Last week saw two UK regulatory bodies crack down on organisations for breaching the rules on direct marketing:
- The Advertising Standards Authority (ASA) ruled that Lands' End Europe Ltd (Lands' End) breached the rules on direct marketing in the UK Code of Non-broadcast Advertising and Direct & Promotional Marketing (CAP Code).
- Additionally, the Information Commissioner's Office (ICO) fined Flybe £70,000 and Honda £13,000 for sending unsolicited direct marketing communications.
ASA – what did they say?
The complainant in this matter challenged an advertisement sent to them by Lands' End, a clothing company, on 10 October 2016 claiming it was unsolicited.
Lands' End responded to the complaint advising that the email was sent via an email targeting agency. This agency had obtained consent from the complainant to receive third party email communications through one of their partners. The complainant had opted in to receive these communications through an opt-in box.
To obtain consent, the partner used an un-ticked tick box next to a statement which read "You understand and agree that you are establishing a business relationship with our network of affiliate partners, and you may be contacted by one of our partners by telephone or mobile using automated dialling or electronic mail".
Despite the use of an opt-in tick box, the ASA ruled against Lands' End and found that explicit consent had not been given. The ASA noted:
- The statement next to the tick box was not sufficiently detailed. The ASA found that consumers would understand this statement to mean that they were consenting to receive emails from third parties, but the general reference to "our...affiliate partners" did not make clear the nature of such third parties.
- There was no clear connection between the types of products or services provided by the website the complainant signed up to and those provided by Lands' End.
ICO – what happened with Flybe and Honda?
The ICO found both Flybe and Honda to be in breach of the Privacy and Electronic Communication Regulations (PECR) by sending unsolicited marketing emails to people who had told them that they did not want to receive marketing emails.
Flybe sent more than 3.3 million emails in August 2016 titled "Are your details correct?", advising recipients to amend their data to ensure it was up to date. By updating, they would also be entered into a prize draw. Honda had sent 289,790 emails aiming to clarify customers' choices for receiving marketing emails.
Both companies believed the emails would not be classed as marketing, but customer service emails to help them comply with data protection law. However, the companies could not provide the ICO with evidence that customers had given consent to receiving these types of emails, which is a breach of the PECR.
The ICO has made clear that "sending emails to determine whether people want to receive marketing without the right consent, is still marketing" and therefore both companies were guilty of breaching the PECR and fined accordingly. Organisations should ensure that they maintain clear records of what an individual has consented to, and when and how consent was obtained, so that they can demonstrate compliance should a complaint be made.
Direct Marketing – what are the rules?
Those involved in direct marketing must have the consent of those individuals they aim to target with marketing campaigns.
- Consent: to be valid, consent must be (1) knowingly and freely given; (2) clear; (3) specific; and (4) involve a positive action indicating agreement.
- Explicit: explicit consent is always the safest option and this is required for sending electronic mail under the CAP Code.
- Opt-in: the ICO promotes opt-in consent as best practice and this will be mandatory as of May 2018. Opt-in consent is a safe way to demonstrate valid consent as it generally involves a person confirming their agreement to specified methods of contact by ticking a box or boxes. An indication from an individual that they object to, or opt-out of, certain methods of contact is less certain as failure to object or opt-out only means that the individual has not objected and does not automatically mean that they have consented.
- Method of contact: For consent to be given to direct marketing, the individual must also consent to the type of communication; therefore an organisation cannot send text messages unless the individual has specifically consented to receiving text messages.
- Statement: The organisation must have provided the individual with a clear and prominent statement that explains the action required will be taken as consent and what the organisation will do with this consent. Make sure your statement is sufficiently clear so that you are not caught out like Lands' End. The ICO's Privacy Notices Code of Practice recommends that if you intend to pass data onto third parties, those third parties should either be named or people should be given a clear idea of the types of organisations to whom you will supply their information.
Read more on consent under the GDPR (General Data Protection Regulation), which will come into force in May 2018, in our mini-series on the ICO's draft guidance on Consent:
Part 2: What does this mean for your business?
Part 3: Do we always need consent?
Part 4: Recording and managing consent
Disclaimer
The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.
