Over the last year, the Information Commissioner’s Office (ICO) has stepped up enforcement action for breaches of data protection and privacy rules relating to direct marketing. Action has arisen from unlawful marketing by telephone (live or automated), SMS and email, and from the unlawful sale of marketing lists. This article outlines some key themes arising from these cases.
The privacy rules for direct marketing derive from both the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications (EC Directive) Regulations 2003, and are also reflected within industry rules such as the Direct Marketing Association Code of Practice.
Under the DPA, the usual data protection principles must be followed when collecting or using personal data for marketing purposes, and individuals also have a right to object to direct marketing. Under PECR, there are requirements to obtain consents or provide options to object to unsolicited direct marketing communications, which vary depending on the method of communication (including telephone, fax, email, SMS). The options must be given to the “subscriber” to the line, which may be an individual or a company. There are additional requirements under PECR for those sending marketing communications to identify themselves and provide a free way to contact them.
The ICO has the power to take enforcement action for breaches of the DPA and PECR, including issuing monetary penalties for serious breaches, issuing enforcement notices, and requiring organisations to give undertakings to change their practices. There are also criminal penalties for some breaches, for example if an employee unlawfully uses his employer’s customer list to send marketing communications for another business.
The threshold for monetary penalties under PECR was lowered in April 2015 to remove a requirement for the breach to be likely to cause substantial damage or distress. This has enabled the ICO to issue more fines for serious breaches – monetary penalties totalling over £2m were issued in the year following the change. In many cases, evidence of distress, worry and irritation from recipients has been a factor in issuing such penalties.
The DPA is due to be replaced by the EU General Data Protection Regulation (GDPR) in May 2018. This does not amend PECR, although the EU Directive from which PECR derives is also currently under review. The GDPR requirements relating to direct marketing are similar to the DPA – there is a right to object, and the data protection principles must be followed. Contrary to some recent blogs on the issue, consent will (still) not always be required for direct marketing activities, although, where it is sought, it must be “unambiguous”, as well as (as under current law), specific, informed and freely given.
Under PECR, automated calls cannot be made without the prior consent of the recipient (or, more accurately, the subscriber to the line). This is different to the rule for live calls, where prior consent is not always required (see (2) below). Recipients have the option to refuse live calls, and may register on the TPS register as a way to provide a blanket objection to all marketing calls to their line.
In a number of recent cases, companies have not sought the required consent before instigating automated marketing calls, but have instead checked the TPS register. Consent cannot be inferred from a lack of objection (by registering on the TPS register or otherwise).
Examples:
Direct marketing by telephone often does not require prior consent[1]. However, individuals and companies may register with the Telephone Preference Service and the Corporate Telephone Preference Service respectively, indicating their wish not to receive marketing calls. It is therefore important for organisations to screen their marketing lists against these registers before making the live calls. To avoid the need to screen against the lists, an option is to obtain specific consent for your organisation (which can override a general TPS opt-out). In several recent cases, organisations have failed to screen their lists or obtain consent.
Examples:
[1] Prior consent may be required under the DPA if the “legitimate interests” condition cannot be satisfied (e.g. because the manner of the activities is particularly privacy intrusive). Consent may also be best practice in any case (see Age International and British Red Cross undertakings in 2016), and, as raised above, may avoid the need to check the TPS and CTPS registers.
It is not uncommon for an organisation to purchase a marketing list from a third party, or to appoint a third party to carry out marketing activities on its behalf. In such cases, the organisation remains responsible for ensuring that the requirements have been met in relation to marketing communications which it sends or which are sent on its behalf. Enforcement action has been taken against organisations for the actions or failures of their third party providers.
It is therefore important to carry out appropriate due diligence on each third party to check that marketing rules are being followed. Appropriate obligations, warranties and indemnities can also be included within contracts with providers.
See also (5) below in relation to consents obtained by third parties.
Examples:
The “soft opt-in” rule under PECR allows businesses to use an opt-out approach for sending marketing emails and SMSs to existing customers. However, the marketing must relate to the sale of similar products and services. Organisations cannot therefore rely on this rule if the marketing email or SMS is intended to promote aims or ideals, which may be the case, for example, with political parties and charities.
In addition, the soft opt-in only applies where the marketing communication is about the sender’s own products or services, so it cannot be relied upon to market third party products or services.
If the soft opt-in is not an option, then prior consent must be obtained.
Example: Telegraph Media Group Ltd monetary penalty, December 2015.
Where consent is required for a marketing communication (e.g. for email or SMS), it must be notified to the sender of the communication. This raises a problem where a marketing list has been purchased from a third party, as any consents will not have been given directly to the purchaser.
The ICO has indicated that indirect or third party consent can be valid but only if it is sufficiently clear and specific, and enforcement action has been taken where this is found not to be the case.
Organisations should therefore take extra care to check such consents obtained by third parties (see also (3) above). Recipients must have intended for their consent to be passed on to the organisation doing the marketing, which means they must be clearly informed, when giving consent, that their details will be passed to that specific organisation or one clearly fitting its description for marketing purposes.
Consents (whether obtained directly or indirectly) must also be specific to the proposed marketing activities. A general consent seeking to cover all types of communications or activities is unlikely to be sufficient, as also demonstrated in recent enforcement action.
Examples:
How long a direct marketing consent lasts will depend on the context; it is unlikely that a consent will last indefinitely, particularly if there has not been regular contact with the recipient and/or the circumstances change. Individuals must also be given the ability to withdraw consent at any time. Recent undertakings in the charity sector have set out some best practice on these matters.
Examples:
Organisations will need to find practical ways to facilitate ongoing management of customer choices and marketing data. In particular, if someone makes a request for marketing communications to stop, this request must be acted upon. This may mean suppressing rather than deleting contact details, in order to ensure the request is respected in relation to future marketing campaigns when the same details may find their way onto the marketing system. In some recent cases, requests for marketing to stop have not been acted on appropriately.
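As an added illustration (not from the article or from OBEP), the list-screening logic described here and in the telephone sections above: automated calls go ahead only with prior consent, live calls are screened against the TPS or CTPS unless specific consent to this organisation is held, and a stop request is kept as a suppression entry so the same number stays blocked when it reappears on a later list. The register contents, consents and phone numbers are constructed sample data.

```python
from dataclasses import dataclass, field

AUTOMATED, LIVE = "automated", "live"   # PECR treats the two call types differently

@dataclass
class Contact:
    number: str
    is_company: bool = False  # companies are screened against CTPS rather than TPS

@dataclass
class MarketingRegister:
    tps: set = field(default_factory=set)          # constructed TPS extract (individuals)
    ctps: set = field(default_factory=set)         # constructed CTPS extract (companies)
    consents: dict = field(default_factory=dict)   # number -> set of channels consented to THIS org
    suppression: set = field(default_factory=set)  # numbers that asked us to stop; never deleted

    def record_stop_request(self, number: str) -> None:
        """Suppress rather than delete, and drop any consent: a stop request is a standing instruction."""
        self.suppression.add(number)
        self.consents.pop(number, None)

    def may_call(self, contact: Contact, channel: str) -> tuple:
        if contact.number in self.suppression:
            return False, "suppressed: recipient asked for marketing to stop"
        consented = channel in self.consents.get(contact.number, set())
        if channel == AUTOMATED:
            # Absence from the TPS is not consent; automated calls need prior consent.
            return consented, "prior consent held" if consented else "automated call needs prior consent"
        if consented:
            return True, "specific consent to this organisation overrides a general TPS/CTPS opt-out"
        register = self.ctps if contact.is_company else self.tps
        if contact.number in register:
            return False, "on TPS/CTPS register and no specific consent"
        return True, "live call: not on register"

def screen(register: MarketingRegister, contacts: list, channel: str) -> list:
    return [c.number for c in contacts if register.may_call(c, channel)[0]]

def demo() -> dict:
    # Constructed sample data; numbers are from the UK 01632 960xxx fictional range.
    reg = MarketingRegister(tps={"01632960001"}, ctps={"01632960002"},
                            consents={"01632960001": {LIVE}, "01632960003": {AUTOMATED}})
    contacts = [Contact("01632960001"), Contact("01632960002", is_company=True),
                Contact("01632960003"), Contact("01632960004")]
    live_before = screen(reg, contacts, LIVE)
    reg.record_stop_request("01632960001")
    # The same number arriving again on a newly purchased list is still caught by the suppression entry.
    live_after = screen(reg, contacts + [Contact("01632960001")], LIVE)
    return {"live_before": live_before, "live_after": live_after,
            "automated": screen(reg, contacts, AUTOMATED)}
```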
Examples:
Organisations often focus on providing appropriate opt-in and opt-out boxes or options to address data protection and privacy requirements. Whilst these are an important part of compliance, there are many additional matters to address. Other failures cited in recent cases include:
Examples:
As from 16 May 2016, organisations must also ensure that the number of the sender of a marketing call is displayed; caller line identification may not be blocked. Prior to this, in March 2016, the monetary penalty against Advice Direct Ltd (see above) took into account that marketing calls (falsely) gave the appearance that the call was coming from a local number.
The ICO has investigated organisations and taken enforcement action as a result of a relatively low number of complaints, compared to the number of marketing calls or communications actually made. For example:
Olivia Whitcroft, principal of OBEP, 16 June 2016
This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details