Background

The Data Protection Act 1998 (the 'DPA') is based on eight data protection principles. The DPA protects individuals' personal data and places obligations on organisations to process that personal data fairly and safely.

The DPA applies to direct marketing by mail. The DPA defines "direct marketing" as:-

"The communication (by whatever means) of any advertising or marketing material which is directed to particular individuals"

The definition also applies to electronic marketing carried out under the Privacy and Electronic Communications (EC Directive) Regulations 2003 as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (the 'PECR'). Organisations which carry out unsolicited direct marketing or advertising by electronic means (for example by telephone, fax, email, text, picture or video message or by using an automated calling service) must comply with the PECR.

Consent

Consent is central to the rules on direct marketing. The PECR does not apply to any marketing which has been authorised or requested by the recipient. Under the first data protection principle, organisations will generally need an individual's consent before they can send marketing materials to them.

Penalties for Breach

The ICO has the power to issue monetary penalty notices of up to £500,000 to organisations which are in serious breach of the data protection principles or PECR. In November 2012, the ICO served monetary penalty notices totalling £440,000 on two owners of a marketing company, Tetrus Telecoms, which "plagued" the public with millions of spam texts over a three-year period. This was the first time that the ICO had used its powers to issue a monetary penalty notice under the PECR since the powers were approved in January 2012.

Tetrus Telecoms would send huge volumes of unsolicited texts without the consent of the recipient and without identifying the sender. Any replies were then used to generate leads which were later sold to third parties at a considerable profit. Evidence gathered against Tetrus Telecoms shows that they used unregistered pay-as-you-go SIM cards to send out as many as 840,000 text messages a day, generating an income of around £7,000-£8,000 a day.

Keeping within the law

The ICO has published a series of guides and checklists which relate to automated marketing calls, texts, e-mails, faxes and mail, to help organisations keep within the law and maintain a good reputation with customers.

The ICO's Privacy and Electronic Communications – Direct Marketing Guide provides the following guidance on key issues:-

  • There is no restriction on sending solicited marketing. PECR rules only apply to unsolicited marketing messages and the DPA will not prevent an organisation providing information which someone has asked for. If marketing has not been requested, it will be unsolicited and the PECR rules apply, even if the customer has "opted in". An opt-in is likely to mean that the marketing is lawful but it is still unsolicited so the PECR rules apply.
  • To be valid, consent must be knowingly given, clear and specific, and the customer must have been given the opportunity to make an informed choice. Organisations should keep clear records of what an individual has consented to and when and how this consent was obtained.
  • Neither the DPA nor the PECR states that consent must be explicit. Implied consent can also be valid in certain circumstances. If it is reasonable to conclude that the person consents, then consent can be taken as having been given. For example, it would be reasonable to assume that a customer who provides address details after purchasing goods consents to an organisation using those details to deliver the goods to them.
  • In some cases, as in the example of delivering goods to a provided address, the use of personal data is so obvious that the act of providing the data indicates consent for the specific use of that data. Direct marketing is, however, highly unlikely to form such an obvious part of a service or activity.
  • Organisations should note that implied consent is not necessarily easier to demonstrate than express consent and organisations are likely to have to take similar steps as they would when obtaining express consent.
  • The clearest way to obtain consent is to invite the customer to tick an opt-in box confirming that they wish to receive the marketing message. There are, however, various methods which an organisation might utilise to obtain consent.
  • Organisations should not rely on consent provided by customers to third parties, unless the consenting individual knew that their consent might be passed on to another organisation and they specifically consented to this. Consent to having information transferred to a third party cannot be inferred.
  • There is no fixed time limit after which consent will expire, but consent does not remain valid forever and will lapse. The question will be one of reasonableness and how reasonable it is to treat the customer's consent as an on-going indication of the customer's wishes. Consent may be withdrawn by the customer at any time.
  • Organisations should keep clear records of what it is that customers have consented to. The ICO recommends that a record should be obtained of: the date of consent, method of consent, who obtained the consent and the information provided to the consenting person before their consent was given.
  • Customers should be given a right to opt-out and if this right is exercised then their details should be suppressed (rather than just deleted) so that the organisation knows who not to market to.
  • When generating marketing leads organisations must ensure that they do so fairly, carefully and lawfully in compliance with the first data protection principle.
  • Direct marketing is not limited to goods and services. It also includes the promotion of an organisation's aims and ideals. This means that the DPA and PECR will apply to the promotional and campaigning activities of not-for-profit organisations. Not-for-profit organisations will therefore need to follow the same rules as commercial organisations.

Conclusion

The ICO has shown that it is willing to issue monetary penalty notices to organisations for breaches of the PECR. The ICO's guidance is designed to help both commercial and not-for-profit organisations avoid prosecution and maintain a good reputation with the public. The ICO considers nuisance marketing to be an on-going problem and has recently called on the government to lower the level of harm that is required from such marketing so that it can issue more monetary penalty notices to organisations behind nuisance calls and texts. Should these proposals proceed, it will be even more imperative for organisations to comply with the direct marketing rules.
