Data Protection Update on Direct Marketing

Following on from our recent Webinar ‘An Update on Direct Marketing’, with Partner Loretta Maxfield and Director of Data Protection Services Morgan O’Neill, here are the top five things that organisations should bear in mind in relation to their marketing practices.

1. The Fine Line between “Service” and “Marketing” Communications

To avoid a run in with the ICO, businesses should ensure that their service communications do not include any marketing material. Service e-mails can be sent to recipients regardless of whether they have consented and are sent for administrative or customer service purposes only.

Even a minor inclusion of marketing, whether that be the advertisement of services or goods or the promotion of an organisation’s ideals, could capture the entire communication as a marketing message. Once a communication is deemed ‘marketing’ far more rules and guidelines must be followed, including the Privacy and Electronic Communication Regulations (PECR). You cannot send marketing messages to consumers who have not consented (or who do not qualify under the soft opt-in option) and to do so risks reputational damage to your organisation and an ICO fine. Be mindful of keeping marketing lists and service mail lists separate and have a clear understanding of what your organisation considers as a service communication and how that fits with the ICO’s position.

2. Experian v ICO: Direct Marketing may be a ‘Legitimate Interest’

The First Tier Tribunal recently overturned the ICO’s decision and found that Experian’s direct marketing activity e.g. collation and profiling of personal data and selling this to customers, may rely on legitimate interest as a lawful basis. This is contrary to the ICO’s view that felt that the level of intrusion to data subjects was such that the processing would unlikely meet the requirements of the legitimate interest lawful basis. This decision only applies to offline direct marketing (e.g. profiling or postal). It is important to remember that consent may still be appropriate for direct marketing activity particularly where the level of intrusion is particularly high, special category data is being processed or if electronic communications to consumers, such as e-mails, are being sent.

It is worth bearing in mind that this is an area of UK data protection law which is experiencing a live discussion, and the ICO is currently considering whether or not to appeal this decision. This is therefore perhaps, an area of the law which has not quite settled yet.

3. B2B Marketing: Lawful Basis

It’s incredibly important that an organisation executes its direct marketing on the correct lawful basis. Generally, most B2B marketing can be based on legitimate interests.

The following methods of marketing can rely on legitimate interests:

1. ‘Live’ calls where there are no CTPS/TPS registrations or objections;
2. E-mails or texts to corporate subscribers;
3. E-mails or texts to sole traders/some types of partnerships obtained through soft opt-in;
4. Postal marketing.

Organisations will need to apply the legitimate interests’ ‘three-part test’ in order to determine if they can rely on this lawful basis:

1. Identify a legitimate interest;
2. Show that the processing is necessary to achieve it; and
3. Balance it against the individual’s interests, rights and freedoms.

The test should be documented and particular focus should be on the impact on the data subjects and whether any negative impact overrides the interests of the organisation.

 4. B2C Marketing: Lawful Basis  

B2C marketing tends to be considered higher risk and although organisations can still rely on legitimate interests for some marketing e.g. postal, they will require consent for the following marketing practices:

1. E-mails to individuals, sole traders or partners in common law partnerships;
2. Texts;
3. Recorded telephone practices;
4. Targeted/Personalised online advertisements; and
5. Service communications that contain marketing messaging.

An alternative to consent is the ‘soft opt-in’. Opting in is considered the ‘gold standard’ and requires an individual to take a positive action, for example checking a box or sending an e-mail agreeing to direct marketing. You must be specific and transparent about what you are asking the individual to agree to.

A soft opt-in, on the other hand, is where the organisation has an existing relationship with an individual and provides the individual with the ability to opt out at the point of collecting the data. For example, someone makes an online purchase and is given the opportunity to opt out of receiving direct marketing when they are first submitting personal data. They choose not to opt out. The organisation is therefore permitted to send them marketing communications but only if they are in relation to the goods or services which they purchased. The organisation must continue to give the customer an opportunity to opt out in their subsequent marketing messages and cannot advertise something different to their initial purchase.

Your obligations do not come to an end when a data subject gives you consent. How you then manage that consent is equally as important. The ICO provides that “you should view consent as a dynamic part of your ongoing relationship of trust with individuals, not a one-off compliance box to tick and file away. To reap the benefits of consent, you need to offer ongoing choice and control”. Giving customers control over their consent preferences builds an organisation’s credibility, reputation and trust.

The UK GDPR does not set a specific time limit for how long consent lasts. However, it will likely reduce over time and the speed in which that happens depends on the circumstances. You will need to refresh consent if anything changes. This could be a change in data processing operations or if the purpose for this processing varies. Following these changes, the original consent will likely not be informed or specific enough for the consent to remain valid.

According to the ICO, if you are in doubt about the frequency in which you should be sending out consent refreshes, you should consider to do so every two years.

5. Be Fair and Transparent

Being open and transparent with data subjects remains vital. The law and the ICO expects organisations to inform data subjects of how their personal data will be used and its important this point is not overlooked. This point formed an integral part of both the recent Experian and Meta cases.

Organisations must give consideration as to how their direct marketing practices are set out in their privacy notice and ensure they are provided in a timeous manner.   

Thorntons Data Protection Team present a new webinar each month on a range of topics. Join us on 26 April 2023 for our next webinar with Director of Data Services, Morgan O’Neill, to discuss the latest data protection developments arising from the new Data Protection and Digital Information Bill.