The Information Commissioner’s Office (ICO) has issued revised guidance notes on existing laws could result in major changes for email marketers. This change is being driven by the ICO’s taking a stricter interpretation of the Data Protection Act (DPA) and the Privacy in Electronic Communications Regulations (PECR) already in effect.
Am I going to be incarcerated?
No. Breaches of this law are civil, not criminal so you cannot be imprisoned for violating them. Not following this guidance is more likely to end in a discussion with the Enforcement Division of the ICO but could result in your organisation being fined up to £500,000 in the worst case scenario. And the good news is that the ICO won’t penalise you for what happened up to the 9th September 2013 – when they published the guidance notes. Clearly, that date has past so you need to ensure that you comply from now on.
What action should I take?
First of all, it’s important to make sure you are only marketing to the contacts that have opted-in to receive your email communications – you should be doing that anyway.
Secondly, you should revise the wording of your email opt-in. It needs to be explicitly clear to the consumer exactly which kinds of marketing communication messages they are opting in to receive. So for example, instead of simply asking people to opt-in to marketing communications, you should now say something like:
“I would like to be sent email in the future including, promotions and news about all products and services, and other types of marketing communications”
What about third party lists?
The law on email and SMS marketing has always said that the recipient of an email must have given their consent to the sender – that hasn’t changed, and your content can still be placed in an email that goes to someone else’s list – if they send it.
What has changed?
If you are renting someone else’s list, you can’t rely on them having obtained the appropriate consent to pass details on to third parties. Instead, you can only send to someone else’s list IF the first party names the third party upon opt-in OR if the third party falls into a specific category of organisation which the first party told the recipient they would be contacted by when they opted in.
So the above example, becomes:
“I would like to be sent emails in the future, including, promotions and news about all products and services, and other types of marketing communications, and I am happy for my details to be passed on to third party organisations in the Travel and Leisure sectors, such as GB Airways”
But I know my customers are expecting emails!
This excerpt from the guidelines is clear, so we won’t labour the point:
“It is extremely unlikely that a customer would intend to consent to unlimited future marketing calls or texts from anyone, anywhere. The question is what the customer would reasonably expect, given the context. Would they have anticipated that they were consenting to messages from that particular organisation? If the nature of the promotion is quite different from the context in which consent was originally obtained, consent is unlikely to be valid under PECR – even if it was superficially expressed to cover third
The example is given where a customer signs up to a service, sharing their data for that purpose. When the customer stops requiring those services, the consent expires too.
What about rented lists?
The ICO are expecting that the list renter will have done sufficient due diligence to be comfortable that this is the case. They also recommend that all data be stored with the date and method of collection, who collected it and the information provided to the recipient at the point of collection.what you should do is enquire with the list provider before purchasing to check that the correct permissions have been obtained – the onus is on you as the sender to find out as far as the ICO is concerned. This could include getting an example copy of the wording used upon opt-in.
Does it matter when the consent was obtained?
The guidance clearly states that the consent is time-limited, but doesn’t give very specific information as to what that limitation is for specific industries. The PECR says that this consent should be considered as applying to “the time being”. Great. Obviously it is more difficult to prove an opt-in that happened a long time ago, but given the advice given above around context – if it has been so long that the customer wouldn’t expect to have heard from you, then err on the side of caution and suppress them from your list. In addition, if you have collected data for the purpose of a time limited, promotional campaign – a competition for example, then the consent may only be valid for that period of time. That’s why we included the words ‘in the future’ in our examples above.
There are more specific notes around third-party lists and time constraints. The ICO believes that any consent for a company to share data with a third party only lasts for a short time and the third party must make first contact within six months of the data being collected – unless the customer might expect to receive something later than that because the opt-in relates to a seasonal product like Christmas Cards.
Do I need proof of consent?
The ICO have said that the burden of proof is on the brand sending the email to prove they obtained consent in the case of a complaint. Without that proof, the brand is at risk of being fined.
That means you must record to what each record has consented.
What might I be asked to show?
- The date of consent
- Method of collection of the consent
- Whether the consent was gained by opt-out/opt-in methods
- Which company obtained the consent
- What information was provided to the recipient at the point of consent
So these are the records that a list provider should be able to share if you are renting a list.
Can my company challenge the ICO?
The ICO’s interpretation can be challenged at the Information Tribunal but we hope it will not come to that. In the near term, as Chair of the Email Marketing Council I am working with the other members as well as the DMA to lobby the ICO for clarification on some points and changing their stance on others. Watch this space for future updates.