The Information Commissioner's Office (ICO) has published new guidance on direct marketing using electronic mail and live calls, aimed at providing a more detailed overview of the rules on direct marketing as well as practical examples.
The new guidance is supplementary to the existing guidance on this topic, including the ICO's Guide to the Privacy and Electronic Communications Regulations 2003 (as amended) (PECR) and the draft Direct Marketing Code of Practice.
This post summarises some of the key takeaways and what organisations should do next.
Organisations that wish to send unsolicited messages by electronic mail or make live calls for the purposes of direct marketing have to comply with the marketing rules in PECR, irrespective of whether they are processing personal data in this context (and separately from their obligations under the UK GDPR and the Data Protection Act 2018). The marketing rules in PECR are aimed at protecting “subscribers,” who can be individual subscribers or corporate bodies.
For direct marketing by electronic mail (which includes emails and text messages, picture and video messages, voicemail messages, in-app messages and direct messages on social media) and live calls (as opposed to automated calls), it is the “sender”/“caller” and/or the “instigator” who is responsible for complying with the requirements. This means that in certain cases multiple parties will be responsible for compliance in relation to the same marketing communication.
As a reminder, live calls or electronic mail made or sent for administrative or customer service purposes (e.g. checking someone's details or conducting genuine market research) count as “service messages” and do not amount to direct marketing. However, the ICO have made it clear that if a service message contains a promotional element, then the whole message would amount to direct marketing and thus be subject to the relevant requirements.
In order to market through electronic mail, organisations must either obtain consent or meet all the requirements of the soft opt-in exemption.
The standard of consent in this context is taken from the UK GDPR, so organisations should ensure consent obtained from subscribers is freely given, specific, informed and unambiguous. With respect to marketing by electronic mail, this means, in particular, ensuring that the wording used to request consent clearly covers electronic mail marketing messages, indicates the name of the organisation and is separate from other requests (such as to accept the terms of service). Organisations should also keep a record of consent so that they can demonstrate its validity.
Alternatively, organisations can rely on the soft opt-in exemption if all of the following criteria are met:
The sender must have obtained the subscriber’s contact details – which means that a third party is not allowed to rely on the soft opt-in.
The contact details must be obtained in the course of a sale or negotiation of a sale. A negotiation should include someone actively expressing interest, for example signing up to a free trial of a product or service.
The marketing is related to similar products and services.
The individual was provided an opportunity to refuse or opt-out when the details were collected as well as in subsequent communications. Opting out should be simple and best practice would be to allow subscribers to do this using one click.
These rules only apply to individual subscribers, therefore organisations may use electronic mail to market to corporate bodies without prior consent.
As a general rule, and subject to limited exceptions (e.g. for direct marketing calls about claims management services and pension schemes), in order to market through live calls, organisations do not need prior consent, but must ensure that the subscribers (1) have not objected to receiving live marketing calls; and (2) are not listed on the Telephone Preference Service (TPS) or Corporate Telephone Preference Service (CTPS).
In practice, this means that organisations are required to check the phone numbers they wish to contact against the TPS or CTPS registers before making marketing calls. If a subscriber is listed on the registers, you should not make live marketing calls to that number. The only exception to this is where the relevant individual or business has specifically notified the caller that they do not object to receiving marketing calls. While the “UK GDPR consent” does not apply in the context of live marketing calls, the ICO indicates that, in practice, the standard that must be met to override the TPS/CTPS registration is very similar to obtaining opt-in consent.
When sending electronic mail or making live calls for direct marketing purposes, organisations have an obligation to provide certain information. This applies to both individual and corporate subscribers and to both solicited and unsolicited marketing messages or calls.
As a general rule, organisations should display identification information, provide clear information on the marketing and make it easy for subscribers to object or opt-out.
For electronic mail, the sender must ensure its identity is not hidden or disguised and provide a valid contact address to opt-out. For live calls, the caller must display their phone number, or a valid alternative number, say who is calling and provide contact details if asked.
The new ICO guidance reminds organisations that any preferences expressed by subscribers are, as set out in the PECR, “for the time being.” This means that organisations should have a defined process in place to honour opt-outs. In this respect, the ICO suggest that it is best practice to keep a list of those who have opted-out.
As long as the mechanisms for opt-in and opt-out are clear, and internal systems are set up appropriately, a subscriber may be opting out of receiving marketing by a particular contact type/method of communication, meaning that other means of communication may not be affected.
For direct marketing using electronic mail and live calls, the use of third parties or information provided by third parties may be permitted, as long as compliance with the applicable rules under the PECR can be ensured.
The ICO advise that it is best practice to have a contract in place between the organisation and the third party setting out their responsibilities (if personal data is processed, then there is a legal obligation under the UK GDPR to have a contract in place).
Bought-in lists can be used to send electronic mail and conduct live calls but it is the organisation’s obligation to ensure that the list complies with the respective marketing rules.
For example, organisations should ensure that the recipients on the list have consented to receiving direct marketing from them via the specific channel (noting that the soft opt-in exemption does not apply to bought-in marketing lists). In practice, this may include checking what information the recipients on the list were provided with, whether the sender was named and whether consent was validly obtained.
While PECR does not explicitly prohibit the use of publicly available contact details for marketing purposes, the new guidance clearly sets out that, given the consent requirement and inability to rely on soft opt-in, an organisation is unlikely to be able to use someone’s contact details collected from publicly available sources to send unsolicited electronic mail marketing (a possible exception to this might be someone’s business contact details that are on their employer’s website).
As for marketing calls, organisations wishing to use bought-in lists or publicly available contact details should screen numbers against the TPS/CTPS registers. Even if the details are obtained via a third party who indicates that the numbers have been checked against the relevant registers, it is best practice to check again or ensure this has happened recently as it can take 28 days for a TPS or CTPS registration to become active.
Until the final version of the draft Direct Marketing Code of Practice is published by the ICO, this guidance will serve to add clarity to the marketing rules under the whole data protection framework.
While the guidance does not substantially change the previous status quo, organisations should take this opportunity to review their marketing practices, policies and internal processes and make any changes needed, in light of the new guidance, to maximise the value of their marketing efforts while ensuring compliance and alignment with market best practice.
Authored by Eduardo Ustaran and Sara Marinoni.