With lockdown restrictions still in place, more businesses are using digital marketing to promote their services and products. David Edwards, director and head of Harrison Drury’s regulatory team, considers the relevant data protection and privacy regulations that impact on marketing activities of businesses.
If direct marketing involves the processing of personal data, businesses will be required to demonstrate that they have a lawful basis under Article 6 of the General Data Protection Regulation (GDPR) to carry out direct marketing.
The lawful bases that businesses will typically rely on for marketing purposes are Consent and Legitimate Interests, which are discussed in turn below.
What does Consent mean under the GDPR?
Many businesses rely on consent for the purposes of marketing, and if the consent already obtained complies with the requirements of the GDPR, then it will not be necessary for the individual to give their consent again.
Care must be given when requesting consent, which must be separate from other terms and conditions, and it must be easy to understand.
The Information Commissioner’s Office (ICO) has said the request must include:
- The name of the organisation;
- The names of any third-party controllers who will rely on the consent;
- Why the data is wanted;
- What will be done with the data; and
- How individuals can withdraw their consent at any time.
It must be made clear that data subjects will need to opt in, and you must not use pre-ticked boxes, opt-out boxes or other default settings.
What is defined as Legitimate Interest?
Legitimate interests is the most flexible lawful basis for processing data.
However, it carries extra responsibility: people’s rights and interests must be fully considered and protected.
If a business relies on legitimate interest as a lawful basis for carrying out direct marketing, it is not necessary to also obtain consent.
Legitimate interests is most appropriate where you use the data in ways that individuals would reasonably expect and which have a minimal privacy impact.
To determine whether or not you have a legitimate interest you must carry out an assessment which comprises a three-stage test:
- Identify a Legitimate Interest;
- Carry out a Necessity Test, which involves considering whether the processing of personal data is “necessary” for the pursuit of identifiable commercial or business objectives; and
- Carry out a Balancing Test, which involves assessing whether the rights and freedoms of the individual whose personal data will be processed override the controller’s legitimate interest.
However, this exception does not override the requirements of the Privacy and Electronic Communications Regulations (PECR), which restrict circumstances in which a business can market by telephone, email or other electronic means.
What is the PECR and how does it affect marketing activity?
The PECR complements the general data protection regime and sets out more specific privacy rights on electronic communication.
PECR will apply if you:
- market by phone, email, text or fax; or
- compile a telephone directory (or a similar directory).
What are the PECR rules for electronic and telephone marketing?
You must ensure (under PECR) that you obtain consent from your data subjects when sending marketing material by email, text, phone or other electronic means to an individual.
There is an exception to this rule, known as the ‘soft opt-in’ approach, where you can send emails/texts without consent if the following conditions are met:
- The customer has specifically consented to electronic mail from you.
- You have obtained the contact details in the course of a sale (or negotiations of a sale) of a product or service.
- You are only marketing your own similar products and services.
- You provided a simple opportunity to refuse or opt-out of the marketing when you first collected the contact details and in every subsequent communication.
In practice, this means you may be able to send unsolicited electronic marketing via email or text to your long-standing customers without consent, but this will not apply to prospective clients or new contacts (bought-in lists) and, in general, does not apply to non-commercial promotions (such as charities).
Businesses must not send marketing materials electronically to any individual who has said they do not want to receive it. If you are marketing by using direct messaging via social media, the electronic marketing rules will apply.
Sole traders and some partnerships are treated as individuals, and so you can only email or text them if they have specifically consented to that, or if they have bought a similar product from you in the past and did not opt out of marketing messages.
The same rules apply whether you send the marketing message yourself or ‘instigate’ someone else to send it on your behalf.
The PECR makes it clear that you must not make marketing calls to anyone who has expressed they do not want to receive calls.
Additionally, calls should not be made to numbers registered with the Telephone Preference Service or Corporate Telephone Preference Service. Therefore, businesses should screen numbers against both lists to ensure they do not call those listed.
How are complaints and sanctions dealt with?
Both the GDPR and PECR are enforced by the ICO, and failure to comply can result in complaints to the ICO, which can investigate your compliance with PECR.
In the case of a business supplying services, the ICO may well undertake an investigatory audit involving off-site and on-site checks to assess compliance. The results of PECR audits are published online and will include observations and recommendations.
If the ICO finds that a business has failed to comply with PECR or other data protection legislation, enforcement action can be taken against a business, and in the case of a company, against the company and/or its officers or senior managers.
Possible implications include criminal prosecution, non-criminal enforcement, audit, and imposition of monetary penalties of up to £500,000.
PECR fines have been handed out to various high-profile companies including the airline Flybe, which was fined £70,000 for sending out mass emails to contacts who had previously opted out of marketing communications.
This and other examples make a compelling case for compliant policies and procedures in this quickly developing area of the law.
Harrison Drury’s regulatory team can provide tailored advice and assist you by reviewing your GDPR practices and drafting any relevant documents, such as privacy notices, cookie policies and terms and conditions implementing GDPR practices. If you wish to discuss any of the above further, then please contact our regulatory team on 01772 258321.