UK—ICO Releases New Direct Marketing Guidance
By Brian Davidson, CIPP/E
The Information Commissioner’s Office (ICO) has released its new direct marketing guidance to assist organisations in understanding their obligations when carrying out direct marketing campaigns—including issues around lead- generation and marketing lists and setting out what enforcement action the ICO can undertake for those organisations that ignore the UK marketing rules.
The guidance, published 9 September, arrives as the ICO continues to focus on the problems posed by nuisance calls and SMS messages. The ICO has been actively encouraging individuals to report nuisance calls to it in order to undertake enforcement action and has been working with other organisations in the marketing sectors to formulate joint policy initiatives. It has also called on the UK Parliament to reduce the harm-threshold requirement under the current law—currently “causing substantial damage” or “substantial distress”—to “annoyance” or “nuisance” in order to allow further enforcement action to be taken against a wider category of organisations that are understood to be carrying out regular unwanted and nuisance calls.
The guidance sets out the key rules for organisations when conducting marketing activities across the different communication mediums, such as e-mail, SMS, telephone calls, etc., and begins with 10 key bullet-point considerations that organisations should be aware of, including a helpful “direct marketing checklist,” which provides organisations with key “must-dos” for obtaining customer consent for marketing campaigns; making calls; using bought-in marketing lists, and sending SMS messages or e-mails. Helpfully, the 44-page guidance also includes many practical examples for organisations to assess and understand what activities the ICO considers as lawful good practice and what activities are not considered as such.
The guidance also refers to other laws and regulations which may be applicable to marketing campaigns, i.e., not just the UK Data Protection Act (DPA) and the Privacy and Electronic Communications Regulations (PECR) but also the Communications Act and CAP Code.
It also warns organisations of the dangers of “sugging,” or selling products to consumers under the guise of market research—which will therefore require compliance with the relevant provisions of the DPA and PECR—and includes a detailed section on what constitutes consent, including how to obtain it and the time limits on the use of such consent.
The guidance also sets out some key considerations for online marketing activities, for example, displaying personalised adverts based on browsing and purchasing history and login information, and for non-targeted and contextual marketing, i.e., targeted to the content of the web page itself rather than to the identity or characteristics of the user. The guidance states that the applicability of the DPA depends on whether such advertising activities involve the processing of personal data—as would be the case when displaying personalised adverts to users.
Finally, the guidance includes helpful information on the use of lead-generation and the purchase, creation and sale of marketing lists, stating that lists created in-house generally create less compliance risks than those presented by lists obtained from an external third party, owing to the ease to which accuracy and verification checks can be carried out in the case of the former.
The guidance is available here.
Brian Davidson, CIPP/E, is a privacy and information law advisor at Field Fisher Waterhouse, LLP.