The Information Commissioner's Office (ICO) recently updated its guidance in respect of direct marketing.
Whilst applicable to all organisations, the updated guidance has a strong focus on not-for-profit organisations, and follows on from recent concerns expressed by the ICO in relation to data protection compliance in the third sector.
The guidance emphasises that direct marketing will cover any message that embodies a marketing element, even if that is not the intended purpose of the communication, meaning that it would cover the promotion of an organisation's aims and ideals.
Consent and direct marketing
The core feature of direct marketing is consent, and many of the changes are aimed at giving better guidance to the third sector in this regard, particularly given forthcoming changes under the General Data Protection Regulation.
So what is consent?
In order to be valid, consent must be:
- informative - clearly explaining what the individual is consenting to;
- specific - highlighting the specific types of marketing communications that will be used (e.g. text, email etc) as well detailing the organisation who will be sending it; and
- freely given - in other words the customer must have a genuine choice in whether or not to consent to direct marketing communication. This also means that such information cannot be hidden away in small print or difficult to find - it must be clearly drawn to the attention of the customer.
The same is true whether consent is explicit, implied or indirect. It is the latter two categories of consent, which often cause issues for not-for-profit organisations (and indeed many other organisations), when using the likes of bought-in marketing lists.
Indirect (third party) consent
Indirect or third party consent is defined as "situations where a person tells one organisation that they consent to receiving marketing from other organisations."
While the guidance does not say that indirect consent will automatically be invalid, it suggests that it will be harder for not-for-profit organisations to send texts, emails or make automated calls on the back of indirect consent. This is because the consent requires that the customer has notified the organisation sending the marketing communication to consent to receiving such communication from them.
Therefore, sweeping general consents such as 'you consent that you are happy to receive marketing from us and selected third parties', will not amount to valid consent on the part of the customer.
Organisations considering using third party lists will therefore have to approach the matter of consent cautiously and ensure that they conduct appropriate due diligence before contacting individuals.
"Freely given" consent
The ICO's guidance emphasises that organisations should not be coercive or unduly incentivise customers to agree to receive marketing communication. Any consent sought must be freely given. This means that marketing consents should not be a condition of subscription unless it can be shown that consent to marketing is "necessary for the service and why consent cannot be sought separately".
In addition to the general rules on consent, the Privacy and Electronic Communications Regulations set out specific rules in relation to marketing by telephone or electronic means.
So if consent cannot be a condition of subscription, how should an organisation obtain consent in compliance with the direct marketing guidance?
The clearest and easiest way, is to use 'opt-in' tick boxes that require customers to actively tick the box. Provided the consents are specific and clear, they will likely be deemed compliant. Many organisations use 'opt-out' boxes (i.e. a box that requires to be ticked to opt out of receiving marketing communication). While the guidance does not say that they are not allowed, it is clear that they may not be viewed as favourably as 'opt-in' boxes. This is consistent with the forthcoming General Data Protection Regulation expressly states that pre-ticked boxes are not a valid means of consent.
Telephone Preference Service (TPS)
The guidance also reminds not-for-profit organisations that when undertaking telephony campaigns or marketing, they must not call any number registered with the TPS, unless they have received consent from the relevant individual. Organisations must regularly check their marketing database against the TPS.
While there is no set time limit for the validity of a customer's consent, it is important to highlight that consent given is not infinite. Care will have to be taken to ensure that consent is still valid.
Being able to demonstrate valid consent is paramount for organisations and consequently it is essential to have an audit trail. If an individual claims that they did not consent to receiving a marketing communication, then the onus will be on the organisation to demonstrate that they did in face have valid consent.
Top tips for direct marketing:
- The onus is on the party making the marketing communication to ensure it has valid consent.
- Ensure that consent is freely given, informed and specific. Don't rely on opt-outs or pre-ticked boxes.
- Be aware of the stricter rules that apply to marketing by email, text or other electronic means.
- Be careful when using marketing lists provided by third parties or using indirect consent.
- Regularly check your lists against the TPS and other relevant lists.
- Ensure you respect any opt out from or objection to direct marketing.
- Keep and audit trail to show so that you can demonstrate compliance.
- Regularly review your processes and procedure for carrying out direct marketing
- Be aware of any additional guidance applied by regulators or industry bodies in your sector
If you have any queries about the new direct marketing guidance or your direct marketing activities, please get in touch.
Find out more about the forthcoming General Data Protection Regulation.