Direct marketing has been a focus of the UK data protection regulator, the Information Commissioner’s Office (ICO), for the last several years. Direct marketing for these purposes includes promotional messages that are sent directly to an individual recipient electronically (email or text), by post or communicated by phone. Such messages are considered to be unsolicited communications, as opposed to marketing messages that were specifically requested by individuals.
The use of contact details of individuals for direct marketing (such as direct marketing by email, text or phone) are subject to the EU e-Privacy Directive (implemented in the UK by the Privacy and Electronic Communications Regulations). This means there additional specific limitations beyond those applicable to direct marketing as set out in the EU GDPR and UK DPA. Prior consent is required in most cases and the form of consent must be compatible with the GDPR.
The ICO has issued a number of fines to enforce the rules on direct marketing. For example, this year around 40% of the enforcement action taken by the ICO was in relation to failures by organisations to comply with the rules on direct marketing by email, text, or phone.
To date, the ICO has used its enforcement powers in situations where:
- direct marketing emails or texts were sent without necessary consents,
- direct marketing phone calls were made without checking the Telephone Preference Service (the TPS) lists for opt outs,
- third-party marketing lists were used without checking if valid consents were obtained for marketing or screening against the TPS lists, or
- personal data was used for profiling individuals by third parties without making it transparent to individuals.
The ICO had issued Direct Marketing Guidance pre-GDPR and most of the enforcement measures the ICO took this year largely fall under the old regime. The guidance must now be updated as post-GDPR the rules on direct marketing have been reinforced and updated due to a number of new requirements, including:
- transparency when processing personal data for direct marketing purposes,
- documenting lawful bases for the processing of personal data for such purpose, and
- ensuring the rules on electronic direct marketing are complied with (emails, texts) including obtaining “GDPR-standard consent” unless an exception to the “opt-in” requirement applies.
You may use this link to provide your views on how new rules affect your business and how you would like them to be implemented. If you would like help formulating a response, please let us know.
The consultation closes on 24 December 2018.