This article is a brief guide to the rules on unsolicited electronic direct marketing communications such as text, automated calls, live calls, fax, and emails. These rules apply to corporate bodies and individuals under the Privacy and Electronic Communications Regulations (PECR) 2003 and the main features of the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2018. The GDPR and the DPA 2018 control the use of personal data for direct marketing purposes, which includes postal marketing.
When controllers/direct marketers send electronic direct marketing communications they must comply with the requirements of the PECR. This often involves getting the data subject's prior consent but can also include checking statutory preference services and any ‘do not send’ list. The requirements differ depending on whether the recipient is a corporate body, charity, individual, political party or other not-for-profit organisation. However, the PECR does not apply to postal marketing.
You must comply with the GDPR and the DPA 2018 when personal data is processed. Personal data includes names, addresses, emails, and contact details. The definition of direct marketing given by the DPA 2018 is that it means ‘the communication (by whatever means) of advertising or marketing material which is directed to particular individuals.’
The rules under the GDPR and the DPA 2018 are similar to those of the DPA 1998 but there are some critical differences. These are:
- Expanded territorial scope.
- A higher standard of consent which involves an opt-in action.
- Clarity and prominence of requests for consent.
- Keeping records of consent.
- Performance of a contract (including the provision of a service) cannot be conditional on consent unless it is necessary for that contract or service.
- More information must be provided in simple and clear language in privacy notices.
- Data subjects have more control over how their personal data is used.
- The right to withdraw consent.
- An enhanced right to object.
- Any third parties must be specifically named.
The first principle of data protection is fair and transparent processing. To process personal data fairly and transparently certain information must be given to data subjects at the point of data collection. This is usually done with a privacy notice. The Information Commissioner’s Office (ICO) Direct marketing guidance states that, ‘in particular (organisations) will usually need to tell the individuals concerned who they are and that they plan to use those details for marketing purposes. Organisations will also need to tell people if they plan to pass those details on to anyone else, including selling or sharing the data for marketing purposes, and are likely to need their consent to do so. Organisations must not do anything that people would not reasonably expect, or which would cause them unjustified harm.’
The ICO has issued fines under the DPA 1998 for breach of the first data protection principle and it can issue even higher fines under the GDPR.
Data controllers also need to show a lawful basis for the processing of personal data. Two that apply to processing personal data for direct marketing are:
- An individual has given their consent.
- It is in the legitimate interest of the controller or third party, except when such interests are overridden by the interests or fundamental rights and freedoms of the data subject, particularly when the data subject is a child. The GDPR confirms that processing for direct marketing is a legitimate interest. However, this does not override the requirements of PECR.
The GDPR states that consent must be a ‘freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.’ It is important to note that all consent must be opt-in consent. There is no such thing as opt-out consent.
There is specific protection for children as they may be less aware of the risks relating to the use of their personal data. This would include providing very simple and clear privacy notices which could possibly include graphics. The ICO has published guidance on processing children’s personal data, including in the context of direct marketing.
Direct marketers should also be aware of other statutory rules and codes of practice. These include advertising law and regulation, digital marketing, and the Consumer Protection from Unfair Trading Regulations 2008.