
New ICO guidance on how to comply with PECR

Thursday 17 November 2022

In October, the Information Commissioner’s Office (ICO) received 4,772 complaints from the public about the receipt of direct marketing.

Direct marketing, which under the Data Protection Act 2018 includes all “communications (by whatever means) of advertising or marketing material which is directed to particular individuals”, is often an area where companies fall foul of the rules. Getting it wrong can reduce trust in the organisation’s brand and can potentially lead to enforcement action by the ICO. The majority of ICO enforcement actions are against organisations which have breached the direct marketing rules, with the ICO recently taking action against Easylife Limited, which was fined £130,000 for breaching the rules under the Privacy and Electronic Communications Regulations 2003 (PECR).

The ICO has now published two new sets of detailed guidance on how to comply with the rules under PECR.

The guidance on direct marketing using electronic mail explains essential terminology and the relationship between PECR and data protection regimes. The upgrade to the guidance is in step with the ICO’s stated objective to help and empower organisations to comply with their legal obligations.

What are the PECR rules?

PECR sits alongside the data protection regime, with both aiming to protect people’s privacy. The PECR rules apply to “individual subscribers”, which includes individual customers, sole traders and some types of partnerships. The same rules would not apply to corporate subscribers, for example limited companies, Scottish partnerships and some government bodies.

The PECR rules apply to anyone who wishes to send unsolicited messages by electronic mail for the purposes of direct marketing. Electronic mail covers emails, text (SMS) messages, picture or video messages, voicemail messages, in-app messages, and also includes direct messaging on social media.

It is the sender or the instigator who has responsibility for complying with the rules. There is no official definition of “instigator”, but this will usually be any person who asks another to send an email on their behalf.

You can only send direct marketing by electronic mail if you either have the recipient’s consent or you can meet all of the requirements of the “soft opt-in” under PECR.

Consent

The guidance document details what consent is and how consent should be used to send marketing by electronic mail. The main things to remember in relation to consent are the following:

  • You must give people a free choice to consent so they can refuse without detriment.
  • You must make it clear that consent covers your electronic marketing messages and you must give your name in the consent request.
  • You must have no doubt that they are consenting to your electronic mail marketing.
  • They must take a positive action to consent, so you must not use pre-ticked opt-in boxes, silence or inactivity.

You should also keep a record of the consent so that you can demonstrate its validity and you must make it easy for people to withdraw their consent.

Soft opt-in

In order to use the soft opt-in to send direct marketing by electronic mail, you must meet all of its requirements, which can be broken down into five elements:

  • You must obtain the contact details directly from the person to whom you want to send the marketing. If someone else has obtained the contact details, then you cannot rely on the soft opt-in to send direct marketing.
  • You must have obtained the contact details in the course of a sale or negotiation of a sale of a product or a service. The person to whom you want to send direct marketing must have actively expressed an interest in buying your products or services.
  • You are marketing your similar products and services in the direct marketing that you want to send.
  • You provided an opportunity to refuse or opt-out when you collected the details. You must give a clear opportunity to opt-out of your direct marketing when you first collect the details.
  • You must provide an opportunity to refuse or opt-out in every subsequent communication and you must make it simple for them to change their mind.

Organisations which fail to make use of the new guidance and fail to comply are warned by the ICO that they face the prospect of robust action. Given that the majority of the fines which are issued by the ICO are for PECR breaches, organisations must ensure compliance with the guidance and the regulations.

You can read the guidance document here. If you have any questions on compliance with PECR or the guidance document from the ICO, please contact Eleanore Beard in our Data Protection team.
