On 10 September 2013, the UK’s Information Commissioner (ICO) released new guidance on direct marketing. The paper canvasses the marketing rules found in the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, with the aim of helping companies to comply with the law when engaging in direct marketing activities. Those activities remain broadly understood, and include the delivery of all promotional materials, including those with only a small marketing element, materials promoting not-for-profits like charities or political parties as well as market research activities if their real purpose is promotional. Direct marketing also encompasses traditional forms of marketing (e.g., telesales, mailshots) as well as newer methods (e.g., online marketing and social networking). However, the ICO suggests that advertising not targeted at particular recipients, such as website advertising that appears the same to all site visitors, is not covered by the direct marketing rules.
Overall, the guidance sets a high bar for organisations conducting direct marketing, especially via electronic channels. Among other things, the ICO underscores the general need to obtain the informed, freely given and specific consent of individuals before sending marketing materials to them and emphasizes that the rules are stricter for electronic marketing. The guidance sets out a list of conditions that a valid consent must meet, including the following:
- The individual must provide their consent directly to the sender or intend a third party to pass on their consent to the sender. The more direct the consent the better; it is harder to show a valid consent where the individual’s contact information has been passed down through a chain of organisations. To be able to rely on an indirect consent, the sender should ensure that the individual anticipated that their details would be passed to the sender for marketing purposes (e.g., the sender was named or falls within a category of organisations described to the individual) and would reasonably have expected to receive the marketing materials in question (i.e., the promotion in question is similar to the context in which consent was originally given).
- The consent must be on-going. According to the ICO, an individual’s consent will not last indefinitely; a good rule of thumb is not to rely on a consent that is over six months old. In addition, consent is unlikely to remain valid after a significant change in the individual’s circumstances; for instance, if consent is given when signing up to a service, it is likely to expire once the individual cancels their subscription. The ICO also clarifies that consent furnished with regard to a particular promotional campaign is not a clear consent for on-going marketing about different products at some later point in time.
- The individual must specifically consent to the particular type of marketing communication. For example, a marketer can only make automated calls if the individual consented to automated calls, send texts if they consented to texts, and so forth. While more generic consent to receive marketing might be sufficient for mailshot campaigns, it will not suffice for electronic communications.
- The consent must be a positive expression of choice. The ICO recommends using unticked opt-in boxes wherever possible. For electronic marketing, companies should provide separate opt-in boxes for each type of marketing (e.g., automated calls, texts, emails). Pre-ticked boxes will not automatically be sufficient to show consent, as they are more akin to an opt-out consent. The individual may also take other positive action to communicate consent, such as clicking an icon, sending an email or subscribing to a service.
- The company should keep clear and accurate evidence of consents. The ICO recommends not only keeping evidence of consents in case an individual complains, but also maintaining a “suppression list” of individuals who object or opt out, to prevent accidentally re-contacting them in the future.
The guidance also sets out the potential enforcement actions that the ICO can take against companies that fail to comply with the rules. These include the power to issue fines of up to £500,000, which the ICO will consider using if an organisation persistently fails to comply with the law, sending mass texts without consent or selling marketing lists without individuals’ knowledge or consent.