GDPR Blog Week 5: Direct Marketing
This is one of the most examined areas in the field of data protection. This is because there are two sets of regulations in play – the GDPR and PECR (Privacy and Electronic Communications Regulations) and as data protection evolves, so does the legislation. PECR is currently being updated and will be replaced soon by the new E-Privacy Regulations. This will change the goalposts again but for now the position is outlined below.
GDPR has a focus on the protection of personal data, that is, how it is collected, controlled, processed and protected. PECR on the other hand governs how you can communicate with people using their personal data. These are two separate issues but they work in tandem so that both must be considered jointly.
Assuming that you have complied with the new data protection principles (collection for a specified purpose, data minimisation, accuracy, retention limits, transparency, security etc.), there are 6 lawful bases for legally processing data. The one most often applied in cases of direct marketing is consent. This is because the other bases, such as legal obligation, performance of a contract etc., don’t apply to situations where the marketer has had no previous business relationship with, or duty of care to, the data subject. Alternatively, the scope of personal data held may be wider than that required to perform a contract or fulfil a legal obligation. In either scenario, the data may only be held if it relies upon another lawful basis, and this note addresses the issue of direct marketing through an individual’s consent.
The GDPR creates an overarching requirement to obtain an individual’s opt-in consent to contact them by email or SMS. This consent must be freely given, specific, informed and unambiguous (see our Week 2 Blog). It must be explicitly brought to the attention of the individual and presented separately from any other information. It must be capable of withdrawal at any time.
The four main types of marketing are direct mail, telephone, email and SMS (texts). If you propose to directly market using either direct mail or telephone, then you need to be aware that there is a preference service for both – the TPS and the MPS – and these must be checked before contact with an individual is made. In relation to email and SMS, explicit consent must be obtained unless you can rely on the exception of “soft opt-in” which assumes that the data subject has opted in to receive marketing material from you.
However, the soft opt-in may only be relied upon if the following requirements are met:
- Individuals’ details have been obtained through a sale or negotiation with you and they have not opted out of receiving communications from you;
- The email/SMS must relate to products or services similar to those of the previous sale/negotiation;
- Your identity must not be concealed; and
- Your communication must contain a simple and free means of opting out (often an “unsubscribe” button).
All four of the above criteria must be satisfied, otherwise your opt-in consent will not be valid. Whether you rely on this soft opt-in or obtain explicit consent, you should ensure that you have an audit trail evidencing the consent and your compliance with the GDPR for it to be valid.
As with all data processing under the GDPR, you must support your business activities with a Privacy Notice or Statement, ideally on your website, to inform all data subjects what data you hold about them and the purpose for which it is held. The consents you receive, if this is the lawful basis on which you rely, should make reference to a privacy notice so that data subjects can access a detailed account of what you do with their personal information.
As a final word, remember that the above refers to personal data of a data subject, and not a business or “corporate subscriber”. If you are processing business information then this doesn’t require individual consents so you can send marketing emails and/or texts to these organisations whilst relying on the “legitimate interests” legal basis (assuming no personal corporate email accounts are used). Any targeting of corporate subscribers should include an opt-out link in your communications. The ICO has more detailed information about this.
Please don’t hesitate to contact me, Louise Weatherhead at Louise.firstname.lastname@example.org or by telephone on 0191 226 3699 or speak to another member of the Data Protection Team if you require any further information.
We will be releasing our blogs on a weekly basis in the run up to May to pick apart the new legislation in simple terms and help you to get GDPR-ready. Next week, our topic will be Security Breaches and how to deal with them. We hope that our blogs help you to think about transition arrangements and getting to grips with the new GDPR.