Market research is a useful method used by organisations to collect information from individuals about their needs and preferences. For most organisations, the information gathered will help shape commercial decisions. Common examples of market research include: employee surveys, consumer feedback forms, or telephone questionnaires, comprising questions to gauge an individual’s desires, expectations, perceptions, satisfaction levels and suggested areas of improvement in respect of the organisation. Market research is proven to be a convenient method to gather varied feedback from individuals in a relatively short period of time. However, it’s important that organisations understand the difference between market research and direct marketing and the regulations which govern these activities. The ICO has taken action against organisations that have failed to adhere to these rules, which we discuss in more detail below.
Market Research vs Direct Marketing – understanding the legislation
Section 11(3) of the Data Protection Act 2018 (“DPA”) provides a broad brush definition of direct marketing: “the communication, by whatever means, of any marketing material which is directed to particular individuals”. This definition aligns with the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), which sets out the rules in relation to electronic marketing activities applicable to UK organisations. Direct marketing takes many forms, including: advertising and directly selling products or services, promoting ideals or aims, creating sales leads and generating customer databases and non-commercial marketing undertaken by not-for-profit bodies, such as charities. Most often, the law requires organisations to obtain an individual’s consent to directly market to them, although there are a limited number of exceptions where direct marketing may be conducted on the basis of legitimate interest i.e. postal marketing. Organisations carrying out direct marketing must comply with the marketing rules under the PECR and also the DPA, ensuring that personal data is processing in a fair and lawful manner.
If an organisation carries out genuine market research it need not comply with the marketing rules under the PECR but it must still comply with the DPA. Where this can, and has been problematic for organisations is when market research intentionally (or unintentionally) contains promotional materials or collects personal data about that individual for the purpose of direct marketing. This activity, described as “marketing under the guise of research”, is referred to as “sugging”. The law does not permit organisations to label direct marketing activities as market research to avoid complying with obligations under PECR.
Issues with Sugging
The practice of sugging occurs when organisations pretend to conduct market research, when the real aim is to carry out direct marking. The ICO guidance states: “If [a] call or message includes any promotional material, or collects data to use in future marketing exercises, the call or message will be for direct marketing purposes. The organisation must say so, and comply with the DPA 2018 and PECR direct marketing rules”. Organisations that make this mistake may also be in breach of PECR direct marketing rules if it, or an agency working on its behalf, communicates marketing materials by email or text without consent or communicates by phone with an individual registered with the Telephone Preference Service. In short, organisations who use the sugging method will be in direct breach of the applicable regulations and in turn risk being investigated and fined by the ICO.
ICO action against sugging
We have observed the ICO flex its supervisory powers in relation to organisations found to be in breach of the marketing rules over the past few years. Specifically in relation to sugging, the ICO issued a stop order against Change and Save Ltd in 2016. The organisation had attempted to circumvent direct marking rules by disguising their activities as market research. The company called individuals registered on the Telephone Preference Service (“TPS”) to enquire about their will arrangements. It then went on to promote funeral, will and legal services to the individual. Over 250 individuals who received these calls complained to the TPS and many of these complaints were passed to the ICO. This resulted in an ICO inspection during which the organisation insisted it had been partaking in market research and did not require to adhere to direct marketing rules. The ICO disagreed with this and concluded that the aim of the company was to sell its products and services, and it was therefore in breach of direct marketing rules.
Advice for organisations carrying out market research?
Organisations must understand the difference in the rules relevant to market research and direct marketing, paying particular attention to the following:
- Organisations who engage in direct marketing are required to comply with the requirements of the DPA and the PECR.
- Organisations who engage in market research are required to comply with the requirements of the DPA.
- The definition of direct marketing is broad, covering any promotional or sales materials directed to an individual. If any such material is contained in a market research survey, or a survey collects personal data that could be used for direct marketing, this activity would be direct marketing and subject to the requirements of the DPA and PECR.
- Organisations using external market research agencies must make sure that the agency also follows the rules set out under the PECR and DPA when undertaking market research under its instruction. Specifically, agencies must not promote their products and services or provide them with research data for future sales and marketing activities.
- Organisations carrying out market research are required to fully comply with provisions and principles of the DPA. The ICO states that organisations must ensure “they process any individually identifiable research data fairly, securely and only for research purposes.”
- Do not contact individuals who are registered on the TPS to carry out any telephone market research. Screen against the TPS and place registered individuals on a suppression list to make sure they are not contacted.
- Charities and other not-for-profit organisation are subject to the same compliance requirements of the DPA and PECR.
If your organisation has any questions about how to design a compliant market research campaign or direct marketing campaign, please contact Thorntons Data Protection Team on 03330 430350.