A hefty fine imposed by the UK privacy regulator, the Information Commissioner’s Office (“ICO”), on DM Design, a Scottish company supplying fitted kitchens, has been widely reported in the media.
The company was fined £90,000 for breaches of rules relating to direct marketing under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (“Privacy Regulations”). The company reportedly made repeated unsolicited direct marketing calls to the public (known as “cold-calling”), consistently failing, in breach of the law, to check the Telephone Preference Service (TPS) to ascertain whether individuals or corporations had chosen to opt out of receiving such marketing calls. It also failed to respond to a large number of the complaints it received from members of the public and ignored requests from individuals to refrain from making such calls.
The ICO has announced that it is intending to impose significant financial penalties against two other companies over breaches of the law. A further ten companies are also being investigated in relation to cold-calling and sending marketing spam text messages.
These cases demonstrate the steady increase in enforcement action by the ICO that is likely to continue going forward. This note provides a reminder of the privacy rules that apply in the UK in relation to direct marketing.
The Right to Opt Out of Receiving Direct Marketing Communications
Direct marketing consists of advertising or marketing communications, including market research requests, that are directed to particular individuals or companies. Such communications are often unsolicited and include communications sent by email, telephone, post and/or fax.
The main legislation in the UK relating to direct marketing is the Data Protection Act 1998 (“DPA”) and the Privacy Regulations. Both instruments derive from European Union directives and similar (often stricter) rules apply throughout the European Union.
The DPA governs the use of personal data (data relating to individuals) and, amongst other things, provides for the right of individuals to notify any person holding their data that they object to the use of their personal data for marketing purposes. This right applies to marketing by whatever means, and so covers a wide range of communications, such as post, fax, telephone and emails.
The DPA only protects personal data of individuals. Accordingly, the provisions of the Act relating to use of personal data for unsolicited direct marketing purposes do not apply to marketing communications directed at legal entities. Similarly, the right to object to direct marketing communications does not apply to unsolicited postal communications which are addressed to “the occupier” of a premises, rather than an individual.
The right to object to the use of personal data for direct marketing purposes can be exercised by individuals at any time, even where the individual had previously given express consent to receiving direct marketing communications. This rule is known as the right to “opt-out”.
It is important to bear in mind that even without receiving an express notice from an individual objecting to the use of personal data for direct marketing purposes, the use of personal data for marketing purposes is subject to the general provisions of the DPA relating to the collection and use of personal data. The use of personal data for marketing purposes may not necessarily be in accordance with the law, even if an ‘opt-out’ notice was not received.
The Rules Against Unsolicited Marketing Communications Through Electronic Means
The Privacy Regulations apply to direct marketing through electronic communication systems, which includes communications by telephone, fax and email. Unlike the DPA, the Privacy Regulations protect both individuals and legal entities (although in some respects they are treated differently). The emphasis is not on the use of personal data, but rather on the use (or abuse) of electronic communication systems.
The Privacy Regulations distinguish between different forms of electronic communications.
Automatic calls (where the marketing message is pre-recorded and the call is made through automatic means) are banned outright. The only exception is where the telephone line subscriber had previously notified the caller that for the time being he consents to the automatic calls being made (and as long as such consent is not withdrawn).
In relation to non-automated calls, there are preference services where individuals and companies can register their choice to ‘opt-out’ from receiving direct marketing communications. It is mandatory for marketers to check the register of the telephone preference service against their calling lists and it is a breach of the law to make direct calls to individuals or companies that have registered their ‘opt-out’ through the preference service. In addition, it is unlawful to make unsolicited calls to a subscriber (whether individual or corporation) who has notified the marketer of his objection to receiving such calls. The fine imposed against the Scottish fitted kitchens company, DM Design, was for breaches of these rules.
The rules on the use of fax for unsolicited marketing communications are similar to the rules applying to unsolicited telephone calls, except that the legislation prohibits the sending of any unsolicited marketing communications by fax to individual subscribers (unless the subscriber had previously notified the marketer that he consents to such faxes being sent to his number, as long as such consent is not withdrawn). In other words, only companies need to register an ‘opt-out’ in relation to fax communications.
Unsolicited marketing communications by email are unlawful if sent to individuals, unless they gave their consent in advance. Companies do not enjoy that protection, although a promotional email sent to the corporate email account of an individual may well be regarded as a marketing communication to the individual.
This rule is subject to the "soft opt-in" exception, which applies where the sender obtained the email address in connection with the sale of goods or services to the recipient of the message. In such cases, unsolicited marketing communications by email are permitted if the message relates to similar goods or services. The ‘soft opt-in’ is also subject to the right of the recipient to notify the sender that it wishes to ‘opt-out’ of receiving such communications. There are also requirements to offer the ‘opt-out’ to the recipient at different stages.
Although not mandatory, it is also good practice for direct marketing companies to check the email preference service and the mail preference service.
New CAP Code Rules for Online Behavioural Advertising
The Committee of Advertising Practice (“CAP”), part of the Advertising Standards Authority in the UK, is responsible for the creation and enforcement of the CAP code. Although the code is voluntary, the Advertising Standards Authority, which administers it, can refuse advertising space and membership of a trade association to direct marketers who fail to comply with the CAP code.
In March 2013, the Advertising Standards Authority adopted new rules concerning the implementation of the EU framework for online behavioural advertising (“OBA”). OBA is the practice by which online advertising is directed to internet users in accordance with various data (such as website browsing history) that can be collected from users and stored through cookies, through the user’s IP address and by other technical means.
The OBA rules are contained in a new Appendix 3 to the CAP code. The code requires that internet users must be notified of the collection of their data and must be given the option and opportunity to ‘opt out’ of both the collection of their data and the targeted advertising based on it. The 'opt-out' must be available in conjunction with every advertisement served.
The new CAP code rules apply where an operator collects data from a particular user’s computer based on the browsing by the user of various websites not controlled by the operator. The rules do not apply where the data is collected only from websites controlled by the operator. Accordingly, for instance, the rules would not apply to an online retailer that collects user data on its own site in order to use it to direct advertising on its website. Equally, they do not apply to a website that channels advertising to users based on the data collected on that site (for instance, the users’ browsing history within that particular website).
Where online behavioural advertising is concerned, it is important to take into account the rules on the use of "cookies" in addition to the new CAP code rules. The rules on ‘cookies’ are part of the Privacy Regulations and apply across the European Union.
‘Cookies’ are small text files that can be placed (automatically) on a user’s browser, and the information contained in the 'cookie' can subsequently be read by the same or any other website. This allows the tracking of browsing history and any other information that is stored during the user’s use of a website. Most OBA systems rely on the use of 'cookies' (although other techniques exist).
European Union legislation (implemented through the Privacy Regulations) requires a person wishing to place a 'cookie' on a user’s computer (or browser), or to read such information, to first obtain the user’s consent. It is debatable what form such consent must take and it is currently common practice for many website operators and online service providers in the UK to rely on general notices displayed on websites to establish “implied consent”. Some websites prompt the users to confirm their agreement for the use of the 'cookie', others require only confirmation that the notice was read and some do not require any user confirmation. These practices are yet to be tested in the courts and what would be sufficient to establish ‘implied consent’ (assuming this is sufficient to meet the legal requirement) is still unknown.
Things to Look Out For
Failure to comply with the DPA and the Privacy Regulations and the law relating to cold-calling can lead to significant financial penalties being imposed. The ICO has the power to impose penalties of up to £500,000 and the telecoms regulator Ofcom can issue penalties of up to £2 million for breaches of the rules relating to abandoned and silent calls.
In summary, a company that carries out direct marketing should consider:
- whether the user’s prior consent is required;
- whether ‘soft opt-in’ potentially applies to the communication;
- whether the recipient notified the company of his or her objection to receiving such communications;
- whether the marketing list was checked against the preference services;
- whether it is engaged in online behavioural advertising and if so whether its practices are in line with the ‘cookies’ rules and with the new CAP code rules relating to OBA; and
- whether the company has in place systems and controls to keep track of consents, 'opt-out' and 'opt-in' notices from customers and potential customers and to ensure that the necessary checks are being made before making or sending marketing communications by post, telephone, fax or email.
Trainee Solicitor Lucy Johnson Cameron provided significant assistance in the creation of this update.