To make sure your business is doing this in accordance with the law, we have outlined a refresher of the current rules of direct marketing, and the changes that appear to be on the way.
What is direct marketing?
Direct marketing is widely defined to include any form of advertising sent directly to an identified or identifiable end-user; it does not matter what method of advertising is used, the key is that it is directed at a specific person.
What rules and laws do you need to consider?
There are a whole host of laws and rules that apply to direct marketing. Generally speaking, and without focusing on any sector-specific requirements, before contacting a customer or a potential customer, businesses should consider the following:
The data protection laws – GDPR and the UK Data Protection Act 2018
When using names and contact details you are processing personal data and so you need to comply with the data protection laws. Your organisation needs to have a legal basis to use personal data for direct marketing purposes, and this is usually consent or legitimate interests, but it will depend on the circumstances. Remember that the GDPR standard of consent means that it needs to be unambiguous and given by affirmative action – so pre-ticked boxes won’t work!
Your organisation also needs to tell individuals that their personal data will be used for direct marketing purposes at the time it is collected – so this should be set out in your organisation’s privacy notice. Please also keep the ‘purpose limitation principle’ in mind: if you obtained an individual’s contact details for a purpose unrelated to marketing then those contact details should not be used for direct marketing without informing the individual first.
The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)
PECR has specific rules on direct marketing when electronic forms of communication are used e.g. email, text, phone call, but it does not apply to traditional postal marketing. PECR requires prior opt-in consent in some cases depending on the method of contact, who the communication is going to, and how the contact details were obtained in the first place.
Direct Marketing Authority’s (DMA) preference services
The DMA runs a number of preference services that allow consumers and businesses to opt out of certain types of unsolicited marketing communications. Organisations should screen against the preference service lists before sending out direct marketing communications, and please remember to screen against your own internal suppression lists (e.g. those who have expressly opted-out of receiving marketing communications from your organisation).
Individual contacts v business contacts – is there a difference?
The short answer is yes. There are different rules for direct marketing, depending on whether you intend to contact a business or consumers/individuals – and remember that sole traders and some types of partnerships fall within the individual group rather than the business group.
Guidance from the ICO
Under the terms of the UK Data Protection Act 2018, the Information Commissioner's Office (ICO) – as the UK’s regulator for data protection matters – is required to publish a statutory direct marketing code.
The public consultation on the ICO’s draft Direct Marketing Code of Practice ended earlier this month, and the ICO is now considering the feedback it received to create the final version of the Code. Once finalised, the ICO must take the Code into account when deciding whether organisations carrying out direct marketing have complied with their obligations. The Code will also give helpful guidance to organisations on how to ensure compliance with the laws when engaged in direct marketing practices.
The draft Code makes clear that it applies to charities, public sector organisations and all other organisations who engage in direct marketing practices. It is widely aimed, and states: “You will be caught by the direct marketing rules if you are using data with the intention to market, advertise, or promote products, services, aims or ideals.”
We await finalisation of this Code from the ICO, and in the meantime you should refer to their current and existing Direct Marketing Guidance. We will keep you updated on the status of the draft Code as matters develop. The ICO is also continuing its work in the “ad tech” space and has not ruled out taking regulatory action if self-regulation by industry is not deemed to be sufficient.
We appreciate that this can be a tricky area, and this blog is only intended to act as a high-level refresher. If you are unsure of when you can lawfully direct market to consumers and to businesses, please get in touch with our expert team who can guide you and your organisation through the legal requirements.