Published On: 19 April 2016
In the wake of recent enforcement action against two Swansea-based firms, which led to the city being dubbed the "UK's cold call capital", the ICO has issued updated direct marketing guidance in an effort to help firms better comply with the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the "PECRs") in their marketing activities.
The updated guidance was announced at the ICO's recent annual conference and follows a year that saw high-profile enforcement action against several charities. This enforcement activity has led to a greater focus in the updated guidance on not-for-profit organisations. The updated guidance also provides more direction around the issue of third-party consent and consent in general.
Given that most readers will be familiar with the previous guidance, I will focus here on the key changes introduced in the updated guidance, which are also summarised in a blog published by the ICO:
1. Focus on not-for-profit sector
The most notable addition in the updated guidance is sector-specific advice for charities and other not-for-profit organisations. Charities, despite their not-for-profit status, are still required to comply with the PECRs in their marketing activities, and the updated guidance seeks to make this clearer with more tailored advice and sector-specific examples. The updated guidance sets out that "direct marketing is not limited to advertising goods or services for sale. It also includes promoting an organisation's aims and ideals". This brings squarely under the remit of the PECRs the activities of, for example, charities and political parties.
Amongst other things, the updated guidance makes clear to not-for-profit organisations that:
Despite the focus of the additions to the updated guidance being on the not-for-profit sector, the guidance provided is of more general use and applicability and serves as a useful reminder of what activities will be caught by the PECRs and how best an organisation can comply with them.
2. Third party consent
Another area that has received particular attention is the guidance in respect of obtaining consent for direct marketing activities where such consent is given to a third party; this is sometimes called "indirect consent" or "third party consent". We have previously reported on the Information Tribunal's consideration of this issue in the case of Optical Express (Westfield) Ltd v Information Commissioner in January of last year. The Tribunal's decision implied that, in order for a direct marketing consent to be valid when provided via a third party, it should identify the ultimate sender.
At its annual conference the ICO indicated that it would not go as far as to require that each individual sender be identified. However, the updated guidance does require data controllers who propose to share their marketing lists to move away from vague statements such as "we may share your data with selected third parties", now requiring them to make very specific references to groups of third parties.
The guidance also applies to organisations that have bought in marketing lists. As the organisation will not previously have had contact with the customers on a bought-in marketing list, it will not have received direct consent to market to them. Even where the seller of the list claims to have received consent for customers to receive marketing from third party organisations, the guidance makes clear that this consent may not be valid for marketing by electronic means.
The PECRs require that "the customer has notified the sender that they consent to messages from them", which in most cases would not be met by indirect consent. To be valid in these circumstances, when providing consent the customer must have "anticipated that their details would be passed to the organisation in question, and that they were consenting to messages from that organisation", which would be satisfied, for example, by specifically naming the third party or by clearly describing precise and defined categories of organisations. By way of example, the ICO advised that it would not be sufficient to refer to sharing data with "other charities". To be valid, the consent would need to identify the specific sector in which those charities operated.
Therefore, both organisations who share marketing lists and those who purchase them are advised to review their marketing consents and procedures to ensure they are compliant. Those organisations who wish to continue sharing marketing lists in compliance with the PECRs should ensure their privacy notices are sufficiently clear and precise and that they only share their lists with organisations that are either expressly listed or would clearly fall within precisely defined categories. However, it will be the ultimate responsibility of the third party using the marketing list to ensure it has adequate and necessary consents. It should therefore perform rigorous checks as to how and when consent was obtained and by whom, and what the customer was told. The updated guidance clearly shows that it is not acceptable to rely on "assurances of indirect consent without undertaking proper due diligence". Once a third party is satisfied adequate consent has been obtained, it should then also ensure any marketing carried out is consistent with that consent.
3. How consent may be given
As well as revisiting its guidance around third party consent, the ICO has also provided more detail as to what it means for a data subject to give consent. As before, the guidance states that "to be valid, consent must be knowingly given, clear and specific" and also refers to the definition of consent set out in the European Directive 95/46/EC, which describes it as "any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed".
However, the updated guidance goes into greater detail as to what it considers "freely given" to mean. In order for consent to be considered freely given the data subject must have a "genuine choice" as to whether or not to consent to the marketing. The ICO's Steve Woods set out in his blog on the updated guidance that this means "it isn't within the law to unduly incentivise people to give their consent to marketing". Data subjects should also not be penalised for refusing to provide their consent and generally it will not be compliant to require consent to marketing as a condition of subscribing to a service.
Organisations should therefore review their marketing consents and processes to ensure that the consent they obtain from their customers meets the requirements set out in the updated guidance and in particular that their customers are not required to receive marketing communications in order to receive any service or useful information related to it.
The ICO's blog on the updated guidance also refers to the statement made by Baroness Neville Rolfe at the recent Direct Marketing Association Data Protection Conference in which she supported the proposal to issue the direct marketing guidance as a Code of Practice, with specific statutory recognition. This would allow it to be considered by the courts and would give its requirements greater authority in the enforcement of the PECRs. Although this would require legislative change and a full consultation before going before Parliament, it clearly signals the ICO's intentions in relation to the oversight of direct marketing activities.
The ICO's blog also mentions that it is working on further new guidance to help organisations undertaking direct marketing comply with the data protection legislation, including: an updated Privacy Notices Code, a checklist for selling and buying marketing data and standard wording for organisations to use when collecting personal data for marketing purposes.
Submitted by Charlotte Halford, Solicitor