In September 2013 the Information Commissioner's Office ("ICO") issued a lengthy Guide to direct marketing.
The Guide addresses requirements under the Data Protection Act 1998 ("DPA") and the Privacy and Electronic Communications Regulations 2003 ("PECR"), such as the Regulation rules on e-mail marketing.
In many areas, the Guide collects and restates earlier guidance. In a few places, the Guide does take a different approach - in particular on whether consent is required for sharing information for marketing purposes and whether an organisation can make a service 'conditional' on an individual accepting direct marketing. On time limits, the Guide brings back old guidance (dating back to the 1995 Data Protection Tribunal decision in the Innovations case) that direct marketers probably hoped had been forgotten: that consent to share lists would typically expire after six months.
The Guide emphasises that the ICO receives a large number of complaints about direct marketing - this is reflected in its enforcement priorities. Tackling repeat marketing calls and texts, made in disregard of individuals' wishes, is a high priority for it. The ICO also highlights illegal list rental as an area of focus. The Guide notes that the ICO can issue monetary penalty notices of up to £500,000 against organisations for breach of data protection rules, and has done so in past enforcement action cases.
What is direct marketing?
The DPA applies to "the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals".
The Guide reminds political parties and charities that their awareness raising campaigns would also fall within this definition: a point confirmed by the Information Tribunal on a number of occasions (including the 2006 Scottish National Party case).
Direct marketing would not include "Dear occupier" letters (unless the marketer actually knows who the occupier is), but would include online marketing which is directed to particular individuals - so it would cover Online Behavioural Advertising.
Genuine market research is not covered. However, selling disguised as market research is covered. Here, the Guide refers approvingly to the detailed guidance and Code developed by the Market Research Society.
What are the key data protection principles?
The Guide highlights:
- fairness and transparency;
- the connected principle of purpose limitation (if I obtain your information for one purpose, I cannot then use it for something which is incompatible with this);
- data quality; and
- consent and rights to object.
Most of the Guide focuses on consent and fairness.
Consent and rights to object
The DPA grants individuals a right to object to direct marketing. In other words, the marketer can send marketing unless the individual takes steps to object. However, in some situations, consent is needed. Consent is always required for automated marketing calls and for much e-mail marketing. The Guide also states that organisations who wish to share marketing details "are likely to need consent to do so". This is one of the areas where the Guide indicates a new and more restrictive approach by the ICO, the historical approach having been that list rental is permissible provided individuals have been told about this in advance or at the time their data was collected, and had an opportunity to object to the collection.
What does consent mean?
The Guide refers here to the Data Protection Directive - noting that consent must be freely given, specific, informed and an indication of the individual's wishes.
This is an area where, again, some elements of the Guide seem to show new and more restrictive thinking by the ICO. The Guide follows European guidance, noting that someone should not be penalised for refusing consent and that consent cannot be a condition of subscribing to a service or completing a transaction. Consent to provisions which are hard to find, difficult to read or rarely read may also not be valid. Historically, the ICO has been more willing to apply 'freedom of contract' principles to this area and to conclude that (save for essential services and monopoly providers) there is no difficulty in making direct marketing a condition of service - as the individual does not have to take that particular service. The new approach will make it difficult for organisations to offer services which are subsidised on the basis of direct marketing: the consumer may be able to take the service and then refuse the direct marketing which subsidises it.
Pre-ticked boxes will not deliver valid consent. Helpfully, however, the guidance carries forward previous advice which outlined that consent does not necessarily mean opt-in and, "in some circumstances, failure to tick an opt-out box (or untick an opt-in box) might be part of the wider mechanism of indicating consent". If a marketer makes clear that, by providing my e-mail address, I will give consent to direct marketing unless I tick an opt-out box, then this will be valid consent, notwithstanding that an opt-out box is used.
E-mails and texts
PECR provides that, with one exception, organisations must not send 'unsolicited' direct marketing by e-mail to individual subscribers unless the recipient "has previously notified the [sender] that he consents for the time being to such communications..."
The Guide restates previous topic-specific advice on this, noting that the rules for e-mail marketing are more stringent, requiring that the consent must be specific to the organisation sending the e-mail and the type of communications sent (so consent to receive phone calls does not extend to e-mail). It follows that organisations that wish to sell or buy e-mail marketing lists must be particularly clear about who will be marketing what, so as to be able to show that consent was given 'to the sender' and 'to such communications'. Here, the consent must name the organisation, or the types of organisations: 'selected third parties' will not be sufficient.
Organisations can send marketing e-mails without consent where they satisfy the so-called 'soft opt in' - that is, where they obtained the contact details during the course of sale or negotiations for sale, they are marketing their own similar products and services, and they gave the individual a chance to opt out at the outset (and this is repeated in each e-mail). The Guide restates previous guidance on this topic: the ICO considers the exemption itself to be limited; similar goods and services will be interpreted in line with the consumer's expectations (so this could cover a broad range of products for a supermarket but, according to the ICO, would not extend to white-labelled insurance or financial services products offered by the retailer).
'Viral marketing' (asking customers to forward deals to friends, or to provide friends' details to the marketer) cannot be used to avoid these rules: the consent rules apply both to the sender and the person 'instigating' the e-mail marketing. Organisations wishing to use viral marketing should clearly explain:
- that the contact should only provide friends' details with their consent; and
- that person may be told who provided their details.
Marketers should also usually send a privacy notice to all contacts obtained in this way.
E-mail campaigns asking individuals to consent to e-mail marketing are subject to the same consent rules as e-mail marketing itself, as are opt-back-in campaigns - although here the ICO suggests that it will accept them if they are a 'minor and incidental' addition to a message being sent anyway for other purposes.
Again, the Guide restates previous guidance on the PECR. In line with the ICO's enforcement priorities, the Guide emphasises the obligation not to call subscribers who have registered with the Telephone Preference Service ("TPS").
By virtue of the PECR, the TPS is a statutory preference service: the Regulations provide that a marketer must not call numbers registered with the TPS. There is an exception where the subscriber has notified the caller that s/he does not object to receiving calls from that organisation. So, if a customer has given consent to marketing calls from an organisation, then this would override TPS registration (and subsequent registrations).
Buying in lists
Organisations buying in lists are dependent on the quality of the notices given by and consent obtained by the vendor. The ICO recommends 'rigorous checks': a fair obtaining warranty (i.e. confirmation from the vendor that it has met relevant obligations and that the purchaser's use will be lawful) is no longer sufficient. Instead, the ICO recommends checking:
- The date the list was compiled and amended
- Consent - who obtained it, when and in what context and whether it was opt-in or opt-out
- Whether clear and intelligible information was provided and how it was provided (foot note, pop up, link)
- Whether e-mails or texts or automated calls were specifically called out
- Whether organisations, or types of organisations, were described
- Whether the list was screened against preference services
- Whether the individual expressed preferences about the medium of communication (e.g. e-mail in preference to phone)
- Whether the seller received previous complaints
- Whether the seller is a member of a professional body
Audit rights and sampling of lists are also recommended.
The ICO has also issued other relevant guidance - for example, on cookies and its Code of Practice on Privacy Notices. The Guide also notes that direct marketers must comply with other rules on marketing. For example, the Guide notes that Ofcom has powers to tackle silent and abandoned calls and the Advertising Standards Authority enforces the CAP Code. Bad direct marketing can also breach the Consumer Protection from Unfair Trading Regulations 2008. There is a useful summary of these related areas in the Guide.