt-in and opt-out consent (i.e. whether it is necessary to have an individual tick a box and positively request to be added to a list for marketing purposes, or whether it is sufficient to place on a form a box which an individual can tick in order to be removed from a marketing list).
The requirement for consent within Schedule 2 and for explicit consent within Schedule 3 makes no mention of opt-in or opt-out. Directive 95/46/EC, upon which the 1998 Act was based, defined consent as meaning "any freely given specific and informed indication of [an individual's] wishes by which [an individual] signifies his agreement to personal data relating to him being processed". This highlights the importance of some signifying action by the individual. For example, this might be requiring an individual to read a privacy statement on a website and then click on "I accept" at the bottom before allowing the individual to access services on the website. Alternatively, it might require a clear note being provided in a form sent to the individual, who then returns the form in order to obtain some services without having marked the form to show that the individual objects to the collection of data.
The key issue is that it is not sufficient to rely on inaction by an individual and thereby infer consent. The important point about explicit consent seems to be the requirement for very clear notification (perhaps in terms of location of the notification, size of wording and clarity of language).
It is not clear whether opt-in and opt-out will continue to be debated. Further legislation may require prior consent (perhaps by opt-in) for email marketing. (The EU is reviewing the present Telecoms Directive 97/66/EC and intends to expand it to ensure that it covers all communications. This will encompass marketing by email and, if enacted in its present form, will require opt-in for email marketing).
Preference lists exist at present for both postal and phone/fax marketing. The services are operated by the Direct Marketing Association Limited and allow individuals (and in some cases companies) to opt out of receiving marketing material. Under the Telecommunications (Data Protection and Privacy) Regulations 1999 businesses are required to check with the phone/fax list to ensure that they do not market a person on that list. There is not, at present, an official email preference list, although the Direct Marketing Association website does include a link to a sponsored email preference list (see www.the-dma.org).
Right to Prevent Direct Marketing
The 1998 Act introduced a new right for individuals specifically addressed to direct marketing. Under this right an individual is entitled to require a business to cease or not to begin processing for the purposes of direct marketing. The right must be exercised by notice in writing and must specify a reasonable period to allow the business to comply. There is no requirement to show any particular damage or distress in order to prevent the processing: it is simply sufficient for the individual to require the processing for direct marketing to stop. One point to note is that under Directive 95/46/EC which gave rise to the 1998 Act there is a requirement on member states to ensure that individuals are aware of the existence of this right. The 1998 Act does not make provision for this obligation.
As businesses attempt to make more efficient use of their customers' data there will be data protection implications. Customer relationship management (CRM) software offers, in some cases, huge benefits for businesses: it allows them to manage a number of different individual databases as one and to operate efficiently using all the information which is held about a particular customer. However, where data has been collected on a customer for different purposes and at different times, it is important that data collected for a particular purpose is only used for that purpose. For example, data collected from an individual in order to mail them some goods should not be used for direct marketing by that company or another company of unrelated goods, unless the individual has consented. It is therefore important that data is appropriately tagged and marked with the purposes for which it may be used.
When collecting data it is important that proper notification is given to the individual of the purposes for which the data will be used. This needs to take place by means of including text on paper forms, in telephone call centre scripts and on websites. The information must be clear and as broad as possible in order to benefit the business.
When acquiring new customer details from a third party a business must be particularly careful about the basis on which the customers' details have been collected. When "buying" a list of customers the business should ensure that it obtains adequate warranties on the collection of names on the list and the purposes for which those names can be used. Similar arrangements should apply where lists are exchanged between business partners: each business partner will wish to be sure that the other has collected the names in a fashion that is compliant with the 1998 Act and allows the other business partner to market them.
Entities in favoured positions, i.e. where an individual has little or no choice but must disclose personal data to the entity, have to take care. An example of a favoured entity would be an electricity company holding data on an electricity customer. The individual has little or no choice about handing over personal data to an electricity company. Therefore further use of those data (beyond supply or marketing of electricity) is likely to require consent.
An issue which frequently arises under the 1998 Act is the use of business contacts. Under the 1984 Act there was often a valid argument that lists of individuals at companies or businesses would not be classified as personal data (this is on the basis that the data was not being processed in relation to the individual as such). This technical exemption does not exist under the 1998 Act: any personal data relating to any living individual would be captured. Therefore marketing between businesses but directed to individuals at a particular business would be caught by the provisions above.
Further Developments and Conclusion
Direct marketing continues to be an area in which there are a number of new pieces of legislation and proposed legislation. The March 2001 issue of Privacy and Data Protection contained an article on the relatively new Telecoms Regulations. These Regulations include provisions specifically relating to marketing individuals and companies by fax and phone. The EU is considering a new Directive which will expand and update the Telecoms Directive 97/66/EC (which gave rise to the Regulations) to cover all forms of communication including email.
Apart from such new developments, the basic understanding of direct marketing and data protection continues to apply. In effect compliance with data protection legislation should be a matter of common sense and good customer handling. Every business should ensure its customers know what information is collected on them and why.