Getting direct marketing right – New data protection guidance issued

Posted by Simon Stokes on
The UK's data protection regulator, the Information Commissioner's Office (ICO), has recently published guidance for organisations that engage in direct marketing – which the Data Protection Act 1998 (DPA) defines as:

"the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals."

All promotional material falls within this definition, including material promoting the aims of charities and other not-for-profit organisations. It covers any means of communication and is not limited to traditional forms of marketing such as telesales and mailshots. Indeed, the definition extends to online marketing, social networking and other emerging channels of communication.

It is the area of electronic marketing – email, SMS and via social networking that has received much recent attention from the ICO.

Organisations can easily fall foul of the complex rules here and for serious breaches ICO has taken recent enforcement action including imposing monetary penalties of £100,000 or more against two telesales companies. So the rules need to be taken seriously.

The law

Most direct marketing will involve the processing of personal data. So the DPA principles relating to lawful processing, collecting personal data for a specified purpose, and ensuring that personal data is accurate and up to date must be complied with if you intend to engage in direct marketing.

In addition the Privacy and Electronic Communications Regulations 2003 (PECR) compliment the DPA provisions and provide specific rules relating to marketing and advertising sent by electronic means, such as by telephone, fax, email, text, and picture or video message, or by using an automated calling system.

The ICO's top 8 tips to comply with the law

  • Generally organisations require consent in order to send marketing to individuals, or to pass on their details, and must demonstrate such consent was knowingly given. Use of opt-in boxes is advised;
  • Rules regarding calls, texts and emails are stricter than those imposed on mail marketing, and consent must be more specific. So for example getting consent for email marketing doesn't mean you have consent for SMS/text marketing;
  • Rigorous checks should be carried out by organisations intending to rely on indirect consent, whereby consent was originally given to a third party – for example where bought-in lists are used;
  • Organisations must not call any number listed on the Telephone Preference Service (TPS) without specific prior consent from the individual, and should only make live marketing calls to those not listed where it is fair to do so;
  • Making automated pre-recorded marketing calls and sending marketing texts or emails to individuals without specific prior consent is also not permitted. A limited 'soft opt-in' exception exists in the case of contact made with previous customers;
  • An organisation must not send marketing messages to any person who objects to or opts out of such marketing;
  • Bought-in call lists, which are not banned under the legislation, should nevertheless be screened against the TPS; and.
  • Bought-in lists are in any case likely to be ineffective where they are intended for text, email or automated call campaigns, as those marketing methods require very specific consent.

Risks of non-compliance

The ICO wants to reduce the number of complaints it receives in relation to unwanted direct marketing. It has stressed that any breach of the DPA or PECR by an organisation could result in an enforcement notice being issued, requiring the organisation to take remedial action (failure to comply constitutes a criminal offence).

The ICO can also impose fines of up to £500,000 for a serious breach. Examples of circumstances in which it would impose such monetary penalties include where an organisation persistently ignores people's objections to marketing calls or texts, sends mass texts without consent, or fails to screen its call list against the TPS.

Helpful checklist

The ICO has also issued a useful checklist for those who engage in direct marketing.

About the Author

Simon is experienced in data protection including compliance, trans-border data flows, privacy policies, cookie laws, cloud services and international issues. His experience includes advising clients in the financial services sector on trans-border privacy issues including relating to the cloud and advising clients on processing data for marketing purposes. He also advises on the IP protection and licensing of data and databases.

Simon Stokes
Email Simon
020 7814 5482

View Profile