The Information Commissioner has published updated guidance on the use of direct marketing, giving more direction on what constitutes valid consent.
What’s the issue?
The ICO provides guidance on the rules around sending direct marketing materials under the Data Protection Act 1998 and the Privacy and Electronic Communication Regulations (PECR). It was originally published in 2013, since when there have been calls for further clarification, particularly in relation to the role of consent. In addition, in the wake of the scandals around the use of direct marketing by not-for-profit organisations, the ICO had promised a revised version of the guidance.
What’s the development?
The ICO has now published updated guidance on use of direct marketing.
In terms of what’s new, the ICO says the guidance gives:
- more direction around “indirect” or third party consent – the ICO says that indirect consent is insufficient for texts, emails or automated calls due to the stricter rules on electronic marketing under PECR which require that the sender of the message obtains consent. However, indirect consent may be acceptable under certain circumstances where it is sufficiently clear and specific. In essence, the customer must have anticipated their details would be passed to the organisation in question, for example, where the third party organisation was specifically named or where the class of third parties to whom personal data might be transferred was sufficiently well defined. A customer is unlikely to consent to unlimited marketing calls or texts from anyone, says the ICO, so the question is what the customer would reasonably expect given the context. If the third party marketing content is different from the type of content in relation to which the consent was originally obtained, it is unlikely to be valid under PECR;
the ICO also says that the fact that consent does not last indefinitely is even more important in relation to third party consent and reminds organisations that consent to pass personal data to third parties is a one-step process so that A may get consent to pass data to B but that will not allow B to pass data to C;
organisations should make rigorous checks as to how and when consent was obtained, by whom and what the customer was told. They should not rely on assurances that consent was properly obtained but should conduct their own due diligence. Where consent was generic, it will be very difficult to show it was specific enough for calls, texts or emails. And, at the very least, any promotion sent e.g. by mail must be consistent with the context in which consent was given and aimed at a similar market;
- information about what constitutes “freely given” consent – it is not acceptable to ‘over-incentivise’ someone for giving consent to receiving direct marketing materials, nor to make it a condition of receiving products or services; and
- a greater focus on scenarios involving not-for-profit organisations – a reminder that they have to follow the same rules as other organisations in the wake of the high profile scandals involving the marketing practices of some not-for-profits.
What does this mean for you?
The revised guidance is particularly relevant to those seeking to rely on third party or indirect consent. The increased focus on the role of consent in direct marketing in the guidance will be be helpful for many organisations. The ICO acknowledges, however, that most of the guidance will be familiar and says it has deliberately not not issued sector specific guidance, nor is it possible to give definitive answers to all questions as each case will be specific on its facts.
The ICO is lobbying to have the guidance issued as a Code of Practice which would give it statutory recognition and allow it to be considered by the courts but, for now, it remains a useful indicator as to the kind of behaviours that would trigger enforcement action by the ICO who has been on something of a crusade against companies sending nuisance marketing recently.