Marketing compliance: do you tick the right boxes?
2 May 2024
Advertising your products and services by text message and email is a win for both time- and cost-efficiency. However, with the Information Commissioner’s Office (ICO) giving significant focus to nuisance marketing over recent years and consumers becoming more alert to the issue, it seems a good time to check whether your direct marketing activity is in order.
According to ICO statistics, in the first quarter of 2024 alone 10,234 people complained to them about receiving marketing text messages and emails, to which those people had not consented, from organisations across all sectors. The ICO is taking complaints seriously, taking action on at least 17 occasions in 2023 in the form of fines and enforcement notices, coupled with the organisations in question being specifically mentioned on their website.
The legal requirements
The Privacy and Electronic Communications Regulations 2003 (PECR) tell us that organisations may only send marketing messages to consumers via email or text if they have the consumer’s consent to do so. The retained EU General Data Protection Regulation 2016/679 (UK GDPR) sets the standard for that consent, which is high: it must be fully informed, specific, and freely and affirmatively given. Consent which does not meet the standard is not binding and cannot be relied on by the organisation seeking to send the marketing messages.
Obtaining valid consent
To obtain consent to the UK GDPR standard, you must:
- inform consumers that you wish to send them marketing emails and/or text messages;
- request consent separately from any other written material (for example, a privacy policy), using an intelligible and easily accessible form and clear and plain language;
- ensure that consent is as easy to withdraw as it is to give; and
- obtain freely-given, affirmative consent which is not conditional upon anything else, such as the provision of a service.
Additionally, the UK GDPR requires you to keep records of when and how consent was obtained from each individual, the scope of that consent and the details of any subsequent withdrawal. This is in line with the statutory accountability principle (i.e. demonstrating how you comply with the law), and the ICO may ask to see such records in the event of a complaint.
So that you are able to market to your customers, or prospective customers, here are some suggestions to ensure that you meet the legal requirements.
- Ensure that your privacy policy is up to date, informing readers of your selected marketing channels and providing them with details of how to manage their marketing preferences or withdraw consent to marketing communications.
- Review your consent gathering mechanisms to ensure that they explicitly state that you wish to send marketing emails and/or text messages, their subject matter, and that consent can be withdrawn at any time. You must include a mechanism for individuals to actively confirm, such as by ticking boxes, whether they consent to receive marketing, and the method(s) by which you may send it to them; i.e. they may choose text and/or email. Note that pre-ticked boxes are invalid.
- Include an unsubscribe mechanism in all messages.
- Keep consent records.
- Review periodically to prevent “creep”: does your marketing strategy fit within the consent you have obtained?
A possible alternative: the “soft opt-in”
If the requirements for UK GDPR standard consent are going to be difficult for you to meet, you may be able to rely on something called the “soft opt-in”. At first glance this actually looks like an opt-out, but bear with me and I will explain.
The soft opt-in applies to your existing customers and enables you to market your products or services in reliance upon the lawful basis of your legitimate interest to increase sales and grow your business, rather than consent. If you have obtained someone’s email address and/or mobile number whilst selling them something, or negotiating with them in relation to a potential sale, you can send that person marketing texts and/or emails about similar products and services you provide as long as they had an opportunity to refuse (opt out of) marketing both when you collected their contact details and in each subsequent marketing message.
The soft opt-in has its limitations, though. You will need to have received an active expression of interest in your products and services, such as a request for a quote or more information on a product range. In addition, the soft opt-in only applies to commercial marketing. Not-for-profit organisations must still rely on consent, although PECR is expected to be amended on this point to enable organisations such as charities to expand their marketable sponsorship base. Finally, it can only be relied upon by the specific organisation requesting it, so cannot be used to cross-sell products from group companies.
The rules on telephone, postal marketing and B2B marketing are different. If you have any questions about these, or would like your direct marketing practices reviewed, please don’t hesitate to contact our Data Protection Team.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at May 2024.