The Information Commissioner’s Office (ICO), the UK’s independent authority set up to uphold information rights in the public interest, published its new direct marketing guidance on Thursday 24 March.
The importance of the new guidance was underlined by the penalties associated with it. Notably, the Minister for Intellectual Property, Baroness Neville-Rolfe, has already suggested that the guidance may be written into statute in order to give it teeth in the Courts. The ICO has also stated that it will consider using its enforcement powers, including the power to issue a maximum fine of £500,000, where an organisation either repeatedly ignores the guidance and the law or receives significant consumer complaints and objections to its marketing.
The new guidance focuses on explaining the rules on direct marketing set out in the Data Protection Act 1998 (DPA) and the EC Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). Both the DPA and PECR restrict the way organisations can carry out unsolicited direct marketing, i.e. marketing that is not requested by consumers.
“the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals”.
Direct marketing covers the promotion of ideas, goals and objectives, for example the messages which might be promoted by charities, as well as by companies which are selling a product or service. However, there are different rules for different mediums of communication, and companies must therefore take this into account when producing their media messages, emails or postal marketing. The rules on calls, texts and email are stricter than those relating to postal communications. A key focus of the guidance is the ‘opt in’ rules which organisations must follow when presenting marketing options to consumers.
Under the DPA, if an organisation knows the name of the person it is contacting for marketing purposes, it must comply with the principles set out in the legislation. These include a requirement to treat the personal data fairly and lawfully, meaning that the individual must know that their information could be used for marketing purposes. A person must also be aware of whether that data will be shared or sold on to third parties, something which will generally require that person’s consent. The DPA also requires that, where an organisation seeks these preferences from its clients, they are kept up to date; failure to do so could result in a breach. Importantly, Section 11 of the DPA also gives individuals the right to give, at any time, written notice to an organisation to stop (or not to begin) using their details for direct marketing. The organisation does not have to reply, but the guidance reiterates that it is good practice for it to respond to a consumer indicating that the marketing will stop.
The PECR specifically sets out more detailed privacy rules in relation to electronic communications, particularly where these are unsolicited. However, the ICO guidance is also clear that the PECR and DPA rules are designed to be complementary. The PECR will also apply to calls and texts which try to generate marketing, even if the first message or communication does not in itself contain any such information. The ICO highlights that the PECR is broader than the DPA in that, even if the organisation does not know the name of the person it is contacting (i.e. their personal data), the PECR will still apply.
The new ICO guidance goes into full detail and gives worked examples on the areas set out above, and is a must-read for organisations using direct marketing in the United Kingdom. A full link is included here.