Direct Marketing Rules: Is your business compliant?


LAYTONS


This information is offered on the basis that it is a general guide only and not a substitute for legal advice. We cannot accept any responsibility for any liabilities of any kind incurred in reliance on this information.


In this year’s Queen’s Speech it was announced that the new Digital Economy Bill would increase the ICO’s power to fine companies for sending promotional emails to consumers where they have not obtained their specific consent to do so; this Bill is currently making its way through Parliament. The ICO also set out a stricter approach to the rules about obtaining marketing consents in its latest guidance. We summarise the key direct marketing rules that apply in the UK together with the practical steps that organisations can take to comply with them.

Michael Edgar Solicitor | Commercial michael.edgar@laytons.com +44 (0)20 7842 8000



The rules & penalties

Direct marketing law is harmonised across the EU by European Directives. These rules have been incorporated into UK law through national legislation such as the Data Protection Act 1998 (“DPA”) which protects the privacy rights of individuals, and the Privacy and Electronic Communications Regulations 2003 (“PECR”) which regulates direct marketing conducted by electronic means such as telephone calling, fax, email and SMS.

At present the UK regulator, the Information Commissioner’s Office (“ICO”), is able to issue public enforcement notices as well as issue fines of up to £500,000 against organisations that breach the direct marketing rules. When the EU General Data Protection Regulation (“GDPR”) comes into effect in spring 2018, the maximum fine that can be issued for a breach will increase to €20m.

Of course compliance is not just about avoiding financial penalties. By adhering to the rules organisations can demonstrate that they take individuals’ privacy seriously and strengthen their reputation as an organisation that consumers can trust.


Definition of direct marketing

The DPA defines “direct marketing” broadly as the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals. Therefore, communications to companies are generally excluded from the scope of the rules. It should also be noted that the term “marketing” covers the promotion of aims and ideals as well as the sale of products and services. This means that the rules apply not only to commercial organisations but also to not-for-profit organisations (e.g. charities, political parties etc).

For all types: honouring opt out requests

The DPA gives individuals the right to object to the use of their personal data for direct marketing purposes. This means that, for all types of direct marketing, organisations must promptly comply with opt out requests that they receive from individuals who do not want to be sent marketing materials. In addition to deleting individuals who have opted out from an organisation’s mailing lists, it is also best practice to maintain a separate “suppression list” of individuals to ensure that their preferences are respected in the future.

Key types of direct marketing are:

• marketing by post
• automated calling systems
• telephone marketing
• emails and texts


Post marketing

Individuals: These marketing rules only apply to postal communications sent to individuals. They do not apply where an organisation is sending a marketing communication to a business. Since marketing by post is not an electronic means of marketing it is not covered by the PECR. However, organisations must still comply with the DPA.

Individuals can register their address with the Mail Preference Service (“MPS”), which works in a similar way to the Telephone Preference Service (“TPS”). The DPA does not specifically require organisations to screen against the MPS, but it is good practice to do so and can save time and money. It will also help ensure compliance with the requirement under the DPA to act fairly and lawfully in relation to personal data.

If an organisation is sending mailshots to every address in an area and does not know the identity of the people at those addresses, it is not processing personal data for direct marketing, and the DPA rules will not apply. However, it may still need to comply with other guidelines and codes on marketing and advertising.

In essence, the DPA requires that:

• individuals are aware that an organisation has their contact details and intends to use them for marketing purposes
• the organisation must have obtained individuals’ addresses fairly and lawfully. It cannot send marketing mail if the addresses were originally collected for an entirely different purpose
• organisations must not send marketing mail to anyone who objects or opts out. They must comply with any written objections promptly


Automated calling systems

In most cases, making automated marketing calls (calls made by an automated dialling system which play a recorded message) is unlawful. This is because organisations are only permitted to make automated calls to people who have specifically consented to receiving them, which is unusual.



Telephone marketing

Under the PECR, organisations can make live unsolicited marketing calls (provided they comply with the rules summarised below), but they must not call any number registered with the TPS without specific prior consent. In practice, this means that organisations should screen the list of numbers they intend to call against the TPS register.

Individuals and businesses: Similar rules apply to business-to-business calls. Sole traders and partnerships may register their numbers with the TPS in the same way as individual consumers, while companies and other corporate bodies register with the Corporate Telephone Preference Service (“CTPS”). Therefore, organisations making B2B marketing calls to individuals and businesses need to screen against both the TPS and CTPS registers.

Generally, organisations must:

• have obtained the person’s contact details fairly and lawfully to start with
• individuals should be aware that the organisation has their number and plans to use it for marketing purposes
• the organisation must not make any calls that the person would not reasonably expect, or which would cause them unjustified harm

New transparency rules: As of 16 May 2016, when making marketing calls an organisation must always say who is calling, allow their number (or an alternative contact number) to be displayed to the person receiving the call, and provide a contact address or freephone number if asked.


Marketing texts & emails

Individuals: Organisations can generally only send marketing texts or emails to individuals (including sole traders and some partnerships) if that person has specifically consented to receiving them. Indirect consent (that is, consent obtained by a third party) is unlikely to be sufficient unless certain conditions are met (see the section on Consent). There is, however, a limited opt out exception for previous or existing customers that an organisation can use if they meet the following four-fold test:

1. the email address of the recipient must have been obtained by the sender directly from that individual in the course of a sale or negotiation for the sale of a product or service
2. the products or services promoted must be provided by the sender (rather than an unrelated third party) and be similar to those for which the recipient is regarded as a customer
3. the opportunity to opt out must be given when the individual’s details are collected and
4. the opportunity to opt out must be repeated in every promotional email that is sent.

Organisations must not disguise or conceal their identity in marketing texts or emails, and should not make it difficult to opt out. It is good practice to allow individuals to reply directly to the message to opt out or provide a clear “unsubscribe” link.


Consent

Consent is central to the rules on direct marketing. Organisations will generally need an individual’s consent before they can send marketing texts, emails or faxes, make calls to a number registered with the TPS, or make any automated marketing calls. To be valid, consent must be knowingly and freely given, clear and specific. Key points to note in relation to marketing consents are:

There should be a clear and prominent statement explaining that the action indicates consent to receive marketing messages from that organisation (including what method of communication it will use). Text that is hidden in a dense privacy policy which is easy to miss will not be enough.

Beware using bought-in email marketing lists. The latest ICO guidance highlights that, although there is a well-established trade in third party opt-in lists for traditional forms of marketing (e.g. postal marketing), indirect consent will generally not be enough for texts or emails. (In this context, “indirect consent”, or “third party consent”, refers to situations where a person tells one organisation that they consent to receiving marketing from other organisations.) This is because the rules on electronic marketing are stricter, to reflect the more intrusive nature of electronic messages. However, indirect consent might be valid in some circumstances, if it is clear and specific enough. Broadly, this means that the customer must have anticipated that their details would be passed to the specific organisation in question, and that they were consenting to receive marketing messages from that organisation.

The clearest way of obtaining consent to send marketing messages is to invite individuals to tick an opt in box confirming that they wish to receive marketing messages via specified channels (e.g. post, email, live phone call etc). This represents best practice and the ICO advises all organisations to adopt this approach, although it is not necessarily the only way of obtaining consent.

Whatever method of obtaining consent is chosen, there should be some form of communication or positive action by which the individual clearly and knowingly indicates their agreement. This might involve clicking an icon, sending an email, subscribing to a service, or providing oral confirmation.


Codes of practice

This Focus summarises key direct marketing rules under the DPA and PECR. But it is important to be aware that there are also rules and guidelines that apply to specific industries and groups, such as the CAP Code for advertisers, agencies and media owners, and the DMA Code to which DMA members and their business partners must adhere.

Further information

For more information the ICO’s Direct Marketing Guidance is available to view online here. The ICO has also produced a Direct Marketing Checklist to help businesses ensure that they are compliant with the rules and good practice.


London: 2 More London Riverside, London SE1 2AP, +44 (0)20 7842 8000, london@laytons.com

Manchester: 22 St. John Street, Manchester M3 4EB, +44 (0)161 214 1600, manchester@laytons.com

Guildford: Ranger House, Walnut Tree Close, Guildford GU1 4UL, +44 (0)1483 407 000, guildford@laytons.com

laytons.com

© Laytons Solicitors LLP which is authorised and regulated by the Solicitors Regulation Authority (SRA Nº 566807). A list of members is available for inspection at the above offices.

