In the wake of recent enforcement action against two Swansea-based firms, which led to the city being dubbed the "UK's cold call capital", the ICO has issued updated direct marketing guidance in an effort to help firms better comply with the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the "PECRs") in their marketing activities.
The updated guidance was announced at the ICO's recent annual conference and follows a year that saw high-profile enforcement action against several charities. This enforcement activity has led to a greater focus in the updated guidance on not-for-profit organisations. The updated guidance also provides more direction around the issue of third-party consent and consent in general.
Given that most readers will be familiar with the previous guidance, I will focus here on the key changes introduced in the updated guidance, which are also summarised in a blog published by the ICO:
1. Focus on not-for-profit sector
The most notable addition in the updated guidance is sector-specific advice for charities and other not-for-profit organisations. Charities, despite their not-for-profit status, are still required to comply with the PECRs in their marketing activities, and the updated guidance seeks to make this clearer with more tailored advice and sector-specific examples. The updated guidance sets out that "direct marketing is not limited to advertising goods or services for sale. It also includes promoting an organisation's aims and ideals". This brings squarely under the remit of the PECRs the activities of, for example, charities and political parties.
Amongst other things, the updated guidance makes clear to not-for-profit organisations that:
- The "definition of direct marketing will cover any messages that contain marketing elements even if this is not the main purpose of the message", meaning that charities will need to be careful that administrative communications do not contain anything that may be deemed marketing, to avoid those communications becoming subject to the PECRs;
- They will need to screen against the Telephone Preference Service when undertaking telephone campaigns;
- They need to obtain clear specific consent for electronic marketing, for example to send further marketing to a supporter following a donation by text message. The donation does not constitute consent for the charity to make use of the contact details provided by the supporter to contact them about future campaigns; and
- They will need to obtain specific consent to share or sell their marketing lists with other organisations. The updated guidance makes it clear that "consent cannot be inferred from supporters just because a marketing list is to be shared with or sold to an organisation which has similar aims/objectives to the originating organisation".
Despite the focus of the additions to the updated guidance being on the not-for-profit sector, the guidance provided is of more general use and applicability and serves as a useful reminder of what activities will be caught by the PECRs and how best an organisation can comply with them.
2. Third party consent
Another area that has received particular attention is the guidance in respect of obtaining consent for direct marketing activities where such consent is given to a third party; this is sometimes called "indirect consent" or "third party consent". We have previously reported on the Information Tribunal's consideration of this issue in the case of Optical Express (Westfield) Ltd v Information Commissioner in January of last year. The Tribunal's decision implied that, in order for a direct marketing consent to be valid when provided via a third party, it should identify the ultimate sender.
At its annual conference the ICO indicated that it would not go as far as to require that each individual sender be identified. However, the updated guidance does require data controllers who propose to share their marketing lists to move away from vague statements such as "we may share your data with selected third parties", now requiring them to make very specific references to groups of third parties.
The guidance also applies to organisations that have bought in marketing lists. As the organisation will not previously have had contact with the customers on a bought-in marketing list, it will not have received direct consent to market to them. Even where the seller of the list claims to have received consent for customers to receive marketing from third party organisations, the guidance makes clear that this consent may not be valid for marketing by electronic means.
The PECRs require that "the customer has notified the sender that they consent to messages from them", which in most cases would not be met by indirect consent. To be valid in these circumstances, when providing consent the customer must have "anticipated that their details would be passed to the organisation in question, and that they were consenting to messages from that organisation", which would be satisfied, for example, by specifically naming the third party or by clearly describing precise and defined categories of organisations. By way of example, the ICO advised that it would not be sufficient to refer to sharing data with "other charities". To be valid, the consent would need to identify the specific sector in which those charities operated.
Therefore, both organisations who share marketing lists and those who purchase them are advised to review their marketing consents and procedures to ensure they are compliant. Those organisations who wish to continue sharing marketing lists in compliance with the PECRs should ensure their privacy notices are sufficiently clear and precise and that they only share their lists with organisations that are either expressly listed or would clearly fall within precisely defined categories. However, it will be the ultimate responsibility of the third party using the marketing list to ensure it has adequate and necessary consents. It should therefore perform rigorous checks as to how and when consent was obtained and by whom, and what the customer was told. The updated guidance clearly shows that it is not acceptable to rely on "assurances of indirect consent without undertaking proper due diligence". Once a third party is satisfied adequate consent has been obtained, it should then also ensure any marketing carried out is consistent with that consent.
3. How consent may be given
As well as revisiting its guidance around third party consent, the ICO has also provided more detail as to what it means for a data subject to give consent. As before, the guidance states that "to be valid, consent must be knowingly given, clear and specific" and also refers to the definition of consent set out in the European Directive 95/46/EC, which describes it as "any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed".
However, the updated guidance goes into greater detail as to what it considers "freely given" to mean. In order for consent to be considered freely given the data subject must have a "genuine choice" as to whether or not to consent to the marketing. The ICO's Steve Woods set out in his blog on the updated guidance that this means "it isn't within the law to unduly incentivise people to give their consent to marketing". Data subjects should also not be penalised for refusing to provide their consent and generally it will not be compliant to require consent to marketing as a condition of subscribing to a service.
Organisations should therefore review their marketing consents and processes to ensure that the consent they obtain from their customers meets the requirements set out in the updated guidance and in particular that their customers are not required to receive marketing communications in order to receive any service or useful information related to it.
The ICO's blog on the updated guidance also refers to the statement made by Baroness Neville-Rolfe at the recent Direct Marketing Association Data Protection Conference, in which she supported the proposal to issue the direct marketing guidance as a Code of Practice, with specific statutory recognition. This would allow it to be considered by the courts and would give its requirements greater authority in the enforcement of the PECRs. Although this would require legislative change and a full consultation before going before Parliament, it clearly signals the ICO's intentions in relation to the oversight of direct marketing activities.
The ICO's blog also mentions that it is working on further new guidance to help organisations undertaking direct marketing comply with the data protection legislation, including: an updated Privacy Notices Code, a checklist for selling and buying marketing data, and standard wording for organisations to use when collecting personal data for marketing purposes.