ICO Publishes New Guidance on Direct Marketing

September 15, 2013

The Information Commissioner’s Office has published new guidance on direct marketing as well as a direct marketing checklist and guidance for companies that receive unwanted marketing.

The guidance explains the rules for direct marketing under the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).  It aims to help organisations to keep within the law and maintain a decent reputation with customers.  In addition, it sets out the ICO’s enforcement powers.

The guidance starts with a broad overview of the law, then contains separate sections on what counts as direct marketing, what counts as consent, the specific rules on telephone calls and text messages, and the use of marketing lists.

The key points of the guidance are as follows:

• Direct marketing includes promoting an organisation’s aims and ideals. Consequently, the promotional and campaigning activities of not-for-profit organisations like charities and political parties fall within the scope of the DPA and PECR.

• In many cases organisations will need consent to send people marketing, or to pass their details on.  Organisations will need to be able to demonstrate that consent was knowingly given, clear and specific, and should keep clear records of consent. They should use opt-in boxes if possible.

• The rules on calls, texts and emails are stricter than those on mail marketing, and consent must be more specific. Organisations should not take a one-size-fits-all approach.

• Organisations must carry out rigorous checks before relying on indirect consent (that is, consent originally given to a third party). Indirect consent is unlikely to be valid for calls, texts or emails, particularly if it is generic or non-specific.

• Organisations can make live marketing calls to numbers not registered with the Telephone Preference Service (TPS), if it is fair to do so. But they must not call any number on the TPS list without specific prior consent.

• Organisations must not make any automated pre-recorded marketing calls without specific prior consent.

• Organisations must not send marketing texts or emails to individuals without their specific prior consent. There is a limited exception for previous customers, known as the soft opt-in. Organisations must stop sending marketing messages to any person who objects or opts out of receiving them.

• Neither the DPA nor PECR bans the use of marketing lists, but organisations need to take steps to ensure a list was compiled fairly and accurately reflects people’s wishes. Bought-in call lists should be screened against the TPS, and it will be difficult to use bought-in lists for text, email, or automated call campaigns (as these require very specific consent).

• The ICO will consider using its enforcement powers, including the power to issue a fine of up to £500,000, where an organisation persistently ignores individuals’ objections to marketing or otherwise fails to comply with the law.