ICO has released updated guidelines on using email and telephone for direct marketing
The Information Commissioner’s Office’s (ICO) new guideline on direct marketing via electronic mail and live calls aims to provide a more complete overview of the regulations on direct marketing, as well as practical examples.
The new guidelines enhance the previous ones on this subject, such as the ICO’s Guide to the Privacy and Electronic Communications Regulations 2003 (as amended) (PECR) and the draft Direct Marketing Code of Practice.
What follows is a summary of some of the most important insights and the next steps that businesses should take.
When does PECR apply?
Organisations that wish to send unsolicited messages by electronic mail or make live calls for the purposes of direct marketing have to comply with the marketing rules in PECR, irrespective of whether they are processing personal data in this context (and separately from their obligations under the UK GDPR and the Data Protection Act 2018). The purpose of PECR’s marketing regulations is to safeguard “subscribers”, who might be either natural persons or legal entities.
The “sender”/“caller” and/or “instigator” is responsible for compliance with the rules for direct marketing via electronic mail (including emails and texts, pictures and videos, voicemail messages, in-app messaging, and direct messages on social media). This means that there may be a number of people who share accountability for ensuring the marketing message complies with regulations.
Direct marketing does not include “service messages,” which include phone calls and emails conducted for administrative or customer service purposes (such as verifying contact information or doing legitimate market research). The ICO has made it plain, however, that if a service communication includes a promotional element, the entire message is considered direct marketing and must comply with the applicable rules.
Sending out promotional emails to potential customers directly
In order to market using electronic mail, firms must either seek consent or meet all the requirements of the soft opt-in exemption.
Organisations should make sure the consent they get from subscribers is freely provided, explicit, informed, and unambiguous in accordance with the UK General Data Protection Regulation (GDPR), the standard used in this context. For email marketing specifically, this means making sure the consent language used covers electronic mail marketing messages, includes the name of the organisation, and stands alone from any other consent requests made (such as accepting the terms of service). A further reason why businesses need to document consent is so they can defend its legality in the event of a dispute.
On the other hand, businesses can use the soft-opt-in exemption if the following conditions are met:
The sender must have obtained the subscriber’s information directly; it cannot rely on the soft opt-in if it did not.
The data must be collected in the course of a transaction or sale negotiation. When negotiating, it’s important for the other party to show interest in what you’re offering. This could mean downloading a free trial or otherwise taking some kind of action.
The advertising targets customers who might also be interested in connected items.
At the time of data collection, as well as in any following correspondence, the subscriber was given the option to opt out. Users should be able to unsubscribe with a single click, as this is the preferred method.
These regulations only apply to individual subscribers, so businesses can still send unsolicited commercial electronic messages to corporations.
Live-call-based direct marketing
Although prior consent is not required for marketing via live calls, with some exceptions (such as direct marketing calls about claims management services and pension schemes), businesses must still verify that their subscribers (1) have not objected to receiving live marketing calls, and (2) are not registered with the Telephone Preference Service (TPS) or the Corporate Telephone Preference Service (CTPS).
In effect, this implies that businesses can’t make marketing calls without first checking the numbers they want to reach out to against the TPS or CTPS records. Don’t make any live marketing calls to subscriber numbers that appear on the registers. The only time this is acceptable is if the person or company being called has explicitly stated that they do not mind getting marketing calls. Although “UK GDPR permission” is not relevant in the context of real-time marketing calls, the ICO has indicated that the bar to overcome the TPS/CTPS registration is practically equivalent to gaining opt-in consent.
Disclosing all information and respecting requests for removal or modification of personal data
When sending electronic mail or making live calls for direct marketing purposes, firms have an obligation to supply specific information. This applies to both businesses and individuals, and to both solicited and unsolicited marketing communications.
As a general rule, organisations should show identification information, provide clear information about the marketing and make it easy for subscribers to object or opt out.
The sender of an electronic message must ensure that its identity is not concealed or disguised and that a working opt-out contact address is provided. Callers must identify themselves, state why they’re calling, and offer contact information while making a live call.
All subscriber preferences are “for the time being,” as stated in the PECR, and companies should treat them as such in accordance with the new ICO guidelines. Businesses must have a clear procedure for responding to opt-out requests. To that end, the ICO recommends compiling a list of opt-outs as a best practice.
It is possible for a subscriber to opt-out of receiving marketing via a specific contact type/method of communication without having that decision affect their receipt of marketing via other contact types/methods of communication, provided that the mechanisms for opting in and out are clear and internal systems are set up appropriately.
Making use of information collected by other parties
As long as compliance with the applicable rules under the PECR can be maintained, the use of third parties or information given by third parties may be allowed for direct marketing by electronic mail and live calls.
The Information Commissioner’s Office recommends that organisations and third parties have a contract in place that lays out each party’s obligations (if personal data is processed, then there is a legal obligation under the UK GDPR to have a contract in place).
It is the company’s responsibility to check that the purchased list conforms with the relevant marketing rules before using it for any marketing activities.
Specifically, businesses need to check that the people on their mailing list have agreed to receive direct marketing from them via that medium (noting that the soft opt-in exemption does not apply to bought-in marketing lists). In reality, this could entail making sure the list recipients were given the correct sender information, that they were given a clear understanding of what they were agreeing to, and that consent was properly gained.
The new ICO guidance makes it clear that, while PECR does not explicitly prohibit the use of publicly available contact details for marketing purposes, it is highly unlikely that an organisation will be able to use someone’s contact details collected from publicly available sources to send unsolicited electronic mail marketing (with the possible exception of someone’s business contact details that are on a publicly available website).
Organisations that plan to make use of purchased lists or publicly available contact details for marketing purposes should verify the numbers using the TPS/CTPS registers. As it can take up to 28 days for a TPS or CTPS registration to become active, it is best practice to check again, or to make sure a check has been carried out recently, even if the information is obtained from a third party who says that the numbers have been checked against the necessary registers.
So, what should we do now?
This advice will help clarify the marketing requirements within the overall data protection framework until the ICO publishes the final version of the proposed Direct Marketing Code of Practice.
The advice does not significantly alter the status quo, but businesses should use the opportunity to assess their marketing strategies, policies, and internal processes in light of the new information in order to get the most out of their efforts and remain compliant with industry standards.