What are ‘similar products or services’, what are ‘negotiations for a sale’, what is an ‘individual subscriber’, what about legacy lists? – are there answers in this “Guidance” to these burning questions on the new regulations in force 11 December 2003?
Topic: Digital Marketing
Who: The Information Commissioner
Where: London
When: November 2003
What happened:
The Information Commissioner (“IC”) published his much-awaited “Guidance to the Privacy and Electronic Communications (Directive) Regulations 2003” (“PECRs”). These regulations came into force on 11 December 2003 and the IC’s Guidance is designed to aid understanding, interpretation and practical application of the new Regulations.
It follows in the footsteps of, and should be read in conjunction with, the IC’s previous relevant publications which are also available on its website, namely its “Legal guidance” on the Data Protection Act 1998, and its “Compliance advice/website frequently asked questions” report of June 2001.
The Guidance is in two parts. Part 1 deals with “Marketing by electronic means”. Part 2 deals with the rest, which consists of “Security, confidentiality, traffic and location data, itemised billing, connected line identification (CLI) and directories.”
In this marketinglaw report we will focus on Part 1 and the “location data” and “cookie” sections of Part 2.
“Direct marketing” definition
The PECRs apply to the sending of direct marketing messages by electronic means, such as by telephone, fax, email, text message and picture (including video) messaging and by use of automated calling systems.
According to the IC, the plan of the PECRs was that they should be “technology neutral”, but rather than introducing a set of general rules which apply to all channels, regardless of the technology used, the PECRs scheme is very much to introduce sets of rules by channel.
There is a separate PECRs section, for instance, dealing with email marketing, which for these purposes extends to marketing by SMS.
The new rules for these marketing channels (i.e. opt-in, soft opt-in, no disguising or concealment of sender and providing a valid unsubscription address) only apply to messages sent for the purposes of “direct marketing”. Accordingly, it is critical to establish what “direct marketing” actually means. The IC Guidance reminds us that under section 11 of the 1998 Data Protection Act, direct marketing is defined as:
“the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals.”
The Guidance goes on to repeat the view that it has expressed previously in this context. This is that under this definition, a wide range of activities, which will not just be the offering for sale of goods or services, will still be caught. Examples include the promotion of an organisation’s aims and ideals and charities or political parties making an appeal for funds or support.
An area which the Guidance does not address is the provision of “information” by email or SMS. Is this “direct marketing”? Our best answer at this point is that in most cases it is unlikely to be an issue. Why? Because the provision of “information” is more likely to be in a B2B context than B2C, and if the information is being provided to the email address of a limited company’s employee, most of the new rules do not apply with the exception of the requirement not to disguise or conceal the sender and to give a valid un-subscribe address.
“Solicited/unsolicited” difference
The Guidance then goes on to deal with the crucial question of what is a “solicited” message. This is important because if the message is indeed “solicited”, then none of the new opt-in/soft opt-in rules will apply, only the new rules relating to non-disguising or concealment of the sender and the provision of a valid un-subscribe address.
In the IC’s view, a “solicited message” is one that you have “actively invited”.
All this is fine and dandy, but the new regulations seem to contemplate a hybrid situation. This is a strange breed of email marketing message which has not been “solicited”, but which the recipient has opted into receiving or, to use the words of regulation 22(2) “has previously notified the sender that he consents for the time being” to receiving from that sender. If the message is in this category, even though it is unsolicited it will be compliant with the PECRs as “opt-in” provided the sender’s identity is not disguised or concealed and a valid un-subscribe address is supplied.
Does the Guidance give us more help on what is “opt-in”, though not quite “solicited”? It offers that an unsolicited message that you have consented to receive is “one that you have not specifically invited, but you have positively indicated that you do not mind receiving”.
To illustrate its point, the IC uses a quaint bar-room analogy. If A asks B to buy A a drink, A is “soliciting” that drink. If on the other hand B asks A if B can buy A a drink and A says yes, then the drink is unsolicited, but A has previously notified B that A does not mind receiving it.
Hmm……..
Does “consent” mean ticking a box?
The IC explains that this is certainly one way in which positive consent can be notified but it is not the only way. For instance, this can be done by sending an email or subscribing to a service. It can also be done, the Guidance suggests, by way of an opt-out box. The example cited is the use of the following wording:
“By submitting this registration form, you will be indicating your consent to receiving email marketing messages from us unless you have indicated an objection to receiving such messages by ticking the above box.”
In summary, the Guidance goes on, the precise mechanisms by which valid and informed consent is obtained can vary. The crucial consideration, however, is that individuals must fully appreciate that they are consenting and must fully appreciate what they are consenting to.
“For the time being”
The general “opt-in” requirement for unsolicited direct marketing email applies where consent has been given to the receipt of such messages “for the time being”. The Guidance asks whether this means that consent only lasts a finite period of time.
Comfortingly, the IC answers its own question by expressing the view that consent will not inevitably lapse after a certain period. On the other hand, it will not last indefinitely. So how does a marketer know when to try to refresh a consent previously given? The Guidance’s perhaps not too helpful answer is that any consent given “will remain valid until there is good reason to consider it is no longer valid”.
Telephone marketing
The Guidance reminds us that this part of the new regulations essentially restates the 1999 Telecommunications (Data Protection and Privacy) Regulations, with only one significant difference. This is that from May 2004, corporate subscribers will be allowed to register their numbers with the Telephone Preference Service, whereas at present only residential subscribers, sole traders and other unincorporated partnerships can register.
The Guidance then goes on to helpfully summarise the TPS rules, including the fundamental requirement that no unsolicited telesales calls can be made to any number listed on the TPS register. Also, TPS registration takes 28 days to come into force so that calls can continue to be made to a number during that period unless a separate opt-out request has been made direct to the caller. Also, after the 28-day period calls can still be made to a previously registered subscriber, but only if that subscriber has previously notified you that for the time being they do not object to receiving such calls.
An additional legal requirement is that a telesales caller must, when the service has not been outsourced, identify himself and, if asked, must provide a valid business address or free-phone telephone number on which he can be contacted. When using subcontractors, the subcontractor’s call centre staff must identify the instigator of the call, in other words the organisation on whose behalf they are making that call.
Subscribers’ FAQs and marketers’ FAQs then helpfully identify some of the practical questions asked and the response from the IC. (This follows a similar format to an opening “Introduction-General Questions” section, a helpful approach adopted throughout the Guidance, although it does mean that the answer you are looking for could be in either the General Questions, the Subscribers’ FAQs or the Marketers’ FAQs.) For instance, in the marketers’ FAQs the question is asked, where a subcontractor makes calls for a marketer, is it the subcontractor’s responsibility to make sure that the rules are not broken? The answer is that it remains the marketer’s principal responsibility to ensure that there is compliance.
Another practical question is whether call-centre staff have to give out their personal names. The answer is in the negative. The rules require that they give out the name of the company whose products or services they are promoting.
Fax marketing
A fax marketing section again restates the existing regulations from 1999, which are replicated in the PECRs. However, the Guidance does contain some useful FAQs in this area, noting in passing that unsolicited marketing faxes are the subject of the highest number of complaints the IC has received to date.
Electronic mail
Perhaps not surprisingly, this is the largest section in the Guidance.
It starts out by clarifying that the rules in the PECRs for “electronic mail” apply also to text/picture/video marketing messages, as well as voicemail/answerphone messages left by marketers making marketing calls that would otherwise be “live”. This would seem to figure as the definition of electronic mail in the regulations reads:
“any text, voice, sound or image message sent over a public electronic communications network, which can be stored in the network or in the recipient’s terminal equipment, until it is collected by the recipient and includes messages sent using a short message service”.
“Valid address”
Regulation 23(b) requires that a “valid address” at which the recipient can unsubscribe from receiving further messages must be provided whenever a direct marketing email is sent, regardless whether it is solicited or unsolicited. The Guidance asks what would constitute a “valid address” for these purposes. A valid email address is cited as an example, but the IC makes it quite clear that it would not regard a premium rate, national rate or free-phone number as satisfying this obligation.
“In the course of a sale or negotiations for the sale of a product or service”
What does this mean? It is crucial to know, because to avoid the general “opt-in” requirement for unsolicited commercial email and use the “soft opt-in” route, the recipient’s email address has to have been obtained by the sender “in the course of a sale or negotiations for the sale of a product or service”.
The Guidance starts out by helpfully telling us that “it may be difficult to establish when “negotiations” may begin”. However, it goes on, where a person has “actively expressed an interest” in purchasing a company’s product and services, and they did not opt-out of further marketing of that product or service or similar products or services at the time their details were collected, then “soft opt-in” should apply, and it should be possible to continue sending them unsolicited marketing emails until they opt-out of receiving more.
The Guidance then deploys another of its quaint examples. If I send an email to a national retailer asking it if it is going to open a branch in my town, and it responds with either a “yes” or “no but details of other stores in your area are….”, my query does not constitute part of a “negotiation for the sale of a product or service”. All this indicates a quite restrictive interpretation of this phrase on the part of the IC.
“Similar” products and services
Again this is critical to “soft opt-in” compliance as subsequent unsolicited emails can only market “similar products or services,” following the sender first capturing the email address in the course of a sale or negotiations for a sale.
The IC states here that it is taking a “purposive approach”. Its view is that the intention of this section is to ensure that an individual does not receive promotional material about products and services that they would not reasonably expect to receive.
For example, the IC goes on, someone who has shopped on-line on a supermarket’s website would expect at some point in the future, to receive further emails promoting the diverse range of goods available at that supermarket.
This will continue to be the situation unless and until the individual opts-out of receiving further such messages. The Guidance says the IC will be focusing particular attention on failures to comply with opt-out requests, and will take enforcement action against those companies within the UK jurisdiction who persistently fail to comply with them.
All this is consistent with the line previously adopted by the IC in the context of use of personal details for future marketing purposes. Does it mean that provided information about other products and services has been supplied to the individual before or at the time of them providing their email address, these will classify as “similar products or services” for the purposes of future emails? By and large, the answer has to be “probably yes”, but it has to be less likely that products and services will be regarded as “similar”, outside of a supermarket style situation, if they are in an altogether different category to the products that the person was buying or negotiating to buy at the time that they first supplied their email address.
Is collection of an email address from a competition entrant “in the course of negotiations for the sale of a product or service”?
Having raised the question, the IC does not answer it particularly satisfactorily. It says “a great deal would depend on the context” and on what the person is told when their details are collected. Arguably, it goes on, where a competition is part of an inducement to raise interest in a product or service, this constitutes a part of the negotiations for a sale. However, if the marketer is unclear at this stage about what is going to be done with the email address or mobile phone number or where this information is not readily accessible, then the marketer will be less likely to be able to rely on soft opt-in.
Text/picture/video messaging
Because of the 160 character constraints on a standard mobile phone screen, the Guidance raises the query as to whether SMS marketing can be subject to the same disclosure rules. The answer from the IC is quite clear: there is no such saving. The required disclosures about the marketing messages you intend to send can be given, it goes on, before you send the message or even before you capture the mobile number in question. For example, in an advertisement or on a website before the recipient signs up for the service.
Sending unsolicited marketing by text/picture/video messages – is TPS screening required?
The Guidance makes it quite clear that such messages have to identify the sender, and provide a valid address to which opt-out requests can be sent. They can also be only sent with prior consent unless “soft opt-in” applies. However, the TPS does not apply here, so screening against the TPS will not be required before sending such messages.
Legacy mailing lists – good news
The question on many marketers’ lips is whether they can carry on using email mailing lists compiled before 11 December 2003 and there is good news here. The IC looks as though it is prepared to be flexible on this. The Guidance says that “for the time being, we take the view that where own mailing lists were compiled in accordance with privacy legislation enforced before 11 December 2003 and have been used recently, you can continue to use them unless the intended recipient has already opted out”.
However, the IC makes it clear that it will expect marketers to ensure that any opt-out requests received either before or after 11 December 2003 are acted upon promptly.
This concession for legacy lists by the IC is a significant one, coming from the principal regulator that is going to enforce the new rules. There were indications of such a saving in an earlier draft of the PECRs, but this came out of the final version. Nevertheless, the IC is making it quite clear that provided opt-out requests are promptly honoured whenever they are received, marketers can continue, after 11 December 2003, to use email marketing lists that existed pre 11 December 2003 to send unsolicited direct marketing messages. This will be the case even if those individuals have not previously opted in to receiving such messages, or their details have not been collected in the course of the sale of a product or negotiations for such a sale. What the marketer has to do is to make sure that the list has been recently used (pre 11 December 2003) and that it has honoured and will continue to honour any opt-out requests.
“Suppression” not deletion of opt-outs
The IC reminds marketers here that contact details in relation to individuals who have opted out should be “suppressed” rather than deleted. This should ensure that a person’s opt-out request is recorded, retained and respected until such time as that person provides consent which overrides their previous opt-out request. The IC also goes on to make it clear that in its view, overriding consent would only be valid where it is provided to the sender directly from the person concerned.
Third party electronic mailing lists
There has been much fear that it is going to be very difficult to utilise third party lists under the new PECRs. This is because regulation 22(2) states that for the email sender to be able to use the “opt-in” route to compliance, the recipient must have “previously notified the sender” that he consents for the time being to such communications being sent by, or at the instigation of, the sender.
The Guidance offers some comfort on this. It comments that on the use of third party lists in existence prior to 11 December 2003, it is prepared to “exercise some latitude”. This presumably will be along the lines of their relaxed approach, “for the time-being” in respect of legacy lists generally, as indicated in the “Legacy mailing lists” section above, with an additional caveat that marketers will still need to seek assurances from the third party list supplier as to the means by which the email addresses were collected, including the disclosures given at the time of collection and what the individual opted into or opted out of.
As regards arrangements entered into after 11 December 2003 for the use of third party lists, the Guidance offers a number of scenarios.
1. Lists of individual subscribers who have invited contact from third parties on a particular subject.
Email sent here will be “solicited”, so this will be compliant with the Regulations provided the recipient has not previously opted-out, the identity of the sender is not concealed or disguised and a valid unsubscribe address is given. Marketers are encouraged by the IC to seek assurances from the third party list provider as to the veracity of such a list, i.e. are these genuine invitations for contact from anyone on a particular subject?
2. Lists of individual subscribers who have invited contact from third parties on unspecified subjects.
Again, messages here will be “solicited”, so provided the individual has not previously opted-out and there is no concealment or disguising of the sender’s identity, as well as provision of a valid unsubscribe address, this should be acceptable, with the caveat again that marketers should actively seek assurances from third party suppliers as to the veracity of the list.
3. Lists of individual subscribers who have consented to receiving unsolicited marketing material by email from third parties on a particular subject.
This is an “opt-in” list and should be acceptable for continuing use, provided the marketer can show that the consent was given to him as “the sender”. This will be the case even though the email address was initially collected by a third party.
As the Guidance indicates, “a great deal will depend on the wording of any statement made when the information was collected.” If, for example, the consent was given before 11 December 2003, the marketer may wish to check with the broker just how recently it was compiled and whether it has already been used by their other clients. A list compiled in the course of 2003, for example, should have been compiled in the knowledge that the PECRs were on the way. However, a list compiled before 1 January 2003, for example, will be much more questionable.
Advertising third party products and services via email
The Guidance says that this is unlikely to be acceptable in a soft opt-in situation because the “similar products and services” have to be those of the collector of the email address.
Passing email lists to third parties
If these are lists of individual subscribers’ emails, the third party will be unable to use them to send unsolicited marketing material unless the subscriber has actively consented to receiving it from that third party (i.e. “the sender”). In other words, any marketer contemplating passing his list on to a third party should, when initially collecting email addresses, make it clear who it is proposing to pass the details on to and what sort of products and services they will be offering. They should then seek a positive indication that the recipient does not mind receiving such messages in the future.
For example, a positive response to a phrase such as “We would like to pass your details on to specially selected third parties so that they can email you more information about holidays in America. Do you agree to this?” is likely to be sufficient, whereas something like “We will pass your details on to third parties unless you write to us and tell us that you don’t agree” will not be.
Group companies/trading names
Where email addresses are being collected post 11 December 2003 and group companies are involved, the collector of the addresses must, according to the Guidance, ask individuals if they consent to receiving unsolicited marketing by electronic mail from other group companies. In an on-line environment, the Guidance goes on, a link to those other group companies could be supplied. In terms of the disclosure provided at that point, a similar approach to that suggested in the section immediately above in the context of passing emails to third parties is recommended.
Alternatively, an opportunity can be given to the recipient to solicit contact from other companies within the group or separate opt-in options can be supplied for each company on that list.
Where a company has a number of different trading names, particularly where those names are strong brands, the marketer should not assume that a customer who agrees to receive mailing from one trading entity is agreeing to receiving marketing from other trading entities operated by that company.
The Guidance recommends that the marketer should make the individual aware that they will receive unsolicited marketing from all of the relevant trading names when they opt-in to receiving e-mail marketing, giving full disclosure as to these other trading names at the same time.
On the other hand, if an individual opts-out of receiving unsolicited marketing from one of the company’s trading names, the IC will apparently regard this opting-out as applicable to all of the company’s trading names unless they make it clear otherwise.
In the “soft opt-in” scenario the Guidance indicates that there may be considerable difficulty in satisfying the “similar products and services” criteria if the marketer wants to send further unsolicited marketing relating to its full range of trading names. What the IC is saying here is in keeping with its general approach in this context. This is that one must have an eye to what the individual would reasonably expect to receive information about in the future, having made a particular purchase. They may not even be aware of any connection between different trading names. The IC’s counsel of perfection, therefore, is to provide an opportunity for the individual to expressly solicit emails from the other trading names in the future.
Marketinglaw’s take on this aspect is that the IC is perhaps being too restrictive here. Provided the “similar products or services” are sold by the same company that first collected the customer’s email address and details of those similar products and services were provided to the customer at that time, then provided any opt-out request is honoured, the identity of the sender is not disguised or concealed and a valid unsubscribe address is provided, we see no major difficulty.
Business to business
The Guidance here reflects the position that marketinglaw has been taking on the correct interpretation of the PECRs. This is that the “opt-in” and “soft opt-in” regimes do not apply to emails sent to “corporate subscribers”, in other words any unsolicited direct marketing email to the office email address of company employees (as opposed to employees of partnerships, for example, where opt-in/soft opt-in will still apply) will not be governed by these regimes, although the obligations not to disguise or conceal the sender’s identity and to give a valid unsubscribe address will apply.
This is not to say, of course, that the existing principles of data protection law will not continue to apply. Of course they will, and this means, for example, that if any such individual contacts the sender and asks not to receive future such emails, that request must be honoured. The IC underlines this in its Guidance by saying that any persistent failure to comply with these requirements may result in the taking of enforcement action.
The Guidance starts out encouragingly by saying that “it is our understanding that” there must be compliance with the laws of the jurisdiction in which the sender is based. However, it goes on more discouragingly to remind us that when implementing the EU directive, each member state was given the option to decide whether the rights given to individual subscribers should extend to corporate subscribers. Some jurisdictions have chosen to do so to a greater extent than the UK has done.
It should also have mentioned that under the E-commerce Regulations, rules on “opt-in” and “opt-out” in relation to email marketing have been expressly excluded from the “country of origin” regime which those regulations introduced. In other words, prudent email marketers addressing a European catchment and looking to be 100% compliant should strictly check on exactly how each of their destination states have implemented the directive.
Can charities and non-profit organisations take advantage of “soft opt-in”?
The problem for charities and political parties here is that “soft opt-in” only applies where the email address has been initially obtained “in the course of the sale of a product or service or negotiations for such a sale”. Could it be said that by making a donation to a charity an individual is in some way buying a product or service or negotiating for such a purchase? The Guidance makes it clear that in the IC’s view this could not be said. In other words, unless the charitable organisation is separately promoting commercial goods or services, using a separate trading arm for example, “soft opt-in” cannot be used.
Location data
As reported previously on marketinglaw, the PECRs will significantly liberalise the currently very strict regime on the marketing use of location data (information indicating where a mobile phone user is standing). Under laws pre-PECRs this data can only be used legally for the purposes of marketing telecommunications services offered by the telecoms company whose service the mobile phone user is using. This is regardless of whether the phone user has actually “opted-in” to receiving a wider category of marketing messages.
Under the PECRs this will all change, but it will still be a strictly opt-in environment. Also, disclosure will have to be given, in advance of the phone user being invited to “opt-in”, as to the types of location data that will be processed, what purposes the data will be used for and whether the data will be transmitted to third parties for other purposes.
The Guidance goes on to make it clear that, in its view, service providers should not be able to rely on a blanket “catch all” statement on a bill or website. Instead the IC will look for the obtaining of specific, informed consent for any future marketing using location data.
Furthermore, where the further marketing is to be done by the telecommunications service provider in conjunction with a third party, in the interests of transparency it is likely that the consent to process location data for such a purpose should be obtained by the person who will be seen to be responsible for providing the service. The idea, in keeping with the strong leitmotiv running through the whole Guidance, is that the way in which the location data is used will be consistent with the expectations of the subscriber or user. Where the user provides consent to one party for the purposes of the provision of a particular service, they should not then be surprised when they are contacted by another party relating to the provision of that service.
Cookies
The PECRs require that if cookies or similar devices are to be deployed by websites or email messages, then the recipient must be provided with clear and comprehensive information about the purposes of the device and given the opportunity to refuse its operation.
The Guidance comments helpfully that the phrase “given the opportunity to refuse” may be subject to differing interpretations. At the very least, the Guidance says, the user or subscriber should be given a clear choice as to whether or not they wish to allow service providers to engage in the continued deployment of the cookie or similar device.
In the IC’s view, this means more than just making such a refusal a possibility. The mechanism by which a subscriber or user may exercise their right to refuse should be “prominent, intelligible and readily available to all, not just the most computer-literate or technically aware”. Where relevant information is to be included in the privacy policy, for example, the policy should be clearly signposted at least on those pages where a user may enter a website. The relevant information should appear in the policy in a way that is suitably prominent and accessible and it should be worded so that all users and subscribers are capable of understanding and acting upon it, without difficulty.
Here the IC refers to the series of web pages produced by the Interactive Advertising Bureau at which it explains to users how cookies work and can be managed. The IC Guidance reports that the IAB welcomes website owners who wish to link their cookie policies directly to these pages.
Why this matters:
The IC Guidance is an essential read for all those contemplating digital marketing in the UK. What we offer above is merely edited highlights and a summary of some of the indications given in the Guidance. All of the document has to come with the health warning that it does not come from the body which will ultimately take the decision as to whether any particular practice is contrary to the PECRs. This will be for the courts. However, as most of the time the decision as to whether enforcement action will be taken will be that of the IC, marketers would do well to consider seriously all of the recommendations contained in this document.
It should also be borne in mind that the above report only touches on Part 1 and aspects of Part 2 of the Guidance document. For the full monty on the implications of all the PECRs, both Parts 1 and 2 should also be read in full.
Finally, please remember that all of the above is not legal advice. This should be taken separately before embarking on email marketing.