Who: The Information Commissioner’s Office
Where: Wilmslow, Cheshire
When: September 2013
Law stated as at: 3 October 2013
What happened:
The Information Commissioner has published a guidance document focusing on direct marketing (“Guidance”).
Topped off with a 17 point “Direct marketing checklist” and an “At a glance guide” to the consent rules for various marketing channels, the 45 pager is a must read for all marketers wanting to comply with data protection and electronic communications laws, and for their advisers too.
What’s more, since the Guidance goes beyond previous ICO pronouncements in key areas such as consent to direct marketing, urgent attention will need to be paid to data capture mechanisms in case changes are needed to ensure the data can be used for the intended purposes.
Existing databases may also be rendered unusable for certain purposes at a stroke.
More of this below, but first here are some highlights from the numerous passages dealing with consent.
1. Time limits on consent
ICO is tightening up its attitude on consent shelf life in the context of direct marketing. This is particularly relevant for marketing channels such as email and text, where the Privacy and Electronic Communications Regulations 2003 (“PECRs”) expressly require prior consent.
ICO advises particular care in the following scenarios:
– when the data subject gives consent to marketing as part of signing up for a service and the service expires, the consent will likely also expire;
– where consent is given to receive messages about a particular product launch, this should not be taken as consent for messages about a different product launch a year later;
– in the context of emails or texts, the PECRs refer to consent “for the time being.” ICO interprets this as making it likely that if there is any significant change in circumstances the consent will come to an end;
– “Indirect consent” for calls, texts or emails (given to a third party via the “first party” when the first party captured the contact details) creates special time challenges. As a default position, ICO advises third party marketers looking to get in touch for the first time by telephone, text or email not to rely on consent which was given to the first party more than 6 months previously. It accepts there will be exceptions to this, however, such as consent to receive messages about annually renewable insurance services.
2. “Indirect” or third party consent
ICO takes a stricter view than before on the validity of third party consent, particularly in the context of email or text marketing under the PECRs.
Indirect consent is relied on heavily by the UK list rental market, so there will be particular concern in this sector over ICO’s new positioning here.
The regulator says that where the consent was originally given to “X” and the marketer intending to send the email or text is “Y”, ICO will now expect the consent given to X to have either specifically named Y or at least described a specific category of organisations which includes Y.
In contrast, consent to hear from “selected third parties” is very unlikely to cut the mustard, says ICO. Moreover, where the consent given to X allows X to share the email address with “trusted third parties,” this is unlikely to extend to third parties selected by Y, no matter how much Y trusts them.
3. Proof of consent
Not surprisingly, ICO urges marketers to up their act in terms of ensuring that they have proof of consent.
Clear records should be kept of the date of consent, who obtained it, and exactly what information was provided to the person consenting. Marketers should not rely, ICO says, on a bought-in list unless the seller or broker can provide these details. The Guidance goes further by including an eleven point list of aspects that should be checked by any marketer considering using a third party list.
4. Consent as a condition of being entitled to something else
ICO makes it clear that consent to direct marketing cannot be valid if it is given as a condition of subscribing to a service or completing a transaction.
Why this matters:
The stricter approaches to, for instance, indirect consent for marketing and time limits on consent will cause concern, particularly as ICO has not been crystal clear about the extent to which the Guidance is retrospective.
It has stated that the Guidance will not be retrospectively applied before its 9 September 2013 publication date, but what about those millions of email addresses and mobile numbers obtained using consent wording for third party marketing which now fails the more rigorous ICO test?
Will these lists be excused from having to follow the new Guidance? Or if not, will there be a transitional period allowing marketers time to adapt?
The Direct Marketing Association is raising this and other questions with ICO and requesting further clarification. In the meantime, all businesses capturing personal data which may be used for future direct marketing (which probably means all businesses) should be urgently reviewing their sign-up mechanisms with a view to making necessary changes.
The ICO Guidance is here.