Thinking about contacting your clients to promote your products or services, selling your client database or buying a database to generate leads?
The Data Protection Act 1998 (the DPA) gives people specific rights about how their personal information is used by an organisation, and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) provide rules about communicating or sending marketing and advertising information by telephone, fax, email, text and picture or video message, or by using an automated calling system.
These rules are designed to help organisations maintain a good relationship with their clients. Keeping within the law will help build customer confidence in your business. It will also help you to avoid an enforcement action or fine of up to £500,000 from the Information Commissioner’s Office (ICO).
So, before you contact your clients or sell or buy a database or marketing list, here are some key points to consider:
- In most cases you will need consent to send people marketing materials or to pass their details on. You will also need to keep clear records that this consent was knowingly and freely given, that the consent was clear and specific and that it covers the intended purpose. Opt-in boxes (where the person indicates that they consent to the specific use of their details) are preferable to using opt-out boxes (where the person needs to indicate that they do not want you to use their information in a particular way). Silence is not consent.
- There are stricter rules for making calls or sending texts or emails, and consent must be more specific. For example, using a general opt-in box to give consent to the use of a person’s details for ‘any form of marketing’ is not advisable. It is better to specifically list email, for example, if that’s how you intend to contact customers, and also describe the types of products or services that will be marketed.
- Contact details of customers should be pre-screened against the TPS (Telephone Preference Service) or if a company, the CTPS (Corporate Telephone Preference Service), the FPS (Fax Preference Service), the MPS (Mail Preference Service) and the eMPS (Email Preference Service) registers. If a client is registered with any of these, they cannot be contacted by that form of communication, unless they have given you specific consent to do so.
- There is a limited exception (soft opt-in) for previous customers, provided that the direct marketing materials are for similar products and services, and the customer is given a simple means of refusal. The soft opt-in exception is not transferable to third party buyers of customer lists.
- Live marketing calls can be made to numbers not registered with the TPS, if it is fair to do so. This means that you must have obtained the person’s contact details fairly and lawfully in the first place and the person must be aware that you have their number and that you intend to use it for marketing purposes. You must not make any calls which the person would not reasonably expect, e.g. if the person has given explicit consent to receive calls promoting travel destinations, they would not expect to receive a call promoting car insurance.
- Automated pre-recorded marketing calls should only be made with specific prior consent and your contact number must be visible to the person receiving the call.
- You must stop sending marketing messages to a person who opts out or objects to receiving them.
- Although the use of marketing lists is not banned by the DPS or PECR, you must carry out rigorous checks if consent was originally obtained by a third party (e.g. if you have bought a marketing list). This includes checking that the list was compiled fairly and accurately reflects the person’s wishes.
- It is highly unlikely that consent obtained by a third party (indirect consent) will allow you to make marketing automated calls, texts or emails, although it may cover traditional forms of marketing. If you have bought a marketing list, check whether the customer has given your organisation specific consent to contact them by these forms of communication. Ideally, your organisation should be specifically named and the method of contact (emails, texts, marketing calls) should be explicitly consented to. Consent obtained from customers for ‘marketing calls from selected third parties’ will not demonstrate valid consent to marketing automated calls, texts or emails.
- As a general rule, if you are making contact for the first time by email, text or phone, you should not rely on consent that is more than six months old, even if the consent clearly covered your organisation. A marketing list which is out of date or does not accurately reflect a person’s marketing preferences risks breaching the DPA.
Looking ahead, the UK government has confirmed that the UK will opt in to the General Data Protection Regulation (GDPR) before it leaves the EU. The GDPR (coming into force across Europe, and presumably the UK, on 25 May 2018) will apply to all data controllers and data processors in the UK and EU, as well as those who operate outside of the EU but who provide goods or services to EU citizens or monitor their behaviour. The GDPR enhances existing protections for personal data and the free movement of such data and will have an impact on the direct marketing rules.
If you have any questions on direct marketing please do not hesitate to contact Gina Bicknell (firstname.lastname@example.org or 01892 701279) or Denise Bodri (email@example.com or 01892 701162).