On its mission of making data protection law simpler, the Information Commissioner’s Office has published an email marketing ‘Data protection good practice note’. At two pages of A4 it’s certainly short, but just how useful is it?
Topic: Email marketing
Who: The Information Commissioner's Office ("ICO")
Where: Wilmslow, Cheshire
When: November 2005
What happened:
The ICO (the UK's data protection watchdog) published a "Data Protection Good Practice Note" on email marketing.
The Note opens by saying that it "explains how the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("Regulations") apply to electronic mail, which activities they cover and gives some good practice recommendations".
This Note then goes on to remind us that "marketing includes messages trying to sell goods or services, as well as those promoting the values of benefits of a particular organisation".
When permission needed:
Then it underlines that, apart from e-mails to employees of limited companies at their office e-mail address and the "soft opt-in" exception, "you can only carry out unsolicited marketing (that is, marketing which has not specifically been asked for) by electronic mail if the individual you are sending the message to has given you their permission".
In the context of the "soft opt-in" exception (which applies when digital contract details are captured in the course of a sale or negotiations for a sale), the Note emphasises that at the point of first data capture and when all further electronic messages are sent, the individual must be given a simple opportunity to refuse further such marketing.
How to opt out:
The Note then goes on to amplify the letter of the Regulations by stating that the opt-out option should allow the individual to reply directly to the message opting out. In the case of text messages, the Note goes on, an individual could opt-out by sending a stop message to a short code number, for example, text "STOP" to 12345. The only cost involved should be the cost of sending the message.
Identifying the sender:
For all marketing e-mails and texts, the recipient of the marketing message must be told who has sent the message. A valid address must also be provided so that the individual can contact the marketer if they want to stop the marketing.
As regards marketing e-mails to employees at their personal corporate e-mail addresses, the Note reminds us that although the Regulations do not directly apply, these employees will still have a right under the Data Protection Act 1998 to request the marketer stop using that e-mail address for marketing.
Eight recommendations:
The Note ends with eight "good practice recommendations".
These are as follows:
- try to go for permission-based marketing as much as possible; this way you are only contacting customers who want you to contact them;
- provide a statement of use when you collect details. Put this in an obvious place or make sure it has to be read before individuals submit their details;
- make sure you clearly explain what individuals' details will be used for. For example, explain to individuals why you might use their email address in the future;
- do not have consent boxes already ticked;
- provide a simple and quick method of customers to opt-out of marketing messages at no cost other than that of sending the message;
- promptly comply with opt-out requests for everyone, not just those from individuals;
- have a system in place to deal with complaints about unwanted marketing;
- when you receive an opt-out request, suppress the individual's details rather than deleting them. This way you will have a record of who not to contact.
Why this matters:
This good practice Note is by no means any departure from previous guidance issued by the ICO in respect of the Regulations. It does, however, meet with the ICO's declared intention of making data protection simpler and more accessible.