29/11/22 – The Information Commissioner’s Office (ICO) recently published new guidance on email marketing and phone marketing. The guidance is supplementary to the ICO’s Guide to the Privacy and Electronic Communications Regulations (PECR) and (124-page) draft Direct Marketing Code of Practice.
Direct marketing is a fiddly area, with different rules depending on whether you’re using email/text, phone, post or (perhaps less likely) fax, and also whether you’re marketing to companies, sole traders/partnerships, or individuals. This post takes a look at the rules for direct marketing by UK businesses of their own products and services, either by email or text/voice messaging services (such as WhatsApp or LinkedIn), or by phone. It is not exhaustive, and there are additional rules if for example you are selling pensions or claims management services, marketing to children etc.
What’s the relevant law?
The law applicable to direct marketing is set out in the Privacy and Electronic Communications Regulations 2003 (PECR) and to a lesser extent the UK GDPR and Data Protection Act 2018. The ICO provides extensive, plain English overviews of all areas of marketing law.
Direct marketing by email/messaging services
If you’re looking to market to a contact by email or using a text or voice messaging service then you either need to obtain the contact’s consent or you need to check if you can use the so-called ‘soft opt-in’ exemption.
Consent. For consent to be valid it needs to be freely given, specific, informed and unambiguous. In practice this means no pre-ticked checkboxes, and making sure the consent covers the type of communication you’re using – obtaining consent for marketing by email does not entitle you to send them a WhatsApp. The consent also needs to be separate from other consents, so you can’t include marketing consent in the tickbox wording used for accepting your terms of service.
Soft opt-in exemption. To use the soft opt-in exemption, you need to meet all of the following criteria:
- You must have obtained the contact details yourself. You cannot for example use an email address obtained by someone in your marketing department.
- The contact details must have been obtained as part of a sale or negotiation, i.e. the contact must either be an actual customer or a prospect who has previously expressed an interest in your products or services.
- The marketing content must relate to products or services which are similar to the ones that your contact has previously purchased or been interested in.
- The contact must have had an opportunity to opt-out of receiving marketing messages when you obtained their details, and they must continue to have that option, e.g by including a ‘click to unsubscribe’ link in the message.
A few things to bear in mind:
- The direct marketing rules apply to individuals, which for these purposes include sole traders and partnerships. There are no restrictions on sending marketing messages to companies, LLPs, or other corporate entities such as local authorities.
- Messages sent for customer service purposes (e.g. asking a contact to confirm their details, or providing product support) or for genuine market research purposes do not fall within the direct marketing rules. But the ICO have made it clear that if a customer service or market research message also contains a promotional element, then the whole message amounts to direct marketing. Halford’s discovered this to their cost when they emailed 498,062 customers with information about the Government’s Fix Your Bike voucher scheme, also suggesting that customers could use their vouchers at their local Halfords store – the ICO rejected Halford’s ‘service message’ argument and fined them £30,000.
- The PECR direct marketing rules are separate from, and in addition to, the UK GDPR and Data Protection Act 2018. As well as the normal rules regarding the collection, storage and other processing of your contact’s personal data, you have to identify a lawful basis for using the contact’s information for marketing purposes.
- When sending a message for direct marketing purposes, you must display identification information, provide clear information about the marketing, and provide a method to opt out.
Direct marketing by phone
In short, you do not consent for making direct marketing phone calls, whether to individuals or to businesses, unless either of the following applies:
- The phone number is listed on the Telephone Preference Service (TPS) or the Corporate Telephone Preference Service (CTPS).
- Your contact or the business has previously objected to receiving marketing calls.
If the phone number is listed on TSP or CTPS you can still get consent to receive marketing calls. The ICO have suggested that any consent for overriding a TSP/CTPS listing should aim to meet the GDPR-style, opt-in standard that applies to direct marketing by email.
When making a direct marketing phone call, you must display your phone number (or a valid alternative number), say who is calling (and provide contact details if asked), provide clear information about the marketing, and make it easy for the recipient to object or opt out.