Information Commissioner's Office

Direct marketing

Data Protection Act
Privacy and Electronic Communications Regulations

Contents

Introduction
Overview
Legal framework
  Data Protection Act
  Privacy and Electronic Communications Regulations
  Other regulation
ICO enforcement
Direct marketing
  The definition of direct marketing
  Market research and 'sugging'
  Charities, political parties and other not-for-profit organisations
Solicited and unsolicited marketing
Consent
  The definition of consent
  Implied consent
  Methods of obtaining consent
  Opt-in and opt-out boxes
  Indirect (third party) consent
  Time limits
  Proof of consent
Marketing calls
  General rule: screen live calls against the TPS
  Fairness
  The right to opt out
  Automated calls
  Business-to-business calls
Marketing texts and emails
  General rule: only with consent
  Existing customers: the 'soft opt-in'
  The right to opt out
  Business-to-business texts and emails

Direct marketing 20180306 Version: 2.3

Other types of direct marketing
  Marketing faxes
  Marketing online
  Marketing mail
Lead generation and marketing lists
  Generating leads
  Selling a marketing list
  Buying a marketing list
  In-house marketing lists
  Suppression
Other considerations
More information

Introduction

This guidance has been updated to include 'GDPR update' boxes. These updates signpost key differences in the new data protection regime that will affect those wanting to conduct direct marketing from 25 May 2018 onwards, and link to new sources of relevant GDPR guidance.

This guidance was produced under the Data Protection Act 1998. We have since consulted on a draft marketing code of practice.

For more information on the GDPR, see our Guide to the GDPR.

1. The Data Protection Act 1998 (the DPA) is based around eight principles of good information handling. These give people specific rights in relation to their personal information and place certain obligations on those organisations that are responsible for processing it.

2. The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) provide rules about sending marketing and advertising by electronic means, such as by telephone, fax, email, text and picture or video message, or by using an automated calling system. PECR also include other rules relating to cookies, telephone directories, traffic data, location data and security breaches.

3. An overview of the main provisions of the DPA and PECR can be found in The Guide to Data Protection and The Guide to the Privacy and Electronic Communications Regulations.

4. This is part of a series of guidance, which goes into more detail than the Guides, to help organisations to fully understand their obligations and to promote good practice.

5. This guidance explains the DPA and PECR rules on direct marketing - with a focus on calls and texts to individuals - and how this affects lead generation and the use of marketing lists. It will help responsible organisations to keep within the law and maintain a good reputation with customers, and sets out what enforcement action the ICO can take against those who ignore the rules.

6. This guidance can be read end-to-end for a full discussion of the issues, but it does not have to be used in that way. It has been designed so that organisations can dip in and out as necessary, using the links in the contents page to go directly to particular issues of concern. The text of each section will provide further links to other relevant parts of the guidance.

7. The guidance starts with a broad overview of the law, then contains separate sections on what counts as direct marketing, what counts as consent, the specific rules on calls and texts, and the use of marketing lists. We have also published a separate direct marketing checklist (pdf) to help organisations comply with the law and good practice.

Overview

GDPR Update

A definition of direct marketing is contained within the DP Bill and is likely to be similar to the definition in the Data Protection Act 1998 (the 1998 Act).

The GDPR definition of consent is similar to the 1998 Act, but is clearer that consent must be unambiguous and involve an affirmative action. There is also more detail on the level of detail and control individuals must have.

An unambiguous affirmative action requires a positive opt-in. Don't use pre-ticked boxes or any other method of consent by default.

Any third party controllers who will rely on the consent must be named - listing categories of organisation will not give valid third party consent.

The GDPR contains substantial fines for failing to comply with its requirements, including fines of up to €20 million, or 4% of your total worldwide annual turnover, whichever is higher.

Direct marketing covers the promotion of aims and ideals as well as the sale of products and services. This means that the rules will cover not only commercial organisations but also not-for-profit organisations (eg charities, political parties etc).

In many cases organisations will need consent to send people marketing, or to pass their details on. Organisations will need to be able to demonstrate that consent was knowingly and freely given, clear and specific, and should keep clear records of consent. The ICO recommends that opt-in boxes are used.

The rules on calls, texts and emails are stricter than those on mail marketing, and consent must be more specific. Organisations should not take a one-size-fits-all approach.

Organisations can make live marketing calls to numbers not registered with the TPS, if it is fair to do so. But they must not call any number on the TPS list without specific prior consent.

Organisations must not make any automated pre-recorded marketing calls without specific prior consent.

Organisations making marketing calls must allow their number (or an alternative contact number) to be displayed to the person receiving the call.

Organisations must not send marketing texts or emails to individuals without their specific prior consent. There is a limited exception for previous customers, known as the soft opt-in.

Organisations must stop sending marketing messages to any person who objects or opts out of receiving them.

Organisations must carry out rigorous checks before relying on indirect consent (ie consent originally given to a third party). Indirect consent is highly unlikely to be valid for calls, texts or emails.

Neither the DPA nor PECR ban the use of marketing lists, but organisations must take steps to ensure a list was compiled fairly and accurately reflects people's wishes. Bought-in call lists should be screened against the TPS. It will be very difficult to use bought-in lists for text, email, or automated call campaigns as these require very specific consent (either where the specific organisation is named or it is within a precisely defined category of organisation).

The ICO will consider using its enforcement powers, including the power to issue a fine of up to £500,000, where an organisation persistently ignores individuals' objections to marketing or otherwise fails to comply with the law.

Our direct marketing checklist can help organisations to comply.

Legal framework

8. The DPA and PECR both restrict the way organisations can carry out unsolicited direct marketing (that is, direct marketing that has not specifically been asked for).

9. This guidance focuses primarily on these DPA and PECR rules on direct marketing. However, direct marketing can engage a wide range of other regulatory and conduct issues. Organisations should ensure they are also familiar with other relevant laws and industry codes of practice. See the section below on other regulation for more information.

Data Protection Act

GDPR Update

The 1998 Act will be superseded by the new Data Protection Act 2018 (as supplemented by the GDPR) on 25 May 2018. See our Guide to the GDPR for further information.

10. If direct marketing involves the processing of personal data (in simple terms, if the organisation knows the name of the person it is contacting), it must comply with the principles set out in the DPA. The most relevant principles here are:

The first principle: organisations must process personal data fairly and lawfully. In particular, they will usually need to tell the individuals concerned who they are and that they plan to use those details for marketing purposes - see the Privacy notices code of practice for more guidance on this area. Organisations will also need to tell people if they plan to pass those details on to anyone else, including selling or sharing the data for marketing purposes, and are likely to need their consent to do so. Organisations must not do anything that people would not reasonably expect or which would cause them unjustified harm.

The second principle: organisations must only collect personal data for specified purposes, and cannot later decide to use it for other 'incompatible' purposes. So they cannot use people's details for marketing purposes if they originally collected them for an entirely different purpose.

The fourth principle: organisations must ensure that personal data is accurate and, where necessary, kept up to date. So a marketing list which is out of date, or which does not accurately record people's marketing preferences, could breach the DPA.

11. Section 11 of the DPA also gives individuals the right to prevent their personal data being processed for direct marketing. An individual can, at any time, give written notice to stop (or not to begin) using their details for direct marketing. In other
