Who: Information Commissioner’s Office (the “ICO“)
When: 24 March 2016
Law stated as at: 10 April 2016
In a blog post on 24 March 2016, the ICO announced the publication of an updated version of its much talked about direct marketing guidance. The guidance clarifies the law in three main areas:
Application to not-for-profit organisations
Back in July 2015, we reported on the launch of an investigation by the ICO into the fundraising practices of a number of charities and call centres responsible for carrying out fundraising calls on their behalf.In light of those investigations, the ICO has substantially expanded the sections of the guidance on the use of direct marketing by charities, political parties and other not-for-profit organisations. Specifically, the guidance re-iterates that:
- Not-for-profit organisations are not exempt from the requirements of the Data Protection Act 1998 (“DPA“) or the Privacy and Electronic Communications Regulations 2003 (“PECR“);
- Any messages that contain marketing elements are covered by the PECR, even if that is not the main purpose of the message;
- Existing supporters registered on the Telephone Preference Service (the “TPS“) must have specifically consented to receiving marketing calls;
- Organisations must clearly and prominently explain to supporters what their details will be used for and obtain clear, specific consent;
- Just because an individual donates once, that does not mean that they consent to receiving marketing communications in relation to other fundraising campaigns; and
- Supporters must be made aware if their details are going to be shared or sold, even to organisations with similar aims/objectives.
Indirect (third party) consent
Relying on consent obtained by third parties requires careful consideration, particularly when sending marketing communications by text or e-mails or when making automated calls. It is not uncommon to see check boxes asking users to consent to receipt of marketing from “selected third parties”, or from a long, seemingly exhaustive list of general categories of third parties.
In its updated guidance, the ICO re-iterates that for indirect consent to be valid, the third party organisation must be either specifically named, or fall within a clearly described and precise category of third party organisation.
Individuals must be able to reasonably foresee: (a) the types of companies that they would receive marketing from; (b) how they would receive that marketing; and (c) what the marketing would be.
Further, the guidance clarifies that consent for third party marketing is a one-stage process; information can only be shared from party A to party B, and not any further (i.e. it cannot be shared from party B to party C, and then from party C to party D), irrespective of whether parties C and D are specifically named or within a clearly defined category..
This guidance appears to apply to all types of direct marketing, not just those using channels such as email or text, where consent is an express requirement under the PECR.
“Freely given” consent
For consent to be valid, it must be freely given (as well as being specific and informed).It is not uncommon for organisations to use prize draws or other such competitions to bulk up their marketing databases, by making consent to marketing a condition of participating in the competition. The question is whether this provides the entrant with the “genuine choice” as to whether to consent that the Guidance says is required.Although paragraphs 60 and 66 of the new Guidance seems to focus on the point in the context of “subscribing to a service” and there may be questions as to whether this extends to entering a one off prize promotion, the point remains that consent has to be “freely given” and If there is no alternative but to consent to receive marketing messages if a consumer wants to enter a prize promotion, then there has to be a significant question as to whether that consent is “freely given” and this new Guidance underlines the point.
- Again this guidance appears to apply to all types of direct marketing, not just those using channels such as email or text, where consent is an express requirement under the PECR.
- The ICO recommends that organisations do not make consent to marketing a condition for subscribing to a service or activity unless they can demonstrate that consent to marketing is necessary and cannot be sought separately. It concludes that direct marketing is “highly unlikely” to form an obvious or integral part of a service or activity.
Why this matters:
Organisations flouting the rules on direct marketing, which are laid down by the DPA and the PECR, are rarely outside of the headlines. Just three months into 2016 and the ICO’s crackdown shows no signs of slowing down.
So far in 2016, the ICO has issued a record fine of £350,000 against Prodial Ltd for making over 46million automated calls; and fined MyIML Ltd and Direct Security Marketing Ltd a total of £150,000 in just one week for making direct marketing calls in breach of the PECR.
The ICO’s guidance is crucial to many organisations seeking to avoid such enforcement action. It is so crucial that there are proposals to put it on a statutory footing, meaning that it could be considered by the courts. Baroness Neville-Rolfe, Minister for Intellectual Property, has recently supported those proposals. Such a change would require a full consultation and legislative change. However, given the current momentum behind enforcement, statutory recognition is certainly not beyond the realms of possibility…