What happened:
The ICO has published two new sets of guidance on how organisations can comply with the requirements set out in the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) (as amended) (PECR) when carrying out direct marketing by email and live calls.
Direct Marketing
Guidance on direct marketing using electronic mail explains, the PECR rules for sending direct marketing by email, text and in-app messages and the relationship between the PECR and data protection regimes, as well as defining terminology such as the meaning of “direct marketing”, “solicited” and “unsolicited”.
The guidance covers the legal requirements under PECR, characterised as what an organisation must do. For example, businesses must give people the free choice to consent to email marketing messages and must keep the consent separate from other things such as terms and conditions to ensure such consent is freely given.
The guidance also includes commentary on what the ICO consider important to help organisations comply by setting out examples of what a company should do; for example, keeping a record of consent in order to demonstrate the consent was valid. Businesses are encouraged to follow the good practices set out in the guidance unless they have a good reason not to. For example, business should keep a record of the consent they received (who, when, how) in order to demonstrate that such consent is valid.
Finally, the guidance also includes examples of practices business could do, which refers to options businesses may wish to consider to help them comply. For example, business could offer an opt-out by telling people to send a ‘STOP’ message to a short code number.
Live calls
Guidance on direct marketing using live calls follows the same format as the electronic mail marketing guidance and similarly provides practical guidance on the PECR rules for performing direct marketing via live calls, an overview of essential terminology, and organisations with all the information required to help avoid being in breach of PECR and exposed to the risk of enforcement action from the ICO.
Why this matters:
The ICO has previously stated that its objective is to help organisations comply with their legal obligations under PECR and data protection laws, and this update to the PECR guidance is a sign of the regulator’s commitment to such goal.
Organisations that fail to review and put the guidance into practice, and fail to comply with the PECR are warned by the regulator that they face the prospect of robust enforcement action, which could include the ICO issuing both an enforcement and a monetary penalty notice, depending on the circumstances of the non-compliance.
