Whether it’s Facebook in the hot seat over Cambridge Analytica or Messenger consents, or councils being fined for data breaches, barely an edition of the national press or legal news passes at the moment without at least one article about data privacy, data security and/or the General Data Protection Regulation (“GDPR”).
With only a month until the GDPR becomes enforceable, prudent organisations are gathering ever-increasing momentum in their review of data privacy policies and data handling processes. In the race for GDPR compliance, the legal requirements applicable to direct marketing activities (which comprise a wider range of statutes, regulations and voluntary codes of conduct) can often be overlooked or misunderstood.
Isn’t it all about GDPR?
When it comes to unsolicited direct marketing – No.
Direct marketing is subject to a number of rules and codes of practice, including the GDPR but also the Privacy and Electronic Communications Regulations (PECR):
- GDPR – Marketing databases and marketing communications, whether solicited or unsolicited, will be subject to the principles and requirements of the GDPR wherever personal data is processed. This requires all organisations processing personal data to ensure, amongst other things, that they have a lawful basis for that processing.
- PECR – These Regulations apply to electronic communications such as email, text, multimedia message and automated calls. They give people specific privacy rights in relation to electronic communications, and particular care must therefore be taken over unsolicited communications. Unfortunately, in the midst of GDPR preparations, organisations often overlook these Regulations.
When is marketing solicited or unsolicited?
If a client or prospective client specifically requests material, it will be solicited and PECR places no restriction on sending that marketing material (the GDPR still governs the personal data used to send it). Any contact which goes beyond providing the requested material, however, is unsolicited. For example, if a customer submits an online form requesting a quote, sending that quote to the customer is solicited marketing, but sending them further details of special offers, other products etc. would be unsolicited, even if the customer has ticked a box to opt in to receive marketing emails (the opt-in does not make the marketing solicited; it is the consent that makes the unsolicited marketing permissible).
What does this mean for my marketing?
Unsolicited direct marketing will be subject to PECR. The rules vary depending upon the mode of communication. For e-marketing, an organisation must have the individual's specific consent to receive its marketing communications. Whilst the GDPR recognises legitimate interests as a potential lawful basis for direct marketing, under PECR there are no alternative grounds (e.g. legitimate interest, contractual performance) which e-marketers can rely on to send e-marketing communications to individuals; apart from the limited existing-customer exception described below, there is only consent.
The required standard of consent under PECR will, going forward, mirror that in the GDPR. This means that consent must be informed, clear and specific, must relate to the mode(s) of communication in question (e.g. email AND/OR telephone AND/OR multimedia message), and must be given by positive communication or action. PECR does distinguish between marketing to companies or corporates and marketing to individuals (which includes sole traders and some partnerships), and there is a limited exception for existing customer contacts (the so-called ‘soft opt-in’). Depending on the mode of communication, marketing to companies or corporates (and their employees) may be permitted either without consent or on an opt-out basis. For example, emails to a company’s employees which include an ‘unsubscribe’ or opt-out option are permitted.
Consequently organisations engaging in e-marketing should:
- Provide clear and prominent consent methods: Unless an exception applies, opt-in consent should be used.
- Keep clear records: when, how and to what have recipients consented? Ensure the consent method used is appropriate for the mode of communication and the recipient (i.e. whether they are acting in an individual or corporate capacity).
- Remember that consent is not a ‘one-hit’ process: organisations should regularly refresh the consents that they hold.
- Be diligent when acquiring marketing lists from third parties: the requirement for specific consent means that buying in marketing lists for e-marketing purposes will be very difficult going forward.
- Comply with the GDPR and PECR: Organisations need to ensure they have both a lawful basis under GDPR for their use of marketing databases and ensure they satisfy the consent requirement under PECR for e-marketing. Consents which are valid for marketing purposes under PECR should not be assumed to be sufficient for the purposes of processing marketing data for the GDPR, and data controllers may need to rely on other grounds for processing marketing data beyond e-marketing.
- Include an opt-out option in all marketing communications.
What should I do now?
Alongside their GDPR preparations, organisations should review their marketing activities and consents in light of PECR, to ensure that they don’t breach one law in the process of preparing for the other, or overlook one in their earnestness to comply with the other. Organisations should also keep an eye on the legislative horizon. PECR is due to be replaced by the new ePrivacy Regulation: it was originally expected that this would apply from 25 May 2018, in line with the GDPR, but the government has confirmed that this has been delayed. It is unlikely, however, that the new regime will be less onerous than the existing, and often overlooked, regime.