Direct Marketing Rules

Transcription

1 Direct Marketing Rules Is your business compliant? June 2016

2 Our expertise Banking & Finance Charities Commercial Construction Corporate Corporate Tax Disputes Employment Family & Matrimonial Immigration Information Law Insolvency & Restructuring IP, Technology & Media Planning Real Estate Trusts Estates & Private Client This information is offered on the basis that it is a general guide only and not a substitute for legal advice. We cannot accept any responsibility for any liabilities of any kind incurred in reliance on this information.

3 Direct Marketing Rules: Is your business compliant? In last month s Queen s Speech it was announced that the new Digital Economy Bill will increase the ICO s power to fine companies for sending promotional s to consumers where they have not obtained their specific consent to do so. The ICO has also set out a stricter approach to the rules about obtaining marketing consents in its latest guidance. In this Focus, we summarise the key direct marketing rules that apply in the UK together with the practical steps that organisations can take to comply with them. The rules and penalties Definition of direct marketing Direct marketing law is harmonised across the EU by European Directives. These rules have been incorporated into UK law through national legislation such as the Data Protection Act 1998 ( DPA ) which protects the privacy rights of individuals, and the Privacy and Electronic Communications Regulations 2003 ( PECR ) which regulates direct marketing conducted by electronic means such as telephone calling, fax, and SMS. At present the UK regulator, the Information Commissioner s Office ( ICO ), is able to issue public enforcement notices as well as issue fines of up to 500,000 against organisations that breach the direct marketing rules. When the EU General Data Protection Regulation ( GDPR ) comes into effect in spring 2018, the maximum fine that can be issued for a breach will increase to 20,000,000. Of course compliance is not just about avoiding financial penalties. By adhering to the rules organisations can demonstrate that they take individuals privacy seriously and strengthen their reputation as an organisation that consumers can trust. The DPA defines direct marketing broadly as the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals. Therefore, communications to companies are generally excluded from the scope of the rules. It should also be noted that the term marketing covers the promotion of aims and ideals as well as the sale of products and services. This means that the rules apply not only to commercial organisations but also to not-for-profit organisations (e.g. charities, political parties etc). Key types of direct marketing are: marketing by post automated calling systems telephone marketing s and texts Direct Marketing Rules June

4 For all types: honouring opt out requests The DPA gives individuals the right to object to the use of their personal data for direct marketing purposes. This means that, for all types of direct marketing, organisations must promptly comply with opt out requests that they receive from individuals who do not want to be sent marketing materials. In addition to deleting individuals who have opted out from an organisation s mailing lists, it is also best practice to maintain a separate suppression list of individuals to ensure that their preferences are respected in the future. Individuals can register their address with the Mail Preference Service ( MPS ), which works in a similar way to the Telephone Preference Service ( TPS ). The DPA does not specifically require organisations to screen against the MPS, but it is good practice to do so and can save time and money. It will also help ensure compliance with the requirement under the DPA to act fairly and lawfully in relation to personal data. If an organisation is sending mailshots to every address in an area and does not know the identity of the people at those addresses, it is not processing personal data for direct marketing, and the DPA rules will not apply. However, it may still need to comply with other guidelines and codes on marketing and advertising. Post marketing Automated calling systems Individuals: These marketing rules only apply to postal communications sent to individuals. They do not apply where an organisation is sending a marketing communication to a business. Since marketing by post is not an electronic means of marketing it is not covered by the PECR. However, organisations must still comply with the DPA. In most cases, making automated marketing calls (calls made by an automated dialling system which play a recorded message) is unlawful. This is because organisations are only permitted to make automated calls to people who have specifically consented to receiving them, which is unusual. Telephone marketing In essence, the DPA requires that: individuals are aware that an organisation has their contact details and intends to use them for marketing purposes; the organisation must have obtained individuals addresses fairly and lawfully. It cannot send marketing mail if the addresses were originally collected for an entirely different purpose; organisations must not send marketing mail to anyone who objects or opts out. They must comply with any written objections promptly. Under the PECR, organisations can make live unsolicited marketing calls (provided they comply with the rules summarised below), but they must not call any number registered with the TPS without specific prior consent. In practice, this means that organisations should screen the list of numbers they intend to call against the TPS register. Individuals and businesses: Similar rules apply to businessto-business calls. Sole traders and partnerships may register their numbers with the TPS in the same way as individual consumers, while companies and other corporate bodies register with the Corporate Telephone Preference Service 4 Direct Marketing Rules June 2016

5 ( CTPS ). Therefore, organisations making B2B marketing calls to individuals and businesses need to screen against both the TPS and CTPS registers. Generally, organisations must: have obtained the person s contact details fairly and lawfully to start with; individuals should be aware that the organisation has their number and plans to use it for marketing purposes; the organisation must not make any calls that the person would not reasonably expect, or which would cause them unjustified harm. 2. the products or services promoted must be provided by the sender (rather than an unrelated third party) and be similar to those for which the recipient is regarded as a customer; 3. the opportunity to opt out must be given when the individual s details are collected; and 4. the opportunity to opt out must be repeated in every promotional that is sent. Organisations must not disguise or conceal their identity in marketing texts or s, and should not make it difficult to opt out. It is good practice to allow individuals to reply directly to the message to opt out or provide a clear unsubscribe link. New transparency rules: As of 16 May 2016, when making marketing calls an organisation must always say who is calling, allow their number (or an alternative contact number) to be displayed to the person receiving the call, and provide a contact address or freephone number if asked. Marketing texts and s Consent Consent is central to the rules on direct marketing. Organisations will generally need an individual s consent before they can send marketing texts, s or faxes, make calls to a number registered with the TPS, or make any automated marketing calls. Individuals: Organisations can generally only send marketing texts or s to individuals (including sole traders and some partnerships) if that person has specifically consented to receiving them. Indirect consent (that is, consent obtained by a third party) is unlikely to be sufficient unless certain conditions are met (see the section on Consent below). There is, however, a limited opt out exception for previous or existing customers that an organisation can use if they meet the following four-fold test: 1. the address of the recipient must have been obtained by the sender directly from that individual in the course of a sale or negotiation for the sale of a product or service; To be valid, consent must be knowingly and freely given, clear and specific. Key points to note in relation to marketing consents are: The clearest way of obtaining consent to send marketing messages is to invite individuals to tick an opt in box confirming that they wish to receive marketing messages via specified channels (e.g. post, , live phone call etc). This represents best practice and the ICO advises all organisations to adopt this approach, although it is not necessarily the only way of obtaining consent. Direct Marketing Rules June

6 Whatever method of obtaining consent is chosen, there should be some form of communication or positive action by which the individual clearly and knowingly indicates their agreement. This might involve clicking an icon, sending an , subscribing to a service, or providing oral confirmation. There should be a clear and prominent statement explaining that the action indicates consent to receive marketing messages from that organisation (including what method of communication it will use). Text that is hidden in a dense privacy policy which is easy to miss will not be enough. Codes of practice This Focus summarises key direct marketing rules under the DPA and PECR. But it is important to be aware that there are also rules and guidelines that apply to specific industries and groups, such as the CAP Code for advertisers, agencies and media owners, and the DMA Code to which DMA members and their business partners must adhere. Further information For more information the ICO s Direct Marketing Guidance is available to view online here. Beware using bought-in marketing lists. The latest ICO guidance highlights that, although there is a well-established trade in third party opt-in lists for traditional forms of marketing (e.g. postal marketing), indirect consent will generally not be enough for texts or s. (In this context, indirect consent, or third party consent, refers to situations where a person tells one organisation that they consent to receiving marketing from other organisations.) This is because the rules on electronic marketing are stricter, to reflect the more intrusive nature of electronic messages. However, indirect consent might be valid in some circumstances, if it is clear and specific enough. Broadly, this means that the customer must have anticipated that their details would be passed to the specific organisation in question, and that they were consenting to receive marketing messages from that organisation. The ICO has also produced a Direct Marketing Checklist to help businesses ensure that they are compliant with the rules and good practice. 6 Direct Marketing Rules June 2016

7 About the Author Michael Edgar Michael is a solicitor in our Commercial and Intellectual Property group. His specialisms include: E-commerce; Consumer rights and data protection; Intellectual property including trademarks, brand protection and exploitation, and licensing; Supply and distribution contracts Direct Marketing Rules June

8 Our Commercial Law Offering Our Commercial Group is focussed on supporting businesses in high-tech industries. Our clients include medical device manufacturers, biotech companies, software vendors and SaaS providers, world-leading scientific instrumentation manufacturers, university spin-outs, service providers to the entertainment and FMCG sectors who use disruptive and innovative technologies to competitive advantage. They range in size from the smallest start-ups to globally recognised brands. They recognise: Delivering Results Our technical expertise with our highly experienced partner-led team supported by a growing team of superb and enthusiastic junior lawyers Our ability to grasp, quickly and accurately, technical and commercial imperatives and to use these to inform our legal advice Our speed of response, flexibility of approach and our values Our enthusiasm for their sector and the challenges and opportunities it produces Competition Law Computer & Software Agreements Confidentiality Consultancy Data Protection e-commerce International Licensing & Franchising Outsourcing Product Safety Strategic Alliances Supply Chain Technology Development, Exploitatiom & Transfers

9 London 2 More London Riverside London SE1 2AP +44 (0) london@laytons.com Manchester 22 St. John Street Manchester M3 4EB +44 (0) manchester@laytons.com Guildford Ranger House, Walnut Tree Close Guildford GU1 4UL +44 (0) guildford@laytons.com Laytons Solicitors LLP which is authorised and regulated by the Solicitors Regulation Authority (SRA Nº ). A list of members is available for inspection at the above offices.