In Ireland Data Protection law imposes strict obligations on the use of personal data for direct marketing. Direct marketing involves a person being targeted as an individual, and the marketer attempting to promote a product or service, or attempting to get the person to request additional information about a product or service. Under Irish law direct marketing is defined as“direct mailing other than direct mailing carried out in the course of political activities by a political party or its members, or a body established by or under statute or a candidate of election to or a holder of, elective political office”
An individual must be given a right to refuse their personal data to be used for direct marketing purposes, both at the time the data is collected (an "opt-out") and, in the case of direct marketing by electronic means, on every subsequent marketing message. The "opt-out" right must be free of charge. You must also make clear who you are and where you obtained the individual's personal data (where this is not obvious).
Customers should be given a choice as to whether or not they wish to receive direct mail. This information must be included on the website and at every point where data is captured on a website such as on log-in pages or online registration forms
Be careful when you have access to a customer’s email address and comply with the conditions
Where you have obtained contact details in the context of the sale of a product or service, you may only use these details for direct marketing by electronic mail if certain conditions are met. Also note that organisations must provide their commercial nature and identity on any communication sent and the recipient should understand how they can make a choice regarding whether they wish to continue to receive direct mailings.
Pay attention to your cookies
Insert a tabulated explanation for Third Party Cookies
Where third party cookies are being used, it is not sufficient to simply refer the user to third party websites. In such situations or where there are many cookies being created or read by the site (or its partners) the DPC recommends the inclusion in the Cookies Statement of a tabulated explanation of all cookies with the following details:
- A description of their purpose
- Their expiry dates
- Links to advertising networks’ opt – out mechanism for third party cookies.
Enforcement lessons from across the water
It is worth considering the approach of the ICO across the water and how they approach the regulation of marketing calls, texts and emails. In a recent case the Commissioner was satisfied that a company had instigated the sending of automated marketing calls to subscribers without their prior consent. The Commissioner was also satisfied that the Company did not identify itself as the person who was sending or instigating the automated marketing calls or provide an address or a telephone number on which it could be reached free of charge. The Company said the calls were made by a third party firm that had informed them their list was screened for consent. The company was hit with a £175,000 fine. By contrast in Ireland two companies were ordered to pay sums of money to charity in lieu of convictions after they were prosecuted for email marketing offences. It will be interesting to see what enforcement action would be taken in similar factual circumstances to the recent case in UK.
The ICO has recently published updated guidance (a key document in the UK) both as a guide to how organisations can make sure that marketing calls and texts are made in line with the law, and to inform the ICO’s enforcement activity. In view of the hefty fines recently imposed by the ICO it is worth a read. Helpfully the updated guidance gives more direction around third party consent which makes it clearer than ever that phrases like “are you happy to receive marketing from selected third parties” will rarely be likely to demonstrate the law is being followed.