As the UK’s digital marketing industry wrestles with new regulations in force since last December, the Information Commission is taking a remarkably flexible view on compliance.
Topic: Digital marketing
Who: The Office of the Information Commissioner
When: February 2004
The Direct Marketing Association of the UK recently held a conference focusing on “Living within the law” in the context of the Privacy and Electronic Communications (EC Directive) Regulations 2003. These Regulations came into force on 11 December 2003 and introduced important new controls affecting a wide range of marketing channels including e-mail and SMS.
One of the speakers was Elizabeth Dunn, a Compliance Manager at the Office of the Information Commissioner (“OIC”). Ms Dunn was reporting from the coal face in that her office and her team dealt with numerous telephone enquiries and complaints received from members of the public as to alleged breaches of the relevant regulations. In many cases her pronouncements dedicated an encouraging and refreshing flexibility on the part of the data regulator.
Sort opt-in flexibility
One example was in the context of the so called “soft opt-in.” This is where it is not necessary to get express prior consent before sending unsolicited direct marketing e-mails. This occurs where the e-mail address has first been captured in the course of a sale or negotiations for a sale and various other requirements are met such as the ensuing marketing e-mails marketing only products and services that are “similar.”
Here there has been much debate and angst as to the precise ambit of “in the course of a sale or negotiations for a sale.” Debate has also raged about the exact meaning of “similar products and services.” Ms Dunn said, however, that the OIC’s current feeling was that they were not going to get too bogged down in technical debate over these issues. Their fundamental approach was simple: could it be said that any ensuing direct marketing e-mail, following the circumstances of the initial e-mail address capture, was within the “reasonable expectation” of the person who had originally supplied the e-mail address.
Another area where there has been much debate and discussion is the use of legacy lists.
The position under the Regulations here is that there is no special carve-out for lists in existence before the new rules came into force on 11 December 2003. This means that strictly speaking, if no prior consent had been obtained to send unsolicited direct marketing e-mails, when the list was compiled it simply cannot be used for that purpose after 10/12/03.
The OIC’s position here, however, is more pragmatic and realistic. It says that legacy lists compiled pre 11 December 2003 can continue to be used for direct marketing e-mails which are unsolicited on four conditions:-
1. all opt-out requests are honoured promptly and the names of those who opt-out are suppressed;
2. an opt-out opportunity is provided each time an e-mail message is sent;
3. the legacy list must have been used recently, by which the OIC means, for the moment at any rate, since the end of 2002; and
4. the legacy list was compiled in a manner that was compliant with all applicable law prior to December 2003. Essentially this means that it should have been compiled in conformity with the Data Protection Act 1998. This is a big if, principally because most lists in this category have not been compiled compliantly. Why? Because one of the requirements of the 1998 Data Protection Act has not been followed. This applies where A obtains personal data about B (including B’s e-mail address) from C. In such a case the 1998 Act requires that A should as soon as reasonable practicable communicate with B, tell them that they are holding B’s personal details and give them the opportunity of opting out of future use of those details for specified purposes. If there is one aspect on which all those contemplating use of legacy lists should focus when conducting their due diligence, it is this particular requirement.
Third party list
Another hot topic touched on was the use of third party lists for sending unsolicited direct marketing e-mail. Under the 2003 Regulations this is difficult. This is because, such use of these lists can only occur if the recipient of the e-mail has previously “notified the sender” that they consent for the time being to receiving unsolicited direct marketing e-mail sent either by the sender or at the instigation of the sender. The key question here is how the recipient might have notified the sender when the sender is a the third party who did not capture the recipient’s e-mail address in the first place.
In this area, the OIC is again taking a flexible and reasonably relaxed position. It is tending to the view currently that third party lists can be used this way provided the recipient has consented to receiving unsolicited messages from any marketer on a particular defined subject, and the subsequent third party e-mail is related to this particular subject. The OIC themselves say it is difficult to see how they could be more lenient in their interpretation of the requirements in this regard, and indeed marketers wishing to follow best practice rather than the minimum legal requirements may wish to give rather more information at the point of data capture about possible third party use.
On the question of viral marketing, again technically it could be said that if advertiser A is encouraging recipient B to forward A’s message onto B’s friend C without C’s prior consent, A is enticing B to commit a breach of the 2003 Regulations. However, the OIC is again quite relaxed about this. It currently takes the view that so long as A is not offering B any significant incentive to forward the message to C, then no major regulatory problems should ensue.
Complaints and enforcement
Finally Ms Dunn looked at the level of complaints currently being received by the OIC relating to digital marketing and at enforcement issues.
She reported that whilst there had been a significant increase in complaints about unsolicited marketing email and SMS, this had not been overwhelming. The focus of the complaints was currently on SPAM emanating from outside the EU and on UK SMS campaigns.
One theme of the complaints received in recent weeks was the fear of consumers of what might happen if they ‘unsubscribed’ by way of merely encouraging the sending of more SPAM. There was also many a demand that prosecutions be brought immediately, which took Ms Dunn on to her final topic, enforcement.
Ms Dunn explained that breach of the 2003 Regulations was not a criminal offence, but nevertheless fines of £5,000 awaited wrongdoers at the end of the enforcement process. However, this process was very long-winded and at the moment the OIC’s powers were quite limited.
For instance, the OIC was hampered in obtaining information about what possible breakers of the rules were actually doing. They could request information from alleged wrongdoers, but they could not compel them to deliver up information. However, the OIC was pressing for more extensive powers in this area and the landscape might change within the foreseeable future, with the DTI apparently getting closer to giving the OIC much greater powers.
Why this matters:
The OIC is refreshingly open about its approach to enforcement activity and complaint handling and its attitude to interpreting and applying the increasingly complex rules affecting digital marketers in the UK today.
One cynical response to the OIC’s flexibility and understanding towards industry in applying the new rules is that this is simply accepting reality, which is that the OIC’s enforcement powers are very limited and their resources even more so.
It should also be noted that the OIC’s view about the interpretation and application of a particular legal regulation is not the final word on the topic so far as compliance is concerned. For instance, email marketers may find that although they have satisfied the OIC, they may still encounter difficulties with the Advertising Standards Authority because of what the CAP Code says about digital marketing.