The UK data protection authority, the Information Commissioner’s Office (ICO), has published new guidance, an accompanying checklist, and an at-a-glance guide to help organisations understand the rules governing direct marketing under the Data Protection Act 1988 (DPA) and the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (PECR).
The ICO guidance attempts to clarify what counts as direct marketing under the DPA, interpreting it as any communication of unsolicited commercial material targeted at a named individual, such as material that promotes an organisation’s aims and ideals, including market research for marketing purposes or communications aimed at generating marketing leads.
Consent is a key concept in the context of direct marketing. The ICO advises that the use of ‘opt-in’ boxes is best practice for seeking explicit consent from individuals to direct marketing from a specific organisation. The ICO also recommends keeping clear records of the date on which, the method by which and the purpose for which consent was given, in case of an audit. Due diligence should be undertaken when relying on indirect third-party consent from bought-in mailing lists, to ensure that adequate consent has been obtained and can be relied upon. The ICO also stressed individuals’ right to opt out at any time, with an organisation then obliged to cease further direct marketing within 28 days for electronic communications, or two months for postal communications.
The checklist addresses the various methods of direct marketing by outlining the different types of consent:
- Postal Mail: Individuals may be contacted unless registered on the Mail Preference Service (MPS)
- Unsolicited Calls: Individuals may be contacted unless on the Telephone Preference Service (TPS) or Corporate Telephone Preference Service (CTPS)
- Automated Calls: Only those individuals who have given specific consent may be contacted
- Fax: Individuals and organisations may be contacted unless registered on the Fax Preference Service (FPS)
- Texts, emails, electronic mail or voicemail: Individuals may only be contacted if they have given specific consent and have not subsequently exercised their right to opt out
The ICO recently stepped up its enforcement of direct marketing activities that fall foul of the DPA or PECR, with fines against organisations totalling several hundred thousand pounds. Organisations should take heed of the ICO’s guidance to avoid facing monetary penalty notices of up to £500,000.