Article: Lessons from recent direct marketing penalties

The privacy rules for direct marketing derive from both the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications (EC Directive) Regulations 2003, and are also reflected within industry rules such as the Direct Marketing Association Code of Practice.

Under the DPA, the usual data protection principles must be followed when collecting or using personal data for marketing purposes, and individuals also have a right to object to direct marketing. Under PECR, there are requirements to obtain consents or provide options to object to unsolicited direct marketing communications, which vary depending on the method of communication (including telephone, fax, email, SMS). The options must be given to the “subscriber” to the line, which may be an individual or a company. There are additional requirements under PECR for those sending marketing communications to identify themselves and provide a free way to contact them.

The ICO has the power to take enforcement action for breaches of the DPA and PECR, including issuing monetary penalties for serious breaches, issuing enforcement notices, and requiring organisations to give undertakings to change their practices. There are also criminal penalties for some breaches, for example if an employee unlawfully uses his employer’s customer list to send marketing communications for another business.

The threshold for monetary penalties under PECR was lowered in April 2015 to remove a requirement for the breach to be likely to cause substantial damage or distress. This has enabled the ICO to issue more fines for serious breaches – monetary penalties totalling over £2m were issued in the year following the change. In many cases, evidence of distress, worry and irritation from recipients has been a factor in issuing such penalties.

The DPA is due to be replaced by the EU General Data Protection Regulation (GDPR) in May 2018. This does not amend PECR, although the EU Directive from which PECR derives is also currently under review. The GDPR requirements relating to direct marketing are similar to the DPA – there is a right to object, and the data protection principles must be followed. Contrary to some recent blogs on the issue, consent will (still) not always be required for direct marketing activities, although, where it is sought, it must be “unambiguous”, as well as (as under current law), specific, informed and freely given.

Under PECR, automated calls cannot be made without the prior consent of the recipient (or, more accurately, the subscriber to the line). This is different to the rule for live calls, where prior consent is not always required (see (2) below). Recipients have the option to refuse live calls, and may register on the TPS register as a way to provide a blanket objection to all marketing calls to their line.

In a number of recent cases, companies have not sought the required consent before instigating automated marketing calls, but have instead checked the TPS register. Consent cannot be inferred from a lack of objection (by registering on the TPS register or otherwise).

Examples:

• Nevis Home Improvements Ltd monetary penalty, April 2016.
• Prodial Ltd monetary penalty (£350,000, which is the highest to date), February 2016
• Home Energy and Lifestyle Management Ltd monetary penalty, September 2015.

Direct marketing by telephone often does not require prior consent¹. However, individuals and companies may register with the Telephone Preference Service and the Corporate Telephone Preference Service respectively, indicating their wish not to receive marketing calls. It is therefore important for organisations to screen their marketing lists against these registers before making the live calls. To avoid the need to screen against the lists, an option is to obtain specific consent for your organisation (which can override a general TPS opt-out). In several recent cases, organisations have failed to screen their lists or obtain consent.

Examples:

• Central Compensation Office Limited enforcement notice, June 2016.
• Advice Direct Ltd monetary penalty, March 2016.
• MyIML Ltd monetary penalty, February 2016.

It is not uncommon for an organisation to purchase a marketing list from a third party, or to appoint a third party to carry out marketing activities on its behalf. In such cases, the organisation remains responsible for ensuring that the requirements have been met in relation to marketing communications which it sends or which are sent on its behalf. Enforcement action has been taken against organisations for the actions or failures of their third party providers.

It is therefore important to carry out appropriate due diligence on each third party to check that marketing rules are being followed. Appropriate obligations, warranties and indemnities can also be included within contracts with providers.

See also (5) below in relation to consents obtained by third parties.

Examples:

• Quigley & Carter Limited monetary penalty, June 2016.
• Direct Choice Home Improvements Ltd monetary penalty and enforcement notice, March 2016.
• Prodial Ltd monetary penalty (£350,000, which is the highest to date), February 2016
• Cold Call Elimination Ltd monetary penalty, September 2015.

The “soft opt-in” rule under PECR allows businesses to use an opt-out approach for sending marketing emails and SMSs to existing customers. However, the marketing must relate to the sale of similar products and services. Organisations cannot therefore rely on this rule if the marketing email or SMS is intended to promote aims or ideals, which may be the case, for example, with political parties and charities.

In addition, the soft opt-in only applies where the marketing communication is about the sender’s own products or services, so it cannot be relied upon to market third party products or services.

If the soft opt-in is not an option, then prior consent must be obtained.

Example: Telegraph Media Group Ltd monetary penalty, December 2015.

Where consent is required to a marketing communication (e.g. for email or SMS), it must be notified to the sender of the communication. This raises a problem where a marketing list has been purchased from a third party, as any consents will not have been given directly to the purchaser.

The ICO has indicated that indirect or third party consent can be valid but only if it is sufficiently clear and specific, and enforcement action has been taken where this is found not to be the case.

Organisations should therefore take extra care to check such consents obtained by third parties (see also (3) above). Recipients must have intended for their consent to be passed on to the organisation doing the marketing, which means they must be clearly informed, when giving consent, that their details will be passed to that specific organisation or one clearly fitting its description for marketing purposes.

Consents (whether obtained directly or indirectly) must also be specific to the proposed marketing activities. A general consent seeking to cover all types of communications or activities is unlikely to be sufficient, as also demonstrated in recent enforcement action.

Examples:

• Leave.EU monetary penalty, May 2016.
• UCAS undertaking, April 2015.

How long a direct marketing consent lasts will depend on the context; it is unlikely that a consent will last indefinitely, particularly if there has not been regular contact with the recipient and/or the circumstances change. Individuals must also be given the ability to withdraw consent at any time. Recent undertakings in the charity sector have set out some best practice on these matters.

Examples:

• Age International undertaking, March 2016.
• British Red Cross undertaking, February 2016.

Organisations will need to find practical ways to facilitate ongoing management of customer choices and marketing data. In particular, if someone makes a request for marketing communications to stop, this request must be acted upon. This may mean suppressing rather than deleting contact details, in order to ensure the request is respected in relation to future marketing campaigns when the same details may find their way onto the marketing system. In some recent cases, requests for marketing to stop have not been acted on appropriately.

Examples:

• Advanced VOIP Solutions monetary penalty, June 2016.
• Nevis Home Improvements monetary penalty, April 2016.

Organisations often focus on providing appropriate opt-in and opt-out boxes or options to address data protection and privacy requirements. Whilst these are an important part of compliance, there are many additional matters to address. Other failures cited in recent cases include:

• not identifying the sender of a marketing communication;
• not providing appropriate contact details of the sender – an address and/or freephone number is usually required;
• not providing sufficient fair processing information at the time contact details are collected, clearly covering use of the details for direct marketing purposes; and
• selling customer details to marketing companies without obtaining appropriate consents from customers (to meet DPA requirements).

Examples:

• Advanced VOIP Solutions monetary penalty, June 2016.
• Nevis Home Improvements monetary penalty, April 2016.
• FEP Heatcare Ltd monetary penalty, March 2016.
• Member of Parliament monetary penalty, March 2016.
• UCAS undertaking, April 2016.
• Pharmacy2U Ltd monetary penalty, October 2015.

As from 16 May 2016, organisations must also ensure that the number of the sender of a marketing call is displayed; caller line identification may not be blocked. Prior to this, in March 2016, the monetary penalty against Advice Direct Ltd (see above), took into account that marketing calls (falsely) gave the appearance that the call was coming from a local number.

The ICO has investigated organisations and taken enforcement action as a result of a relatively low number of complaints, compared to the number of marketing calls or communications actually made. For example:

• Central Compensation Office Limited enforcement notice, June 2016 – over just under five months, the ICO received 23 complaints, and the TPS received 167 complaints.
• Nevis Home Improvements Ltd monetary penalty, April 2016 – over three months, the ICO received 175 complaints, and the TPS received 8 complaints.
• Advice Direct Ltd monetary penalty, March 2016 – over just under four months, the ICO received 57 complaints and the TPS received 160 complaints.