UK privacy regulator shines a spotlight on marketing
Following a year that saw investigations into direct marketing by charities and a change in the law that led to the UK Information Commissioner’s Office setting record fines for nuisance calls and texts, ICO’s recent update of its guidance on direct marketing comes at a critical time. In light of the new guidance – as well as the new EU data protection regulation and expected review of the e-privacy directive – it’s more important than ever that those involved in direct marketing understand how to apply this complex area of law.
Most of the new guidance focusses on helping charities to comply with the law, but it also gives helpful clarification for businesses that do direct marketing: particularly on the issue of what constitutes consent to use data, including ‘indirect’ consent. This article highlights the changes to ICO’s guidance, and what else is on the horizon that might affect how businesses conduct direct marketing.
Clarification on consent: ICO’s guidance now gives more examples to help organisations understand the need to get ‘freely given, specific and informed’ consent (the standard required under EU law).
More direction on ‘indirect consent’: Reliance on indirect consent has been a key area for enforcement action. Among other things, the new guidance makes it even clearer that asking people to agree to receive marketing from ‘selected third parties’ is not good enough.
Charities/not-for-profit focus: Although the law is the same for charities as any other organisation, ICO views the recent high-profile difficulties of the charitable sector as evidence that more sector-specific guidance is needed. The additions are also a useful reminder for all organisations as to what practices will be acceptable.
Clarification on consent
- The updated guidance reminds organisations that everyone must have a ‘genuine choice’ over whether or not to consent to marketing – a person must not be coerced or unduly incentivised to give consent, nor penalised for withholding consent.
- Using a mixture of opt-in and opt-out boxes can be very confusing for customers and can mean that informed consent is harder to demonstrate. ICO recommends best practice is to use opt-in boxes wherever possible.
- Organisations that use consent to marketing as a condition of subscribing to a service will have to demonstrate that consent was freely given.
- An automated computerised message rapidly listing third party companies that may contact an individual, played after someone has been asked whether they consent to being contacted by selected third parties, is not informed consent.
More direction on ‘indirect consent’
- For an organisation to rely on indirect consent (consent obtained by a third party) the person must have been told, when they gave consent, which organisation would be sending messages, or else the precisely-defined categories of organisation that might do so. A long list of general categories of organisations is unlikely to be acceptable. A person must be able to reasonably foresee that the organisation will contact them, how it will contact them and for what purpose.
- Indirect consent is valid only for the third party that first seeks to rely on it. If that third party re-sells the marketing list to another organisation, that organisation can’t rely on the original consent given by the individual.
- Organisations sending out third party material (eg a supermarket sending out an email that promotes a charity’s work) must ensure that they have appropriate consent from the recipients to receive marketing promoting the third party (even though the email is sent out from the supermarket and not the charity).
Charities/not-for-profit focus
- Not-for-profit organisations are reminded that they aren’t exempt from UK data protection laws. The law on direct marketing covers the promotion of aims and ideals as well as the sale of products and services. This means that any promotional, campaigning and fundraising activities of not-for-profit organisations are covered by the law on direct marketing (which is found in the Data Protection Act 1988 and the Privacy and Electronic Communication Regulations 2003).
- Care must be taken where communications contain any ‘marketing elements’, even if their main purpose is not marketing: these communications are still covered by the direct marketing rules. Charities should be particularly careful when confirming donations, for example by telephone, to ensure that these calls aren’t used to promote the charity’s work or to persuade the donor to give more money.
- Marketing lists must be screened against the Telephone Preference Service and organisations mustn’t make calls to any person registered with the service unless that person has specifically consented to receive marketing calls from that organisation. There is no exemption that applies to existing supporters.
- If a person has donated to a charity by text message, this does not mean that they have given their consent to be contacted by the charity for marketing purposes.
- Charities that want to share or sell their marketing lists must ensure that individuals are made aware of this when their personal details are collected, and given specific details of who their details will be passed on to. Consent cannot be inferred simply because the charity is sharing its marketing list with another body that has the same aims or objectives.
Further guidance and reform expected
We expect to see related guidance from ICO soon, including on privacy notices, buying and selling data, and collecting data for marketing purposes; we’ll publish further updates here. In the meantime, the European Commission has launched a consultation on the ePrivacy Directive, which may lead to further changes to the law governing electronic direct marketing. This consultation is open until 5 July.
If you’d like to discuss any of these issues – or any other area of data privacy law – please contact Giles Pratt.